Collaborator

@victorkl400 victorkl400 commented Dec 29, 2025

PR description

This PR updates the Lint & Build GitHub Actions workflow to run via pull_request_target, add an “external PR” guidance comment job, and adjust concurrency grouping.

Also bumps checkout/setup-node from v3 to v4, switches build/lint commands to yarn build + yarn lint, and adds a compressed-size check on packages/vechain-kit/dist.

Summary by CodeRabbit

  • Chores
    • Removed the standalone automated build-size workflow.
    • Introduced a guarded external-PR guidance step instead of running full checks on forks.
    • Restructured CI to separate external commentary from internal build/lint/size validation.
    • Package size comparisons and full build/test runs now run only for internal or specially labeled PRs.


@victorkl400 victorkl400 self-assigned this Dec 29, 2025

coderabbitai bot commented Dec 29, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between e538915 and 7c2f15e.

📒 Files selected for processing (1)
  • .github/workflows/lint-build-test.yaml
📝 Walkthrough

Removed the standalone build-size workflow and consolidated its functionality into an updated lint-build-test workflow that uses pull_request_target, adds guarded external-PR commentary, updates actions, and includes an internal package-size comparison step.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Removed workflow: .github/workflows/build-size.yaml | File removed entirely; previously provided external-PR guidance job and an internal build-size-check job comparing package sizes for internal PRs. |
| Updated primary CI workflow: .github/workflows/lint-build-test.yaml | Reworked trigger to pull_request_target (types: labeled, opened, synchronize, reopened) and restricted to main; added repo contents read permission and concurrency. Split into two jobs: comment-external-pr (posts guidance for forked PRs) and internal build-and-test-job (checkout@v4, setup-node@v4, install/build/lint, and a new "Compare package sizes" step using preactjs/compressed-size-action). Updated caching and node setup steps. |

Sequence Diagram(s)

mermaid
sequenceDiagram
participant PR as External PR (fork)
participant GH as GitHub Actions (pull_request_target)
participant Comment as Comment Action
participant CI as Internal CI Job
participant Size as Compressed Size Action

PR->>GH: pull_request_target (opened / labeled / sync)
alt PR head is from a fork
    GH->>Comment: run comment-external-pr job
    Comment-->>PR: post guidance comment (size checks gated)
    Note right of GH: build gated until label / internal PR
else Internal PR or labeled safe-to-deploy
    GH->>CI: run build-and-test-job
    CI->>CI: checkout, setup-node, install, build, lint
    CI->>Size: compare package sizes (packages/vechain-kit/dist/**)
    Size-->>CI: report size diff
    CI-->>GH: job result
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • mikeredmond
  • Agilulfo1820

Poem

🐰 I hopped through workflows, tidy and spry,

Forks get a nudge, internal builds fly,
Sizes compared where the artifacts dwell,
CI hums along — all's running well! 🥕

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title succinctly describes the primary change of refactoring and improving the build workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


github-actions bot commented Dec 29, 2025

Size Change: 0 B

Total Size: 5.76 MB


compressed-size-action

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (2)
.github/workflows/lint-build-test.yaml (2)

36-38: Minor formatting and style issues in the comment body.

  • Line 36: "Eg." should be styled as "e.g.," (lowercase with comma) per standard English conventions.
  • Line 38: Excessive indentation before "Next steps:" creates awkward spacing.
🔎 Proposed fix
             Since this PR comes from a forked repository, the lint and build will only run for internal PRs for security reasons.
-            Please ensure that your PR is coming from a meaningful branch name. Eg. feature/my-feature **not main**
+            Please ensure that your PR is coming from a meaningful branch name, e.g., feature/my-feature **not main**

-                      **Next steps:**
+            **Next steps:**
                       1. A maintainer will review your code
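Review bot: the context line "1. A maintainer will review your code" keeps its deeper indentation after "**Next steps:**" is dedented, so the numbered list still does not line up with its heading. Dedent the list items to the same column as the heading in the same change.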

65-72: Consider enabling compression for more accurate size analysis.

The compression: none setting means the size comparison doesn't account for how files will actually be served (typically gzipped or brotli-compressed). Consider using compression: gzip or compression: brotli for a more realistic size impact assessment.

🔎 Proposed change
       - name: Compare package sizes
         uses: preactjs/compressed-size-action@946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a # v2
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           pattern: "packages/vechain-kit/dist/**/*"
           exclude: "{**/node_modules/**}"
-          compression: none
+          compression: gzip
           minimum-change-threshold: 1000
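Review bot: minimum-change-threshold: 1000 is left unchanged while compression moves from none to gzip, so the same number is now compared against gzip sizes and will hide larger raw changes than it did before. Revisit the threshold together with this switch. Separately, repo-token passes secrets.GITHUB_TOKEN to this step in a workflow the PR describes as running on pull_request_target, so the job's permissions should be limited to what posting the size comment needs.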
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between cb2990f and e4b7670.

📒 Files selected for processing (2)
  • .github/workflows/build-size.yaml
  • .github/workflows/lint-build-test.yaml
💤 Files with no reviewable changes (1)
  • .github/workflows/build-size.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build-size-check
  • GitHub Check: e2e-test
🔇 Additional comments (1)
.github/workflows/lint-build-test.yaml (1)

52-58: Action version updates look good.

The updates to actions/checkout@v4 and actions/setup-node@v4 are appropriate. The Node.js setup correctly uses the .nvmrc file for version management and enables yarn caching for faster builds.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/lint-build-test.yaml (1)

49-55: Checkout still doesn’t test PR changes under pull_request_target.

With pull_request_target, actions/checkout@v4 without an explicit ref/repository checks out the base branch, so this job currently builds and lints main, not the PR’s code—even for internal PRs and for external PRs with safe-to-build. That makes the CI signal misleading and effectively useless for catching regressions.

To both respect the gating you’ve added and actually exercise the PR code, explicitly check out the PR head commit from the PR’s repository (and avoid persisting credentials):

Proposed checkout fix
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
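Review bot: with repository and ref pointing at the PR head, the install, build and lint steps that follow this checkout run fork-controlled code inside a pull_request_target run, so the job-level gate (internal PR or the safe-to-build label) is the only control in front of it. The trigger types listed for this workflow include synchronize, so a label applied after review stays in place when new commits are pushed; consider removing the label on synchronize or requiring it to be re-applied before the job runs again. Keep persist-credentials: false.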

This keeps the pull_request_target security posture (thanks to your gating + minimal permissions) while ensuring builds/lints are run against the actual PR code.

In GitHub Actions, for workflows triggered by `pull_request_target`, what commit does `actions/checkout@v4` check out when `ref` is omitted, and what is the recommended pattern to safely build/test the PR’s head commit (including for forks) while minimizing token permissions?
🧹 Nitpick comments (1)
.github/workflows/lint-build-test.yaml (1)

33-41: Clarify external‑PR guidance text to match actual behavior.

The message says “lint and build will only run for internal PRs,” but the job condition also allows external PRs once a maintainer adds the safe-to-build label. To avoid confusing contributors, consider rephrasing to something like “lint and build won’t run automatically for forked PRs; a maintainer can trigger them by adding the safe-to-build label,” while keeping the numbered steps.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between e4b7670 and e538915.

📒 Files selected for processing (1)
  • .github/workflows/lint-build-test.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-size-check
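
The checkout and gating points raised in the review above can be checked mechanically. This is an added example, not code from the PR or from CodeRabbit: a heuristic, line-based audit of a pull_request_target workflow. The function names, finding strings and sample workflows are constructed for illustration, and it assumes the `on:` mapping form and job keys indented two spaces.

```python
import re

HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
GATE = re.compile(r"^    if:.*(?:head\.repo\.full_name|labels)", re.M)  # job-level `if:`

def split_jobs(text):
    """Map job name -> body; assumes job keys indented two spaces under `jobs:`."""
    parts = re.split(r"^  ([\w-]+):[ \t]*$", text.partition("\njobs:")[2], flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def audit_workflow(text):
    """Return findings for a workflow triggered by pull_request_target."""
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return []  # other triggers are out of scope for this check
    out = [] if re.search(r"^permissions:", text, re.M) else ["workflow: no top-level permissions"]
    for job, body in split_jobs(text).items():
        if "actions/checkout@" not in body:
            continue  # e.g. a job that only posts a comment
        if not HEAD_REF.search(body):
            out.append(f"{job}: checkout has no ref, so the base branch is built")
            continue
        if not GATE.search(body):
            out.append(f"{job}: PR head checked out without a fork/label gate")
        if not re.search(r"persist-credentials:\s*false", body):
            out.append(f"{job}: checkout persists the token for later steps")
    return out

# Constructed sample workflows, not the project's file.
TEMPLATE = """on:
  pull_request_target:
    types: [labeled, opened, synchronize, reopened]
{perms}jobs:
  build-and-test-job:
{gate}    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
{ref}      - run: yarn install && yarn build && yarn lint
"""
PERMS = "permissions:\n  contents: read\n"
GATE_IF = ("    if: github.event.pull_request.head.repo.full_name == github.repository"
           " || contains(github.event.pull_request.labels.*.name, 'safe-to-build')\n")
REF = "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
NO_PERSIST = "          persist-credentials: false\n"
BASE_ONLY = TEMPLATE.format(perms=PERMS, gate=GATE_IF, ref="")   # what the review flags
UNGATED = TEMPLATE.format(perms="", gate="", ref=REF)            # head checkout, no controls
HARDENED = TEMPLATE.format(perms=PERMS, gate=GATE_IF, ref=REF + NO_PERSIST)
```

`audit_workflow(BASE_ONLY)` reports the misleading-CI case from the review, `audit_workflow(UNGATED)` reports the missing gate, permissions and credential settings, and `audit_workflow(HARDENED)` returns no findings.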
