feat: migrate to pnpm, enhance Docker and deployment workflows, and improve clipboard OTP UX

[mrbadri]

Description

Changes

Checks

• Storybook updated
• Build succeeds
• Standards followed

Summary by CodeRabbit

• New Features

  • Introduced clipboard OTP extraction and paste functionality with a new PasteOtpButton component and useClipboardOtp hook.
  • Added production, development, and preview Docker Compose configurations.
  • Implemented a comprehensive CI/CD pipeline automating build, deployment, preview environments, and cleanup on PR closure.

• Enhancements

  • Improved OTP input with digit-only validation, clipboard support, and automatic submission in signup and password reset flows.
  • Enhanced login and password reset forms with route prefetching and personalized login success messages.
  • Added a back button to the authentication card for easier navigation.

• Bug Fixes

  • Improved error handling in authentication forms.

• Chores

  • Migrated package management from Yarn to pnpm and updated workspace dependency protocols.
  • Updated Dockerfiles and environment variable handling for deployments.
  • Removed authentication checks from middleware to simplify routing.

• Style

  • Applied formatting and minor UI adjustments for readability and consistency.

• Refactor

  • Streamlined password input and OTP input components for better usability.
  • Simplified middleware logic by disabling authentication checks.

• Documentation

  • Added HAProxy configuration examples for multi-environment routing including production, development, and PR previews.

[coderabbitai]

Walkthrough

This update introduces a pnpm-based monorepo workspace configuration, replacing Yarn, and updates all relevant package and Docker files accordingly. It adds a CI/CD pipeline using GitHub Actions, enhances OTP input UX with clipboard support, and makes various dependency, environment, and authentication-related adjustments across the codebase. Several new utility components and hooks are introduced.

Changes

File(s)	Change Summary
.github/workflows/deploy.yml	Added a comprehensive CI/CD workflow with build, deploy (production, development, preview), and cleanup-preview jobs using Docker Compose and GitHub secrets; includes concurrency control and PR comment integration.
pnpm-workspace.yaml, scripts/prepare.js, package.json	Switched package manager from Yarn to pnpm; added pnpm workspace config; updated scripts and package manager fields accordingly.
apps/core/Dockerfile, docker-compose.yml, docker-compose.prod.yml, docker-compose.dev.yml, docker-compose.preview.yml	Migrated Docker and Compose files to use pnpm; updated environment variable handling; renamed services and containers; removed external network; added production, development, and preview Compose files with appropriate image tags and port mapping.
apps/core/package.json, apps/storybook/package.json, packages/apis/package.json, packages/ui/package.json, packages/design-system/package.json, packages/icons/package.json, packages/utils/package.json	Updated internal dependency versions to use workspace:* protocol; added or removed dependencies as needed; added new runtime and dev dependencies such as @tabler/icons-react, lucide-react, input-otp, and recharts.
apps/core/app/auth/_components/auth-card.tsx	Converted AuthCard to a client component; added a back button using Next.js router; adjusted vertical padding.
apps/core/app/auth/login/_components/form/loginForm.tsx, apps/core/app/auth/forget-password/_components/form/forgetPasswordForm.tsx	Enhanced error handling with toasts, added route prefetching, enabled autofocus on username inputs, and simplified link styling.
apps/core/app/auth/set-password/page.tsx, apps/core/app/auth/signup/otp/_components/signup-otp-form.tsx	Refactored OTP input to support clipboard paste via new PasteOtpButton and useClipboardOtp hook; restricted OTP input to digits only; improved UX and form control synchronization.
packages/ui/src/components/molecules/paste-otp-button.tsx, packages/ui/src/hooks/use-clipboard-otp.ts, packages/ui/src/components/index.ts, packages/ui/src/hooks/index.ts	Added new PasteOtpButton component and useClipboardOtp hook for extracting OTPs from clipboard; updated exports to include them.
packages/ui/src/components/molecules/passwordInput.tsx	Refactored PasswordInput to use an iconRight prop for the show/hide toggle button, simplifying structure and logic.
packages/ui/src/constant/cookie.ts, packages/apis/src/constant/cookie.ts, packages/apis/src/utils/cookies.ts	Moved COOKIES constant from UI package to APIs package; updated import paths accordingly; deleted original UI constant file.
packages/apis/src/instance/core-api.ts, packages/apis/src/instance/guest-api.ts	Temporarily hardcoded API base URLs to "http://api.pixelgenius.ir" instead of using environment variables, with TODO comments to revert later.
apps/core/app/(landing)/_components/mobile-menu/BrowseSheet.tsx, apps/core/app/(landing)/become-auther/_components/auther-form.tsx	Code formatting and whitespace/style improvements only; no functional changes.
apps/core/app/auth/login/page.tsx	Removed commented-out social login and forgot password UI code; cleaned up link prefetch attribute.
apps/core/middleware.ts	Commented out all authentication and redirect logic; middleware now passes requests through unconditionally.
packages/icons/src/types/types.ts	Changed IconProps interface to extend SVGAttributes<SVGSVGElement> instead of SVGElement.
packages/ui/tsconfig.json	Added ../apis/src/constant to the TypeScript include paths.
scripts/haproxy-config-helper.md	Added documentation for HAProxy configuration supporting production, development, and PR preview environments with domain and port routing examples.
Other package.json files	Updated internal dependency protocols and made minor dependency adjustments.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant UI (React)
    participant useClipboardOtp Hook
    participant PasteOtpButton
    participant Server/API

    User->>UI (React): Navigates to OTP input page
    UI (React)->>useClipboardOtp Hook: Mounts, checks clipboard (auto)
    useClipboardOtp Hook->>UI (React): Sets extractedOtp state
    User->>PasteOtpButton: Clicks "Paste OTP"
    PasteOtpButton->>useClipboardOtp Hook: Reads extractedOtp
    PasteOtpButton->>UI (React): Calls onPaste with OTP
    UI (React)->>Server/API: Submits OTP for verification
    Server/API-->>UI (React): Returns verification result

Loading

Possibly related PRs

• feat: handle dockerize core app #272: Introduces the initial multi-stage Dockerfile and basic docker-compose setup for the core app; related due to overlapping Dockerfile and containerization changes.
• Test pr #275: Implements a simpler preview deployment workflow with PR comment integration; related as both involve PR preview deployment workflows, with the current PR extending and replacing it.

