Feat/sp 4479 include oss file info annotation

[agustingroh]

Summary by CodeRabbit

• New Features

  • Match comments on pull requests now include direct links to GitHub-hosted component source files with matched line ranges for snippets
  • Registry-sourced components display an informational note explaining that browsable source links are unavailable

• Documentation

  • Added "Match Comments" section documenting how the action posts pull request comments with component, license, and source information

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds getOssFileGithubUrl and buildLineAnchor helpers in github-comment-api.ts to construct GitHub permalinks from OSS match metadata. Rewrites formatSnippetAnnotationMessage and formatFileAnnotationMessage to conditionally render linked file/line references for GitHub-native components or a fallback note for registry-sourced ones. Updates the createFileCommitComment deduplication key. Bumps version to 1.7.0 and adds README and CHANGELOG documentation.

Changes

OSS GitHub permalink links in match comments

Layer / File(s)	Summary
Permalink helpers and annotation formatter rewrites src/utils/github-comment-api.ts	Adds getOssFileGithubUrl (builds a GitHub permalink from match.url + version + file, rejecting non-GitHub URLs) and buildLineAnchor (converts oss_lines to #Lx or #Lx-Ly). Rewrites formatSnippetAnnotationMessage to strip leading v from version, branch on GitHub-native vs. registry-sourced to emit linked OSS File/OSS Lines or a NOTE. Updates formatFileAnnotationMessage with the same branching. Strips leading v from fileMatch.version in the component label. Changes createFileCommitComment dedup key to omit the v prefix from the version segment.
Version bump, README docs, and CHANGELOG package.json, README.md, CHANGELOG.md	Bumps version from 1.6.4 to 1.7.0. Adds a "Match Comments" section to README.md describing linked File/OSS Lines for GitHub-hosted components and the registry fallback note. Adds the [1.7.0] changelog entry with Added and Notes bullets and its compare link.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• scanoss/gha-code-scan#98: Modifies the same createFileCommitComment deduplication key logic and owner/repo/sha resolution in github-comment-api.ts, directly related to the dedup key change in this PR.

Suggested reviewers

• eeisegn

Poem

🐰 Hop hop, the links now gleam,
GitHub sources in the stream!
A snippet matched? A permalink flows,
Registry files? A kind NOTE shows.
Version bumped, the changelog sings —
The rabbit celebrates these things! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding OSS file information to annotations in the GitHub action.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/SP-4479-include-OSS-file-info-annotation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit beb07d5

Files with similarities:

• dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

[github-actions]

SCANOSS SCAN Completed 🚀

• Detected components: 3
• Undeclared components: 1
• Declared components: 2
• Detected files: 67
• Detected files undeclared: 1
• Detected files declared: 66
• Licenses detected: 2
• Licenses detected with copyleft: 0
• Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/utils/github-comment-api.ts`:
- Around line 73-77: The prefix stripping logic at lines 76, 113, and 167
incorrectly uses indexOf('/') which finds the first slash in the string, but
this breaks for components containing slashes like 'owner/repo' or '`@scope/pkg`'.
Instead of searching for the first slash, construct the full expected prefix
pattern (combining match.component, '-', and match.ref) and search for that
complete pattern in the filePath, then extract everything after it. This ensures
the prefix is stripped correctly regardless of whether the component name
contains slashes.
- Line 275: The deduplicationKey construction uses the raw fileMatch.version
without normalization, while displayed versions are normalized elsewhere (line
147), causing semantically identical versions like v1.2.3 and 1.2.3 to generate
different dedup keys and result in duplicate comments. Apply the same version
normalization logic used on line 147 to the fileMatch.version when building the
deduplicationKey to ensure consistent deduplication across different version
formats.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 49a10ac4-9f82-4dce-9393-eaae42721888

📥 Commits

Reviewing files that changed from the base of the PR and between 821f15b and beb07d5.

