Code quality stack — Dependabot + biome + CodeRabbit + Sonarcloud
Decision
Adopt a 4-layer code-quality stack across every repo in the chirag127/oriz family:
- Dependabot — automated dependency / security update PRs (GitHub-native).
- biome — lint + format on every commit and in CI (already in place).
- CodeRabbit — AI code review on every pull request (free for OSS).
- Sonarcloud — deeper static analysis (SAST, code smells, complexity, duplication, coverage) on merge to main (free for OSS).
Why
Each layer catches a class of issues the others miss:
- Dependabot = supply chain (CVEs)
- biome = style + obvious bugs (deterministic, fast)
- CodeRabbit = logic + design + security smells (LLM-grade review of intent)
- Sonarcloud = data-flow + cyclomatic complexity + duplication (whole-codebase static analysis)
All four are free forever for the family's public OSS repos, fitting the no-paid-tier rule.
Implications
- Each repo's .github/dependabot.yml enables weekly version updates for npm (security updates are on by default GitHub-wide).
- Each repo's .github/workflows/ci.yml continues to run biome locally; this keeps repos working independently, per the repos-work-independently rule.
- The CodeRabbit GitHub App is installed at the org level, so no per-repo setup is needed.
- Sonarcloud is wired through a .github/workflows/sonar.yml per repo plus a Sonarcloud project per repo. This adds one more PR check.
- PR flow: open → biome runs → CodeRabbit comments → reviewer merges → Sonarcloud analyses → quality gate visible on dashboard.
- Dependabot's PRs flow through the same checks. CodeRabbit reviews dependency PRs the same way it reviews human PRs.
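As an added illustration (not the oriz family's actual files), the two per-repo config files named above: a dependabot.yml that requests weekly npm version updates, and a sonar.yml workflow that runs Sonarcloud only on pushes to main. The action tag, the SONAR_TOKEN secret name and the sonar-project.properties lookup are assumptions about the setup, not taken from the page.

```yaml
# ===== .github/dependabot.yml (added example) =====
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"          # repo root; add one entry per workspace if needed
    schedule:
      interval: "weekly"
    # No entry is needed for security updates: GitHub enables them
    # repo-wide by default, and those PRs go through the same CI checks.
---
# ===== .github/workflows/sonar.yml (added example) =====
name: Sonarcloud
on:
  push:
    branches: [main]        # analyse on merge to main, as the decision states
permissions:
  contents: read            # least privilege: the scan only needs to read the tree
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so Sonarcloud can attribute "new code" correctly
      # Action tag is an assumption; project key and organization are read
      # from a sonar-project.properties file committed in the repo.
      - uses: SonarSource/sonarcloud-github-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets Sonarcloud decorate PRs
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # org-level secret, never committed
```

Keeping the workflow's permissions block to `contents: read` means a compromised dependency in the scan step cannot push to the repo or mint broader tokens.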