Poem

🐇
Hopping from Yarn to pnpm, the workspace now is neat,
With Docker Compose and CI flows, our build is quite complete.
OTPs from clipboards paste with ease,
And back buttons help you leave as you please.
In every burrowed file and line,
This rabbit finds the code divine!

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[openzeppelin-code]

Pnpm

Generated at commit: 4ee4a0861e9e1ac52b522a0f38b3dc1ee4c20558

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	0 0 0 0 0 0
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[coderabbitai]

Actionable comments posted: 9

🧹 Nitpick comments (9)

docker-compose.prod.yml (1)

1-13: Consider adding production-specific configurations.

The Docker Compose configuration is functional but may benefit from additional production-specific settings:

1. Resource limits: Consider adding memory and CPU limits to prevent resource exhaustion
2. Health checks: Add health check configuration for better monitoring
3. Security: Consider adding security_opt or user configurations

Here's an enhanced version with production best practices:

version: "3.8"

services:
  core-client:
    container_name: core-client
    build:
      context: .
      dockerfile: ./apps/core/Dockerfile
    restart: always
+   deploy:
+     resources:
+       limits:
+         memory: 512M
+         cpus: '0.5'
+   healthcheck:
+     test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
+     interval: 30s
+     timeout: 10s
+     retries: 3
    environment:
      NEXT_PUBLIC_BASE_URL: ${NEXT_PUBLIC_BASE_URL}
      NEXT_PUBLIC_BASE_URL_ATTACHMENT: ${NEXT_PUBLIC_BASE_URL_ATTACHMENT}

apps/core/Dockerfile (1)

26-27: Remove outdated comment and verify build efficiency.

The comment mentions "Configure pnpm with better network settings and use Taobao registry" but the command uses the standard pnpm install --frozen-lockfile without any registry configuration.

-# Configure pnpm with better network settings and use Taobao registry
-RUN pnpm install --frozen-lockfile
+RUN pnpm install --frozen-lockfile

.github/workflows/deploy.yml (3)

46-46: Fix trailing spaces.

Remove trailing spaces as flagged by yamllint.

-          docker compose -f docker-compose.prod.yml up -d 
+          docker compose -f docker-compose.prod.yml up -d

---

16-20: Eliminate duplicate .env file creation.

The .env file creation is duplicated in both jobs. Consider using a reusable workflow or moving it to a shared step.

+  create-env:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create .env file
+        run: |
+          echo "NEXT_PUBLIC_BASE_URL=${{ secrets.NEXT_PUBLIC_BASE_URL }}" >> .env
+          echo "NEXT_PUBLIC_BASE_URL_ATTACHMENT=${{ secrets.NEXT_PUBLIC_BASE_URL_ATTACHMENT }}" >> .env
+      - name: Upload .env as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: env-file
+          path: .env
+
   build:
     runs-on: [self-hosted, core]
+    needs: create-env
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
-
-      - name: Create .env file
-        run: |
-          echo "NEXT_PUBLIC_BASE_URL=${{ secrets.NEXT_PUBLIC_BASE_URL }}" >> .env
-          echo "NEXT_PUBLIC_BASE_URL_ATTACHMENT=${{ secrets.NEXT_PUBLIC_BASE_URL_ATTACHMENT }}" >> .env
+      - name: Download .env file
+        uses: actions/download-artifact@v4
+        with:
+          name: env-file

Also applies to: 37-41

---

48-48: Implement rollback logic for failed deployments.

The comment indicates missing rollback logic. Consider implementing health checks and rollback mechanisms for production deployments.

Would you like me to generate a robust deployment script with health checks and rollback capabilities?

apps/core/app/auth/signup/otp/_components/signup-otp-form.tsx (1)

70-75: Consider adding user confirmation for auto-submit on paste.

The auto-submit functionality on paste is convenient but might be too aggressive. Consider adding a brief delay or user confirmation to prevent accidental submissions.

 const handlePasteOtp = (otp: string) => {
   setValue("otp", otp);
-  // Auto submit after pasting valid OTP
-  const data = getValues();
-  handleSubmitForm(data);
+  // Auto submit after pasting valid OTP with a brief delay
+  setTimeout(() => {
+    const data = getValues();
+    handleSubmitForm(data);
+  }, 500);
 };

packages/ui/src/components/molecules/paste-otp-button.tsx (1)

57-62: Consider using CSS variables for variant-based styling.

The current approach with conditional classes works but could be improved with CSS variables for better maintainability and consistency with the design system.

Consider refactoring to use CSS variables:

-              variant === "primary" && "bg-primary",
-              variant === "secondary" && "bg-secondary",
-              variant === "tertiary" && "bg-tertiary",
+              "bg-[var(--button-bg)]",

This would require the Button component to set appropriate CSS variables based on the variant.

packages/ui/src/hooks/use-clipboard-otp.ts (2)

91-91: Remove debug console.log statement.

The console.log statement appears to be debug code that should be removed before production.

-        console.log("permission", permission);

---

168-168: Remove debug console.log statement.

Another debug console.log that should be removed.

-            console.log("permission changed", permissionStatus);

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f42431e and dbde556.

