Conversation

@elrrrrrrr (Contributor) commented Sep 17, 2025

  • add test-utoo.yml

Summary by CodeRabbit

  • Maintenance
    • Added a continuous-integration workflow that performs code checkout, environment setup and caching in one place, making builds and tests faster and more stable; integrates coverage reporting to improve quality visibility.
  • Tests
    • Runs static checks (lint and type checking), a compile step and unit tests automatically in CI, so that changes are fully verified before merging.

@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai bot commented Sep 17, 2025

Walkthrough

Adds a GitHub Actions workflow, test-utoo.yml, that can be triggered via workflow_call and defines a react-component-workflow job running on ubuntu-latest. The steps check out the code, install UTOO, run ut / ut lint / utx tsc / ut compile / ut test (with coverage), and upload coverage to Codecov using CODECOV_TOKEN.

Changes

Cohort / File(s): CI workflow: UTOO tests and coverage
  ./.github/workflows/test-utoo.yml
Change Summary: New workflow, triggered by workflow_call; a single job runs on ubuntu-latest; steps include actions/checkout, utooland/setup-utoo@v1 (latest, npm registry mirror, cache-store), then in order ut, ut lint, utx tsc --noEmit, ut compile and ut test -- --coverage, and finally a coverage upload with codecov-action@v5 (requires CODECOV_TOKEN).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Caller as Caller (workflow_call)
    participant GHA as GitHub Actions
    participant Runner as ubuntu-latest runner
    participant Repo as Repository
    participant UTOO as UTOO/UT tooling
    participant Codecov as Codecov

    Caller->>GHA: invoke workflow test-utoo
    GHA->>Runner: start job react-component-workflow
    Runner->>Repo: actions/checkout checks out the code
    Runner->>UTOO: setup-utoo@v1 installs/caches UTOO
    note over Runner,UTOO: uses the latest version and the npm registry mirror

    Runner->>UTOO: ut
    Runner->>UTOO: ut lint
    Runner->>UTOO: utx tsc --noEmit
    Runner->>UTOO: ut compile
    Runner->>UTOO: ut test -- --coverage

    alt coverage artifact produced
        Runner->>Codecov: codecov-action@v5 uploads coverage (using CODECOV_TOKEN)
        Codecov-->>Runner: upload result
    else failure
        Runner-->>GHA: mark job as failed
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I'm a rabbit, hopping up CI's cloudy slope,
UTOO spins round, touching lint and compile both.
Tests beat like drums, coverage sparks like stars,
codecov takes the pot, the report says all is well.
Click: the main branch stands firmer! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The PR title "feat: add test-utoo" is concise and maps directly to the main content of the change set: adding the .github/workflows/test-utoo.yml workflow to run UTOO tests in CI and upload coverage reports. The feat prefix signals a new feature/workflow, so reviewers can quickly grasp the intent, and the title is highly relevant to the change set. Overall the title is clear, specific and of suitable length, making the change easy to identify in the merge history.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (4)
.github/workflows/test-utoo.yml (4)

10-10: Checkout: consider disabling persisted credentials

Reduces the exposure of long-lived credentials; this workflow never needs to push back to the repository.

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
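Review bot: `persist-credentials: false` is safe here because nothing later in the job uses the checkout token; the Codecov step authenticates with CODECOV_TOKEN (or OIDC), not with git credentials, so the only effect is that a compromised later step can no longer read a push-capable token from .git/config.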

11-15: Confirm whether Node.js needs to be installed explicitly

utooland/setup-utoo does not guarantee a Node version; consider pinning the Node version to avoid environment drift.

       - uses: utooland/setup-utoo@v1
         with:
-          utoo-version: 'latest'
+          utoo-version: ${{ inputs.utoo-version || 'latest' }}
           registry: 'https://registry.npmmirror.com/'
           cache-store: true
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node-version || 'lts/*' }}
+          cache: 'npm'
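Review bot: `cache: 'npm'` makes actions/setup-node look for a lock file (package-lock.json, npm-shrinkwrap.json or yarn.lock) and fail the step when none is found, so confirm the repository has one before applying this; also, `inputs.node-version` and `inputs.utoo-version` resolve only if those inputs are declared under `on.workflow_call.inputs`, which the current `on: [workflow_call]` does not do.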

Please confirm whether setup-utoo bundles and pins a Node version; if it does, this suggestion can be ignored.


14-14: Using a third-party mirror needs a compliance and stability assessment

npmmirror.com may be affected by regional or compliance policies; if the repository must be stable worldwide, consider the official registry or provide a configurable input.

-          registry: 'https://registry.npmmirror.com/'
+          registry: ${{ inputs.npm-registry || 'https://registry.npmjs.org/' }}

(and add npm-registry to workflow_call.inputs, defaulting to the official registry)


16-20: Optional: merge the UT commands into a single shell step to cut process overhead and unify error handling

Non-functional optimisation; keeping the current form is fine.

-      - run: ut
-      - run: ut lint
-      - run: utx tsc --noEmit
-      - run: ut compile
-      - run: ut test -- --coverage
+      - name: Run UTOO pipeline
+        run: |
+          set -euxo pipefail
+          ut
+          ut lint
+          utx tsc --noEmit
+          ut compile
+          ut test -- --coverage
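Review bot: `set -x` echoes every expanded command into the job log, which is harmless for these fixed commands but would leak any token or registry credential that a future command takes as an argument; consider `set -euo pipefail` unless the trace is wanted. With no `shell:` key GitHub already runs `run:` steps under `bash -e`, so `pipefail` is the real gain of the merged script over the five separate steps.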
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9c61354 and e96492a.

📒 Files selected for processing (1)
  • .github/workflows/test-utoo.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/test-utoo.yml (1)

21-23: Enable OIDC (token-less upload) or make sure a failed upload does not block CI

Confirmed: codecov/codecov-action@v5 supports token-less upload via OIDC (set use_oidc: true); this needs id-token: write in the workflow or job permissions; note that the organisation/repository settings on the Codecov side (Global Upload Token) may still require a token.

Suggestion (pick one):

  • If OIDC can be enabled: remove the token, set use_oidc: true on the action, and add permissions: id-token: write at the top level of the workflow.
  • If the token stays: change the upload step to if: ${{ always() }} and set fail_ci_if_error: false under with (optionally verbose etc.) so that a flaky upload cannot fail CI.
-      - uses: codecov/codecov-action@v5
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+      - uses: codecov/codecov-action@v5
+        if: ${{ always() }}
+        with:
+          # 若采用 OIDC,请改为:
+          # use_oidc: true
+          # 并移除 token,同步在顶层 permissions 增加 id-token: write
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
+          verbose: true
+          # 可选:指定报告路径或标记
+          # files: ./coverage/lcov.info
+          # flags: unittests
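Review bot: `fail_ci_if_error: false` together with `if: ${{ always() }}` hides upload failures entirely: an expired CODECOV_TOKEN or a misconfigured OIDC trust leaves the job green and the only evidence in the step log, so a broken coverage pipeline can go unnoticed for a long time. If best-effort upload is really wanted, keep `verbose: true` and check the Codecov dashboard for missing reports; otherwise keep the default `fail_ci_if_error` once the token/OIDC path is confirmed. Note also that the `use_oidc: true` variant needs `id-token: write`, which a reusable workflow only gets if the caller grants it too.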

Confirm whether the repository/organisation has enabled Codecov's OIDC integration and allows id-token: write.

@@ -0,0 +1,23 @@
name: react component workflow

on: [workflow_call]
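Review bot: a reusable workflow triggered by `workflow_call` runs with the GITHUB_TOKEN scopes the caller grants, and a `permissions:` block added here can only narrow them, never widen them; so besides the `contents: read` suggestion below, the calling workflows also need reviewing, since a caller with a default read-write token hands that token to every step of this job.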

⚠️ Potential issue

Declare the secrets the reusable workflow needs (CODECOV_TOKEN) explicitly; otherwise the run fails outright when the caller does not pass it

Currently there is only on: [workflow_call], which does not enforce the required secret. Switch to the explicit workflow_call form and require CODECOV_TOKEN:

-on: [workflow_call]
+on:
+  workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        required: true
+    # 可选:暴露可配置输入
+    inputs:
+      node-version:
+        description: 'Node.js version'
+        required: false
+        type: string
+        default: 'lts/*'
+      utoo-version:
+        description: 'UTOO version'
+        required: false
+        type: string
+        default: 'latest'
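Review bot: `required: true` turns a missing secret into a validation error at the caller, which is the right place to fail, but callers still have to pass it explicitly (`secrets: { CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} }`) or use `secrets: inherit`; a reusable workflow never sees the caller's secrets by default. The two declared inputs are only meaningful if the setup-node/setup-utoo suggestion above is applied as well; otherwise they are dead configuration.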
🤖 Prompt for AI Agents
.github/workflows/test-utoo.yml around line 3: the workflow currently uses a
bare "on: [workflow_call]" and doesn't declare required secrets, so callers that
don't pass CODECOV_TOKEN will fail; update the trigger to the explicit
workflow_call form and declare CODECOV_TOKEN as a required secret (under on:
workflow_call -> secrets: required: - CODECOV_TOKEN) so callers are forced to
provide it and the workflow fails early with a clear requirement.

Comment on lines +5 to +9
jobs:
react-component-workflow:
name: react component workflow
runs-on: ubuntu-latest
steps:

🛠️ Refactor suggestion

Least privilege, concurrency and timeout: improve security and stability

Restrict GITHUB_TOKEN, and set concurrency and a timeout to avoid stuck runs.

 name: react component workflow
-
 on: 
   # ...同上
+
+permissions:
+  contents: read
+  # 如后续采用 Codecov OIDC(无 token),再加:id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.workflow_ref }}-${{ github.run_id }}
+  cancel-in-progress: false
+
+env:
+  CI: true
+
 jobs:
   react-component-workflow:
     name: react component workflow
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
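Review bot: the suggested `group:` ends in `${{ github.run_id }}`, which is unique to every run, so no two runs ever share a group and the `concurrency` block has no effect; if the intent is to serialise or cancel runs on the same ref, the key should be `${{ github.workflow }}-${{ github.ref }}`, as the AI-agent prompt below actually describes. Keep `cancel-in-progress: false` when callers include the main branch, and use `true` for PR-only callers where superseded runs are wasted work.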
🤖 Prompt for AI Agents
.github/workflows/test-utoo.yml around lines 5 to 9: The workflow job lacks
least-privilege GITHUB_TOKEN permissions and missing concurrency/timeout
settings; update the job definition to explicitly set minimal permissions
required for the job (e.g., restrict to contents: read, id-token or other
specific scopes your steps need) by adding a top-level permissions block, add a
concurrency key to prevent parallel runs for the same ref (e.g., concurrency: {
group: github.workflow + github.ref, cancel-in-progress: true }), and add
timeout-minutes to the job to cap execution time and avoid stuck runs.

Comment on lines +10 to +12
- uses: actions/checkout@v4
- uses: utooland/setup-utoo@v1
with:

⚠️ Potential issue

🧩 Analysis chain

Pin third-party Actions to commit SHAs to reduce supply-chain risk

The references are currently floating tags (@v1/@v4/@v5), which can be moved or tampered with. Pin each to the corresponding commit SHA and note the source version in a trailing comment.

-      - uses: actions/checkout@v4
-      - uses: utooland/setup-utoo@v1
+      - uses: actions/checkout@<checkout@v4-commit-sha> # v4
+      - uses: utooland/setup-utoo@<setup-utoo@v1-commit-sha> # v1
       ...
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@<codecov-action@v5-commit-sha> # v5

Look up the latest stable commit SHAs:

Also applies to: 21-23


🌐 Web query:

What are the recommended pinned commit SHAs for actions/checkout@v4, utooland/setup-utoo@v1, and codecov/codecov-action@v5?

💡 Result:

Do you want me to look up the current full commit SHAs now (I’ll fetch and return the recommended pinned SHAs for those three actions)?


🏁 Script executed:

#!/bin/bash
# Fetch commit SHAs for specified tags
curl -s https://api.github.com/repos/actions/checkout/git/refs/tags/v4 | jq -r '.object.sha'
curl -s https://api.github.com/repos/utooland/setup-utoo/git/refs/tags/v1 | jq -r '.object.sha'
curl -s https://api.github.com/repos/codecov/codecov-action/git/refs/tags/v5 | jq -r '.object.sha'

Length of output: 122


Pin third-party Actions to commit SHAs to reduce supply-chain risk

File: .github/workflows/test-utoo.yml (lines 10-12, 21-23)
The commit SHAs for the corresponding tags have been retrieved; replace as follows:

-      - uses: actions/checkout@v4
-      - uses: utooland/setup-utoo@v1
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: utooland/setup-utoo@95032667c071f3f6dbf87768172e6216ad4b9e31 # v1
       ...
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
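Review bot: the SHAs come from `git/refs/tags/<tag>`, which returns the SHA of the tag object when a tag is annotated rather than the commit it points to, so confirm each value is a commit (for example by fetching it from the repository's commits API) before pinning; a tag-object SHA in `uses:` fails at runtime. Also record the exact release in the trailing comment (`# v4.x.y`) instead of the floating major, since dependency-update bots match SHA pins to versions through that comment, and a bare `# v4` leaves no record of which release was audited.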
🤖 Prompt for AI Agents
In .github/workflows/test-utoo.yml around lines 10-12 and 21-23, the workflow
pins third-party actions by tag (e.g., actions/checkout@v4 and
utooland/setup-utoo@v1); replace each tag reference with the corresponding
commit SHA you retrieved (e.g., actions/checkout@<checkout-commit-sha> and
utooland/setup-utoo@<setup-utoo-commit-sha>) so the workflow uses the exact
commit SHA instead of the mutable tag; update both occurrences and commit the
change.
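The review comments above all ask for the same kind of hardening: actions pinned to commit SHAs, least-privilege permissions, a job timeout, declared secrets and a concurrency key that actually groups runs. As an added example (not part of this PR and not CodeRabbit's output), the Python script below encodes those checks as a small line-based policy linter and runs it over two constructed inputs: the workflow as added by this PR, reconstructed from the snippets quoted in the review, and a hardened version with the suggestions applied. The checks are deliberately regex-based so the script needs no YAML library; the commit SHAs in the hardened sample are the ones the review bot's script retrieved above and must be verified against the upstream repositories before use.

```python
import re

# Constructed sample 1: the workflow added by this PR, reconstructed from the
# review snippets (23 lines, matching the @@ -0,0 +1,23 @@ header).
ORIGINAL_WORKFLOW = """\
name: react component workflow

on: [workflow_call]

jobs:
  react-component-workflow:
    name: react component workflow
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: utooland/setup-utoo@v1
        with:
          utoo-version: 'latest'
          registry: 'https://registry.npmmirror.com/'
          cache-store: true
      - run: ut
      - run: ut lint
      - run: utx tsc --noEmit
      - run: ut compile
      - run: ut test -- --coverage
      - uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
"""

# Constructed sample 2: the same workflow with the review suggestions applied.
# SHAs are the ones the review bot retrieved; verify them before real use.
HARDENED_WORKFLOW = """\
name: react component workflow

on:
  workflow_call:
    secrets:
      CODECOV_TOKEN:
        required: true

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  react-component-workflow:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
        with:
          persist-credentials: false
      - uses: utooland/setup-utoo@95032667c071f3f6dbf87768172e6216ad4b9e31 # v1
        with:
          utoo-version: 'latest'
          registry: 'https://registry.npmjs.org/'
          cache-store: true
      - run: |
          set -euo pipefail
          ut && ut lint && utx tsc --noEmit && ut compile && ut test -- --coverage
      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@([^\s#]+)")  # owner/repo@ref


def lint_workflow(text: str) -> list[str]:
    """Return policy findings for a workflow file; an empty list means all checks passed."""
    findings: list[str] = []
    saw_permissions = saw_timeout = saw_secrets = False
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(f"line {n}: {m.group(1)}@{m.group(2)} is a mutable ref; pin to a commit SHA")
        if line.startswith("permissions:"):
            saw_permissions = True
        if re.match(r"^\s+timeout-minutes:", line):
            saw_timeout = True
        if re.match(r"^\s+secrets:\s*$", line):       # a secrets: block, not secrets.X
            saw_secrets = True
        if re.match(r"^\s+group:", line) and "github.run_id" in line:
            findings.append(f"line {n}: concurrency group contains github.run_id, so it never groups two runs")
    if not saw_permissions:
        findings.append("no top-level permissions block; GITHUB_TOKEN keeps the caller's scopes")
    if not saw_timeout:
        findings.append("no timeout-minutes on the job; a hung step runs until the 6-hour limit")
    if "workflow_call" in text and not saw_secrets:
        findings.append("workflow_call declares no secrets; callers can silently omit CODECOV_TOKEN")
    return findings


if __name__ == "__main__":
    for name, wf in (("original", ORIGINAL_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = lint_workflow(wf)
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it as a pre-commit hook or a CI step over `.github/workflows/*.yml`: the original sample yields six findings (three unpinned actions plus the missing permissions, timeout and declared secrets), the hardened one yields none. The checks are intentionally coarse; a YAML-aware tool would also catch a `permissions:` block nested at the wrong level, which this line scan would accept.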

@zombieJ zombieJ merged commit 2365f20 into react-component:main Sep 18, 2025
4 checks passed