15 changes: 15 additions & 0 deletions .github/workflows/ci.yml
@@ -26,3 +26,18 @@ jobs:

- name: Build
run: npm run build

dogfood:
name: Self-test (dogfood)
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
Comment on lines +30 to +36

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -80

Repository: supermodeltools/dead-code-hunter

Length of output: 1206


🏁 Script executed:

cat -n action.yml

Repository: supermodeltools/dead-code-hunter

Length of output: 1337


Skip dogfood job on forked PRs—secrets won't be available.

Here's the issue: when someone opens a PR from a forked repo, GitHub Actions intentionally blocks access to secrets as a security measure. So secrets.SUPERMODEL_API_KEY becomes empty.

Your action requires that API key (see required: true in action.yml), so the job will crash immediately when the secret is empty. To avoid cluttering CI with failures you can't fix, skip the dogfood job when running on forked PRs.

The condition below works because it says: "run this job if it's a push event OR if it's a PR from the main repo (not a fork)":

🛠️ Suggested guard
   dogfood:
     name: Self-test (dogfood)
     runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     permissions:
       contents: read
       pull-requests: write
🤖 Prompt for AI Agents
In @.github/workflows/ci.yml around lines 30 - 36, The dogfood job should be
skipped for forked PRs because secrets are unavailable; update the dogfood job
definition in .github/workflows/ci.yml to add an if condition that only runs on
push or on pull_request originating from the same repository (not a fork).
Specifically, add an if: expression to the dogfood job (the job named "dogfood")
such as: github.event_name == 'push' || (github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository) so the job
won't run for forked PRs where secrets like secrets.SUPERMODEL_API_KEY are
empty.

- uses: actions/checkout@v4

- name: Run Dead Code Hunter on itself
uses: ./
with:
Comment on lines +39 to +41

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check action.yml structure and entry point
fd -a 'action.ya?ml' -type f

Repository: supermodeltools/dead-code-hunter

Length of output: 246


🏁 Script executed:

# Read action.yml to see what it points to
cat -n action.yml | head -20

Repository: supermodeltools/dead-code-hunter

Length of output: 775


🏁 Script executed:

# Check if dist/index.js exists
fd -a 'index.js' dist/

Repository: supermodeltools/dead-code-hunter

Length of output: 108


🏁 Script executed:

# Look at the full workflow around the dogfood step to see if there's a build
sed -n '1,50p' .github/workflows/ci.yml | cat -n

Repository: supermodeltools/dead-code-hunter

Length of output: 1206


🏁 Script executed:

cat -n action.yml | tail -30

Repository: supermodeltools/dead-code-hunter

Length of output: 1097


Dogfood job needs to build before testing the action.

The dogfood job runs uses: ./ which points to dist/index.js (from action.yml), but it only does checkout—no build step. Since GitHub jobs run in parallel by default, the dogfood might test an outdated dist/index.js if your PR hasn't committed pre-built dist/ files.

Fix this by adding a build step in the dogfood job (same as test job has at line 28: npm run build), or add needs: test to ensure dogfood waits for the build to complete.

🤖 Prompt for AI Agents
In @.github/workflows/ci.yml around lines 39 - 41, The dogfood job currently
invokes the action via "uses: ./" (which relies on built dist/index.js) but has
no build step; either add the same build step used in the test job (run "npm run
build" before the action invocation) or make the dogfood job depend on the test
job by adding "needs: test" so it waits for the build to complete; update the
"dogfood" job definition to include one of these fixes so the action under test
uses an up-to-date dist/index.js.

supermodel-api-key: ${{ secrets.SUPERMODEL_API_KEY }}
github-token: ${{ secrets.GITHUB_TOKEN }}
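Review bot: The `with:` block at the end of this hunk hands the PR's own checked-out code (`uses: ./`) both `secrets.SUPERMODEL_API_KEY` and a `GITHUB_TOKEN` that the job-level `permissions:` scopes to `contents: read` and `pull-requests: write`. Under a `pull_request` trigger (which the suggested guard's `github.event_name != 'pull_request'` check implies) that is acceptable, because fork PRs get neither secrets nor a write token and same-repo PR authors already have push access; it is also the reason this job must stay on `pull_request` and never be moved to `pull_request_target`, which would run fork-supplied `dist/index.js` with the real key and a write token. Two smaller points: keep `permissions:` at the job level as written rather than widening it at the workflow level, and consider pinning `actions/checkout@v4` to a full commit SHA so the dogfood job's one external dependency is immutable.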
2 changes: 1 addition & 1 deletion dist/index.js
@@ -32621,7 +32621,7 @@ async function run() {
core.setOutput('dead-code-json', JSON.stringify(deadCode));
// Step 6: Post PR comment if enabled
if (commentOnPr && github.context.payload.pull_request) {
const token = process.env.GITHUB_TOKEN;
const token = core.getInput('github-token') || process.env.GITHUB_TOKEN;
if (token) {
const octokit = github.getOctokit(token);
const comment = (0, dead_code_1.formatPrComment)(deadCode);
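Review bot: The compiled line matches the `src/index.ts` change, which is the thing to verify here, since `dist/index.js` is a committed build artifact that `uses: ./` executes directly and nothing in CI currently proves the two stay in sync. Add a check that rebuilds and fails on drift, for example `npm run build && git diff --exit-code -- dist/`, so a future `src/` change without a rebuild cannot ship, or be dogfooded, as stale compiled code.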
2 changes: 1 addition & 1 deletion src/index.ts
@@ -172,7 +172,7 @@ async function run(): Promise<void> {

// Step 6: Post PR comment if enabled
if (commentOnPr && github.context.payload.pull_request) {
const token = process.env.GITHUB_TOKEN;
const token = core.getInput('github-token') || process.env.GITHUB_TOKEN;
if (token) {
const octokit = github.getOctokit(token);
const comment = formatPrComment(deadCode);
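Review bot: The new precedence means a caller-supplied `github-token` input overrides `process.env.GITHUB_TOKEN`, and that input may be a personal access token rather than the workflow token; call `core.setSecret(token)` before `github.getOctokit(token)` so the value is masked in logs regardless of how it was supplied. Also, `if (token)` skips commenting silently when neither source is set, so add `core.warning('no github-token input or GITHUB_TOKEN set; skipping PR comment')` in the else branch (not shown in this hunk) to make the misconfiguration visible.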