
chore: standardize repository tooling#659

Open
afc163 wants to merge 7 commits into master from codex/standardize-rc-config

Conversation

@afc163 (Member) commented Jun 26, 2026

Summary

  • Redesign README with a centered @rc-component/tree-select header, package-specific emoji description, focused highlights, install, usage, examples, API, development, and release sections.
  • Restore the Bundlephobia minzip badge, keep the explicit npm install @rc-component/tree-select command, and add a subtle Ant Design ecosystem note.
  • Standardize repository tooling scripts by adding a tsc check and broadening the Prettier command.
  • Align the ESLint TypeScript toolchain with the existing @umijs/fabric config so lint and compile remain runnable.
  • Include dumi/father config files in TypeScript project scope.
  • Switch the primary rc-test reusable workflow to test-utoo.yml.
  • Add explicit Vercel preview configuration for the dumi build output.
  • Add Surge Preview and optional Cloudflare Pages Preview fallback workflows.
  • Add the React Doctor GitHub Action for pull requests and pushes to master.
  • Add .github/FUNDING.yml with Ant Design sponsorship entries.
  • Update CodeQL to the current v4 action and pin touched actions to immutable SHAs, using checkout v7 with persisted credentials disabled.
  • Review AI feedback; README development docs already include the new tsc command.

Compatibility

No runtime code changes. This should not introduce breaking changes.

Verification

  • npm run lint
  • npm test
  • npm run tsc
  • npm run compile
  • npm run build
  • git diff --check

Summary by CodeRabbit

  • New Features

    • Add pull request preview deployments, with preview links generated automatically on several hosting platforms.
    • Add automated workflows for repository health checks and security scanning.
  • Documentation

    • Fully update the README, reorganizing the installation, usage, examples and API sections.
    • Add deprecation notes, configuration descriptions and development/release guidance.
  • Maintenance

    • Update the build, type-check and code-formatting configuration.
    • Refine the continuous integration settings and deployment output configuration.

Refs ant-design/ant-design#58514

@vercel

vercel Bot commented Jun 26, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: tree-select | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 26, 2026 4:47pm

@coderabbitai

coderabbitai Bot commented Jun 26, 2026


Review Change Stack

Warning

Review limit reached

@afc163, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 54 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4de16deb-f299-4818-bfde-e84d7e4bc976

📥 Commits

Reviewing files that changed from the base of the PR and between 9b43b63 and 419097c.

📒 Files selected for processing (3)
  • .github/workflows/surge-preview.yml
  • README.md
  • package.json

Walkthrough

Updated the README and funding entry points, adjusted the TypeScript/formatting scripts and compile scope, added or modified several GitHub Actions workflows, and extended the preview/deployment configuration for Cloudflare, Surge and Vercel.

Changes

Repository documentation, toolchain and automation

Layer | File(s) | Summary
README header and examples | .github/FUNDING.yml, README.md | The README header, Highlights, installation, usage and example content were rewritten, and GitHub Sponsors and Open Collective funding configuration were added.
README API and notes | README.md | The README's TreeSelect, SearchConfig, DataNode, TreeNode, Notes, Development, Release and License sections were restructured.
Scripts and TypeScript configuration | package.json, tsconfig.json | The prettier/tsc scripts, the TypeScript ESLint dependencies and the top-level include compile scope were updated.
Preview deployment configuration | .github/workflows/cloudflare-pages-preview.yml, .github/workflows/surge-preview.yml, vercel.json | Cloudflare Pages and Surge preview workflows were added, and Vercel's install, build and output directory configuration was extended.
CI and code-scanning workflows | .github/workflows/codeql.yml, .github/workflows/react-doctor.yml, .github/workflows/react-component-ci.yml | The CodeQL triggers and action versions were adjusted, a React Doctor workflow was added, and the test workflow reused by the React component CI was switched.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Poem

I am a little rabbit, hopping into the spring breeze,
The README blooms, the scripts line up with ease.
Preview deployments sparkle, checks shine like stars,
A bite of carrot, and the code is tidier by far.
🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes this change, which mainly standardizes the repository toolchain, documentation and workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


@codecov

codecov Bot commented Jun 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.84%. Comparing base (08a9beb) to head (419097c).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #659   +/-   ##
=======================================
  Coverage   99.84%   99.84%           
=======================================
  Files          17       17           
  Lines         633      633           
  Branches      196      188    -8     
=======================================
  Hits          632      632           
  Misses          1        1           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request comprehensively updates the README.md with installation, usage, and API documentation. It also updates package.json by simplifying the Prettier script, adding a new tsc script for type-checking, adding TypeScript ESLint dependencies, and downgrading eslint-plugin-jest. Additionally, tsconfig.json is updated to include specific configuration files. The feedback suggests documenting the new tsc script in the README's development section.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread README.md
Comment on lines +153 to +157
npm install
npm start
npm test
npm run lint
npm run compile


medium

Since a new tsc script has been added to package.json to perform type-checking, it should be documented in the Development section of the README.md so that contributors are aware of it and can run it locally.

