fix(ci): Install project dependencies in Repomix action

[yamadashy]

Summary

Fixes the pack-repository workflow failure caused by missing dependencies when loading repomix.config.ts.

Changes

• Added conditional npm install step in the Repomix action when package.json exists
• Removed explicit cache: "npm" setting (setup-node v5 detects it automatically)

Background

The workflow was failing with "Cannot find module 'picocolors'" error because repomix.config.ts imports from ./src/index.js, which requires local project dependencies. This is specific to the Repomix project itself, where the config file imports from local source code.

Checklist

• Run npm run test
• Run npm run lint

[Copilot]

Pull Request Overview

This PR fixes a CI workflow failure in the Repomix action by ensuring project dependencies are installed before running the tool. The workflow was failing because repomix.config.ts imports from local source code that requires project dependencies to be available.

• Added conditional dependency installation step when package.json exists
• Removed explicit npm cache setting (auto-detected by setup-node v5)

[gemini-code-assist]

Summary of Changes

Hello @yamadashy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical CI workflow failure that occurred because the repomix.config.ts file, which imports local source code, could not find its required dependencies during the pack-repository job. The changes introduce a robust mechanism to install these project dependencies conditionally, ensuring the workflow runs successfully. Additionally, it refines the GitHub Actions configuration by removing a redundant caching setting, leveraging the automatic detection capabilities of the updated setup-node action.

Highlights

• CI Workflow Fix: Resolved a failure in the pack-repository workflow by ensuring project dependencies are installed, which was previously causing 'Cannot find module' errors.
• Dependency Installation: Introduced a conditional npm install step within the Repomix action, which executes only if a package.json file is present in the project root.
• GitHub Actions Optimization: Removed the explicit cache: "npm" setting from the setup-node action, as version 5.0.0 and above automatically detects and configures npm caching.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a conditional "Install project dependencies" step to the GitHub Action at .github/actions/repomix/action.yml, replacing the previous setup-node npm cache configuration. The new step runs npm install only if package.json exists. The "Install Repomix" step remains, with indentation adjusted.

Changes

Cohort / File(s)	Summary of Changes
GitHub Action: repomix workflow \.github/actions/repomix/action.yml	Replaced setup-node cache: "npm" with a new step "Install project dependencies" that conditionally runs npm install when package.json exists; retained "Install Repomix" step with indentation alignment.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor GH as GitHub Actions Runner
    participant WF as repomix/action.yml

    GH->>WF: Setup Node.js
    alt package.json exists
        GH->>WF: Install project dependencies (npm install)
    else No package.json
        note right of WF: Skip npm install
    end
    GH->>WF: Install Repomix
    note over WF: setup-node npm cache removed

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci(cache): Use setup-node npm cache #220 — Both PRs change Node.js setup behavior in CI: that PR adds npm cache via setup-node, while this PR replaces cache usage with a conditional npm install.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly and concisely highlights the main change by specifying that the CI workflow now installs project dependencies in the Repomix action, which directly corresponds to the modifications made in the pull request.
Description Check	✅ Passed	The description adheres to the repository’s template by including a clear summary of the changes and a completed checklist for tests and linting, and it adds useful background and change details without omitting any required sections.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.66%. Comparing base (80f182a) to head (a744737).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #892   +/-   ##
=======================================
  Coverage   74.66%   74.66%           
=======================================
  Files         109      109           
  Lines        7653     7653           
  Branches     1433     1433           
=======================================
  Hits         5714     5714           
  Misses       1939     1939           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gemini-code-assist]

Code Review

This pull request resolves a CI failure within the Repomix action by ensuring project dependencies are installed. The approach of adding a conditional npm install step is a direct fix for the issue where repomix.config.ts requires local modules. Additionally, removing the explicit cache: "npm" setting is a good simplification, relying on the automatic detection capabilities of setup-node v5. I've included one suggestion to enhance the dependency installation process by using npm ci when a lockfile is available, which aligns with best practices for CI environments to achieve faster and more reliable builds.

