ci: block newly added JavaScript files

[cv]

Summary

Adds a pull_request_target guardrail that blocks PRs from adding new .js, .cjs, or .mjs files. This nudges new Node.js code toward TypeScript while still allowing existing JavaScript files to be modified or deleted.

Changes

• Adds a Block newly added JavaScript files step to .github/workflows/codebase-growth-guardrails.yaml.
• Uses GitHub PR file metadata only, without checking out or executing PR code.
• Fails added JavaScript files and non-JS-to-JS renames, while allowing existing JavaScript edits and JS-to-JS renames.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Chores
  • Added a new CI guardrail that blocks pull requests introducing new JavaScript source files.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dc490543-81f2-45ad-a5a0-6745605c27b5

📥 Commits

Reviewing files that changed from the base of the PR and between 9248f5e and 239c7fd.

📒 Files selected for processing (1)

• .github/workflows/codebase-growth-guardrails.yaml

---

📝 Walkthrough

Walkthrough

This PR adds a new CI guardrail step to the codebase growth workflow that blocks pull requests introducing newly added JavaScript source files (.js, .cjs, .mjs). The step uses GitHub's CLI to enumerate PR changes, filters for newly added or non-extension-changing renames into these JavaScript formats, and fails the job with an explanatory message if matches are found.

Changes

JavaScript File Guardrail

Layer / File(s)	Summary
Block newly added JavaScript files .github/workflows/codebase-growth-guardrails.yaml	Adds a "Block newly added JavaScript files" step that queries PR file metadata, filters for newly added .js, .cjs, and .mjs sources, and fails with a multi-line error message listing blocked files when detected.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A guardian hops through the workflow gate,
Spotting JavaScript files before it's too late,
With gh api and filters so fine,
It blocks the JS to keep codebases aligned. 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: block newly added JavaScript files' is concise, clear, and directly summarizes the main change: adding a CI guardrail to block new JavaScript files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/block-new-javascript-files

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No E2E is recommended because this PR only changes a CI guardrail workflow. The added logic is metadata-only policy enforcement for newly added JavaScript files and cannot affect runtime behavior or end-user assistant flows.

Optional E2E

• None.

New E2E recommendations

• None.

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. Only .github/workflows/codebase-growth-guardrails.yaml changed, which is not a scenario E2E workflow, scenario metadata, expected-state contract, suite catalog, runtime code, suite script, or onboarding/install helper under test/e2e-scenario/. This cannot affect scenario E2E behavior.

Optional scenario E2E

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Since last review: 1 prior item resolved, 0 still apply, 1 new item found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Case-sensitive JavaScript extension check can miss uppercase variants (.github/workflows/codebase-growth-guardrails.yaml:28): The new guardrail blocks filenames matching lowercase .js, .cjs, and .mjs only. If the policy goal is to prevent newly added JavaScript source, test, and script files, a PR can still add uppercase or mixed-case variants such as tool.JS or script.MJS because jq test() is case-sensitive by default.
  • Recommendation: Make the extension match case-insensitive, for example by normalizing filenames to lowercase before testing or by using a case-insensitive jq regex flag, and apply the same normalization to previous_filename for rename handling.
  • Evidence: The selector uses `test("\\.(js|cjs|mjs)$")` for `.filename` and `.previous_filename`, with no lowercase normalization or regex flags.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Case-sensitive JavaScript extension check can miss uppercase variants (.github/workflows/codebase-growth-guardrails.yaml:28): The new guardrail blocks filenames matching lowercase .js, .cjs, and .mjs only. If the policy goal is to prevent newly added JavaScript source, test, and script files, a PR can still add uppercase or mixed-case variants such as tool.JS or script.MJS because jq test() is case-sensitive by default.
  • Recommendation: Make the extension match case-insensitive, for example by normalizing filenames to lowercase before testing or by using a case-insensitive jq regex flag, and apply the same normalization to previous_filename for rename handling.
  • Evidence: The selector uses `test("\\.(js|cjs|mjs)$")` for `.filename` and `.previous_filename`, with no lowercase normalization or regex flags.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.