⛔ Files ignored due to path filters (2)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (36)

• .github/workflows/deploy.yml (1 hunks)
• apps/core/Dockerfile (4 hunks)
• apps/core/app/(landing)/_components/mobile-menu/BrowseSheet.tsx (3 hunks)
• apps/core/app/(landing)/become-auther/_components/auther-form.tsx (0 hunks)
• apps/core/app/auth/_components/auth-card.tsx (1 hunks)
• apps/core/app/auth/forget-password/_components/form/forgetPasswordForm.tsx (1 hunks)
• apps/core/app/auth/login/_components/form/loginForm.tsx (5 hunks)
• apps/core/app/auth/login/page.tsx (1 hunks)
• apps/core/app/auth/set-password/page.tsx (7 hunks)
• apps/core/app/auth/signup/otp/_components/signup-otp-form.tsx (5 hunks)
• apps/core/middleware.ts (1 hunks)
• apps/core/package.json (2 hunks)
• apps/storybook/package.json (2 hunks)
• docker-compose.prod.yml (1 hunks)
• docker-compose.yml (1 hunks)
• package.json (1 hunks)
• packages/apis/package.json (2 hunks)
• packages/apis/src/constant/cookie.ts (1 hunks)
• packages/apis/src/instance/core-api.ts (2 hunks)
• packages/apis/src/instance/guest-api.ts (1 hunks)
• packages/apis/src/utils/cookies.ts (1 hunks)
• packages/design-system/package.json (1 hunks)
• packages/icons/package.json (1 hunks)
• packages/icons/src/types/types.ts (1 hunks)
• packages/ui/package.json (2 hunks)
• packages/ui/src/components/index.ts (1 hunks)
• packages/ui/src/components/molecules/passwordInput.tsx (1 hunks)
• packages/ui/src/components/molecules/paste-otp-button.tsx (1 hunks)
• packages/ui/src/constant/cookie.ts (0 hunks)
• packages/ui/src/hooks/index.ts (1 hunks)
• packages/ui/src/hooks/use-clipboard-otp.ts (1 hunks)
• packages/ui/src/hooks/use-dimensions.ts (1 hunks)
• packages/ui/tsconfig.json (1 hunks)
• packages/utils/package.json (1 hunks)
• pnpm-workspace.yaml (1 hunks)
• scripts/prepare.js (1 hunks)

💤 Files with no reviewable changes (2)

• apps/core/app/(landing)/become-auther/_components/auther-form.tsx
• packages/ui/src/constant/cookie.ts

🧰 Additional context used

🧠 Learnings (3)

apps/storybook/package.json (1)

Learnt from: mrbadri
PR: pixel-genius/pixel-client#133
File: apps/core/app/dashboard/_compnents/app-sidebar.tsx:17-20
Timestamp: 2024-12-22T16:57:42.240Z
Learning: We always use '@repo/icons' path alias instead of relative paths for icons across the codebase for maintainability.

apps/core/package.json (1)

Learnt from: mrbadri
PR: pixel-genius/pixel-client#133
File: apps/core/app/dashboard/_compnents/app-sidebar.tsx:17-20
Timestamp: 2024-12-22T16:57:42.240Z
Learning: We always use '@repo/icons' path alias instead of relative paths for icons across the codebase for maintainability.

packages/ui/package.json (1)

Learnt from: mrbadri
PR: pixel-genius/pixel-client#133
File: apps/core/app/dashboard/_compnents/app-sidebar.tsx:17-20
Timestamp: 2024-12-22T16:57:42.240Z
Learning: We always use '@repo/icons' path alias instead of relative paths for icons across the codebase for maintainability.

🧬 Code Graph Analysis (4)

apps/core/app/auth/forget-password/_components/form/forgetPasswordForm.tsx (3)

packages/apis/src/services/core/accounts/users/forgot-password/post/post-forget-password.types.ts (1)

• PostForgetPasswordRequest (5-5)

packages/apis/src/services/core/accounts/users/forgot-password/post/post-forget-password.schema.ts (1)

• postForgetPasswordSchema (15-18)

packages/apis/src/services/core/accounts/users/forgot-password/post/use-post-forget-password.ts (1)

• UsePostForgetPassword (22-34)

apps/core/app/auth/signup/otp/_components/signup-otp-form.tsx (1)

packages/ui/src/components/molecules/paste-otp-button.tsx (1)

• PasteOtpButton (26-72)

packages/ui/src/components/molecules/paste-otp-button.tsx (2)

packages/ui/src/components/atoms/button.tsx (1)

• Button (151-151)

packages/ui/src/lib/utils.ts (1)

• cn (4-6)

apps/core/app/auth/set-password/page.tsx (2)

packages/ui/src/hooks/use-clipboard-otp.ts (1)

• useClipboardOtp (30-222)

packages/ui/src/components/molecules/paste-otp-button.tsx (1)

• PasteOtpButton (26-72)

🪛 YAMLlint (1.37.1)

pnpm-workspace.yaml

[error] 3-3: no new line character at the end of file

(new-line-at-end-of-file)

---

[error] 3-3: trailing spaces

(trailing-spaces)

.github/workflows/deploy.yml

[error] 46-46: trailing spaces

(trailing-spaces)

🪛 actionlint (1.7.7)

.github/workflows/deploy.yml

11-11: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🪛 Biome (1.9.4)

packages/ui/src/hooks/use-clipboard-otp.ts

[error] 85-85: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

---

[error] 160-160: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

🔇 Additional comments (60)

packages/icons/src/types/types.ts (1)

3-3: Good type narrowing improvement!

Changing from SVGElement to SVGSVGElement makes the type more specific and semantically correct for icon components that render as <svg> elements. This provides better type safety and IntelliSense support without introducing breaking changes.

apps/core/app/(landing)/_components/mobile-menu/BrowseSheet.tsx (1)

1-12: LGTM - Clean formatting improvements!

The formatting changes improve code readability and consistency across import statements, JSX elements, and exports without affecting functionality.

Also applies to: 30-32, 35-38, 49-49

packages/apis/src/utils/cookies.ts (1)

1-1: Cookies constant import and location verified

• Confirmed packages/apis/src/constant/cookie.ts exists.
• The switch from absolute to relative import is appropriate and keeps constants close to their usage.