[cloudflare-workers-and-pages]

Deploying repomix with    Cloudflare Pages

Latest commit:	ca369ec
Status:	✅  Deploy successful!
Preview URL:	https://cbdf1d17.repomix.pages.dev
Branch Preview URL:	https://fix-ci-pack-repo.repomix.pages.dev

View logs

[claude]

PR Review

Thank you for fixing this workflow issue! The solution properly addresses the dependency problem when repomix.config.ts imports from local source code.

✅ Strengths

• Root cause fix: Correctly identifies and solves the dependency issue where repomix.config.ts imports from ./src/index.js
• Conditional logic: The if [ -f "package.json" ] check is appropriate and prevents unnecessary failures
• Good documentation: Clear comments explain the purpose of the installation step
• Clean removal: Removing cache: "npm" is correct since setup-node v5 auto-detects it

🔍 Potential Issues & Suggestions

1. Performance consideration: Full npm install may be slow

The current implementation runs a full npm install which includes devDependencies. For a GitHub Action, this could be slow (Repomix has many dependencies).

Considerations:

• If only runtime dependencies are needed for repomix.config.ts, consider npm install --omit=dev
• However, if the config uses any build artifacts (transpiled TS → JS), you may need build tooling
• Given that repomix.config.ts imports from ./src/index.js (already JS), production deps should suffice

Suggested optimization (if applicable):

- name: Install project dependencies
  shell: bash
  run: |
    # Install project dependencies if package.json exists
    # This ensures repomix.config.ts can import from local source
    if [ -f "package.json" ]; then
      npm install --omit=dev
    fi

However, test this carefully - if the build process requires dev dependencies, keep the current approach.

2. Caching could improve performance

While you removed explicit cache: "npm" from setup-node (correctly, as v5 auto-detects), you might want to verify that caching is actually working. The auto-detection looks for package-lock.json or similar lock files.

You could add a comment or verify in testing that the cache is functioning:

- name: Setup Node.js
  uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
  with:
    node-version: "24"
    # cache is auto-detected from package-lock.json

3. Error handling consideration

The npm install step lacks explicit error handling. If the install fails, the action will fail, which is probably the desired behavior. However, you might want to add set -e at the top of the script for consistency with the "Run Repomix" step (line 65).

- name: Install project dependencies
  shell: bash
  run: |
    set -e
    # Install project dependencies if package.json exists
    # This ensures repomix.config.ts can import from local source
    if [ -f "package.json" ]; then
      npm install
    fi

Though bash defaults to continuing on error, explicit set -e makes the intent clear.

4. Potential for a more targeted approach

This is more of a design consideration: The current solution installs all dependencies whenever package.json exists. An alternative approach could be:

• Only install dependencies if repomix.config.ts exists and imports from local source
• Use a specific marker in the config file

However, this adds complexity and the current approach is simpler and more robust. The overhead is acceptable for CI.

🧪 Testing Suggestions

Consider testing these scenarios:

1. ✅ Repository with package.json and repomix.config.ts importing local source (your case)
2. ✅ Repository with package.json but standard repomix.config.ts (importing from 'repomix')
3. ✅ Repository without package.json (regular user project)
4. Check workflow timing to ensure the install doesn't significantly slow down the action

📝 Minor: Commit Message

Your commit message follows Conventional Commits well:

• ✅ Type: fix
• ✅ Scope: ci
• ✅ Description: Clear and capitalized

Summary

This is a solid fix that solves the immediate problem. The implementation is straightforward and safe. The main optimization opportunity is using npm install --omit=dev if dev dependencies aren't needed, but this requires testing to ensure it doesn't break the build.

Recommendation: ✅ Approve with optional optimization consideration

The PR is ready to merge as-is. The suggested --omit=dev optimization can be evaluated in a follow-up if CI performance becomes a concern.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/actions/repomix/action.yml (1)

49-56: Prefer npm ci when a lockfile exists.

