Conversation
This reverts commit c3c0cc2.
This reverts commit c892d2c.
This reverts commit dcbea3b.
- ngx-countdown: ^19.0.0 → ^20.0.0 - ngx-draggable-dom: ^19.0.7 → ^20.0.0 - @types/node: ^20.14.9 → ^24.10.0
Optimize directory scanning, exclude 23 UI packages from API builds
…9371) * fix: add arch in about window, timer window not white blank screen * fix: remove log * fix: add skipLibCheck option in tsconfig.electron.json files * fix: clean code
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
[Fix] API Build Performance
…kro-orm [Fix] Rename micro-orm repository to mikro-orm
* feat: build optimizations (experimental) * fix: employees page * fix: more fixes / optimizations
feat: more optimizations / fixes
chore: more build optimizations and fixes
Feat/optimize2
Feat/optimize2
fix: builds
fix: builds
Feat/optimize2
chore: enable NX Cloud
Important: Review skipped. Auto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI.
This pull request is too large for Augment to review. The PR exceeds the maximum size limit of 100000 tokens (approximately 400000 characters) for automated code review. Please consider breaking this PR into smaller, more focused changes.
Too many files changed for review.
17 issues found across 574 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="apps/desktop-timer/src/app/app.module.ts">
<violation number="1" location="apps/desktop-timer/src/app/app.module.ts:177">
P1: Interceptor order now runs UnauthorizedInterceptor before RefreshTokenInterceptor, which wraps the 401 into a generic Error and prevents RefreshTokenInterceptor from detecting and handling token refresh. This can break automatic token refresh on unauthorized responses.</violation>
</file>
<file name=".github/workflows/docker-build-publish-mcp-auth-prod.yml">
<violation number="1" location=".github/workflows/docker-build-publish-mcp-auth-prod.yml:48">
P2: Avoid passing secrets as Docker build-args because they can leak into image layers/history. Use build secrets (`secrets`/`secret-envs`) and consume them with `RUN --mount=type=secret` in the Dockerfile instead.</violation>
</file>
<file name=".scripts/fix-tsconfig-paths.js">
<violation number="1" location=".scripts/fix-tsconfig-paths.js:44">
P2: The dist-only check uses `some`, so a path with mixed entries (dist + non-dist) will still be removed. If any `@gauzy/*` alias includes a non-dist entry, it should be preserved. Use `every` to ensure all entries are dist paths before deleting.</violation>
</file>
<file name=".deploy/api/Dockerfile">
<violation number="1" location=".deploy/api/Dockerfile:289">
P2: Avoid baking the NX Cloud access token into image layers via ENV; it can be recovered from image history. Pass it as a build secret or only scope it to the build RUN command instead.</violation>
</file>
<file name=".deploy/mcp/Dockerfile">
<violation number="1" location=".deploy/mcp/Dockerfile:143">
P2: Avoid persisting `NX_CLOUD_ACCESS_TOKEN` via `ENV` in the Dockerfile; it embeds the secret in the image layer/history. Pass it only at build time (e.g., secret mount or env on the `RUN yarn build` command) so it isn’t stored in image metadata.</violation>
</file>
<file name=".github/workflows/docker-build-publish-mcp-stage.yml">
<violation number="1" location=".github/workflows/docker-build-publish-mcp-stage.yml:48">
P1: Avoid passing `NX_CLOUD_ACCESS_TOKEN` as a Docker build-arg because build args can be recorded in image layers/history. Use build secrets (`secrets:` in docker/build-push-action) and consume them via `RUN --mount=type=secret` in the Dockerfile instead.</violation>
</file>
<file name="apps/api/config/webpack-package-copy-patterns.js">
<violation number="1" location="apps/api/config/webpack-package-copy-patterns.js:122">
P1: Scoped package names are flattened when constructing the destination path. This will copy `@gauzy/*` packages into `node_modules/<package>` instead of `node_modules/@gauzy/<package>`, breaking module resolution for scoped imports. Preserve the full package name in the destination path.</violation>
</file>
<file name=".cspell.json">
<violation number="1" location=".cspell.json:11">
P3: Duplicate word entries were added to the CSpell word list. Remove redundant duplicates (e.g., the extra "agentapp") to keep the list maintainable.</violation>
</file>
<file name=".github/workflows/docker-build-publish-stage.yml">
<violation number="1" location=".github/workflows/docker-build-publish-stage.yml:44">
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN via build-args; the Dockerfiles copy the arg into ENV, which can leak the token through build layers/cache. Use BuildKit secrets (and read via `RUN --mount=type=secret`) or another secret injection method instead.</violation>
</file>
<file name=".github/workflows/docker-build-publish-prod.yml">
<violation number="1" location=".github/workflows/docker-build-publish-prod.yml:44">
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN via Docker build-args; build args can be persisted in image layers/history. Use BuildKit secrets or another secure injection method instead.</violation>
</file>
<file name=".github/workflows/docker-build-publish-demo.yml">
<violation number="1" location=".github/workflows/docker-build-publish-demo.yml:44">
P1: Passing NX_CLOUD_ACCESS_TOKEN via build-args risks baking the secret into the Docker image layers/history. Use BuildKit secrets (docker/build-push-action `secrets:`) or avoid passing the token unless the Dockerfile explicitly consumes it securely.</violation>
</file>
<file name=".github/workflows/docker-build-publish-mcp-auth-stage.yml">
<violation number="1" location=".github/workflows/docker-build-publish-mcp-auth-stage.yml:48">
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN as a Docker build-arg because ARG values are persisted in image history/metadata. Use BuildKit secrets (e.g., build-push-action `secrets`/`secret-envs` with `RUN --mount=type=secret`) so the token is not embedded in the image.</violation>
</file>
<file name=".deploy/mcp-auth/Dockerfile">
<violation number="1" location=".deploy/mcp-auth/Dockerfile:98">
P1: Avoid persisting NX_CLOUD_ACCESS_TOKEN via ENV in the image. This bakes the secret into build image metadata/layers and can leak it through build cache/history. Use a build secret or pass the token only to the build command without storing it in ENV.</violation>
</file>
<file name=".github/workflows/docker-build-publish-mcp-auth-demo.yml">
<violation number="1" location=".github/workflows/docker-build-publish-mcp-auth-demo.yml:49">
P1: Avoid passing `NX_CLOUD_ACCESS_TOKEN` via `build-args`; Docker/BuildKit docs caution against using ARG/ENV for secrets because they can be exposed in image history. Use build secrets (`secrets`/`secret-files`) instead and remove the secret from build args.</violation>
</file>
<file name=".deploy/webapp/Dockerfile">
<violation number="1" location=".deploy/webapp/Dockerfile:192">
P2: Avoid persisting `NX_CLOUD_ACCESS_TOKEN` via `ENV`; it bakes the secret into the image metadata. Inject the token only at build time (e.g., BuildKit secrets or inline env on the `RUN` command) so it isn’t stored in any layer.</violation>
</file>
<file name=".github/workflows/docker-build-publish-mcp-prod.yml">
<violation number="1" location=".github/workflows/docker-build-publish-mcp-prod.yml:48">
P1: Do not pass NX_CLOUD_ACCESS_TOKEN via build-args; build args are not safe for secrets and can leak through image history/cache. Use Docker build secrets (build-push-action `secrets:` + `RUN --mount=type=secret` in the Dockerfile) instead.</violation>
</file>
<file name=".github/workflows/docker-build-publish-mcp-demo.yml">
<violation number="1" location=".github/workflows/docker-build-publish-mcp-demo.yml:49">
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN via build args; it gets written into the build stage environment and can leak through image history/cache. Use BuildKit secrets (and consume with `RUN --mount=type=secret`) or inject the token at runtime instead.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
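Most of the findings above are one pattern repeated across nine files: a repository secret is handed to `docker build` as a build-arg and then copied into `ENV`, so it lands in image metadata. As an added example (not code from this PR or from cubic), here is a small lint that flags both halves of that pattern so it can run in CI before an image is built. The function names and both sample inputs are constructed for this example, modelled on the hunks quoted in this review.

```javascript
// Added example, not code from the PR: a lint for the two patterns flagged
// above (credential-looking ENV/ARG in a Dockerfile, and ${{ secrets.* }}
// expanded under build-args in a workflow). Function names and both sample
// inputs are constructed for this example.

const SECRET_NAME = /(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY)/i;

// ENV persists in the image config; ARG values appear in `docker history`
// for the stage that uses them. Both are flagged when the name looks secret.
function findDockerfileSecretEnvs(dockerfileText) {
  const findings = [];
  dockerfileText.split('\n').forEach((raw, i) => {
    const m = raw.trim().match(/^(ENV|ARG)\s+([A-Za-z_][A-Za-z0-9_]*)/);
    if (m && SECRET_NAME.test(m[2])) {
      findings.push({ line: i + 1, instruction: m[1], name: m[2] });
    }
  });
  return findings;
}

// Walks a GitHub Actions workflow and reports build-args entries whose value
// expands a repository secret. Indentation alone delimits the `build-args: |`
// block, which is enough for the workflow layout quoted in this review.
function findWorkflowSecretBuildArgs(workflowYaml) {
  const findings = [];
  let blockIndent = -1;
  workflowYaml.split('\n').forEach((raw, i) => {
    if (raw.trim() === '') return;
    const indent = raw.length - raw.trimStart().length;
    if (blockIndent >= 0 && indent <= blockIndent) blockIndent = -1; // left the block
    if (blockIndent < 0) {
      if (/^\s*build-args:/.test(raw)) blockIndent = indent;
      return;
    }
    const m = raw.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)=\$\{\{\s*secrets\.([A-Za-z0-9_]+)/);
    if (m) findings.push({ line: i + 1, arg: m[1], secret: m[2] });
  });
  return findings;
}

// Constructed sample inputs modelled on the hunks quoted in this review.
const SAMPLE_DOCKERFILE = [
  'ARG NX_CLOUD_ACCESS_TOKEN',
  'ARG NX_BRANCH',
  'ENV CI=true',
  'ENV NX_NO_CLOUD=false',
  'ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}',
  'ENV NX_BRANCH=${NX_BRANCH}',
  'RUN yarn build',
].join('\n');

const SAMPLE_WORKFLOW = [
  '      with:',
  '        context: .',
  '        cache-to: type=inline',
  '        build-args: |',
  '          NODE_ENV=production',
  '          NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}',
  '          NX_BRANCH=${{ github.ref_name }}',
  '        push: true',
].join('\n');

// Entry point: a non-empty list in either field means the build leaks a secret
// into image metadata and the workflow should switch to BuildKit secrets.
function lintBuildSecrets(dockerfileText, workflowYaml) {
  return {
    dockerfile: findDockerfileSecretEnvs(dockerfileText),
    workflow: findWorkflowSecretBuildArgs(workflowYaml),
  };
}

console.log(JSON.stringify(lintBuildSecrets(SAMPLE_DOCKERFILE, SAMPLE_WORKFLOW), null, 2));
```

Running it over the constructed samples reports the `ARG` and `ENV` lines for `NX_CLOUD_ACCESS_TOKEN` in the Dockerfile and the one `build-args` entry that expands `secrets.NX_CLOUD_ACCESS_TOKEN` in the workflow, while `NX_BRANCH=${{ github.ref_name }}` is left alone because it is not a secret.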
{
provide: HTTP_INTERCEPTORS,
useClass: UnauthorizedInterceptor,
useClass: RefreshTokenInterceptor,
P1: Interceptor order now runs UnauthorizedInterceptor before RefreshTokenInterceptor, which wraps the 401 into a generic Error and prevents RefreshTokenInterceptor from detecting and handling token refresh. This can break automatic token refresh on unauthorized responses.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/desktop-timer/src/app/app.module.ts, line 177:
<comment>Interceptor order now runs UnauthorizedInterceptor before RefreshTokenInterceptor, which wraps the 401 into a generic Error and prevents RefreshTokenInterceptor from detecting and handling token refresh. This can break automatic token refresh on unauthorized responses.</comment>
<file context>
@@ -174,12 +174,12 @@ if (environment.SENTRY_DSN) {
{
provide: HTTP_INTERCEPTORS,
- useClass: UnauthorizedInterceptor,
+ useClass: RefreshTokenInterceptor,
multi: true
},
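Review bot: Whether `UnauthorizedInterceptor` now runs before or after `RefreshTokenInterceptor` cannot be read from this hunk alone, since it only shows the `useClass` swap at this one provider entry; Angular applies `HTTP_INTERCEPTORS` multi-providers in registration order on the request path and in reverse order on the response path, so the interceptor registered last is the first to see a 401 `HttpErrorResponse`. Confirm the intended order with a unit test that returns a 401 through `HttpTestingController` and asserts that the refresh is attempted before any interceptor converts the error into a plain `Error`.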
</file context>
cache-to: type=inline
build-args: |
NODE_ENV=production
NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN as a Docker build-arg because build args can be recorded in image layers/history. Use build secrets (secrets: in docker/build-push-action) and consume them via RUN --mount=type=secret in the Dockerfile instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/docker-build-publish-mcp-stage.yml, line 48:
<comment>Avoid passing `NX_CLOUD_ACCESS_TOKEN` as a Docker build-arg because build args can be recorded in image layers/history. Use build secrets (`secrets:` in docker/build-push-action) and consume them via `RUN --mount=type=secret` in the Dockerfile instead.</comment>
<file context>
@@ -45,6 +45,8 @@ jobs:
cache-to: type=inline
build-args: |
NODE_ENV=production
+ NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+ NX_BRANCH=${{ github.ref_name }}
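Review bot: `NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}` under `build-args:` makes the token an `ARG`, and `ARG` values show up in `docker history` of any stage whose `RUN` steps use them. `docker/build-push-action` has a `secrets:` input for exactly this, e.g. `secrets: |` followed by `nx_cloud_token=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}`, which the Dockerfile reads with `RUN --mount=type=secret,id=nx_cloud_token NX_CLOUD_ACCESS_TOKEN="$(cat /run/secrets/nx_cloud_token)" yarn build`; `NX_BRANCH=${{ github.ref_name }}` is not sensitive and can stay a build-arg.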
</file context>
patterns.push({
from: fullPath,
to: path.join(targetNodeModulesDir, packageName),
P1: Scoped package names are flattened when constructing the destination path. This will copy @gauzy/* packages into node_modules/<package> instead of node_modules/@gauzy/<package>, breaking module resolution for scoped imports. Preserve the full package name in the destination path.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/api/config/webpack-package-copy-patterns.js, line 122:
<comment>Scoped package names are flattened when constructing the destination path. This will copy `@gauzy/*` packages into `node_modules/<package>` instead of `node_modules/@gauzy/<package>`, breaking module resolution for scoped imports. Preserve the full package name in the destination path.</comment>
<file context>
@@ -0,0 +1,200 @@
+
+ patterns.push({
+ from: fullPath,
+ to: path.join(targetNodeModulesDir, packageName),
+ globOptions: {
+ ignore: ['**/node_modules/**']
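Review bot: `to: path.join(targetNodeModulesDir, packageName)` drops the scope segment; the `name` field of the copied package's package.json is the authoritative path below `node_modules`, e.g. `to: path.join(targetNodeModulesDir, ...pkg.name.split('/'))`, after checking that `name` is a plain npm name so a malformed one cannot direct the copy outside the target directory. A quick post-build check is `node -e "require.resolve('@gauzy/core')"` from the output directory.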
</file context>
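The flattening the comment describes is easy to reproduce with a few lines. The following is an added example, not the PR's `webpack-package-copy-patterns.js`: it shows the defective destination (directory basename) next to a corrected one (package.json `name`, scope preserved, validated), and simulates Node's bare-specifier lookup to show which one `require('@gauzy/core')` would find. Helper names and the sample package list are constructed; plain string joins stand in for `path.join` so the result is deterministic across platforms.

```javascript
// Added example, not code from the PR: computing the copy destination for a
// workspace package so that scoped names survive. Helper names and the
// sample package list are constructed for this example.

function joinPosix(...parts) {
  return parts.join('/').replace(/\/+/g, '/');
}

// Defective form: the directory basename is used, so "@gauzy/core" checked out
// at packages/core lands in node_modules/core and `require('@gauzy/core')` fails.
function flattenedDestination(targetNodeModulesDir, fullPath) {
  const packageName = fullPath.split('/').filter(Boolean).pop();
  return joinPosix(targetNodeModulesDir, packageName);
}

// Corrected form: the package.json "name" is used, keeping the scope segment.
// Names that are not plain npm names are rejected so that a crafted name
// cannot point the copy outside targetNodeModulesDir.
const NPM_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
function scopedDestination(targetNodeModulesDir, pkgJson) {
  if (typeof pkgJson.name !== 'string' || !NPM_NAME.test(pkgJson.name)) {
    throw new Error('refusing to copy package with invalid name: ' + pkgJson.name);
  }
  return joinPosix(targetNodeModulesDir, ...pkgJson.name.split('/'));
}

// Simulates Node's bare-specifier lookup: a specifier resolves only if
// <node_modules>/<specifier> is among the directories that were copied.
function resolves(specifier, copiedDirs, targetNodeModulesDir) {
  return copiedDirs.includes(joinPosix(targetNodeModulesDir, specifier));
}

// Constructed sample: two scoped workspace packages and one unscoped dependency.
function demo() {
  const target = '/app/dist/apps/api/node_modules';
  const pkgs = [
    { fullPath: '/app/packages/core', json: { name: '@gauzy/core' } },
    { fullPath: '/app/packages/common', json: { name: '@gauzy/common' } },
    { fullPath: '/app/node_modules/lodash', json: { name: 'lodash' } },
  ];
  const flattened = pkgs.map((p) => flattenedDestination(target, p.fullPath));
  const scoped = pkgs.map((p) => scopedDestination(target, p.json));
  return {
    flattened,
    scoped,
    flattenedResolves: resolves('@gauzy/core', flattened, target),
    scopedResolves: resolves('@gauzy/core', scoped, target),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the flattened destinations `@gauzy/core` does not resolve; with the scoped ones it does, and the unscoped `lodash` case is unchanged by the fix.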
NODE_ENV=development
NODE_ENV=production
DEMO=false
NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN via build-args; the Dockerfiles copy the arg into ENV, which can leak the token through build layers/cache. Use BuildKit secrets (and read via RUN --mount=type=secret) or another secret injection method instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/docker-build-publish-stage.yml, line 44:
<comment>Avoid passing NX_CLOUD_ACCESS_TOKEN via build-args; the Dockerfiles copy the arg into ENV, which can leak the token through build layers/cache. Use BuildKit secrets (and read via `RUN --mount=type=secret`) or another secret injection method instead.</comment>
<file context>
@@ -39,7 +39,10 @@ jobs:
- NODE_ENV=development
+ NODE_ENV=production
+ DEMO=false
+ NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+ NX_BRANCH=${{ github.ref_name }}
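Review bot: Besides the token issue, the `NODE_ENV=development` to `NODE_ENV=production` switch changes what the build stage installs: Yarn 1 and npm skip `devDependencies` when `NODE_ENV=production` unless the install runs with `--production=false`, so confirm the Dockerfile's install step still pulls the build tooling (Nx, TypeScript, webpack) it needs, or the build will only fail once the cache is cold.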
</file context>
build-args: |
NODE_ENV=production
DEMO=false
NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
P1: Avoid passing NX_CLOUD_ACCESS_TOKEN via Docker build-args; build args can be persisted in image layers/history. Use BuildKit secrets or another secure injection method instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/docker-build-publish-prod.yml, line 44:
<comment>Avoid passing NX_CLOUD_ACCESS_TOKEN via Docker build-args; build args can be persisted in image layers/history. Use BuildKit secrets or another secure injection method instead.</comment>
<file context>
@@ -40,6 +40,9 @@ jobs:
build-args: |
NODE_ENV=production
+ DEMO=false
+ NX_CLOUD_ACCESS_TOKEN=${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+ NX_BRANCH=${{ github.ref_name }}
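Review bot: `NX_BRANCH=${{ github.ref_name }}` resolves to the tag name when this prod workflow is triggered by a tag push and to `<pr-number>/merge` on `pull_request` events; if the Nx Cloud branch label is meant to track the source branch, `github.head_ref` (for PRs) or the branch component of the ref is the value to pass.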
</file context>
// Check if all gauzy paths point to dist
const allDistPaths = gauzyPaths.every((k) => {
const pathValues = paths[k];
return pathValues.some((p) => p.includes('/dist/'));
P2: The dist-only check uses some, so a path with mixed entries (dist + non-dist) will still be removed. If any @gauzy/* alias includes a non-dist entry, it should be preserved. Use every to ensure all entries are dist paths before deleting.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .scripts/fix-tsconfig-paths.js, line 44:
<comment>The dist-only check uses `some`, so a path with mixed entries (dist + non-dist) will still be removed. If any `@gauzy/*` alias includes a non-dist entry, it should be preserved. Use `every` to ensure all entries are dist paths before deleting.</comment>
<file context>
@@ -0,0 +1,80 @@
+ // Check if all gauzy paths point to dist
+ const allDistPaths = gauzyPaths.every((k) => {
+ const pathValues = paths[k];
+ return pathValues.some((p) => p.includes('/dist/'));
+ });
+
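Review bot: Switching the inner `some` to `every` introduces a second edge on the same line: `[].every(...)` is `true`, so an alias with an empty array would count as dist-only and be deleted; guard it with `pathValues.length > 0 && pathValues.every(...)`. A log line listing the aliases removed is also worth adding, since a silently dropped path mapping only surfaces later as a type-resolution failure.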
</file context>
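To make the `some` versus `every` difference concrete, here is an added example (not the PR's `.scripts/fix-tsconfig-paths.js`): the defective check and the corrected one side by side, plus a prune function that removes the `@gauzy/*` aliases only when every entry of every alias points into dist. The helper names and the two sample tsconfig objects are constructed for this example.

```javascript
// Added example, not code from the PR: deciding whether the `@gauzy/*` path
// aliases in a tsconfig should be removed so the compiled packages under dist
// are used instead. Helper names and sample tsconfig objects are constructed.

function isDistPath(p) {
  return p.includes('/dist/');
}

// Defective check from the review: `some` accepts an alias that mixes a dist
// entry with a source entry, so that alias is dropped as well.
function allAliasesDistOnly_some(paths, aliases) {
  return aliases.every((k) => paths[k].some(isDistPath));
}

// Corrected check: every entry of every alias must point into dist, and an
// alias with no entries does not count (every([]) is vacuously true).
function allAliasesDistOnly(paths, aliases) {
  return aliases.every((k) => {
    const values = paths[k];
    return Array.isArray(values) && values.length > 0 && values.every(isDistPath);
  });
}

// Returns a copy of tsconfig with the @gauzy/* aliases removed only when the
// check passes; otherwise the original object is returned unchanged.
function pruneGauzyPaths(tsconfig, check = allAliasesDistOnly) {
  const paths = (tsconfig.compilerOptions && tsconfig.compilerOptions.paths) || {};
  const gauzyAliases = Object.keys(paths).filter((k) => k.startsWith('@gauzy/'));
  if (gauzyAliases.length === 0 || !check(paths, gauzyAliases)) return tsconfig;
  const kept = Object.fromEntries(
    Object.entries(paths).filter(([k]) => !gauzyAliases.includes(k))
  );
  return { ...tsconfig, compilerOptions: { ...tsconfig.compilerOptions, paths: kept } };
}

// Constructed sample: one alias mixes a dist entry with a source entry.
const SAMPLE_MIXED = {
  compilerOptions: {
    paths: {
      '@gauzy/core': ['../../dist/packages/core/src/index.ts'],
      '@gauzy/common': [
        '../../dist/packages/common/src/index.ts',
        '../../packages/common/src/index.ts',
      ],
      '@app/*': ['src/app/*'],
    },
  },
};

// Constructed sample: every @gauzy alias points into dist.
const SAMPLE_DIST_ONLY = {
  compilerOptions: {
    paths: {
      '@gauzy/core': ['../../dist/packages/core/src/index.ts'],
      '@gauzy/common': ['../../dist/packages/common/src/index.ts'],
      '@app/*': ['src/app/*'],
    },
  },
};

console.log('mixed, some  :', Object.keys(pruneGauzyPaths(SAMPLE_MIXED, allAliasesDistOnly_some).compilerOptions.paths));
console.log('mixed, every :', Object.keys(pruneGauzyPaths(SAMPLE_MIXED).compilerOptions.paths));
console.log('dist-only    :', Object.keys(pruneGauzyPaths(SAMPLE_DIST_ONLY).compilerOptions.paths));
```

On the mixed sample the `some` variant deletes both `@gauzy/*` aliases even though `@gauzy/common` still needs its source entry, while the `every` variant leaves the config untouched; on the dist-only sample both variants prune the aliases and keep `@app/*`.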
ENV NX_NO_CLOUD=true
# Enable NX Cloud caching for faster builds
ENV NX_NO_CLOUD=false
ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}
P2: Avoid baking the NX Cloud access token into image layers via ENV; it can be recovered from image history. Pass it as a build secret or only scope it to the build RUN command instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .deploy/api/Dockerfile, line 289:
<comment>Avoid baking the NX Cloud access token into image layers via ENV; it can be recovered from image history. Pass it as a build secret or only scope it to the build RUN command instead.</comment>
<file context>
@@ -273,23 +275,25 @@ ENV CI=true
-ENV NX_NO_CLOUD=true
+# Enable NX Cloud caching for faster builds
+ENV NX_NO_CLOUD=false
+ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}
+ENV NX_BRANCH=${NX_BRANCH}
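Review bot: `ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}` writes the token into this stage's image config, where `docker history` and `docker inspect` expose it; keep `NX_NO_CLOUD=false` and `NX_BRANCH` as `ENV`, but supply the token only to the build step, e.g. `RUN --mount=type=secret,id=nx_cloud_token NX_CLOUD_ACCESS_TOKEN="$(cat /run/secrets/nx_cloud_token)" yarn build`. Also confirm the build still succeeds when the secret is absent (pull requests from forks do not receive repository secrets), since `NX_NO_CLOUD=false` with an empty token is now the default path in that case.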
</file context>
ENV NX_NO_CLOUD=true
# Enable NX Cloud caching for faster builds
ENV NX_NO_CLOUD=false
ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}
P2: Avoid persisting NX_CLOUD_ACCESS_TOKEN via ENV in the Dockerfile; it embeds the secret in the image layer/history. Pass it only at build time (e.g., secret mount or env on the RUN yarn build command) so it isn’t stored in image metadata.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .deploy/mcp/Dockerfile, line 143:
<comment>Avoid persisting `NX_CLOUD_ACCESS_TOKEN` via `ENV` in the Dockerfile; it embeds the secret in the image layer/history. Pass it only at build time (e.g., secret mount or env on the `RUN yarn build` command) so it isn’t stored in image metadata.</comment>
<file context>
@@ -133,8 +135,13 @@ COPY --chown=node:node tsconfig.base.json tsconfig.json ./
-ENV NX_NO_CLOUD=true
+# Enable NX Cloud caching for faster builds
+ENV NX_NO_CLOUD=false
+ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}
+ENV NX_BRANCH=${NX_BRANCH}
ENV CI=true
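Review bot: Check whether the final stage of `.deploy/mcp/Dockerfile` derives from this stage (`FROM <build-stage>`), because `ENV` set here is inherited into the image config of any stage built on top of it; if the build is single-stage the token ships in the runtime image outright. After the fix, `docker image inspect <image> --format '{{.Config.Env}}'` on the pushed image must not list `NX_CLOUD_ACCESS_TOKEN`.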
</file context>
ENV NX_NO_CLOUD=true
# Enable NX Cloud caching for faster builds
ENV NX_NO_CLOUD=false
ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}
P2: Avoid persisting NX_CLOUD_ACCESS_TOKEN via ENV; it bakes the secret into the image metadata. Inject the token only at build time (e.g., BuildKit secrets or inline env on the RUN command) so it isn’t stored in any layer.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .deploy/webapp/Dockerfile, line 192:
<comment>Avoid persisting `NX_CLOUD_ACCESS_TOKEN` via `ENV`; it bakes the secret into the image metadata. Inject the token only at build time (e.g., BuildKit secrets or inline env on the `RUN` command) so it isn’t stored in any layer.</comment>
<file context>
@@ -176,18 +178,25 @@ ENV CI=true
-ENV NX_NO_CLOUD=true
+# Enable NX Cloud caching for faster builds
+ENV NX_NO_CLOUD=false
+ENV NX_CLOUD_ACCESS_TOKEN=${NX_CLOUD_ACCESS_TOKEN}
+ENV NX_BRANCH=${NX_BRANCH}
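Review bot: The secret-mount alternative suggested for the other Dockerfiles needs BuildKit syntax, so add `# syntax=docker/dockerfile:1` at the top of this file so `RUN --mount=type=secret` parses regardless of the frontend in use, and extend any local build scripts with `--secret id=nx_cloud_token,env=NX_CLOUD_ACCESS_TOKEN` so developers building outside the workflow get the same behaviour.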
</file context>
"activitywatch",
"adminer",
"agentapp",
"agentapp",
P3: Duplicate word entries were added to the CSpell word list. Remove redundant duplicates (e.g., the extra "agentapp") to keep the list maintainable.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .cspell.json, line 11:
<comment>Duplicate word entries were added to the CSpell word list. Remove redundant duplicates (e.g., the extra "agentapp") to keep the list maintainable.</comment>
<file context>
@@ -3,71 +3,90 @@
"activitywatch",
"adminer",
"agentapp",
+ "agentapp",
"AGPL",
"airbyte",
</file context>
Please note: we will close your PR without comment if you do not check the boxes above and provide ALL requested information.
Summary by cubic
Improved build speed and reliability across apps by enabling Nx Cloud caching, optimizing API package copying, and updating CI/Docker workflows. Also modernized Angular bootstrapping and Sass usage, refreshed icons, and added macOS code signing/notarization config.
Written for commit 24d0e9b. Summary will update on new commits.