feat: chatbot#483
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review infoConfiguration used: Organization UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthrough환경 변수와 외부 챗봇 로더 스크립트를 추가하고, 출시 기반 Cloudflare Pages 배포 워크플로우를 새로 추가했으며, 개발자 도구 위치를 오른쪽에서 왼쪽으로 변경했습니다. Changes
Sequence Diagram(s)sequenceDiagram
participant Browser
participant Loader as "Chatbot Loader (external)"
participant WidgetSvc as "Chatbot Service / Widget"
Browser->>Loader: load https://chatbot.gistory.me/loader.js\n(with data-widget-key, colors, icons)
Loader->>WidgetSvc: initialize widget (widgetKey, config)
WidgetSvc-->>Loader: widget scripts/resources
Loader-->>Browser: render widget UI / attach to page
Browser->>WidgetSvc: user messages (via widget)
WidgetSvc-->>Browser: bot responses
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Deploying ziggle-fe with
|
| Latest commit: |
fa248af
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://b861e0da.ziggle-fe.pages.dev |
| Branch Preview URL: | https://paperstar-zgf-51-chatbot.ziggle-fe.pages.dev |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (3)
.github/workflows/production.yml (1)
8-9: Job 이름이 실제 목적과 일치하지 않습니다.
preview-deploy라는 이름은 프로덕션 배포 워크플로우에 적합하지 않습니다.production-deploy와 같이 명확한 이름으로 변경하는 것을 권장합니다.♻️ 제안된 수정
jobs: - preview-deploy: + production-deploy: runs-on: ubuntu-latest🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/production.yml around lines 8 - 9, Rename the workflow job id "preview-deploy" to a name that matches its purpose (e.g., "production-deploy") so the job name reflects this is a production deployment; update every reference to the job id in the workflow file (job declaration "preview-deploy" and any uses like needs:, if present) to the new "production-deploy" identifier to keep the workflow consistent..env.example (1)
6-7: 정적 분석 도구의 린트 경고를 수정하세요.dotenv-linter가 다음 문제를 감지했습니다:
- 환경 변수 키가 알파벳 순서로 정렬되어 있지 않음
- 파일 끝에 빈 줄이 없음
♻️ 제안된 수정
VITE_AMPLITUDE_API_KEY= +VITE_API_BASE_URL=https://api.stg.ziggle.gistory.me +VITE_CHATBOT_WIDGET_KEY= VITE_IDP_CLIENT_ID= VITE_IDP_AUTHORIZE_URL= VITE_IDP_TOKEN_URL= VITE_IDP_REDIRECT_URI= -VITE_API_BASE_URL=https://api.stg.ziggle.gistory.me -VITE_CHATBOT_WIDGET_KEY= +🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.env.example around lines 6 - 7, Sort the environment variable keys alphabetically and ensure the file ends with a newline: reorder the two entries so VITE_API_BASE_URL and VITE_CHATBOT_WIDGET_KEY appear in alphabetical order (VITE_API_BASE_URL after VITE_CHATBOT_WIDGET_KEY if needed) and add a single trailing newline at the end of the .env.example file; update the lines that define VITE_API_BASE_URL and VITE_CHATBOT_WIDGET_KEY accordingly so dotenv-linter warnings are resolved.index.html (1)
12-13: 외부 스크립트에 대한 보안 강화를 고려하세요.외부 도메인(
chatbot.gistory.me)에서 스크립트를 로드하고 있습니다. Subresource Integrity(SRI)를 추가하면 스크립트가 변조되었을 때 브라우저가 실행을 차단하여 보안을 강화할 수 있습니다.<script src="https://chatbot.gistory.me/loader.js" integrity="sha384-{hash}" crossorigin="anonymous" ... ></script>단, 외부 스크립트가 자주 업데이트되는 경우 SRI 해시 관리가 번거로울 수 있으므로 상황에 맞게 판단하세요.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@index.html` around lines 12 - 13, The external script tag loading "https://chatbot.gistory.me/loader.js" should include Subresource Integrity and crossorigin attributes to prevent executing tampered content; compute the SRI hash for loader.js and add integrity="sha384-..." plus crossorigin="anonymous" to the <script src="https://chatbot.gistory.me/loader.js"> element (or alternatively host a pinned copy or use a CSP nonce if the file changes frequently), and ensure you update the integrity value whenever the remote script is updated.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/production.yml:
- Around line 17-22: The production build step is missing required VITE_*
environment variables used/validated by getRequiredEnv in src/app.tsx and
referenced in index.html; update the build job (the "build" step) to export the
necessary GitHub Actions secrets as environment variables — at minimum add
VITE_IDP_* (all IDP-related VITE_IDP_* keys used by getRequiredEnv),
VITE_API_BASE_URL, and VITE_CHATBOT_WIDGET_KEY — so bun run build runs with
those secrets available (use secrets.<NAME> for each env var).
- Around line 23-24: The "Deploy to production" step currently uses the
deprecated action `uses: cloudflare/pages-action@v1.5.0`; change this to use the
supported `cloudflare/wrangler-action` (e.g., `uses:
cloudflare/wrangler-action@v1`) and update the step inputs to match
wrangler-action's required inputs (auth token, account/zone/project config, and
any env or args), ensuring any Pages-specific parameters are translated to the
wrangler equivalents in that step.
In `@index.html`:
- Around line 12-19: index.html injects the chatbot loader using the placeholder
%VITE_CHATBOT_WIDGET_KEY% (script tag attributes), but the production build job
doesn't pass VITE_CHATBOT_WIDGET_KEY into the build environment; update the CI
build step to add the VITE_CHATBOT_WIDGET_KEY environment variable and set it
from the repository secret named VITE_CHATBOT_WIDGET_KEY so the placeholder is
replaced at build time and the loader script receives the real widget key.
---
Nitpick comments:
In @.env.example:
- Around line 6-7: Sort the environment variable keys alphabetically and ensure
the file ends with a newline: reorder the two entries so VITE_API_BASE_URL and
VITE_CHATBOT_WIDGET_KEY appear in alphabetical order (VITE_API_BASE_URL after
VITE_CHATBOT_WIDGET_KEY if needed) and add a single trailing newline at the end
of the .env.example file; update the lines that define VITE_API_BASE_URL and
VITE_CHATBOT_WIDGET_KEY accordingly so dotenv-linter warnings are resolved.
In @.github/workflows/production.yml:
- Around line 8-9: Rename the workflow job id "preview-deploy" to a name that
matches its purpose (e.g., "production-deploy") so the job name reflects this is
a production deployment; update every reference to the job id in the workflow
file (job declaration "preview-deploy" and any uses like needs:, if present) to
the new "production-deploy" identifier to keep the workflow consistent.
In `@index.html`:
- Around line 12-13: The external script tag loading
"https://chatbot.gistory.me/loader.js" should include Subresource Integrity and
crossorigin attributes to prevent executing tampered content; compute the SRI
hash for loader.js and add integrity="sha384-..." plus crossorigin="anonymous"
to the <script src="https://chatbot.gistory.me/loader.js"> element (or
alternatively host a pinned copy or use a CSP nonce if the file changes
frequently), and ensure you update the integrity value whenever the remote
script is updated.
Summary by CodeRabbit
변경 사항
새로운 기능
배포
수정