All set!

packages/ui/src/hooks/use-dimensions.ts (1)

1-1: Correct addition of client directive!

Adding "use client"; is appropriate here since this hook uses browser-specific APIs (ResizeObserver, getBoundingClientRect, window properties) that only work on the client side. This directive is necessary for Next.js 13+ app router environments.

scripts/prepare.js (1)

7-7: Package manager migration approved

Confirmed that [email protected] is a valid stable release (Dec 6, 2024). While the latest pnpm version is 10.13.1, pinning to 9.15.0 is acceptable for now, and the comment update remains consistent.

packages/ui/tsconfig.json (1)

12-12: LGTM: Proper inclusion of shared constants from apis package.

This change correctly includes the constants from the apis package, aligning with the refactoring to centralize shared constants. The relative path is appropriate for the monorepo structure.

packages/ui/src/hooks/index.ts (1)

3-3: LGTM: Proper export of the new clipboard OTP hook.

The export is correctly placed in alphabetical order and follows the established pattern for hook exports in this package.

packages/icons/package.json (1)

82-83: LGTM: Proper workspace protocol usage for internal dependencies.

The migration from "*" to "workspace:*" aligns with pnpm workspace best practices, ensuring internal packages are resolved from within the workspace for better dependency management.

apps/storybook/package.json (2)

13-14: LGTM: Consistent workspace protocol usage for UI and icons packages.

The migration to "workspace:*" for internal dependencies is consistent with the pnpm workspace setup and ensures proper resolution of internal packages.

---

23-24: LGTM: Proper workspace protocol for development dependencies.

The development dependencies are correctly updated to use the workspace protocol, maintaining consistency with the monorepo migration approach.

packages/design-system/package.json (1)

12-13: LGTM: Workspace protocol migration and Node.js types addition.

The changes properly implement the workspace protocol for the TypeScript config and add the necessary Node.js types dependency, consistent with the monorepo migration and development requirements.

packages/utils/package.json (1)

13-14: LGTM! Proper workspace protocol usage.

The migration from wildcard dependencies to workspace protocol is correct for pnpm monorepos. This ensures proper dependency resolution within the workspace.

packages/apis/src/constant/cookie.ts (1)

1-4: LGTM! Good architectural decision.

Moving cookie constants from the UI package to the APIs package improves separation of concerns and makes the dependency relationship clearer.

apps/core/app/auth/login/page.tsx (1)

20-25: LGTM! Clean UI and improved UX.

The removal of commented-out social login components and the prefetch={false} attribute improves code cleanliness and user experience through default prefetching.

package.json (2)

22-24: LGTM! Consistent workspace protocol usage.

The migration to workspace protocol for internal dependencies is consistent with the pnpm migration.

---

29-29: Confirm [email protected] compatibility

[email protected] is a stable release, widely adopted in early 2025 with no known critical bugs. To avoid any minor version-management or CI/CD mismatches, please:

• Use Corepack to pin the exact pnpm version specified in your packageManager field.
• Verify the active binary in your environment with which pnpm (macOS/Linux) or where.exe pnpm.* (Windows).
• If you run into friction or want the latest features and performance improvements, consider upgrading to the current stable 10.x series (latest: 10.12.1).

No further changes are required here.

packages/ui/src/components/index.ts (1)

56-56: LGTM: Export addition follows proper pattern.

The export for PasteOtpButton is correctly placed in the molecules section and follows the established export pattern in the index file.

apps/core/app/auth/forget-password/_components/form/forgetPasswordForm.tsx (3)

31-33: Good error handling implementation.

The onError callback properly handles API errors with user-friendly feedback, using the server message when available and falling back to a generic message.

---

40-42: Effective performance optimization.

Route prefetching for the next step in the authentication flow improves user experience by preloading the set-password page.

---

49-50: Good UX improvements.

The placeholder text change to "Enter your username" is more accurate than the previous email placeholder, and adding autoFocus improves accessibility and user experience.

apps/core/package.json (3)

13-16: Correct workspace protocol implementation.

The migration from wildcard "*" to "workspace:*" for internal dependencies is the proper approach for pnpm monorepos, ensuring consistent dependency resolution.

---

36-37: Consistent devDependency updates.

The devDependencies also correctly use the workspace protocol, maintaining consistency across the monorepo configuration.

---

29-32: All new dependencies are actively used across the codebase
A ripgrep search over *.ts/*.tsx files confirms that:

• @tabler/icons-react is imported in dozens of UI components
• lucide-react appears throughout atoms and molecules
• input-otp is used in OTP-related forms
• recharts powers charts in the dashboard

Please confirm that the version ranges (^3.12.0, ^0.483.0, ^1.2.4, ^2.12.7) match the latest stable releases (e.g. via npm outdated or the respective package changelogs).

apps/core/middleware.ts (1)

2-19: Critical: Authentication Middleware Disabled Without Replacement

All authentication checks in apps/core/middleware.ts have been commented out, leaving protected routes unguarded and calling NextResponse.next() unconditionally. No alternative authentication logic was found elsewhere in the codebase.

Please confirm this change is intentional and that authentication is now handled in another layer. If it’s temporary, restore or relocate the auth logic and update the cookie import path:

-// import { COOKIES } from "@repo/ui/constant/cookie";
+// import { COOKIES } from "@repo/apis/constant/cookie";

• apps/core/middleware.ts: lines 2–19 need review for reinstating protection or verifying replacement
• Ensure protected routes like /dashboard are still secured

apps/core/app/auth/_components/auth-card.tsx (3)

1-1: Good: Client component conversion is appropriate

Converting to a client component is correct since the component now uses the useRouter hook for navigation.