⛔ Files ignored due to path filters (2)

• dist/index.js is excluded by !**/dist/**
• dist/licenses.txt is excluded by !**/dist/**

📒 Files selected for processing (4)

• CHANGELOG.md
• README.md
• package.json
• src/utils/github-comment-api.ts

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Prefix stripping is incorrect for components containing /, yielding broken OSS links.

At Line 76, Line 113, and Line 167, indexOf('/') is evaluated from the beginning of the string. For components like owner/repo or @scope/pkg, this trims inside the component name instead of after "{component}-{ref}/".

Suggested fix

+function stripArchivePrefix(filePath: string, component: string): string {
+  const prefix = `${component}-`;
+  if (!component || !filePath.startsWith(prefix)) return filePath;
+  const slashAfterRef = filePath.indexOf('/', prefix.length);
+  return slashAfterRef === -1 ? filePath : filePath.substring(slashAfterRef + 1);
+}
+
 function getOssFileGithubUrl(
   match: { url?: string; version?: string; file: string; component: string },
   lineAnchor?: string
 ): string | null {
   if (!match.version || !match.file || !match.url) return null;
   if (!match.url.startsWith('https://github.com/')) return null;
 
-  // Strip the "{component}-{ref}/" prefix when present
-  let filePath = match.file;
-  if (filePath.includes('/') && match.component && filePath.startsWith(`${match.component}-`)) {
-    filePath = filePath.substring(filePath.indexOf('/') + 1);
-  }
+  const filePath = stripArchivePrefix(match.file, match.component);
 
   const base = `${match.url}/blob/${match.version}/${filePath}`;
   return lineAnchor ? `${base}${lineAnchor}` : base;
 }
@@
-    let ossRelativePath = snippet.file;
-    if (ossRelativePath.includes('/') && snippet.component && ossRelativePath.startsWith(`${snippet.component}-`)) {
-      ossRelativePath = ossRelativePath.substring(ossRelativePath.indexOf('/') + 1);
-    }
+    const ossRelativePath = stripArchivePrefix(snippet.file, snippet.component);
@@
-    const ossRelativePath =
-      fileMatch.file.includes('/') && fileMatch.file.startsWith(`${fileMatch.component}-`)
-        ? fileMatch.file.substring(fileMatch.file.indexOf('/') + 1)
-        : fileMatch.file;
+    const ossRelativePath = stripArchivePrefix(fileMatch.file, fileMatch.component);

Also applies to: 112-114, 166-168

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/utils/github-comment-api.ts` around lines 73 - 77, The prefix stripping
logic at lines 76, 113, and 167 incorrectly uses indexOf('/') which finds the
first slash in the string, but this breaks for components containing slashes
like 'owner/repo' or '`@scope/pkg`'. Instead of searching for the first slash,
construct the full expected prefix pattern (combining match.component, '-', and
match.ref) and search for that complete pattern in the filePath, then extract
everything after it. This ensures the prefix is stripped correctly regardless of
whether the component name contains slashes.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Normalize version in the file-comment dedup key to avoid duplicate comments.

Line 275 uses raw fileMatch.version, but displayed versions are normalized (Line 147). v1.2.3 and 1.2.3 will be treated as different dedup keys for the same semantic version.

Suggested fix

-    const deduplicationKey = `file-comment:${sha}:${filePath}:${fileMatch.component}${fileMatch.version ? `:${fileMatch.version}` : ''}`;
+    const normalizedVersion = fileMatch.version?.replace(/^v/, '');
+    const deduplicationKey = `file-comment:${sha}:${filePath}:${fileMatch.component}${normalizedVersion ? `:${normalizedVersion}` : ''}`;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/utils/github-comment-api.ts` at line 275, The deduplicationKey
construction uses the raw fileMatch.version without normalization, while
displayed versions are normalized elsewhere (line 147), causing semantically
identical versions like v1.2.3 and 1.2.3 to generate different dedup keys and
result in duplicate comments. Apply the same version normalization logic used on
line 147 to the fileMatch.version when building the deduplicationKey to ensure
consistent deduplication across different version formats.