Running plain npm install can mutate package-lock.json and produces non-deterministic dependency trees on CI. Consider using npm ci when a lockfile is present and falling back to npm install otherwise to keep installs reproducible and avoid dirtying the workspace.

Apply this diff to handle both cases:

-        if [ -f "package.json" ]; then
-          npm install
+        if [ -f "package-lock.json" ]; then
+          npm ci
+        elif [ -f "package.json" ]; then
+          npm install
         fi

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80f182a and a7569f9.

📒 Files selected for processing (1)

• .github/actions/repomix/action.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test (windows-latest, 22.x)
• GitHub Check: Build and run (windows-latest, 22.x)
• GitHub Check: Test (windows-latest, 24.x)
• GitHub Check: Test (windows-latest, 20.x)
• GitHub Check: Test with Bun (windows-latest, latest)
• GitHub Check: claude-review

[claude]

Code Review Summary

This PR effectively addresses the CI workflow failure by ensuring project dependencies are installed before running Repomix. The fix is well-targeted and includes appropriate documentation.

✅ Positive Aspects

1. Clear Problem Identification: Correctly identifies that repomix.config.ts imports from ./src/index.js, requiring project dependencies
2. Defensive Approach: Conditional check for package.json existence makes the action more robust
3. Good Documentation: Inline comments explain the rationale
4. Simplified Configuration: Removing cache: "npm" is appropriate (setup-node v5 auto-detects)

📝 Suggestions for Improvement

1. Performance - Consider using npm ci

In CI environments, npm ci is preferred:

• Faster (up to 2x)
• Uses exact versions from package-lock.json
• Cleaner install (removes node_modules first)

if [ -f "package.json" ]; then
  npm ci
fi

Current npm install is safer if package-lock.json might not exist.

2. Error Handling - Add explicit error message

if [ -f "package.json" ]; then
  echo "Installing project dependencies..."
  npm install || {
    echo "Error: Failed to install project dependencies"
    exit 1
  }
fi

3. Caching - Verify auto-detection works

Monitor workflow runs to ensure npm caching is active. If not, explicitly add cache: 'npm' back to setup-node.

4. Test Coverage - Add config import test

Consider adding a test case that verifies repomix.config.ts with local imports works correctly.

5. Documentation - Update action description

Document that the action installs project dependencies when package.json exists, especially for users with custom configs importing from local source.

🔒 Security & Best Practices

• ✅ No security concerns
• ✅ Follows GitHub Actions best practices
• ✅ Uses specific commit SHAs
• ✅ Safe shell scripting

📊 Code Quality

• ✅ Shell best practices
• ✅ Helpful comments
• ✅ Minimal, focused change
• ✅ No unnecessary complexity

---

Overall Assessment: ✅ Approve with minor suggestions

The fix is solid. Suggestions above are optional enhancements, not blockers.

[claude]

PR Review

Thank you for this fix! The approach correctly addresses the workflow failure where repomix.config.ts couldn't import from local source files. Here's my detailed feedback:

---

✅ What Works Well

1. Root Cause Identified: The fix correctly addresses the missing dependencies issue when the config file imports from local source
2. Conditional Logic: The if [ -f "package.json" ] check ensures the step only runs when needed
3. Clear Documentation: Comments explain why dependencies are needed
4. Minimal Impact: Only affects repos with a package.json, maintaining backward compatibility

---

🔍 Code Quality & Best Practices

Details

1. Missing npm Cache Configuration

The removal of cache: "npm" from setup-node relies on automatic detection, which is good. However, the new npm install step doesn't benefit from caching, which could significantly slow down the action.