---

19-29: Good: Well-implemented back button with accessibility

The back button implementation is excellent:

• Proper accessibility with aria-label
• Consistent styling with existing design system
• Appropriate positioning and hover states

---

32-32: Minor: Padding adjustment looks good

The padding change from py-7 to py-8 provides better visual spacing around the content.

packages/apis/package.json (2)

15-16: Good: Correct workspace protocol usage

The change from "*" to "workspace:*" is correct for pnpm workspace configuration and ensures proper internal dependency resolution.

---

40-44: Good: Enhanced exports configuration

The exports array format allows multiple file extensions and provides more flexibility for module resolution.

packages/apis/src/instance/core-api.ts (1)

1-1: Good: Correct import path update

The import path change to use relative imports is correct and reflects the relocation of the COOKIES constant to the APIs package.

apps/core/app/auth/login/_components/form/loginForm.tsx (4)

33-35: Good: Personalized success message improves UX

The personalized toast message with username and emoji creates a more engaging user experience.

---

49-53: Good: Route prefetching optimizes navigation performance

Prefetching key authentication routes will improve perceived performance when users navigate between auth pages.

---

63-63: Good: Auto-focus improves accessibility and UX

Adding autoFocus to the first input field provides better user experience and accessibility.

---

74-74: Good: Simplified CSS classes are cleaner

Replacing multiple CSS classes with a single "underline" class is more maintainable and readable.

apps/core/Dockerfile (1)

49-51: LGTM - Environment variables properly configured.

The addition of Next.js public environment variables is correctly implemented and aligns with the docker-compose configuration.

packages/ui/package.json (1)

15-16: LGTM - Workspace protocol correctly implemented.

The migration from wildcard "*" to "workspace:*" for internal dependencies follows pnpm workspace best practices. This ensures proper dependency resolution and prevents version conflicts in the monorepo.

Also applies to: 52-54

docker-compose.yml (1)

1-1: LGTM - Docker Compose configuration properly updated.

The changes correctly:

• Add explicit version specification
• Rename service for consistency with deployment configuration
• Add required environment variables that align with the Dockerfile and CI/CD pipeline

Also applies to: 4-5, 12-14

apps/core/app/auth/signup/otp/_components/signup-otp-form.tsx (3)

31-34: LGTM - Clipboard OTP integration properly implemented.

The integration of the useClipboardOtp hook with digit-only pattern is correctly implemented and enhances user experience.

---

113-121: LGTM - PasteOtpButton integration enhances UX.

The replacement of manual verification with the new PasteOtpButton component provides a better user experience with visual OTP preview and proper loading states.

---

87-89: Verify OTP pattern change across flows

The new REGEXP_ONLY_DIGITS pattern is now used in:

• apps/core/app/auth/signup/otp/_components/signup-otp-form.tsx
• apps/core/app/auth/set-password/page.tsx

Meanwhile, elsewhere (e.g.
apps/core/app/dashboard/products/create/_components/version-modal.tsx) the alphanumeric pattern REGEXP_ONLY_DIGITS_AND_CHARS is still in use.

Before merging, please confirm that your backend OTP endpoints (signup, reset-password, verify-otp) accept digits-only codes. If any service or email/SMS provider sends alphanumeric tokens, you’ll need to revert or extend this pattern.

apps/core/app/auth/set-password/page.tsx (7)

3-6: LGTM! Clean integration of new clipboard OTP functionality.

The imports are well-organized and the new components (PasteOtpButton, useClipboardOtp) will enhance the OTP input user experience significantly.

---

26-30: Good configuration of the clipboard OTP hook.

The hook is properly configured with appropriate OTP length and pattern restrictions. The REGEXP_ONLY_DIGITS pattern ensures only numeric OTPs are accepted, which is standard for most OTP systems.

---

40-44: Excellent use of React Hook Form's watch method.

Using watch to monitor the OTP field enables real-time synchronization with the InputOTP component, providing a smooth user experience.

---

66-68: Clean OTP paste handler implementation.

The handler properly uses setValue to update the form state when an OTP is pasted, maintaining consistency with React Hook Form patterns.

---

93-98: Proper OTP input configuration with form synchronization.

The REGEXP_ONLY_DIGITS pattern restriction and watch value integration ensure the OTP input behaves correctly with both manual input and clipboard paste functionality.

---

112-118: Excellent integration of the paste OTP button.

The button is properly configured with the extracted OTP, paste handler, loading state, and appropriate styling. The secondary variant and full-width styling fit well with the form design.

---

121-135: Good replacement with specialized PasswordInput components.

The transition from generic inputs to PasswordInput components provides better UX with built-in password visibility toggle functionality while maintaining proper form integration.

packages/ui/src/components/molecules/paste-otp-button.tsx (4)

8-24: Well-defined TypeScript interface with comprehensive prop types.

The interface covers all necessary props with proper types, optional flags, and helpful JSDoc comments. The eslint disable comment for the onPaste callback is appropriate since it's a standard React callback pattern.

---

35-41: Excellent error handling in the paste click handler.

The handler properly checks for OTP availability and provides user feedback through toast notifications when no OTP is found. This prevents silent failures and improves user experience.

---

44-52: Proper button configuration with accessibility features.

The button is correctly configured with appropriate props, disabled state when no OTP is available, and includes an accessible clipboard icon. The type="button" prevents form submission issues.

---

53-69: Thoughtful OTP preview implementation with good UX.

The conditional rendering shows either the OTP preview with proper formatting (spaced digits) or a fallback text. The showOtpPreview flag provides flexibility for different use cases.

packages/ui/src/components/molecules/passwordInput.tsx (3)

4-4: Good refactoring to use the Input component.

The switch to using the Input component with iconRight prop simplifies the component structure and improves maintainability.

---

12-29: Excellent extraction of toggle button to a constant.

Moving the toggle button JSX to a constant improves code readability and makes the render method cleaner. The button maintains proper accessibility with screen reader support and appropriate ARIA attributes.

---

32-42: Clean implementation using Input component's iconRight prop.

