[#328] Update PR Workflow #329

Merged: DVidal1205 merged 16 commits into main from repo/workflows-and-dx on Feb 7, 2026

@DVidal1205 DVidal1205 commented Feb 7, 2026

Why

We keep pushing bugs into production. We need better checks, tests, and code review!

What

Issue(s): #328

Adds a Build workflow and a PR validator. The new PR validator requires all PRs are up to repository standards:

  • PR has an Assignee
  • PR has a label
  • PR links an issue
  • PR title is of form [#XYZ] Etc Etc Etc

Also adds Code Rabbit!

Test Plan

Merge me twin

Checklist

  • Database: No schema changes, OR I have contacted the Development Lead to run db:push before merging
  • Environment Variables: No environment variables changed, OR I have contacted the Development Lead to modify them on Coolify BEFORE merging.

Summary by CodeRabbit

  • Chores

    • Added monorepo governance and automation: review workflows, path-based rules, pre-merge checks, tool toggles, auto-review and issue enrichment
    • Consolidated and renamed environment variables; added webhook, storage, Google, Passkit, Listmonk defaults and CI secrets
    • Added env skip-validation toggle to bypass validation in CI/lint runs
    • Enhanced CI with build verification, PR validation checks, and tightened permissions
    • Removed automated dependency-update configuration
  • Documentation

    • Updated PR template to include issue tracking and a pre-merge checklist
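
The four PR rules listed in the description above, written as one pure function so they can be tested outside a workflow run. This is an added example, not the repository's workflow code: `validatePr`, `TITLE_RE`, `ISSUE_REF` and the sample payloads are assumptions, and the field names follow GitHub's `pull_request` event payload.

```javascript
// Added example: PR metadata rules as a pure function (hypothetical names).

// "[#XYZ] Etc Etc Etc": bracketed issue number, one space, non-empty text.
const TITLE_RE = /^\[#\d+\] \S/;

// Ways a PR body can point at an issue: a closing keyword, a bare #123,
// or a full issue URL. Constructed patterns; tune them to your template.
const ISSUE_REF = [
  /\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\s+#\d+\b/i,
  /(?:^|[\s(:])#\d+\b/,
  /https:\/\/github\.com\/[\w.-]+\/[\w.-]+\/issues\/\d+/,
];

function validatePr(pr) {
  const errors = [];
  const title = typeof pr.title === "string" ? pr.title : "";
  // GitHub sends body: null when the description is empty.
  const body = typeof pr.body === "string" ? pr.body : "";

  if (!Array.isArray(pr.assignees) || pr.assignees.length === 0)
    errors.push("Missing assignee.");
  if (!Array.isArray(pr.labels) || pr.labels.length === 0)
    errors.push("Missing label.");
  if (!TITLE_RE.test(title))
    errors.push("Title must look like: [#123] Short description");
  if (!ISSUE_REF.some((re) => re.test(body)))
    errors.push("Missing linked issue in PR body.");
  return errors;
}

// Inside actions/github-script, read the PR from the event payload object
// rather than interpolating workflow expressions into the script text:
//   const e = validatePr(context.payload.pull_request);
//   if (e.length) core.setFailed(e.join("\n"));

// Constructed sample payloads.
const goodPr = {
  title: "[#328] Update PR Workflow",
  body: "Why\n...\nIssue(s): #328",
  labels: [{ name: "Feature" }],
  assignees: [{ login: "DVidal1205" }],
};
const badPr = { title: "Update PR Workflow", body: null, labels: [], assignees: [] };

console.log(validatePr(goodPr));
console.log(validatePr(badPr));
```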

@DVidal1205 DVidal1205 self-assigned this Feb 7, 2026
@DVidal1205 DVidal1205 requested a review from a team as a code owner February 7, 2026 21:11
@DVidal1205 DVidal1205 added Feature New Feature or Request Minor Small change - 1 reviewer required Global Change modifies code for the entire repository labels Feb 7, 2026

coderabbitai bot commented Feb 7, 2026

Walkthrough

Adds a CodeRabbit monorepo governance file, updates example environment variables, adjusts GitHub Actions CI (new build and pr-checks jobs, permissions), removes Renovate config, tweaks the PR template, and adds a CI/lint skipValidation flag to apps/guild/src/env.ts.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Monorepo governance: ./.coderabbit.yml | New comprehensive CodeRabbit config: global settings, per-path governance, pre-merge checks (title/description, secrets, env access, TS rules), tools toggles, auto-review/labeling, codegen, chat/knowledge/issue enrichment. |
| Environment example: .env.example | Replaced BETTER_AUTH_SECRET with AUTH_SECRET; added Stripe keys; refactored Discord vars to DISCORD_WEBHOOK_* and consolidated weather key; added Google GOOGLE_PRIVATE_KEY_B64/GOOGLE_CLIENT_EMAIL; added Minio MINIO_* and BLADE_URL; added Passkit base64 cert/env vars and identifiers; updated Listmonk defaults. |
| CI workflows: .github/workflows/ci.yml | Added permissions; removed env-copy step from lint job; introduced build job (depends on lint/format/typecheck); added pr-checks job for PR metadata validation. |
| PR template & Renovate config: .github/PULL_REQUEST_TEMPLATE, .github/renovate.json | PR template: added "Issue(s):" section and small formatting tweaks. Deleted Renovate config file. |
| App env flag: apps/guild/src/env.ts | Exported skipValidation flag set to `!!process.env.CI |

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Repo as Repository
    participant GH as GitHub Actions
    participant CR as CodeRabbit

    Dev->>Repo: push branch / open PR
    Repo->>GH: trigger workflows (pull_request)
    GH->>GH: run lint, format, typecheck
    GH->>GH: run build (after lint/format/typecheck)
    GH->>GH: run pr-checks (labels/title/assignees)
    GH->>CR: call CodeRabbit for auto-review/labels per `.coderabbit.yml`
    CR->>Repo: suggest labels, reviewers, comments
    GH->>Repo: block or allow merge based on checks

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Guild

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title follows the required format with issue number [#328] and concise description, accurately summarizing the main change of updating PR workflow and automation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| No Hardcoded Secrets | ✅ Passed | No hardcoded API keys, passwords, tokens, or secrets found as string literals in the pull request. |
| Validated Env Access | ✅ Passed | The pull request does not introduce any violations of the env access validation rule. The only application code file modified is apps/guild/src/env.ts, which is a designated env configuration file where direct process.env usage is appropriate and necessary. |
| No Typescript Escape Hatches | ✅ Passed | No TypeScript escape hatches (any type, @ts-ignore, @ts-expect-error, or non-null assertions) detected in the PR changes. |

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
.env.example (2)

21-21: Provide a placeholder value for consistency.

DISCORD_WEBHOOK_ANIMAL is the only Discord webhook variable with an empty value while others have descriptive placeholders. For consistency and clearer documentation, consider adding a placeholder like the others:

-DISCORD_WEBHOOK_ANIMAL=""
+DISCORD_WEBHOOK_ANIMAL="discord-webhook-animal"

51-51: Add trailing newline to satisfy dotenv-linter.

The file is missing a blank line at the end, which dotenv-linter expects. Adding it ensures the file follows POSIX text file conventions:

 LISTMONK_FROM_EMAIL="ci@localhost"
+

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
coderabbitai bot previously requested changes Feb 7, 2026

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.env.example:
- Around line 19-23: Rename the ambiguous environment variable
DISCORD_WEBHOOK_REMINDERS_HACK to a clearer name (e.g.,
DISCORD_WEBHOOK_REMINDERS_HACKATHON) by updating .env.example and all code
references that read process.env.DISCORD_WEBHOOK_REMINDERS_HACK (or similar
config access) to use the new identifier; also reorder the keys alphabetically
in .env.example if you want to satisfy dotenv-linter (place REMINDERS_HACKATHON
before REMINDERS_PRE) and update any README or deployment config that documents
the variable name.

In @.github/workflows/ci.yml:
- Around line 48-58: The build job lacks an explicit permissions block; add a
minimal, explicit permissions YAML key to the build job (the job named "build")
to follow least-privilege practices—e.g., include a permissions mapping that
scopes token access to only what's required for a build (for example: contents:
read and packages: read, and only add id-token or write scopes if the build
actually needs them); update the "build" job's top-level keys (near
runs-on/needs/steps) to include this permissions block.
- Around line 60-74: The pr-checks job currently runs the
actions/github-script@v7 step without an explicit permissions block; add an
explicit permissions: {} entry to the pr-checks job definition so the job runs
with no GitHub token scopes (least-privilege). Update the pr-checks job YAML to
include permissions: {} at the same indentation level as runs-on and steps,
keeping the existing steps (including the actions/github-script@v7 usage and its
script) unchanged.

@DVidal1205 DVidal1205 changed the title [#328] Update PR Workflow Update PR Workflow Feb 7, 2026
@DVidal1205 DVidal1205 changed the title Update PR Workflow [#328] Update PR Workflow Feb 7, 2026
coderabbitai bot previously requested changes Feb 7, 2026

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.env.example:
- Line 8: Replace the AUTH_SECRET entry in .env.example with the
library-preferred BETTER_AUTH_SECRET variable name and populate it with a secure
example (a high-entropy string of at least 32 characters) so the example matches
the documented convention and prevents production errors; update the AUTH_SECRET
line to BETTER_AUTH_SECRET and use a long placeholder value (e.g., a 32+
character random-looking secret) to illustrate required entropy.

In @.github/PULL_REQUEST_TEMPLATE:
- Around line 9-13: Add a short, one-line example and guidance under the
"Issue(s):" heading in the pull request template showing how to reference issues
(e.g., include example syntaxes like "Fixes `#123`" and "Refs `#123`") so
contributors know how to auto-link and auto-close issues; update the block that
currently contains "Issue(s):" to include a brief example sentence and two
sample link formats to serve as guidance for proper issue linking.

In @.github/workflows/ci.yml:
- Line 71: Update the GitHub Action usage from actions/github-script@v7 to
actions/github-script@v8 by replacing the version token used in the workflow
step (the line containing "uses: actions/github-script@v7"); after changing, run
tests in a draft PR to validate behavior against Node.js 24, review the v8
breaking changes in the actions/github-script release notes, and ensure runner
versions meet the minimum required (v2.327.1+) for any self-hosted runners
before merging.

.env.example Outdated
# openssl rand -base64 32
# https://next-auth.js.org/configuration/options#secret
BETTER_AUTH_SECRET=""
AUTH_SECRET=""

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Better Auth library environment variable AUTH_SECRET configuration

💡 Result:

In Better Auth, the encryption/signing secret can be provided either via config or environment variables:

Typical .env / .env.local

BETTER_AUTH_SECRET=your-high-entropy-secret-at-least-32-chars

(better-auth.com)

Or pass it explicitly in code

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  secret: process.env.BETTER_AUTH_SECRET, // or process.env.AUTH_SECRET
});

(better-auth.com)

Requirements / behavior

  • Use a high-entropy secret, minimum 32 characters; recommended generation:
    openssl rand -base64 32
    (better-auth.com)
  • If neither env var is set, Better Auth falls back to a default secret during development, but in production it throws an error if the secret isn’t set. (better-auth.com)

Use BETTER_AUTH_SECRET instead of AUTH_SECRET—it's the library's official variable name.

Better Auth prefers BETTER_AUTH_SECRET (the documented, canonical env var). While AUTH_SECRET is also supported, using the preferred convention ensures better maintainability and aligns with the library's documentation. Also populate with a secure example:

- AUTH_SECRET=""
+ BETTER_AUTH_SECRET="your-secret-here-min-32-chars-use-openssl-rand-base64-32"
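
Review bot: the value on the `+` line is itself longer than 32 characters, so a .env copied from this example passes a length-only check while using a string that is public in the repository. Keep the example value empty and rely on the `openssl rand -base64 32` comment already above the key, or have env validation reject this exact placeholder.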

The secret must be at least 32 characters of high entropy in production—an empty string will cause errors in production deployments.

Suggested change
AUTH_SECRET=""
BETTER_AUTH_SECRET="your-secret-here-min-32-chars-use-openssl-rand-base64-32"
🧰 Tools
🪛 dotenv-linter (4.0.0)

[warning] 8-8: [QuoteCharacter] The value has quote characters (', ")

(QuoteCharacter)

🤖 Prompt for AI Agents
In @.env.example at line 8, Replace the AUTH_SECRET entry in .env.example with
the library-preferred BETTER_AUTH_SECRET variable name and populate it with a
secure example (a high-entropy string of at least 32 characters) so the example
matches the documented convention and prevents production errors; update the
AUTH_SECRET line to BETTER_AUTH_SECRET and use a long placeholder value (e.g., a
32+ character random-looking secret) to illustrate required entropy.

@DVidal1205
Contributor Author

Ready for review

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/ci.yml:
- Around line 76-83: The PR check script currently validates labels, assignees
and title but misses verifying the PR body links an issue; update the script
that references the pull_request object (variable pr) to also inspect pr.body
for an issue reference (e.g. patterns like /#\d+/,
/(closes|fixes|resolves)\s+#\d+/i, or a GitHub issue URL) and push an error into
the e array if none found; ensure the new message (e.g. "Missing linked issue in
PR body.") is added to e so core.setFailed still reports it along with the other
checks.

In `@apps/guild/src/env.ts`:
- Around line 11-12: The skipValidation flag currently uses !!process.env.CI
which disables env validation in all CI jobs; change its predicate to an
explicit opt-in like process.env.SKIP_ENV_VALIDATION === "true" (or keep the
existing lint check) so only jobs that set SKIP_ENV_VALIDATION skip
validation—update the skipValidation line (referencing skipValidation,
process.env.CI, process.env.npm_lifecycle_event) to something like
process.env.SKIP_ENV_VALIDATION === "true" || process.env.npm_lifecycle_event
=== "lint".
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

51-67: Please validate the new build job in a fork/draft PR.

This adds a new gating stage; running it in a draft/fork PR first reduces the risk of blocking main if the build or .env setup behaves differently in CI.

As per coding guidelines: "Test workflow changes in a fork or draft PR first."

Comment on lines +11 to +12
skipValidation:
!!process.env.CI || process.env.npm_lifecycle_event === "lint",

⚠️ Potential issue | 🟠 Major

Avoid blanket skip of env validation in CI.

CI is true for all jobs, so this disables validation for build/typecheck too, which can hide missing or malformed envs. Prefer an explicit flag (or lint-only) to keep validation in other CI jobs.

🔧 Suggested fix
  skipValidation:
-    !!process.env.CI || process.env.npm_lifecycle_event === "lint",
+    process.env.SKIP_ENV_VALIDATION === "true" ||
+    process.env.npm_lifecycle_event === "lint",
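
Review bot: `SKIP_ENV_VALIDATION` on the first `+` line is a new variable that nothing in the visible lines documents. Add it, commented out, to .env.example with a note that only the literal `true` turns validation off, since the strict comparison ignores values such as `1` or `TRUE`.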

If you still want CI to skip validation for specific jobs, set SKIP_ENV_VALIDATION=true only in those workflow steps.

Suggested change
skipValidation:
!!process.env.CI || process.env.npm_lifecycle_event === "lint",
skipValidation:
process.env.SKIP_ENV_VALIDATION === "true" ||
process.env.npm_lifecycle_event === "lint",
🤖 Prompt for AI Agents
In `@apps/guild/src/env.ts` around lines 11 - 12, The skipValidation flag
currently uses !!process.env.CI which disables env validation in all CI jobs;
change its predicate to an explicit opt-in like process.env.SKIP_ENV_VALIDATION
=== "true" (or keep the existing lint check) so only jobs that set
SKIP_ENV_VALIDATION skip validation—update the skipValidation line (referencing
skipValidation, process.env.CI, process.env.npm_lifecycle_event) to something
like process.env.SKIP_ENV_VALIDATION === "true" ||
process.env.npm_lifecycle_event === "lint".
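
What the review comment above means for a build job, shown by running both predicates over the same environments. This is an added example, not the repository's env.ts: `loadEnv` is a stand-in for a schema validator, and `REQUIRED`, `run` and the job environments are constructed.

```javascript
// Added example: merged predicate vs. the opt-in predicate from the review.
const REQUIRED = ["AUTH_SECRET", "BLADE_URL"]; // constructed key list

// Predicate as merged: any truthy CI value turns validation off.
function blanketSkip(env) {
  return !!env.CI || env.npm_lifecycle_event === "lint";
}

// Predicate from the review: skipping is an explicit, per-step opt-in.
function optInSkip(env) {
  return (
    env.SKIP_ENV_VALIDATION === "true" || env.npm_lifecycle_event === "lint"
  );
}

// Stand-in validator: throws on any missing or blank required variable.
function loadEnv(env, skip) {
  if (skip) return "skipped";
  const missing = REQUIRED.filter((k) => !env[k] || env[k].trim() === "");
  if (missing.length > 0) {
    throw new Error("Invalid environment variables: " + missing.join(", "));
  }
  return "validated";
}

function run(predicate, env) {
  try {
    return loadEnv(env, predicate(env));
  } catch (err) {
    return "failed: " + err.message;
  }
}

// Constructed job environments. GitHub Actions sets CI=true on every job.
const lintJob = { CI: "true", npm_lifecycle_event: "lint" };
const buildJob = {
  CI: "true",
  npm_lifecycle_event: "build",
  AUTH_SECRET: "", // left blank, as in an unfilled .env.example
  BLADE_URL: "http://localhost:3000",
};
// Environment variables are strings, so CI="false" is still truthy.
const ciFalse = { ...buildJob, CI: "false" };

for (const [name, env] of Object.entries({ lintJob, buildJob, ciFalse })) {
  console.log(name, "| merged:", run(blanketSkip, env), "| opt-in:", run(optInSkip, env));
}
```

With the merged predicate the blank `AUTH_SECRET` in the build job goes unnoticed; with the opt-in predicate the same job fails at load time and names the variable.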

coderabbitai bot previously requested changes Feb 7, 2026

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.env.example:
- Around line 8-9: Update .env.example to satisfy dotenv-linter: remove
surrounding quotes from values for keys like BETTER_AUTH_SECRET and AUTH_SECRET
(and other quoted entries at the ranges noted), sort/normalize key ordering to
match the linter's expected order across the file, and ensure the file ends with
a single trailing newline; apply the same unquoted/value and ordering fixes to
the other flagged ranges (21-25, 32-34, 37, 48-51) so dotenv-linter no longer
emits warnings.

@BryanTaylan BryanTaylan left a comment

lgtm

@DVidal1205 DVidal1205 added this pull request to the merge queue Feb 7, 2026
Merged via the queue into main with commit b4e3785 Feb 7, 2026
8 checks passed
@DVidal1205 DVidal1205 deleted the repo/workflows-and-dx branch February 7, 2026 22:50
alexanderpaolini added a commit that referenced this pull request Feb 8, 2026
commit b4e3785
Author: Dylan Vidal <111909137+DVidal1205@users.noreply.github.com>
Date:   Sat Feb 7 17:50:41 2026 -0500

    [#328] Update PR Workflow (#329)

    Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

commit 8751ca6
Author: Adrian Osorio Blanchard <osorioadrian04@gmail.com>
Date:   Sat Feb 7 17:07:19 2026 -0500

    [#330] Form URL not signed in redirect (#331)

commit c0f89b4
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Sat Feb 7 12:23:52 2026 -0500

    chore: remove everything email-queue

commit df04574
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Fri Feb 6 23:18:52 2026 -0500

    chore: update .env.example

commit ad63134
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Fri Feb 6 23:15:12 2026 -0500

    fix: add @forge/email to blade

commit e81a138
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Fri Feb 6 22:56:02 2026 -0500

    fix: add early return in hacker data

commit ce5a375
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Fri Feb 6 22:48:20 2026 -0500

    fix: format + lint + typecheck

commit b3d2be7
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Fri Feb 6 22:16:42 2026 -0500

    fix: transition all emailing to listmonk

commit 3a1e0d3
Author: DGoel1602 <rhygonfn@gmail.com>
Date:   Fri Feb 6 13:55:21 2026 -0500

    feat: add email package
@coderabbitai coderabbitai bot mentioned this pull request Feb 8, 2026
2 tasks
@coderabbitai coderabbitai bot mentioned this pull request Mar 10, 2026
2 tasks