Contributing to bestax-bulma
Thanks for your interest in contributing! This page mirrors the highlights of the repository's
CONTRIBUTING.md — which stays the
canonical source — and gives you a copy-pasteable local development command reference for the
pnpm toolchain.
Requirements
Before opening a PR, make sure:
- All tests pass (
pnpm test&pnpm test:coverage) — coverage must stay ≥ 95%. - Lint, format, and type checks pass (
pnpm lint,pnpm format:check,pnpm typecheck). - Storybook covers UI changes — any UI change needs a corresponding story.
- Docs are updated for new or changed behavior.
- CI passes (
pnpm all) and the PR targetsmain(direct pushes tomainaren't allowed).
Prerequisites
Use Node 22 (the LTS this repo targets — see .nvmrc).
The repo uses pnpm, pinned via the packageManager field. The simplest way to get the exact
version on any Node is to enable Corepack (bundled with Node):
corepack enable
pnpm powers the project's supply-chain hardening — lifecycle/postinstall scripts are blocked by
default and a 3-day release-age cooldown prevents installing just-published versions. See
pnpm-workspace.yaml for the
exact settings.
Local Development Commands
Everything here is safe to run locally; nothing publishes (see the note at the end).
1. One-time setup
corepack enable # makes `pnpm` use the pinned [email protected]
pnpm install --frozen-lockfile # exact CI-parity install (fails if the lockfile drifts)
# or just `pnpm install` for a normal dev install
2. Run the whole CI suite locally (the big one)
pnpm run all
# = turbo: build, typecheck, test, test:coverage, bundle:stats, lint,
# format:check && build-storybook (bulma-ui)
3. Individual checks
pnpm run build # turbo build all packages
pnpm run typecheck
pnpm run test # jest (bulma-ui + create-bestax)
pnpm run test:coverage # coverage (must stay >= 95%)
pnpm run lint
pnpm run format:check # prettier check (use `pnpm run format` to auto-fix)
pnpm run bundle:stats # writes bulma-ui/dist/stats.html
4. Docusaurus (docs site → http://localhost:3000)
pnpm docs # dev server (hot reload)
# production build + preview:
pnpm exec turbo run build --filter=@allxsmith/bestax-docs # builds docs + bulma-ui dep
pnpm --filter @allxsmith/bestax-docs run serve # serves the built site
The build also regenerates /llms.txt and /llms-full.txt under docs/build/.
5. Storybook (→ http://localhost:6006)
pnpm storybook # dev server
pnpm --filter @allxsmith/bestax-bulma run build-storybook # static build -> bulma-ui/storybook-static
6. Turbo directly (filters + caching)
pnpm exec turbo run build --filter=@allxsmith/bestax-bulma # one package (+ its deps)
pnpm exec turbo run test --filter=create-bestax
pnpm exec turbo run build # everything (cached on re-run)
pnpm exec turbo run build --force # ignore turbo cache
7. create-bestax — scaffold a throwaway app
Scaffold outside the repo so it's a standalone app (inside the repo you'd need
--ignore-workspace):
pnpm --filter create-bestax run build
node "$PWD/create-bestax/dist/index.js" /tmp/my-bestax-app -t vite-ts -b complete -i fontawesome -y
cd /tmp/my-bestax-app && pnpm install && pnpm dev # verify the generated app runs
8. Supply-chain / pnpm hardening checks
pnpm audit --audit-level=high # the CI gate (should exit 0)
pnpm approve-builds # shows which install scripts are blocked/allowed
pnpm why serialize-javascript # trace a transitive dep (confirms the >=7.0.3 override)
pnpm why prettier # confirm a single pinned version
pnpm outdated -r # what's behind (the cooldown may hold some back)
pnpm list --depth 0 # top-level deps per workspace
pnpm dedupe --check # report duplicate versions without changing anything
Want to see the cooldown block something? Try adding a just-published package — pnpm refuses it (then discard the change):
pnpm add -w some-brand-new-package # expect ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION
git checkout package.json pnpm-lock.yaml # undo
9. Preview the release without publishing (semantic-release dry-run)
Runs the real commit analysis and next-version calc, but publishes nothing:
export GITHUB_TOKEN=your_token # the github plugin needs a repo-read token even in dry-run
cd bulma-ui && pnpm exec semantic-release --dry-run --no-ci ; cd ..
cd create-bestax && pnpm exec semantic-release --dry-run --no-ci ; cd ..
It prints "The next release version is X.Y.Z" per package (or "no release") from your local commits —
no npm publish, no tag, no GitHub release.
Everything above is safe. The only things that actually publish are pnpm exec semantic-release
without --dry-run (CI-only, on merge to main) and a manual npm publish — neither of which
is in this list.
Workflow & conventions
- Branch off
main, make your change in the right workspace (bulma-ui,create-bestax, ordocs). - Add/update tests (≥ 95% coverage) and Storybook stories for UI changes.
- Run
pnpm all, then open a PR targetingmain.
Commits follow Conventional Commits — the type and scope
drive semantic-release. Releasing types (feat, fix,
perf, refactor, style) must be scoped to bulma-ui or create-bestax; docs, chore, ci,
build, and test don't publish. Publishing uses npm OIDC trusted publishing with provenance
(no long-lived token). See CONTRIBUTING.md
for the full details.