The refactored approach is much cleaner than the previous manual positioning logic. The hide-password-toggle class and proper prop forwarding maintain the expected behavior.

packages/ui/src/hooks/use-clipboard-otp.ts (6)

4-28: Well-designed TypeScript interfaces with comprehensive documentation.

The interfaces are properly typed with helpful JSDoc comments, providing clear guidance for hook usage and return values.

---

30-38: Good configuration with sensible defaults.

The hook options provide flexibility while maintaining reasonable defaults. The alphanumeric pattern and auto-check behavior are appropriate for most OTP use cases.

---

48-79: Robust OTP extraction logic with fallback handling.

The extraction logic handles various scenarios well - prioritizing numeric sequences, falling back to alphanumeric patterns, and validating against the configured pattern.

---

130-149: Excellent permission-aware clipboard checking.

The clipboard checking logic properly handles permission states and provides appropriate fallbacks when access is denied.

---

152-195: Comprehensive permission listener setup with proper cleanup.

The effect properly sets up permission change listeners and includes appropriate cleanup to prevent memory leaks.

---

197-212: Well-implemented auto-check functionality.

The auto-check logic respects configuration options and properly handles both mount and focus scenarios for optimal user experience.

[coderabbitai]

🛠️ Refactor suggestion

Avoid hardcoding the base URL

Hardcoding the API base URL removes environment flexibility and makes the code less maintainable. Consider keeping the environment variable approach.

-  // TODO: change to process.env.NEXT_PUBLIC_BASE_URL
-  // baseURL: process.env.NEXT_PUBLIC_BASE_URL,
-  baseURL: "https://api.pixelgenius.ir",
+  baseURL: process.env.NEXT_PUBLIC_BASE_URL || "https://api.pixelgenius.ir",

This provides a fallback while maintaining environment flexibility.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// TODO: change to process.env.NEXT_PUBLIC_BASE_URL
	// baseURL: process.env.NEXT_PUBLIC_BASE_URL,
	baseURL: "https://api.pixelgenius.ir",
	// before:
	// // TODO: change to process.env.NEXT_PUBLIC_BASE_URL
	// // baseURL: process.env.NEXT_PUBLIC_BASE_URL,
	// baseURL: "https://api.pixelgenius.ir",
	// after:
	baseURL: process.env.NEXT_PUBLIC_BASE_URL || "https://api.pixelgenius.ir",

🤖 Prompt for AI Agents

In packages/apis/src/instance/core-api.ts around lines 10 to 12, the baseURL is
hardcoded which reduces flexibility. Replace the hardcoded URL with
process.env.NEXT_PUBLIC_BASE_URL and provide a fallback to the current URL
string to maintain environment flexibility and ensure the code works in
different environments.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

docker-compose.prod.yml (3)

1-2: Drop the obsolete version key

Compose V2 ignores the version field and the linter already warns about it. Keeping it around is just noise and may confuse newcomers who think it still matters.

-version: "3.8"

---

6-6: Avoid hard-coding container_name unless strictly necessary

Pinned names break Compose’s default naming (which namespaces by project) and can clash on hosts running multiple stacks or replicas. Unless other services depend on the literal name client, consider deleting this key.

-    container_name: client

---

11-13: Consider env_file or Docker secrets for deploy-time values

NEXT_PUBLIC_BASE_URL* appear public, but if any sensitive variables are later added it’s safer to mount an .env/env_file: or use secrets:. Either way keeps the compose file generic and avoids accidental commits of secrets.

No change required now, just flagging for future hardening.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dbde556 and 75388c3.

📒 Files selected for processing (1)

• docker-compose.prod.yml (1 hunks)

🧰 Additional context used

🪛 GitHub Actions: CI/CD Pipeline

docker-compose.prod.yml

[warning] 1-1: The attribute version is obsolete in docker-compose.prod.yml and will be ignored. Please remove it to avoid potential confusion.

🔇 Additional comments (1)

docker-compose.prod.yml (1)

5-9: Re-evaluate simultaneous use of image and build

Defining both keys is valid, but the resulting behaviour is subtle: Compose will build a new image and then tag it as mrbadri/pixel-client:latest, potentially overwriting a registry image with local artefacts.
If the CI builds and pushes the image separately, keep only image:; if you need local builds, keep only build: or move the tag inside build: → tags:.

-    image: mrbadri/pixel-client:latest
-    build:
-      context: .
-      dockerfile: ./apps/core/Dockerfile
+    # Option A – pull the pre-built image
+    image: mrbadri/pixel-client:latest
+
+    # Option B – build locally and tag
+#   build:
+#     context: .
+#     dockerfile: ./apps/core/Dockerfile

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

.github/workflows/deploy.yml (2)

15-16: Define custom runner label “core” in actionlint.yaml.

actionlint still flags core as an unknown self-hosted label. Add the configuration file suggested in the earlier review or rename the label to one of the well-known defaults to silence the warning.

Also applies to: 35-36

---

25-33: Stop hard-coding the Docker Hub username.

mrbadri is hard-wired in both the login and push steps. Reuse the ${{ secrets.DOCKER_USERNAME }} secret so the workflow works for forks / other environments and avoids leaking internal details.

-        run: docker login -u mrbadri -p ${{ secrets.DOCKER_TOKEN }}
+        run: docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_TOKEN }}

-        run: docker push mrbadri/pixel-client:latest
+        run: docker push ${{ secrets.DOCKER_USERNAME }}/pixel-client:latest

🧹 Nitpick comments (2)

.github/workflows/deploy.yml (2)

48-50: Clean trailing whitespace & avoid shell foot-gun.

Line 50 has trailing spaces flagged by yamllint, and an unquoted newline after -d can accidentally concatenate the next line if someone removes the comment.

-          docker compose -f docker-compose.prod.yml up -d 
+          docker compose -f docker-compose.prod.yml up -d

---

52-53: Implement—or remove—the rollback TODO, and fix the typo.

