fix: Read github-token from input instead of env var

[jonathanpopham]

Summary

• Fix bug where GITHUB_TOKEN was read from process.env instead of core.getInput('github-token')
• This caused the warning "GITHUB_TOKEN not available, skipping PR comment" even when the token was provided as an input
• Add dogfood CI job to test the action on itself

The Bug

// Before (broken)
const token = process.env.GITHUB_TOKEN;

// After (fixed)
const token = core.getInput('github-token') || process.env.GITHUB_TOKEN;

Test plan

• CI will run the dogfood job which tests the action on itself
• Should see PR comment posted (no more warning)

Summary by CodeRabbit

• Tests

  • Added automated self-testing workflow to validate tool functionality through continuous integration

• Chores

  • Improved GitHub authentication configuration for greater flexibility in specifying token inputs

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR adds a self-test CI workflow called "dogfood" that runs Dead Code Hunter on its own repository to validate functionality, and updates the token acquisition logic to accept a github-token action input with fallback to the GITHUB_TOKEN environment variable.

Changes

Cohort / File(s)	Summary
CI Workflow Configuration .github/workflows/ci.yml	Added new dogfood job that runs Dead Code Hunter on the repository itself using actions/checkout@v4 and the local action (.), passing API key and GitHub token as inputs. Includes appropriate permissions for reading contents and writing pull requests.
Token Handling Logic src/index.ts	Modified token acquisition to check for github-token action input first, falling back to GITHUB_TOKEN environment variable if input is not provided, preserving backward compatibility.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Test: Self-analysis with intentional dead code #2 — Involves parallel dogfooding CI workflow and token/API handling modifications in the same files.

Poem

🐕 The hunter turns to hunt itself,
A mirror held with dogfood wealth,
Token flows from input streams,
Self-testing fuels the CI dreams! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change—switching from reading github-token from an environment variable to reading it from action input instead.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dead Code Hunter

Found 2 potentially unused functions:

Function	File	Line
findDeadCode	src/dead-code.ts#L98	L98
formatPrComment	src/dead-code.ts#L154	L154

---

Powered by Supermodel graph analysis

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/ci.yml:
- Around line 39-41: The dogfood job currently invokes the action via "uses: ./"
(which relies on built dist/index.js) but has no build step; either add the same
build step used in the test job (run "npm run build" before the action
invocation) or make the dogfood job depend on the test job by adding "needs:
test" so it waits for the build to complete; update the "dogfood" job definition
to include one of these fixes so the action under test uses an up-to-date
dist/index.js.
- Around line 30-36: The dogfood job should be skipped for forked PRs because
secrets are unavailable; update the dogfood job definition in
.github/workflows/ci.yml to add an if condition that only runs on push or on
pull_request originating from the same repository (not a fork). Specifically,
add an if: expression to the dogfood job (the job named "dogfood") such as:
github.event_name == 'push' || (github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository) so the job
won't run for forked PRs where secrets like secrets.SUPERMODEL_API_KEY are
empty.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -80

Repository: supermodeltools/dead-code-hunter

Length of output: 1206

---

🏁 Script executed:

cat -n action.yml

Repository: supermodeltools/dead-code-hunter

Length of output: 1337

---

Skip dogfood job on forked PRs—secrets won't be available.

Here's the issue: when someone opens a PR from a forked repo, GitHub Actions intentionally blocks access to secrets as a security measure. So secrets.SUPERMODEL_API_KEY becomes empty.

Your action requires that API key (see required: true in action.yml), so the job will crash immediately when the secret is empty. To avoid cluttering CI with failures you can't fix, skip the dogfood job when running on forked PRs.

The condition below works because it says: "run this job if it's a push event OR if it's a PR from the main repo (not a fork)":

🛠️ Suggested guard

   dogfood:
     name: Self-test (dogfood)
     runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     permissions:
       contents: read
       pull-requests: write

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	dogfood:
	name: Self-test (dogfood)
	runs-on: ubuntu-latest
	permissions:
	contents: read
	pull-requests: write
	steps:
	dogfood:
	name: Self-test (dogfood)
	runs-on: ubuntu-latest
	if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
	permissions:
	contents: read
	pull-requests: write
	steps:

🤖 Prompt for AI Agents

In @.github/workflows/ci.yml around lines 30 - 36, The dogfood job should be
skipped for forked PRs because secrets are unavailable; update the dogfood job
definition in .github/workflows/ci.yml to add an if condition that only runs on
push or on pull_request originating from the same repository (not a fork).
Specifically, add an if: expression to the dogfood job (the job named "dogfood")
such as: github.event_name == 'push' || (github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository) so the job
won't run for forked PRs where secrets like secrets.SUPERMODEL_API_KEY are
empty.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check action.yml structure and entry point
fd -a 'action.ya?ml' -type f

Repository: supermodeltools/dead-code-hunter

Length of output: 246

---

🏁 Script executed:

# Read action.yml to see what it points to
cat -n action.yml | head -20

Repository: supermodeltools/dead-code-hunter

Length of output: 775

---

🏁 Script executed:

# Check if dist/index.js exists
fd -a 'index.js' dist/

Repository: supermodeltools/dead-code-hunter

Length of output: 108

---

🏁 Script executed:

# Look at the full workflow around the dogfood step to see if there's a build
sed -n '1,50p' .github/workflows/ci.yml | cat -n

Repository: supermodeltools/dead-code-hunter

Length of output: 1206

---

🏁 Script executed:

cat -n action.yml | tail -30

Repository: supermodeltools/dead-code-hunter

Length of output: 1097

---

Dogfood job needs to build before testing the action.

The dogfood job runs uses: ./ which points to dist/index.js (from action.yml), but it only does checkout—no build step. Since GitHub jobs run in parallel by default, the dogfood might test an outdated dist/index.js if your PR hasn't committed pre-built dist/ files.

Fix this by adding a build step in the dogfood job (same as test job has at line 28: npm run build), or add needs: test to ensure dogfood waits for the build to complete.

🤖 Prompt for AI Agents

In @.github/workflows/ci.yml around lines 39 - 41, The dogfood job currently
invokes the action via "uses: ./" (which relies on built dist/index.js) but has
no build step; either add the same build step used in the test job (run "npm run
build" before the action invocation) or make the dogfood job depend on the test
job by adding "needs: test" so it waits for the build to complete; update the
"dogfood" job definition to include one of these fixes so the action under test
uses an up-to-date dist/index.js.