Recommendation: Add caching for node_modules:

- name: Setup Node.js
  uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
  with:
    node-version: "24"
    cache: 'npm'  # Re-add for the global repomix install
    
- name: Install project dependencies
  shell: bash
  run: |
    if [ -f "package.json" ]; then
      # Check cache first
      if [ -f "package-lock.json" ]; then
        npm ci
      else
        npm install
      fi
    fi

2. Performance Consideration

Installing all project dependencies (including devDependencies) when only runtime dependencies are needed for the config file could be optimized.

Recommendation: Use npm ci --production or npm install --omit=dev if devDependencies aren't required for config loading.

3. Error Handling

The npm install step doesn't have explicit error handling. If it fails, the subsequent steps will also fail, but the error might not be immediately clear.

Recommendation: Add set -e or explicit error messages:

- name: Install project dependencies
  shell: bash
  run: |
    set -e
    if [ -f "package.json" ]; then
      echo "📦 Installing project dependencies for config file..."
      npm install || {
        echo "❌ Failed to install project dependencies"
        exit 1
      }
    fi

---

🐛 Potential Issues

Details

1. Schema File Inclusion

The PR includes a newly generated schema file (website/client/src/public/schemas/1.7.0/schema.json). This appears to be an automatic generation from the schema-update workflow.

Questions:

• Was this intentionally included in this PR, or is it a side effect of running the project locally?
• According to the schema-update.yml workflow (.github/workflows/schema-update.yml:26), schema generation should be auto-committed by the github-actions bot

Recommendation: Consider whether this schema file should be in a separate PR or if it was properly generated.

2. Action Version Reference Change

The workflow changed from:

uses: yamadashy/repomix/.github/actions/repomix@main

to:

uses: ./.github/actions/repomix

This is good for testing the local action, but means this specific workflow will always use the repository's version rather than a stable published version.

Consideration: This is appropriate for the repomix repository itself (eating your own dog food), but external users should continue using the versioned reference.

3. Dependency Version Conflicts

Installing project dependencies could potentially conflict with the globally installed repomix version if there are version mismatches.

Risk: Low, but worth monitoring in case the global repomix@latest expects different dependency versions than what's in the project's package.json.

---

🔒 Security Considerations

Details

1. Dependency Installation from Unverified Sources: The action runs npm install on the checked-out repository's package.json. If used by external repositories, this could potentially execute postinstall scripts.

   • Mitigation: Document that users should review their own package.json scripts
   • Alternative: Use npm install --ignore-scripts if scripts aren't needed

2. setup-node Hash: Good use of SHA pinning (a0853c24544627f65ddf259abe73b1d18a591444)

3. git-auto-commit-action Upgrade: The schema-update.yml change from v6.0.1 to v7.0.0 is a major version bump

   • Recommendation: Verify the changelog for breaking changes

---

🧪 Testing Coverage

The PR correctly mentions that npm run test and npm run lint were run. However:

Missing:

• No integration test for the GitHub Action itself
• The action could benefit from a test workflow that verifies it works with a repo that has dependencies

Recommendation: Consider adding a test workflow:

name: Test Repomix Action
on: pull_request
jobs:
  test-action:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: ./.github/actions/repomix
        with:
          output: test-output.xml
      - name: Verify output
        run: test -f test-output.xml

---

📋 Minor Suggestions

Details

1. Action Documentation: Update the action.yml description to mention that it automatically installs project dependencies if package.json exists

2. Commit Message: The commit message follows Conventional Commits correctly ✅

3. PR Checklist: Properly completed ✅

---

🎯 Overall Assessment

Verdict: ✅ Approve with suggestions

The PR successfully fixes the immediate issue and is ready to merge. The suggestions above are optimizations and nice-to-haves that could be addressed in follow-up PRs if desired.

Priority Improvements (if any changes are made):

1. Add caching for npm dependencies
2. Clarify the schema file inclusion
3. Consider npm ci instead of npm install for reproducibility

Great work on:

• Quick identification and fix of the issue
• Clear documentation in comments
• Proper git-auto-commit-action version update
• Following the project's commit conventions