The comment states “rullback” but there is no logic to handle a failed start. Either implement the rollback (e.g., check container health and redeploy the previous tag) or delete the comment to keep the workflow honest.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 75388c3 and 10046db.

📒 Files selected for processing (4)

• .github/workflows/deploy.yml (1 hunks)
• docker-compose.prod.yml (1 hunks)
• packages/apis/src/instance/core-api.ts (2 hunks)
• packages/apis/src/instance/guest-api.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• docker-compose.prod.yml
• packages/apis/src/instance/guest-api.ts
• packages/apis/src/instance/core-api.ts

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/deploy.yml

15-15: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

35-35: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🪛 YAMLlint (1.37.1)

.github/workflows/deploy.yml

[error] 50-50: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (4)

packages/apis/src/services/core/accounts/users/login/post/post-login.schema.ts (2)

11-11: Fix typo in variable name.

There's a typo in the variable name: "Transofrmed" should be "Transformed".

-export const postLoginResponseSchemaTransofrmed = apiResponseSchema
+export const postLoginResponseSchemaTransformed = apiResponseSchema

Also update the reference on line 28:

-  response: postLoginResponseSchemaTransofrmed,
+  response: postLoginResponseSchemaTransformed,

---

25-25: Consider removing redundant identity transform.

The transform function simply returns the data unchanged. If no transformation is needed, consider removing the .transform((data) => data) entirely to simplify the code.

-  .transform((data) => data);
+;

docker-compose.yml (2)

6-6: Static container_name blocks scaling and parallel docker compose up runs
Hard-coding container_name: client prevents multiple replicas and forces users to remove the container before re-running the stack. Unless another service depends on this exact name, drop the key and let Compose generate one.

-    container_name: client

---

13-15: Confirm the two NEXT_PUBLIC_* vars are defined for all environments
If these come from the developer’s shell, local builds may fail silently when they’re missing. Consider a .env file checked into the repo (or .env.example) so newcomers get sensible defaults and CI is explicit.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 10046db and 1a21f6c.

📒 Files selected for processing (2)

• docker-compose.yml (1 hunks)
• packages/apis/src/services/core/accounts/users/login/post/post-login.schema.ts (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Avoid mixing image: with build: unless you need a custom tag – right now the intent is ambiguous
Having both keys is allowed, but Compose will always build first; image: is then just the tag of that locally-built image. In CI you also docker pull mrbadri/pixel-client:latest, so developers may unknowingly run different images than prod. Either:

1. Drop build: here and rely exclusively on the registry image, or
2. Keep build: and replace latest with a deterministic tag (commit SHA / semver) that the pipeline also pushes, so local ≈ prod.

-    image: mrbadri/pixel-client:latest
+    # Option A – tag the locally-built image deterministically
+    image: mrbadri/pixel-client:${PIXEL_CLIENT_TAG:-dev}

---

🏁 Script executed:

#!/bin/bash
# Search for references to pixel-client in the repository
rg 'pixel-client' -n

# Search for any definition or usage of PIXEL_CLIENT_TAG environment variable
rg 'PIXEL_CLIENT_TAG' -n

# Search for docker pull commands referencing the image
rg 'docker pull.*mrbadri/pixel-client' -n

# Show the image: line in docker-compose.yml for context
sed -n '1,50p' docker-compose.yml | rg 'image:' -n

Length of output: 352

---

🏁 Script executed:

#!/bin/bash
# Check for CI configuration files
if [ -d .github ]; then
  echo "Found GitHub workflows:" 
  find .github -maxdepth 2 -type f
else
  echo ".github directory not found"
fi

if [ -f Jenkinsfile ]; then
  echo "Jenkinsfile present"
else
  echo "Jenkinsfile not found"
fi

if [ -f .gitlab-ci.yml ]; then
  echo ".gitlab-ci.yml present"
else
  echo ".gitlab-ci.yml not found"
fi

# Display deploy.sh to see how the image is pulled or built in prod
echo "---- deploy.sh ----"
sed -n '1,200p' deploy.sh || echo "deploy.sh not found"

# Display docker-compose.prod.yml to inspect service definitions
echo "---- docker-compose.prod.yml ----"
sed -n '1,200p' docker-compose.prod.yml || echo "docker-compose.prod.yml not found"

# Search for build: and pull usage in docker-compose.prod.yml
rg 'build:' -n docker-compose.prod.yml || echo "no build: in prod compose"
rg 'pull' -n docker-compose.prod.yml || echo "no pull in prod compose"

Length of output: 1767

---

🏁 Script executed:

#!/bin/bash
# Inspect CI workflows for usage of pixel-client image
echo "---- References to pixel-client in CI workflows ----"
rg 'pixel-client' -n .github/workflows || echo "No references found"

# Show build-and-merge workflow
echo "---- .github/workflows/build-and-merge.yml ----"
sed -n '1,200p' .github/workflows/build-and-merge.yml || echo "build-and-merge.yml not found"

# Show deploy workflow
echo "---- .github/workflows/deploy.yml ----"
sed -n '1,200p' .github/workflows/deploy.yml || echo "deploy.yml not found"

Length of output: 5420

---

Clarify build vs. image in Docker Compose

Compose always rebuilds a service when build: is present, tagging it as whatever you’ve set in image:. In our CI/CD:

• Build job (.github/workflows/build-and-merge.yml):
  docker compose -f docker-compose.prod.yml build → docker push mrbadri/pixel-client:latest
• Deploy job (.github/workflows/deploy.yml):
  docker compose -f docker-compose.prod.yml pull client then up -d
  → But up sees build: and rebuilds from source, so the pulled latest is never used.

This mismatch means prod never runs exactly what CI pushed—and using the floating latest tag makes drift more likely.

