ci: add backend workflow for lint, tests, and audit checks#43

Open: srija-pixel wants to merge 2 commits into fuzziecoder:main from srija-pixel:ci/backend-workflow

Conversation

@srija-pixel (Contributor) commented Feb 22, 2026

Added GitHub Actions backend workflow to run on pull requests touching backend.

Includes:

  • dependency installation check
  • backend startup validation
  • npm security audit

Ensures backend CI checks run automatically.

Summary by CodeRabbit

  • Chores
    • Added a backend continuous-integration workflow that automatically runs on backend pull requests: installs dependencies, performs a lightweight smoke start of the backend, and runs a security audit to surface issues early.

@vercel vercel bot commented Feb 22, 2026

@srija-pixel is attempting to deploy a commit to the Revon Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai coderabbitai bot commented Feb 22, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough

Adds a new GitHub Actions workflow (.github/workflows/backend.yml) that runs on pull requests affecting the backend directory: checks out code, sets up Node.js 20, installs dependencies, starts the backend briefly as a smoke test, and runs npm audit.

Changes

Cohort / File(s) | Summary
--- | ---
Backend CI Workflow: `.github/workflows/backend.yml` | Adds a new "Backend CI" workflow triggered on PRs touching `backend/**`. Steps: checkout, setup Node 20, `npm install`, start `backend/server.js` in background (sleep 5s, kill), and run `npm audit`.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant GitHub as GitHub Actions
    participant Runner as CI Runner
    participant Repo as Repository
    participant Node as Node.js env
    participant Server as Backend Server
    participant Audit as npm Audit
    GitHub->>Runner: Trigger on PR affecting backend/**
    Runner->>Repo: actions/checkout@v4
    Runner->>Node: setup-node@v4 (Node 20)
    Runner->>Node: npm install
    Runner->>Server: start node backend/server.js (background)
    Runner->>Server: sleep 5s then kill process
    Runner->>Audit: npm audit || true
    Audit-->>Runner: audit results
    Runner-->>GitHub: job result
```

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped into code with a CI cheer,
Node set to twenty, the server peeks near,
A brief little start, then a silent goodbye,
npm audits the burrow for bugs fluttering by,
Hooray for green checks and a carrot-shaped sigh 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
--- | --- | --- | ---
Title check | ⚠️ Warning | The title mentions 'lint, tests, and audit checks' but the actual workflow only includes a startup validation and audit checks, with no linting or testing framework present. | Update the title to accurately reflect the workflow contents: 'ci: add backend workflow for startup validation and audit checks' or similar to match the actual implementation.

✅ Passed checks (2 passed)

Check name | Status | Explanation
--- | --- | ---
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/backend.yml (1)

24-28: Smoke test doesn't verify server health.

The current approach sleeps for 5 seconds without checking if the server actually started. If the server crashes immediately, the step still passes. Consider adding a health check request.

♻️ Proposed improvement with health check
       - name: Start backend briefly
         run: |
           node backend/server.js &
+          SERVER_PID=$!
           sleep 5
-          kill $! || true
+          curl --fail --silent --max-time 5 http://localhost:3000/health || (echo "Server health check failed" && exit 1)
+          kill $SERVER_PID || true
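Review bot: the added curl line assumes the backend listens on localhost:3000 and serves /health, neither of which this PR establishes (the comment itself goes on to allow that no health endpoint exists), so on a server with a different port or path the step fails even though the process is fine; take the URL from the same environment the server reads its port from, or fall back to the kill -0 check when no endpoint is known. Two smaller points: `exit 1` runs before `kill $SERVER_PID`, so the explicit cleanup is skipped on the failure path (a `trap 'kill $SERVER_PID 2>/dev/null || true' EXIT` right after `SERVER_PID=$!` covers both paths), and `node backend/server.js` still runs after the root-level `npm install` that the other inline comment flags, so until that install step moves to backend/ the smoke test fails for missing dependencies rather than for a server defect.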

If no health endpoint exists, at minimum check the process is still running:

```yaml
      - name: Start backend briefly
        run: |
          node backend/server.js &
          SERVER_PID=$!
          sleep 5
          # fail the step if the process is no longer alive
          if ! kill -0 $SERVER_PID 2>/dev/null; then
            echo "Server process crashed"
            exit 1
          fi
          kill $SERVER_PID || true
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/backend.yml around lines 24 - 28, the smoke test step "Start backend briefly" currently just sleeps and may miss a crashed process; update that step to start backend/server.js in background, capture its PID (e.g., SERVER_PID), then verify the server is healthy before killing it—preferably by issuing an HTTP health-check request to the server's health endpoint and failing the step if the check does not return success, otherwise fall back to checking the process is still alive with kill -0 $SERVER_PID and exit non-zero if it crashed, then cleanly kill the process.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/backend.yml:
- Around line 30-31: The "Run security audit" step currently uses "npm audit || true" in the repo root which both silences failures and runs in the wrong directory; update the step so it runs in the backend directory (set working-directory to backend) and remove the "|| true" so the job fails on vulnerabilities, and add an audit level flag such as "--audit-level=high" (or "--audit-level=critical" if preferred) to the npm audit command to only fail on high/critical issues.
- Around line 21-22: The "Install dependencies" CI step currently runs `npm install` in the repo root (step name "Install dependencies", run: `npm install`), so backend deps aren't installed; update that step to run in the backend package directory—either set the step's working-directory to "backend" or run installation with a prefix (e.g., `npm ci --prefix backend`) so the backend/package.json is used and dependencies are installed correctly.

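The smoke-test step discussed in the review above, written as an added example in POSIX sh; this is not code from the PR or from the review bot. `smoke_test` starts a server command in the background, waits, then checks health either through an HTTP endpoint (when `SMOKE_HEALTH_URL` is set; it assumes curl is on the runner and that the backend really serves that URL, which the review notes is not guaranteed) or, failing that, through the `kill -0` liveness check. The names `smoke_test`, `SMOKE_WAIT` and `SMOKE_HEALTH_URL` are introduced here. Unlike the proposed hunk, the background process is killed on every path, so a failed check never skips the cleanup.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or from the review bot: the smoke-test
# step from the review as a reusable POSIX sh function.
#   smoke_test '<server command>'
# starts the command in the background, waits SMOKE_WAIT seconds (default 5;
# the variable is introduced here), then decides health:
#   - SMOKE_HEALTH_URL set -> GET it with curl (assumes curl is on the runner
#                             and that the backend really serves that URL);
#   - otherwise            -> process-liveness check with kill -0.
# The background process is killed on every path, so a failed check never
# leaves the server running behind the step.

smoke_test() {
  server_cmd=$1
  wait_secs=${SMOKE_WAIT:-5}

  # Run the server command through sh so a plain string can be passed in.
  sh -c "$server_cmd" &
  server_pid=$!

  sleep "$wait_secs"

  status=0
  if [ -n "${SMOKE_HEALTH_URL:-}" ]; then
    # --fail turns any non-2xx reply into a non-zero exit; connection refused
    # and timeouts are non-zero as well.
    if ! curl --fail --silent --max-time 5 "$SMOKE_HEALTH_URL" >/dev/null; then
      echo "Server health check failed: $SMOKE_HEALTH_URL" >&2
      status=1
    fi
  elif ! kill -0 "$server_pid" 2>/dev/null; then
    # No health endpoint: at least confirm the process did not exit early.
    echo "Server process crashed (pid $server_pid)" >&2
    status=1
  fi

  # Clean up unconditionally, then reap the child so no zombie is left behind.
  kill "$server_pid" 2>/dev/null || true
  wait "$server_pid" 2>/dev/null || true
  return "$status"
}
```

In a workflow step this would be sourced and called as `smoke_test 'node backend/server.js'` from the directory where the backend's dependencies were installed; the path of the script is whatever the repository chooses, not something this PR defines. One caveat a practitioner should know: `kill -0` also succeeds for a zombie, so the liveness check is only reliable because the calling shell reaps its own background children; the trailing `wait` keeps that property inside the function.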

Comment on lines +30 to +31 of .github/workflows/backend.yml:
    - name: Run security audit
      run: npm audit || true
    \ No newline at end of file

⚠️ Potential issue | 🟠 Major

Security audit is ineffective and runs in wrong directory.

Two issues:

  1. || true means this step always passes, even with critical vulnerabilities—defeating the purpose of CI security checks.
  2. Like npm install, this runs in the repo root instead of backend/.
🐛 Proposed fix
       - name: Run security audit
-        run: npm audit || true
+        run: npm audit --audit-level=high
+        working-directory: backend
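Review bot: moving the audit to `working-directory: backend` only yields results if npm has something to audit there; the install step in this workflow is still a root-level `npm install` (see the inline comment on lines 21-22), so unless backend/package-lock.json is committed, `npm audit` run in backend/ errors out for lack of a lockfile instead of reporting findings, and the step fails for the wrong reason. Move the install step to the same working directory (or use `npm ci --prefix backend`) in the same change. `--audit-level=high` is a sensible default gate; if dev tooling turns out to dominate the findings, `--omit=dev` scopes the audit to the dependencies that actually ship with the backend.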

Using --audit-level=high will fail only on high/critical vulnerabilities while allowing moderate/low ones to pass. Adjust to --audit-level=critical if you want even less strict enforcement.

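To make concrete what `--audit-level=high` does to the exit status, and why `|| true` defeats it, here is an added example (not code from the PR or from the review bot) of a severity gate over an `npm audit --json` report. The report layout, a `metadata.vulnerabilities` object holding one count per severity, is assumed from npm 7+ output; the sample report is constructed for this example, and the function names `severity_rank`, `count_for` and `audit_gate` are introduced here.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or from the review bot: a severity gate
# over an `npm audit --json` report, mirroring what `--audit-level=<level>` does
# to npm's exit status. The report layout (metadata.vulnerabilities holding one
# count per severity) is assumed from npm 7+ output; the sample report below is
# constructed for this example and is not real audit output.

# Numeric rank per severity so a threshold can be compared with -ge.
severity_rank() {
  case "$1" in
    info)     echo 0 ;;
    low)      echo 1 ;;
    moderate) echo 2 ;;
    high)     echo 3 ;;
    critical) echo 4 ;;
    *) echo "unknown severity: $1" >&2; return 2 ;;
  esac
}

# Pull the count for one severity out of the report, e.g. '"high": 1' -> 1.
# Per-package entries use '"severity": "high"' (no colon after the name), so the
# pattern only matches the metadata count line.
count_for() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | head -n 1
}

# audit_gate <level> <report.json>: exit 0 when nothing at or above <level> was
# found, 1 otherwise. Wrapping the call in `|| true`, as the reviewed workflow
# did with npm audit, would discard exactly this status.
audit_gate() {
  level=$1
  report=$2
  min=$(severity_rank "$level") || return 2
  failing=0
  for sev in info low moderate high critical; do
    rank=$(severity_rank "$sev")
    n=$(count_for "$sev" "$report")
    n=${n:-0}
    if [ "$rank" -ge "$min" ] && [ "$n" -gt 0 ]; then
      echo "audit gate: $n $sev finding(s) at or above level '$level'" >&2
      failing=$((failing + n))
    fi
  done
  [ "$failing" -eq 0 ]
}

# Constructed sample report: one high, two moderate, one low finding.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-pkg": { "name": "example-pkg", "severity": "high", "isDirect": true }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 2,
      "high": 1,
      "critical": 0,
      "total": 4
    }
  }
}
EOF
```

Against this report `audit_gate critical` passes while `audit_gate high` fails, which is the same distinction the review draws between `--audit-level=critical` and `--audit-level=high`. In CI the plain `npm audit --audit-level=high` is all that is needed; a gate like this one is only worth keeping when the raw JSON is also archived for triage.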
