feat: upgrade deps, workflows and fix claude workflows

[codfish]

Note

Modernizes CI and docs, updates Claude workflows, and bumps dev tooling.

• Switches all workflows and docs to actions/checkout@v6; adds/updates required permissions
• Upgrades Claude integrations: use anthropics/claude-code-action@v1, new prompt, progress tracking, and explicit claude_args; updates secret to CLAUDE_CODE_OAUTH_TOKEN
• Security: extend allowed licenses to include MPL-2.0; keep CodeQL/dependency review/audit steps, minor tweaks
• Validate workflow: matrices unchanged; integrate comment/report steps; small script/formatting fixes
• Dev tooling: bump @codfish/eslint-config, eslint, prettier, lint-staged, bats; refresh pnpm-lock.yaml
• READMEs updated to reflect checkout@v6 in examples

^{Written by Cursor Bugbot for commit 0f87469. Configure here.}

Summary by CodeRabbit

• Chores

  • Updated GitHub Actions workflows to use the latest checkout action (v6)
  • Upgraded Claude code review action from beta to v1 with expanded review configuration
  • Updated development dependencies including ESLint, Prettier, Bats, and related tools

• Documentation

  • Updated workflow examples in README files to reflect the latest checkout action version

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

GitHub Actions workflows upgraded from actions/checkout@v5 to v6 across multiple files. Claude code review action updated from beta to v1 with new OAuth token authentication and enhanced configuration. Dev dependencies bumped in package.json. Documentation and README files updated to reflect new checkout version in examples.

Changes

Cohort / File(s)	Summary
GitHub Workflows – Checkout & Action Upgrades .github/workflows/claude.yml, .github/workflows/claude-code-review.yml, .github/workflows/release.yml, .github/workflows/security.yml, .github/workflows/update-docs.yml, .github/workflows/validate.yml	Upgraded actions/checkout@v5 to v6 across six workflows. Updated Claude code review action from beta to v1, switched API secret from ANTHROPIC_API_KEY to CLAUDE_CODE_OAUTH_TOKEN, added OAuth token write permission, expanded review prompt with structured focus areas (Code Quality, Security, Performance, Testing, Documentation), and replaced direct_prompt with claude_args block.
Documentation – Workflow Examples README.md, npm-publish-pr/README.md, setup-node-and-install/README.md	Updated code examples and usage snippets to reference actions/checkout@v6 instead of v5. No logic or behavior changes.
Development Dependencies package.json	Bumped devDependencies: @codfish/eslint-config (^12.1.1 → ^12.2.0), bats (^1.10.0 → ^1.13.0), eslint (^9.36.0 → ^9.39.2), lint-staged (^16.2.0 → ^16.2.7), prettier (^3.6.2 → ^3.8.1).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With v6 now in place and Claude set to v1,
Our workflows hop faster—the upgrade is done!
Fresh tokens and permissions, docs bright and new,
Dependencies bump-bumped, we hopped right on through!
Review them with ease, for the changes align,
One pattern, one rhythm—it all looks fine! 🐇✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: dependency upgrades, workflow updates (actions/checkout@v5 to v6), and Claude workflow fixes (API key, permissions, action version).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Integration Test Results

npm-pr-version action test:

• ✅ Version generation: 0.0.0-PR-29--0f87469
• ✅ package.json update: Successful
• ✅ Format validation: Passed

The action is working correctly! 🎉

[github-actions]

🧪 Test Results

✅ All tests passed successfully!

• Linting: ✅ Passed
• Unit tests: ✅ Passed
• Integration tests: ✅ Passed

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.github/workflows/claude.yml:
- Around line 37-41: The workflow uses the wrong secret for the
anthropics/claude-code-action step: update the Run Claude Code step to pass the
actual Anthropic API key by replacing the secret referenced for the
anthropic_api_key input (currently secrets.CLAUDE_CODE_OAUTH_TOKEN) with
secrets.ANTHROPIC_API_KEY so the anthropic_api_key input receives a proper API
key.

In `@package.json`:
- Around line 28-35: The dependency "@codfish/eslint-config@12.2.0" in
package.json is invalid; update the version to a published release (e.g., change
"@codfish/eslint-config" to "12.0.0" or another exact version found in the npm
registry), then run "pnpm format" to apply Prettier formatting to package.json;
ensure compatibility with existing "eslint" and "prettier" pins after the change
and verify the new version in the registry before committing.

