
Add GitHub Pages site with SEO and project icon #64

Merged
oleg-koval merged 6 commits into main from feat/github-pages-website on Apr 4, 2026

Conversation

@oleg-koval (Owner) commented Apr 4, 2026

Summary

Add a dedicated GitHub Pages website for the package with a minimal visual identity, focused installation/usage content, and built-in SEO metadata.

Problem

The repository did not have a public landing page optimized for discoverability or quick onboarding.

Solution

Implemented a static site/ with focused docs content, a custom project icon, and a Pages deployment workflow.

Changes

  • Add site/index.html landing page with package-focused sections
  • Add site/styles.css with a minimal but intentional visual system
  • Add site/assets/icon.svg and use it as favicon + hero icon
  • Add SEO and social metadata (canonical, OG, Twitter, JSON-LD)
  • Add crawler assets: site/robots.txt, site/sitemap.xml
  • Add .github/workflows/pages.yml to deploy site/ on pushes to main

Out of scope

  • Dynamic docs generation
  • Blog/news pages
  • Analytics integration

Related issues

None

Validation

  • npm test
  • npm run docs:index:check

Screenshots / Demo

N/A

Risk and impact

Low risk. Isolated to GitHub Pages static assets and workflow.

Breaking changes

None

Documentation

Site content mirrors existing README install/usage behavior.

Reviewer notes

OG/Twitter image currently references SVG icon; can switch to PNG social card if preferred by preview consumers.

@coderabbitai (Contributor) Bot commented Apr 4, 2026

Warning

Rate limit exceeded

@oleg-koval has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 33 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f4a5f407-4a87-46d6-bbdc-8efbff34e5a7

📥 Commits

Reviewing files that changed from the base of the PR and between 54b1b95 and 780c91e.

⛔ Files ignored due to path filters (1)
  • site/assets/icon.svg is excluded by !**/*.svg
📒 Files selected for processing (7)
  • .github/workflows/pages.yml
  • package.json
  • readme.md
  • site/index.html
  • site/robots.txt
  • site/sitemap.xml
  • site/styles.css

@qodo-code-review

Review Summary by Qodo

Add GitHub Pages site with SEO, deployment workflow, and Dependabot automation

✨ Enhancement 📝 Documentation


Walkthroughs

Description
• Add GitHub Pages landing site with SEO metadata and branding
• Implement automated Pages deployment workflow on site changes
• Add Dependabot auto-merge workflow for safe npm patch updates
• Clarify branch migration guidance in README documentation
• Fix Dependabot lockfile fixer condition for reopened PRs
Diagram

```mermaid
flowchart LR
  A["Site Assets<br/>HTML, CSS, Icon"] -->|Deploy| B["GitHub Pages<br/>Workflow"]
  B -->|Publish| C["Live Site<br/>with SEO"]
  D["Dependabot PR"] -->|Auto-merge| E["Dependabot<br/>Auto-merge Workflow"]
  E -->|Safe Updates| F["npm Patches"]
  G["README"] -->|Migration Guide| H["Branch Config<br/>Documentation"]
```


File Changes

1. site/index.html 📝 Documentation +143/-0

Landing page with full SEO metadata

• Create landing page with hero section, install/usage examples, and feature cards
• Include comprehensive SEO metadata: Open Graph, Twitter Card, JSON-LD schema
• Add canonical URL and robots meta for search engine optimization
• Link favicon and Google Fonts for visual branding

2. site/styles.css ✨ Enhancement +184/-0

Minimal visual design system and responsive styles

• Define CSS custom properties for consistent color scheme and typography
• Implement responsive grid layout with mobile breakpoints
• Add animations for hero section and button interactions
• Style components: hero, panels, cards, buttons with modern design system

3. site/robots.txt 📝 Documentation +4/-0

Crawler configuration for SEO

• Allow all crawlers to index the site
• Reference sitemap for search engine discovery

4. site/sitemap.xml 📝 Documentation +8/-0

XML sitemap for search engines

• Define single URL entry for the landing page
• Set weekly change frequency and priority 1.0

5. .github/workflows/pages.yml ✨ Enhancement +41/-0

GitHub Pages deployment automation workflow

• Create workflow to deploy site directory to GitHub Pages on main branch pushes
• Trigger on changes to site/** or workflow file itself
• Use official GitHub Pages actions for setup and deployment
• Include manual workflow dispatch option

6. .github/workflows/dependabot-auto-merge.yml ✨ Enhancement +41/-0

Dependabot auto-merge workflow for patch updates

• Create workflow to auto-merge safe Dependabot npm patch updates
• Trigger on PR opened, reopened, synchronize, and ready_for_review events
• Fetch Dependabot metadata and enable auto-merge for semver-patch updates only
• Use concurrency to prevent duplicate runs

7. .github/workflows/dependabot-lockfile-fixer.yml 🐞 Bug fix +1/-1

Fix Dependabot detection for reopened PRs

• Fix condition to use github.event.pull_request.user.login instead of github.actor
• Ensures lockfile fixer runs on reopened Dependabot PRs correctly

8. readme.md 📝 Documentation +18/-0

Document branch configuration and Dependabot features

• Add migration notice highlighting that preset does not hardcode release branches
• Include example configuration for repositories releasing from master branch
• Update changelog to document branch migration and Dependabot auto-merge feature
• Clarify that consumers must set branches config when not using main


@qodo-code-review Bot commented Apr 4, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)

Action required

1. Lockfile fixer rerun loop 🐞 Bug ☼ Reliability
Description
The lockfile-fixer job now keys off PR author (dependabot) rather than the triggering actor, so it
will also run on later pull_request_target synchronize events for that PR even when the actor is
not Dependabot (e.g., GitHub Actions), increasing the likelihood of repeated runs on the same PR
branch. Because the workflow checks out the PR head ref and runs with write permissions, this also
expands when privileged execution against the PR branch can occur.
Code

.github/workflows/dependabot-lockfile-fixer.yml[R22-23]

+      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
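Review bot: switching the gate from `github.actor` to `github.event.pull_request.user.login` removes the only check on who caused the event, so every later `synchronize` on a Dependabot-authored PR now passes the condition, and per the evidence above each run checks out the PR head ref with a write-scoped token under `pull_request_target`. If the intent is just to catch `reopened`, keep the author check but add a third clause, `github.actor != 'github-actions[bot]'`, so runs triggered by automation on the same branch are filtered out; the `head.repo.full_name == github.repository` clause is correct and should stay, since it is what keeps fork-sourced PRs out of the privileged context.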
Evidence
The workflow is triggered by pull_request_target including synchronize, and it grants write
permissions, checks out the PR head ref using secrets.GITHUB_TOKEN, and then runs the
lockfile-fixer action; changing the gate from github.actor to
github.event.pull_request.user.login means future synchronize events for the same
Dependabot-authored PR are no longer filtered by who caused the synchronize event.

.github/workflows/dependabot-lockfile-fixer.yml[3-13]
.github/workflows/dependabot-lockfile-fixer.yml[20-34]
.github/workflows/dependabot-lockfile-fixer.yml[40-45]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`dependabot-lockfile-fixer.yml` now uses the PR author (`github.event.pull_request.user.login`) to gate execution. This allows the workflow to run on `synchronize` events for the same Dependabot PR even when the event actor is *not* Dependabot (e.g., `github-actions[bot]` after automation updates the PR branch), which can cause repeated executions and expands when privileged execution occurs.

### Issue Context
This workflow runs on `pull_request_target` and checks out the PR head ref with a write-scoped token.

### Fix Focus Areas
- .github/workflows/dependabot-lockfile-fixer.yml[20-34]

### Suggested fix
Amend the job `if:` to also require the triggering actor to not be `github-actions[bot]` (or to be `dependabot[bot]`). For example:

```yaml
if: >
 github.event.pull_request.user.login == 'dependabot[bot]' &&
 github.event.pull_request.head.repo.full_name == github.repository &&
 github.actor != 'github-actions[bot]'
```

(Alternatively, revert to `github.actor == 'dependabot[bot]'` if you explicitly only want Dependabot-triggered events.)

Remediation recommended

2. Unpinned privileged PR action 🐞 Bug ⛨ Security
Description
The new Dependabot auto-merge workflow runs on pull_request_target with contents: write and
pull-requests: write and executes dependabot/fetch-metadata@v2 using secrets.GITHUB_TOKEN, so
a compromised third-party action (or mutable tag) would execute with write-capable permissions in
the base-repo context. This increases the blast radius compared to pinning actions and/or separating
read-only metadata collection from the write-capable merge step.
Code

.github/workflows/dependabot-auto-merge.yml[R3-33]

+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  enable-auto-merge:
+    if: >
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
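Review bot: the `permissions:` block grants `contents: write` and `pull-requests: write` to the whole workflow, and the first step then hands `secrets.GITHUB_TOKEN` to `dependabot/fetch-metadata@v2`, a third-party action referenced by a mutable tag, inside a `pull_request_target` job. Pin the action to a full commit SHA, remove the workflow-level `permissions:` block, and give the metadata step only `contents: read` and `pull-requests: read`, keeping write permission for the step that actually enables auto-merge. The `if:` condition itself (author is `dependabot[bot]`, head repo equals `github.repository`, not a draft) is the right gate and should be kept as written.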
Evidence
The workflow is pull_request_target-triggered, grants write permissions at workflow scope, and
calls a third-party action (dependabot/fetch-metadata@v2) while providing the repository token;
that action therefore runs with the job’s write permissions.

.github/workflows/dependabot-auto-merge.yml[3-14]
.github/workflows/dependabot-auto-merge.yml[27-33]
Best Practice: GitHub Actions Security Hardening

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`dependabot-auto-merge.yml` runs a third-party action (`dependabot/fetch-metadata@v2`) inside a `pull_request_target` workflow with write-scoped permissions. If the action (or the mutable `v2` tag) is compromised, it can act with write permissions to the repository.

### Issue Context
The workflow needs write permissions only for the final `gh pr merge --auto` step; metadata retrieval can be done with read-only permissions.

### Fix Focus Areas
- .github/workflows/dependabot-auto-merge.yml[3-41]

### Suggested fix
1) Pin `dependabot/fetch-metadata` to a specific commit SHA.
2) Split into two jobs:
  - Job A (read-only permissions) runs `fetch-metadata` and outputs whether the PR qualifies.
  - Job B (write permissions) runs only `gh pr merge --auto --merge` when Job A says it qualifies, and avoids running any third-party actions.

This preserves functionality while reducing the blast radius of third-party code in a privileged `pull_request_target` context.

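The two-job split suggested in the review above, written out as an added example; this is not the project's workflow and not code from the PR. It assumes, as the PR summary states, that only semver-patch npm updates should be auto-merged; the `npm_and_yarn` ecosystem name, the job names `classify` and `enable-auto-merge`, and the all-zero SHA on the `uses:` line (a placeholder for the real commit of the `fetch-metadata` v2 release) are my choices and must be adjusted before use.

```yaml
name: Dependabot auto-merge (hardened example)

on:
  pull_request_target:
    types: [opened, reopened, synchronize, ready_for_review]

# No workflow-level write permissions: each job asks only for what it needs.
permissions: {}

concurrency:
  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  # Job A: read-only. The only third-party code in the workflow runs here,
  # with a GITHUB_TOKEN that cannot write to the repository.
  classify:
    if: >
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      !github.event.pull_request.draft
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    outputs:
      auto-merge: ${{ steps.decide.outputs.auto-merge }}
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        # Pinned to a full commit SHA instead of the mutable v2 tag.
        # The SHA below is a PLACEHOLDER (assumption): replace it with the
        # commit hash of the fetch-metadata release you audited.
        uses: dependabot/fetch-metadata@0000000000000000000000000000000000000000 # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Decide whether the PR qualifies for auto-merge
        id: decide
        # Only npm semver-patch bumps qualify (assumption taken from the PR summary).
        env:
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
        run: |
          if [ "$UPDATE_TYPE" = "version-update:semver-patch" ] && [ "$ECOSYSTEM" = "npm_and_yarn" ]; then
            echo "auto-merge=true" >> "$GITHUB_OUTPUT"
          else
            echo "auto-merge=false" >> "$GITHUB_OUTPUT"
          fi

  # Job B: write-capable, but runs no checkout and no third-party action,
  # so the only code holding the write token is the gh CLI on the runner.
  enable-auto-merge:
    needs: classify
    if: needs.classify.outputs.auto-merge == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Enable auto-merge for the Dependabot PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr merge --auto --merge "$PR_URL"
```

The author and same-repository checks stay on the read-only job, so a fork-sourced PR never reaches either job; the write job consumes only a boolean output, never the PR's files, and `gh pr merge --auto` still defers the merge until branch protection and required checks pass.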

@oleg-koval oleg-koval enabled auto-merge (squash) April 4, 2026 21:07
@oleg-koval oleg-koval disabled auto-merge April 4, 2026 21:12
@oleg-koval oleg-koval merged commit 5098032 into main Apr 4, 2026
9 checks passed
@oleg-koval oleg-koval deleted the feat/github-pages-website branch April 4, 2026 21:12
@github-actions

🎉 This PR is included in version 1.7.4-beta.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
