Contributor fix #70

Merged
RishiByte merged 5 commits into Demon-Die:main from Yuvraj-Sarathe:Contributor-fix
Jun 3, 2026

@Yuvraj-Sarathe Yuvraj-Sarathe commented Jun 3, 2026

🔗 Related Issue

Closes #61


📝 Description of Changes

Tried some things


🏷️ Proposed Labels

  • UI/UX
  • Documentation
  • CI/CD
  • Backend Logic
  • Anything else

📂 Core Files Changed

.github\workflows\update-contributors.yml
.github\scripts\update-contributors.js


🤖 AI Assistance Declaration

Did you use an AI tool to write or assist with this code OR Pull Request?

  • Yes
  • No (If no, you can skip the rest of this section)

⚠️ IF YOU CHECKED "YES", YOU MUST ANSWER THE FOLLOWING:

  • Which AI Model did you use? (e.g., GPT-4o, Claude 4.5 Sonnet):
  • Which Platform/Tool? (e.g., Cursor, OpenCode, Codex, Claude Code, GitHub Copilot, standard web chat):
  • What exactly did the AI do?:
  • What exactly did YOU do?:
  • What is the advantage of using this AI approach here?:

⚠️ Reviewer Notes

Review Please


✅ The "I Swear I Didn't Break Anything" Pledge

  • I have thoroughly tested these changes in my own local branch.
  • I verified multiple times that this code compiles into a standalone build and does not break existing production features.

Summary by CodeRabbit

  • Chores
    • Prevented automated workflows from retriggering themselves to avoid recursive runs.
    • Improved API rate-limit handling with pauses and low-limit warnings for more reliable updates.
    • Strengthened contributor verification and filtering so only confirmed identities are added; commits now include CI-skip tags and the update can abort if there are no net changes.

…o wrong users

Prioritize commit-search by email (most reliable) over direct username
lookup. Restrict direct lookup to GitHub noreply emails only. Return
null for unverifiable contributors instead of constructing URLs from
guessed usernames. Also handle bare noreply format
(username@users.noreply.github.com) without numeric prefix.

…-Remaining checks

Add delay(ms) helper function and checkRateLimit() that reads X-RateLimit-Remaining header. If limit is exhausted, sleeps until X-RateLimit-Reset. Logs warning when remaining < 100. Adds 200ms delay between API calls to avoid burst limits.

Fixes: CR-03 equivalent - no rate-limit handling for GitHub API calls

Add early-exit step that checks if the workflow was triggered by github-actions[bot]. When the bot pushes a README update, the push event would normally re-trigger the workflow recursively. This check breaks that loop by exiting with code 0 before any work is done.

Fixes: CR-04 equivalent - recursive trigger risk when bot pushes to main
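
The noreply handling described in the first commit message above (numeric-prefixed and bare users.noreply.github.com addresses, null for anything unverifiable), sketched as an added example that is not the project's update-contributors.js. The function names, the id and type checks, and the sample emails and profiles are assumptions; the user lookup is injected so the code runs offline.

```javascript
// Added example, not the project's script. Profiles and emails are constructed.
// GitHub logins: alphanumerics and single hyphens, no leading or trailing
// hyphen, at most 39 characters.
const LOGIN = "[a-z\\d](?:[a-z\\d]|-(?=[a-z\\d])){0,38}";
// Accepts only "ID+login@users.noreply.github.com" and the bare "login@" form.
const NOREPLY_RE = new RegExp(
  `^(?:(\\d+)\\+)?(${LOGIN})@users\\.noreply\\.github\\.com$`, "i");

function parseNoreplyEmail(email) {
  if (typeof email !== "string") return null;
  const m = NOREPLY_RE.exec(email.trim());
  return m ? { id: m[1] ? Number(m[1]) : null, login: m[2] } : null;
}

// Assumed validation: the profile returned for the guessed login must carry
// the same login, be a user account, and match the numeric id when present.
function verifyProfile(parsed, profile) {
  if (!parsed || !profile || typeof profile.login !== "string") return null;
  if (profile.login.toLowerCase() !== parsed.login.toLowerCase()) return null;
  if (profile.type !== "User") return null;
  if (parsed.id !== null && profile.id !== parsed.id) return null;
  return { username: profile.login, url: profile.html_url };
}

// lookup(login) stands in for GET /users/{login}; nulls are filtered out so
// only verified contributors reach the README.
function resolveContributors(emails, lookup) {
  return emails
    .map((email) => {
      const parsed = parseNoreplyEmail(email);
      return parsed ? verifyProfile(parsed, lookup(parsed.login)) : null;
    })
    .filter((c) => c !== null);
}

const SAMPLE_PROFILES = new Map([
  ["sample-dev", { login: "sample-dev", id: 1001, type: "User", html_url: "https://github.com/sample-dev" }],
  ["renamed", { login: "renamed", id: 2002, type: "User", html_url: "https://github.com/renamed" }],
]);
const sampleLookup = (login) => SAMPLE_PROFILES.get(login.toLowerCase()) || null;

const SAMPLE_EMAILS = [
  "1001+sample-dev@users.noreply.github.com", // id and login agree: kept
  "9999+renamed@users.noreply.github.com", // login now belongs to id 2002: dropped
  "renamed@users.noreply.github.com", // bare form, no id to compare: kept
  "dev@example.com", // not a noreply address: dropped here
  "renamed@users.noreply.github.com.example.org", // suffix trick: dropped
];
console.log(resolveContributors(SAMPLE_EMAILS, sampleLookup));
```

The bare form carries no account id, so it is verified by login alone; the prefixed form also rejects a login that now resolves to a different account id.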

vercel Bot commented Jun 3, 2026

@Yuvraj-Sarathe is attempting to deploy a commit to the Rishi Bhardwaj's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai Bot commented Jun 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 41a61261-09bd-4f59-b3db-790887fd0dd9

📥 Commits

Reviewing files that changed from the base of the PR and between 4402c3a and 6deb652.

📒 Files selected for processing (1)
  • .github/scripts/update-contributors.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/scripts/update-contributors.js

📝 Walkthrough

Walkthrough

Tightens contributor enrichment: adds rate-limit sleep/warning, stricter noreply username verification (returns null for unverified), filters nulls during seeding/updates, appends [skip ci] to commits, re-deduplicates after rebase, and prevents bot-triggered workflow runs.

Changes

Contributor enrichment and safety improvements

| Layer / File(s) | Summary |
| --- | --- |
| Workflow recursion prevention / .github/workflows/update-contributors.yml | Adds an if: guard that excludes github-actions[bot] and github-actions actors so bot-triggered runs are skipped. |
| API rate-limit handling / .github/scripts/update-contributors.js | Adds delay(ms) and checkRateLimit(response) to sleep until resets when exhausted and warn when remaining calls are low. |
| Enrichment ordering, commit-search, and noreply verification / .github/scripts/update-contributors.js | Uses commit-search-by-email (checks rate limits after search), prefers a strict users.noreply.github.com pattern for username guessing, performs a noreply-only direct user lookup with a short delay and strict field validation, and returns null when identity cannot be verified. Historical username derivation updated to the same pattern. |
| Null-profile filtering and commit safety / .github/scripts/update-contributors.js | Filters out null profiles during seeding and new-contributor accumulation so only verified contributors are added. Seeding and add-contributor git commits append [skip ci]. |
| Post-rebase deduplication and abort guard / .github/scripts/update-contributors.js | After git pull --rebase, re-reads origin/main:README.md, recomputes existing usernames, filters trulyNew to stillNew, and aborts the push if no remaining new contributors are present. |

sequenceDiagram
  participant Script as update-contributors.js
  participant CommitSearch as GitHub Commit Search API
  participant UserLookup as GitHub Users API
  participant README as README.md

  Script->>CommitSearch: search commits by author-email
  CommitSearch-->>Script: commit results (checkRateLimit)
  Script->>UserLookup: (noreply-only, after brief delay) GET /users/{guessedUsername}
  UserLookup-->>Script: user profile (validated fields)
  Script->>README: write only verified contributor objects (filter null)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hop through commits with careful eyes,
I wait for limits, watch the skies.
Noreply names I gently test,
Only verified join the guest.
Rebase and skip-CI—now all is wise.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'Contributor fix' is vague and generic, using non-descriptive language that doesn't convey the specific changes or main objective of the changeset. | Use a more descriptive title that explains the core fix, such as 'Improve contributor validation to prevent incorrect user attribution' or 'Fix contributor script to only add verified contributors'. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | The PR directly addresses issue #61 by refactoring the contributor bot logic to prevent incorrect user attribution through stricter validation and verification of contributors. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing the contributor bot logic: workflow guard to prevent bot-triggered execution and script improvements for verified contributor handling. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/update-contributors.js:
- Around line 434-441: The current check reads the local README (freshContent)
after the rebase, so getExistingContributors() sees the rebased commit and
mistakenly treats trulyNew as already added; instead fetch or read the README
from origin/main and compare against that remote content. Replace the
fs.readFileSync(README_PATH) usage with a remote-read of origin/main (e.g., git
fetch origin then git show origin/main:README.md or equivalent) and pass that
content into getExistingContributors to compute freshExisting, keeping the rest
of the logic around trulyNew/stillNew unchanged.
- Around line 39-45: checkRateLimit() currently only sleeps and returns
undefined, so callers (the commit search and direct lookup that store responses
in commitSearch and direct) proceed to check `.ok` on the exhausted response and
skip retries; change the callers so that after calling await
checkRateLimit(resp) you reissue the same fetch when checkRateLimit indicates a
wait occurred (e.g., returns true) and replace commitSearch/direct with the new
fetch response before checking `.ok`. Concretely: in the commit-search path (the
code that assigns commitSearch) and in the direct-lookup path (the code that
assigns direct), preserve the original fetch arguments, call await
checkRateLimit(response) when rate-limited, then call fetch(...) again with the
same arguments and assign that new Response back to commitSearch or direct prior
to continuing.

In @.github/workflows/update-contributors.yml:
- Around line 16-21: The step named "Skip if triggered by bot" doesn't stop the
job because exit 0 only ends the step; move the condition to the job level by
adding an if at the job declaration that checks the actor (e.g., if:
github.actor != 'github-actions[bot]' && github.actor != 'github-actions') so
the entire job is skipped for bot triggers; remove the existing "Skip if
triggered by bot" step (or keep it for logging only) and ensure subsequent steps
(checkout, setup-node, run script) are under the job guarded by that job-level
if.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8eddee29-f783-422c-9a21-f02844390ca7

📥 Commits

Reviewing files that changed from the base of the PR and between 98fa2df and 606ac3d.

📒 Files selected for processing (2)
  • .github/scripts/update-contributors.js
  • .github/workflows/update-contributors.yml

Comment thread .github/scripts/update-contributors.js
Comment thread .github/scripts/update-contributors.js Outdated
Comment thread .github/workflows/update-contributors.yml Outdated
@RishiByte RishiByte merged commit f7483bf into Demon-Die:main Jun 3, 2026
1 of 2 checks passed
@Yuvraj-Sarathe Yuvraj-Sarathe deleted the Contributor-fix branch June 3, 2026 16:57
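
The retry the review above asks for in .github/scripts/update-contributors.js (have checkRateLimit() report that it waited, then reissue the same fetch before testing `.ok`), as an added example rather than the merged code. `fetchWithRateLimit`, the injectable `now`/`sleep`/`warn`/`fetchImpl` hooks, the one-second pad, the 60-second fallback, `maxRetries` and `fakeResponse` are assumptions of this sketch.

```javascript
// Added example, not the project's script. Clock, sleep and fetch are injectable
// (an assumption of this sketch) so the retry path can be exercised offline.
const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Resolves to true when the limit was exhausted and we slept until the reset.
async function checkRateLimit(response, { now = Date.now, sleep = delay, warn = console.warn } = {}) {
  const remaining = Number.parseInt(response.headers.get("x-ratelimit-remaining"), 10);
  if (Number.isNaN(remaining)) return false; // header absent: nothing to act on
  if (remaining > 0) {
    if (remaining < 100) warn(`GitHub API rate limit low: ${remaining} remaining`);
    return false;
  }
  // X-RateLimit-Reset is a UTC epoch time in seconds. The 1 s pad and the
  // 60 s fallback for a missing header are choices made for this example.
  const reset = Number.parseInt(response.headers.get("x-ratelimit-reset"), 10);
  const waitMs = Number.isNaN(reset) ? 60000 : Math.max(0, reset * 1000 - now()) + 1000;
  await sleep(waitMs);
  return true;
}

// Reissues the same request after a wait instead of testing `.ok` on the
// exhausted response. maxRetries bounds the loop so a job cannot sleep forever.
async function fetchWithRateLimit(url, init, deps = {}) {
  const { fetchImpl = fetch, maxRetries = 2 } = deps;
  let response = await fetchImpl(url, init);
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    const waited = await checkRateLimit(response, deps);
    if (!waited || response.ok) break; // nothing to retry
    response = await fetchImpl(url, init); // same arguments, fresh Response
  }
  return response;
}

// Constructed stand-in for a fetch Response (only the members used above).
const fakeResponse = (ok, remaining, reset) => ({
  ok,
  headers: new Map([
    ["x-ratelimit-remaining", String(remaining)],
    ["x-ratelimit-reset", String(reset)],
  ]),
});
```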
Development

Successfully merging this pull request may close these issues.

Refactor and rewrite logic for github action bot adding contributors

2 participants