In `@README.md`:
- Line 87: The README contains manual edits inside the auto-generated block <!--
start action docs --> / <!-- end action docs --> (specifically the changed
"uses: actions/checkout@v6" lines); revert those manual changes, restore the
auto-generated section to its original state, and instead update the
authoritative source README(s) (e.g., npm-publish-pr/README.md) if needed, then
run the docs generator (pnpm docs:generate) to regenerate the section so the
correct checkout@v6 entries are applied.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

anthropics/claude-code-action@v1 authentication input requirements oauth token

💡 Result:

For the official anthropics/claude-code-action@v1, authentication is done via an Anthropic API key, passed as the anthropic_api_key input (typically from a GitHub Actions secret). The official v1 docs list anthropic_api_key as the required auth input and do not document an OAuth-token-based auth input for v1. [1]

Example:

- uses: anthropics/claude-code-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
    prompt: "..."

If you’re looking for OAuth token auth (often referenced as CLAUDE_CODE_OAUTH_TOKEN / claude_code_oauth_token), that shows up in other Claude Code Action variants/older/beta-style setups rather than the official v1 docs. [2]

Sources
[1] https://docs.anthropic.com/en/docs/claude-code/github-actions
[2] https://github.com/marketplace/actions/claude-code-action-yolo-mode

---

🏁 Script executed:

# Check the full workflow file to understand context and permissions
cat -n .github/workflows/claude.yml

Repository: codfish/actions

Length of output: 1605

---

Use ANTHROPIC_API_KEY secret instead of CLAUDE_CODE_OAUTH_TOKEN.

The anthropic_api_key input expects an Anthropic API key, not an OAuth token. The official anthropics/claude-code-action@v1 docs specify secrets.ANTHROPIC_API_KEY as the standard secret. Update the secret reference to match the actual API key type:

with:
  anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

🤖 Prompt for AI Agents

In @.github/workflows/claude.yml around lines 37 - 41, The workflow uses the
wrong secret for the anthropics/claude-code-action step: update the Run Claude
Code step to pass the actual Anthropic API key by replacing the secret
referenced for the anthropic_api_key input (currently
secrets.CLAUDE_CODE_OAUTH_TOKEN) with secrets.ANTHROPIC_API_KEY so the
anthropic_api_key input receives a proper API key.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

@codfish/eslint-config 12.2.0 compatibility eslint prettier requirements

💡 Result:

I couldn’t find any published @codfish/eslint-config@12.2.0 release; the package pages I can access show 12.0.0 as the latest available version. [1]

For the currently published v12 line, the stated requirements/compatibility are:

• ESLint: v9+ (flat config). The install docs explicitly show eslint@9 alongside the config. [2]
• Prettier: not required to be installed separately for basic JS/TS formatting, because Prettier formatting is described as already integrated and run via ESLint. [1]
  • Install prettier yourself only if you want to run Prettier directly or format non-JS file types (Markdown/JSON/CSS/YAML, etc.). [1]

Sources: [1] [2]

---

🌐 Web query:

@codfish/eslint-config npm package version 12.2.0 peerDependencies

💡 Result:

For @codfish/eslint-config@12.2.0, I wasn’t able to retrieve the published package.json (and therefore the exact peerDependencies block) from npm/registry via the available sources/tools—Socket’s dependency view doesn’t load the peer list, and GitHub’s rendered package.json view didn’t expose the raw file contents. [1][2]

What I can confirm from the project’s installation instructions is that it expects ESLint v9 (they show installing eslint@9 alongside the config), which strongly implies eslint is a required peer dependency. [2]

If you paste the output of:

npm view `@codfish/eslint-config`@12.2.0 peerDependencies

(or the package.json contents), I can enumerate the exact peerDependencies precisely.

Sources: [1] [2]

---

🌐 Web query:

eslint 9.39.2 prettier 3.8.1 compatibility

💡 Result:

ESLint 9.39.2 and Prettier 3.8.1 are compatible in the sense that they can be used together; the usual “compatibility” issues are about the bridge packages between them.

What to use:

• To avoid rule conflicts (recommended): use eslint-config-prettier (extend "prettier"). This just turns off ESLint rules that conflict with Prettier. [1]
• If you also want Prettier to run as an ESLint rule: use eslint-plugin-prettier v5+ (v4 is incompatible with Prettier 3). The v5 line upgraded to Prettier v3 and sets ESLint peer dependency to >=8, so it works with ESLint 9.x. [2][3]

Also note: some third-party ESLint configs/plugins may still lag ESLint 9 support (example: eslint-config-universe reported incompatible with ESLint 9.0.0). [4]

Security note: there was a reported compromise affecting specific versions of eslint-config-prettier and eslint-plugin-prettier; avoid the listed compromised versions if you pin exact versions. [5]

Practical install targets (safe defaults):

• prettier@3.8.1
• eslint@9.39.2
• eslint-config-prettier@latest
• eslint-plugin-prettier@^5 (only if you use the plugin)

Sources: [1][2][3][4][5]

---

@codfish/eslint-config@12.2.0 does not exist in npm registry; latest published version is 12.0.0.

