@qvac/ci - npm Package Compare versions

Comparing version 0.2.0 to 0.2.1
+11
-2
CHANGELOG.md
# Changelog
## [0.2.1] - 2026-06-30
### Fixed
- README: remove stale GPR/`ci-mono` distribution note, correct `lib/commands/index.js` registration step (explicit import + push to commands array)
## [0.2.0] - 2026-06-24
### Added
- `--version` / `-v` flag: prints `qvac-ci v<version>` and exits
### Changed
- Removed the `paparam` dependency; CLI parsing now uses an internal zero-dependency module (`lib/cli.js`)
- Help output: usage line omits `[command]` for leaf commands and no longer duplicates flag short names
- Replace `paparam` runtime dependency with a zero-dependency internal CLI builder (`lib/cli.js`); no change to command behaviour or flags
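
Review bot: The `[0.2.0]` "Changed" list records the `paparam` removal twice, once as "Removed the `paparam` dependency…" and again as "Replace `paparam` runtime dependency…"; if both lines survive in the published file, keep one. The `[0.2.1]` "Fixed" entry also covers only the README, while this release changes `homepage` in `package.json` as well, so add a line for that metadata change.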

@@ -10,0 +19,0 @@ ## [0.1.0] - 2026-06-04

+2
-2
{
"name": "@qvac/ci",
"version": "0.2.0",
"version": "0.2.1",
"description": "CI utilities for the QVAC monorepo",

@@ -44,3 +44,3 @@ "author": "Tether",

},
"homepage": "https://github.com/tetherto/qvac/tree/main/packages/qvac-ci#readme",
"homepage": "https://qvac.tether.io",
"dependencies": {

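Review bot: With `homepage` set to `https://qvac.tether.io`, nothing in this hunk links to the package source any more. Confirm that the `repository` field (not visible here) still carries the monorepo URL and the package directory, so consumers can trace the published tarball back to the code it was built from.
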
@@ -47,0 +47,0 @@ "@octokit/auth-app": "^8.2.0",

# @qvac/ci
CI utilities — a modular, extensible CLI for GitHub automation. Replaces inline YAML scripts with tested, versioned Node.js commands.
CLI utilities for GitHub CI automation. Replaces inline YAML scripts with tested, versioned Node.js commands.
> **Note:** Development and feature builds are published to GitHub Packages (GPR) under the name `@qvac/ci-mono`. The unscoped `@qvac/ci` name is only available after a release-branch npm publish.
## Installation

@@ -23,7 +21,7 @@

Checks whether a PR has the required approvals from the right roles (Management, Team Lead, Member), then upserts a `## Review Status` comment on the PR summarising the current state.
Checks whether a PR has the required approvals from the right roles (Management, Team Lead, Member) and upserts a `## Review Status` comment on the PR summarising the current state.
Always exits with code `0` — this command is **informational only**. Merge enforcement is delegated to GitHub-native branch protection (CODEOWNERS + ruleset approval requirements).
Always exits `0` — informational only. Merge enforcement is handled by GitHub-native branch protection (CODEOWNERS + ruleset requirements).
> **Note:** This command is deprecated as part of the Tier 1 approval migration to native GitHub controls. It will be disabled after rollout validation.
> **Deprecated:** This command will be removed after the Tier 1 approval migration to native GitHub controls is complete.

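Review bot: The reworded deprecation notice gives no version or date for the removal and drops the earlier statement that the command is disabled after rollout validation. Because the command always exits `0`, it gives no signal as a required status check; say so next to the "informational only" sentence and name the release in which the command goes away.
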
@@ -48,3 +46,3 @@ ```bash

**Environment variables (required):**
**Required environment variables:**

@@ -54,6 +52,6 @@ | Variable | Description |

| `GITHUB_TOKEN` | Token used to post the review-status comment |
| `GITHUB_APP_ID` | GitHub App ID used for team membership resolution |
| `GITHUB_APP_ID` | GitHub App ID for team membership resolution |
| `GITHUB_PRIVATE_KEY` | GitHub App private key (PEM) |
Secrets are env-only — there are no `--token` flags. This prevents tokens from appearing in the process list, shell history, or CI log echoes.
Secrets are env-only — no `--token` flags — to prevent tokens from appearing in the process list or CI logs.
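
Review bot: The variable table says what `GITHUB_TOKEN`, `GITHUB_APP_ID` and `GITHUB_PRIVATE_KEY` are used for but not the minimum permissions each one needs; add them so workflows can grant least privilege. The shortened rationale line reads fine, but environment variables are inherited by child processes, so it is worth adding that the PEM key should be exposed only to the step that runs this command.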

@@ -76,20 +74,2 @@ **Example GitHub Actions step:**

**Comment format:**
The command upserts a single `## Review Status` comment on the PR (updates in place if one already exists):
```
## Review Status
**Current Status: ✅ APPROVED**
Approvals so far: Management: 1, Team Lead: 1
```
```
## Review Status
**Current Status: ❌ PENDING**
Approvals so far: Member: 1
Pending reviews: Needs 1 Management or Team Lead.
```
## Adding a new command
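
Review bot: Deleting the "Comment format" section removes both sample comment bodies, the only place where the `**Current Status:**`, "Approvals so far" and "Pending reviews" lines are documented. Keep a short description of the comment body in the command's section so anyone reading or matching on the comment has a reference for its shape.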

@@ -99,3 +79,3 @@

2. Create `lib/commands/<name>/helpers.js` — domain logic. Read secrets from `process.env`; never pass them as parameters. Export a mutable `helpers` object so tests can stub methods without a mock framework.
3. Register in `lib/commands/index.js` — `main.js` picks it up automatically.
3. Register in `lib/commands/index.js` — add an explicit `import` and push `.toCommand()` to the `commands` array. `main.js` spreads the array.
4. Write tests in `test/unit/<name>/index.test.js` and `test/unit/<name>/helpers.test.js`. Mock all network calls.
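
Review bot: Step 3 says to push `.toCommand()` onto the `commands` array without saying what it is called on; name the object the explicit `import` brings in so the step can be followed without opening `lib/commands/index.js`. Step 2's instruction to read secrets from `process.env` is consistent with the env-only rule earlier in the README and should stay as is.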

@@ -102,0 +82,0 @@