Recommendations (choose one):

1. Drop build: in production and rely solely on the registry image.
2. Keep build: but:
   • Switch to a deterministic tag (${PIXEL_CLIENT_TAG} instead of latest),
   • Have CI push that same tag,
   • Change deploy to use docker compose up --no-build.

Example diff for docker-compose.prod.yml:

 services:
   client:
-    image: mrbadri/pixel-client:latest
-    build:
-      context: .
-      dockerfile: ./apps/core/Dockerfile
+    # Pull only from registry in prod
+    image: mrbadri/pixel-client:${PIXEL_CLIENT_TAG:-latest}

Files requiring updates:

• docker-compose.prod.yml
• .github/workflows/deploy.yml (e.g. add --no-build or remove build)
• Optionally deploy.sh if it also uses docker compose up

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In docker-compose.yml lines 4 to 10, the presence of both build and image causes
Docker Compose to rebuild the image on deploy, ignoring the pulled image from
the registry. To fix this, remove the build section from the production compose
file to rely solely on the prebuilt image, or alternatively, keep build but
switch to a fixed tag instead of latest, ensure CI pushes that tag, and modify
deploy commands to use 'docker compose up --no-build' to prevent rebuilding
during deployment.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

.github/workflows/deploy.yml (2)

18-19: core runner label still unrecognised by actionlint

actionlint flags every usage of [self-hosted, core]. Ensure .github/actionlint.yaml declares core, or rename the label to one of the well-known values to silence the lint job.

---

52-54: Use secrets for Docker Hub username as well

Hard-coding mrbadri couples the workflow to a single account and leaks information if the repo is ever forked. Leverage the secret already suggested in past reviews:

-      - name: Login to Docker Hub
-        run: docker login -u mrbadri -p ${{ secrets.DOCKER_TOKEN }}
+      - name: Login to Docker Hub
+        run: docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_TOKEN }}

🧹 Nitpick comments (2)

scripts/haproxy-config-helper.md (2)

8-37: Add syntax identifier to fenced HAProxy snippet

markdownlint (MD040) complains because the code block has no language hint. Adding haproxy after the opening back-ticks fixes the lint error and gives readers syntax highlighting.

-```
+```haproxy
 frontend pixel_frontend
     bind *:80
     bind *:443 ssl crt /etc/ssl/certs/pixel.pem
@@
     # Port calculation: 3100 + PR_NUMBER
-```
+```

---

64-67: Avoid hard-coding the public IP in documentation

82.115.24.87 will become stale the moment the server is reprovisioned or fronted by a load balancer/CDN. Replace static IPs with a placeholder such as <SERVER_IP> or a DNS record (e.g. pixel.yourdomain.com) to keep the doc future-proof and prevent accidental disclosure of infrastructure details.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a21f6c and 1ecb3c2.

📒 Files selected for processing (4)

• .github/workflows/deploy.yml (1 hunks)
• docker-compose.dev.yml (1 hunks)
• docker-compose.preview.yml (1 hunks)
• scripts/haproxy-config-helper.md (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• docker-compose.preview.yml
• docker-compose.dev.yml

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/deploy.yml

18-18: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

75-75: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

95-95: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

115-115: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

173-173: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🪛 markdownlint-cli2 (0.17.2)

scripts/haproxy-config-helper.md

7-7: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (1)

.github/workflows/deploy.yml (1)

11-14: concurrency.group expression may mis-serialize on non-PR pushes

github.event.number is undefined for push events, which can result in an empty string (CI-main-) instead of a unique key. Consider an explicit fallback:

group: CI-${{ github.ref_name }}-${{ github.event.number || github.run_id }}

[github-actions]

🚀 Preview Deployed Successfully!

Your pull request preview is now available:

• 📍 Preview URL: http://82.115.24.87:3462
• 🔗 Container: client-preview-362
• 🐳 Image: mrbadri/pixel-client:pr-362

This preview will be automatically cleaned up when the PR is closed.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

.github/workflows/deploy.yml (3)

23-24: Missing actionlint runner-label config for “core”

runs-on: [self-hosted, core] is still flagged by actionlint as an unknown label. Either add an explicit .github/actionlint.yaml declaring the custom label or rename the label to one of the built-in values.

---

57-58: Hard-coded Docker Hub username & plaintext password

The username mrbadri is hard-coded in both the docker login and docker push commands, and the password is supplied via -p.
Use GitHub secrets for the username and pass the token via --password-stdin to avoid leaking credentials in process lists:

-        run: docker login -u mrbadri -p ${{ secrets.DOCKER_TOKEN }}
+        run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin

-          docker push mrbadri/pixel-client:$TAG
+          docker push ${{ secrets.DOCKER_USERNAME }}/pixel-client:$TAG

Also applies to: 70-76

---

64-67: No-op retagging on the dev branch

$TAG is already set to dev, so re-tagging the image adds no value and costs CI time:

-            docker compose -f docker-compose.dev.yml build
-            docker tag mrbadri/pixel-client:dev mrbadri/pixel-client:$TAG
+            docker compose -f docker-compose.dev.yml build

🧹 Nitpick comments (1)

.github/workflows/deploy.yml (1)

52-56: Duplicate “create .env” logic across four jobs

The same shell fragment is copy-pasted. Extract it into a reusable composite action or a single reusable step (e.g. uses: ./.github/actions/setup-env) to keep the workflow DRY and easier to maintain.

Also applies to: 87-91, 107-111, 127-131

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1ecb3c2 and 4ee4a08.

📒 Files selected for processing (1)

• .github/workflows/deploy.yml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/deploy.yml

23-23: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

80-80: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

100-100: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

120-120: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

169-169: label "core" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

[github-actions]

🧹 Preview Cleanup Complete

All preview deployment resources for this pull request have been successfully removed:

• 🐳 Docker container client-preview-362 stopped and removed
• 📦 Docker image mrbadri/pixel-client:pr-362 cleaned up
• 📁 Docker compose file removed

The cleanup process has finished for PR #362.