The version specified must be corrected to an available release. Additionally, per the project guidelines, run pnpm format to apply Prettier formatting to package.json after this change.

If upgrading to a v12 version: ESLint 9.39.2 is compatible (v12 requires ESLint v9+), and Prettier 3.8.1 can be used alongside it. Verify the exact version pins in package.json against the npm registry before committing.

🤖 Prompt for AI Agents

In `@package.json` around lines 28 - 35, The dependency
"@codfish/eslint-config@12.2.0" in package.json is invalid; update the version
to a published release (e.g., change "@codfish/eslint-config" to "12.0.0" or
another exact version found in the npm registry), then run "pnpm format" to
apply Prettier formatting to package.json; ensure compatibility with existing
"eslint" and "prettier" pins after the change and verify the new version in the
registry before committing.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check repository structure
echo "=== Repository structure ==="
ls -la | head -20

# List action directories
echo -e "\n=== Action directories ==="
find . -maxdepth 2 -type d -name '*action*' -o -type d -name '*npm*' -o -type d -name '*comment*' 2>/dev/null | head -20

# Check if bin/generate-docs.js exists
echo -e "\n=== Looking for docs generator ==="
ls -la bin/ 2>/dev/null || ls -la scripts/ 2>/dev/null

# Find all JavaScript files related to docs generation
echo -e "\n=== JavaScript files related to docs ==="
find . -type f -name '*generate*' -o -name '*docs*' 2>/dev/null | grep -E '\.(js|ts)$' | head -20

Repository: codfish/actions

Length of output: 1646

---

🏁 Script executed:

#!/bin/bash

# Read the generate-docs.js script
echo "=== Examining bin/generate-docs.js ==="
wc -l bin/generate-docs.js
echo ""
cat bin/generate-docs.js

echo -e "\n=== Action README files ==="
ls -la comment/
echo ""
cat comment/README.md 2>/dev/null

echo -e "\n=== npm-publish-pr README ==="
ls -la npm-publish-pr/
echo ""
cat npm-publish-pr/README.md 2>/dev/null

Repository: codfish/actions

Length of output: 20853

---

🏁 Script executed:

#!/bin/bash

# Check the main README.md around the flagged lines
echo "=== Main README.md around lines 87, 124, 162 ==="
cat -n README.md | sed -n '80,95p'
echo ""
echo "=== Lines around 124 ==="
cat -n README.md | sed -n '115,135p'
echo ""
echo "=== Lines around 162 ==="
cat -n README.md | sed -n '155,170p'

# Check where the action docs markers are
echo -e "\n=== Checking for action docs markers ==="
grep -n "action docs" README.md

Repository: codfish/actions

Length of output: 1928

---

🏁 Script executed:

#!/bin/bash

# Verify that npm-publish-pr/README.md has checkout@v6 in its source
echo "=== Checking npm-publish-pr/README.md for checkout versions ==="
grep -n "checkout@v" npm-publish-pr/README.md

# Check comment/README.md usage
echo -e "\n=== Checking comment/README.md usage examples ==="
sed -n '/## Usage/,/## /p' comment/README.md | head -20

# Verify that running the generator would use these as source
echo -e "\n=== Verify generator extracts from these files ==="
grep -A5 "extractUsageExample" bin/generate-docs.js | head -15

Repository: codfish/actions

Length of output: 853

---

Remove manual edits to auto-generated section; update via docs generator instead.

Lines 87, 124, 162 are within the <!-- start action docs --> / <!-- end action docs --> auto-generated section. Per coding guidelines, this content must not be manually edited. The source action README files (e.g., npm-publish-pr/README.md) already contain the correct checkout@v6 references. Remove these direct edits and run pnpm docs:generate to regenerate the section properly.

🤖 Prompt for AI Agents

In `@README.md` at line 87, The README contains manual edits inside the
auto-generated block <!-- start action docs --> / <!-- end action docs -->
(specifically the changed "uses: actions/checkout@v6" lines); revert those
manual changes, restore the auto-generated section to its original state, and
instead update the authoritative source README(s) (e.g.,
npm-publish-pr/README.md) if needed, then run the docs generator (pnpm
docs:generate) to regenerate the section so the correct checkout@v6 entries are
applied.

[github-actions]

🎉 This PR is included in version 3.0.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