Suggested change
npm install
npm start
npm test
npm run lint
npm run compile
npm install
npm start
npm test
npm run tsc
npm run lint
npm run compile

@afc163 afc163 force-pushed the codex/standardize-rc-config branch from a663729 to 0edc4f9 on June 26, 2026 03:36
@github-actions

github-actions Bot commented Jun 26, 2026


❌ Deploy failed

PR preview: ❌ Failed
🔗 Preview: https://react-component-tree-select-preview-pr-659.surge.sh (may be unavailable)
📝 Commit: 419097c
🪵 Logs: View logs
📋 Build log (last lines):
npm warn exec The following package was not found and will be installed: surge@0.27.4

   Running as afc163@gmail.com (Student)

        project: ./dist
         domain: react-component-tree-select-preview-pr-659.surge.sh
           size: 74 files, 2.1 MB

   Aborted - you do not have permission to publish to react-component-tree-select-preview-pr-659.surge.sh

🤖 Powered by surge-preview

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cloudflare-pages-preview.yml:
- Around line 13-17: The Cloudflare deployment secrets are currently set at the
job level, so every step including npm install and build inherits them. Move
CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID out of the job-wide env in this
workflow and pass them only to the final Deploy preview step, while keeping
non-sensitive values like CLOUDFLARE_PAGES_PROJECT and PREVIEW where
appropriate. Update the affected workflow job and the Deploy preview step so the
secrets are only available at deployment time.

In @.github/workflows/react-component-ci.yml:
- Line 5: The reusable workflow reference in the CI workflow is using a mutable
branch, which should be pinned to an immutable commit SHA. Update the workflow
call in the rc-test reusable workflow reference to use a full commit hash
instead of the current branch reference, so the executed workflow content is
locked to a reviewed version.
- Around line 5-6: The workflow call is inheriting all repository secrets and
leaving the token scope too broad. Update the reusable workflow invocation in
react-component-ci to pass only the specific needed secrets instead of using
secrets: inherit, and add an explicit permissions block on the caller with the
minimum required GITHUB_TOKEN access. Use the existing workflow call to
react-component/rc-test/.github/workflows/test-utoo.yml as the place to tighten
both secrets and permissions.

In @.github/workflows/surge-preview.yml:
- Around line 20-30: The Surge preview step currently runs build commands
through afc163/surge-preview while injecting SURGE_TOKEN, which can expose the
token during build execution. Move the npm install and npm run build logic out
of the surge-preview action so it runs in a separate step before the action, and
then invoke afc163/surge-preview without a build block while keeping surge_token
only for the deployment step.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a018738f-d909-4902-89d3-9dc6e3b9e9e0

📥 Commits

Reviewing files that changed from the base of the PR and between 08a9beb and 9b43b63.

📒 Files selected for processing (10)
  • .github/FUNDING.yml
  • .github/workflows/cloudflare-pages-preview.yml
  • .github/workflows/codeql.yml
  • .github/workflows/react-component-ci.yml
  • .github/workflows/react-doctor.yml
  • .github/workflows/surge-preview.yml
  • README.md
  • package.json
  • tsconfig.json
  • vercel.json

Comment thread .github/workflows/cloudflare-pages-preview.yml Outdated
jobs:
test:
uses: react-component/rc-test/.github/workflows/test.yml@main
uses: react-component/rc-test/.github/workflows/test-utoo.yml@main


🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Pin the reusable workflow to a commit SHA.

@main directly trusts whatever is currently on the external repository's branch; if the upstream branch is rewritten or compromised, the CI here runs on unreviewed code. Only a full commit SHA locks down what gets executed.

🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 5-6: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

🪛 zizmor (1.26.1)

[error] 5-5: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 5-5: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/react-component-ci.yml at line 5, The reusable workflow
reference in the CI workflow is using a mutable branch, which should be pinned
to an immutable commit SHA. Update the workflow call in the rc-test reusable
workflow reference to use a full commit hash instead of the current branch
reference, so the executed workflow content is locked to a reviewed version.

Source: Linters/SAST tools

Comment on lines +5 to 6
uses: react-component/rc-test/.github/workflows/test-utoo.yml@main
secrets: inherit


🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Do not unconditionally inherit all secrets into an external workflow.

secrets: inherit hands every secret available to the current repository to react-component/rc-test, and this workflow currently has no explicit permissions block to tighten GITHUB_TOKEN either. At a minimum, pass secrets individually as needed and declare least privilege on the caller.

🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 5-6: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

🪛 zizmor (1.26.1)

[error] 5-5: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 5-5: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/react-component-ci.yml around lines 5 - 6, The workflow
call is inheriting all repository secrets and leaving the token scope too broad.
Update the reusable workflow invocation in react-component-ci to pass only the
specific needed secrets instead of using secrets: inherit, and add an explicit
permissions block on the caller with the minimum required GITHUB_TOKEN access.
Use the existing workflow call to
react-component/rc-test/.github/workflows/test-utoo.yml as the place to tighten
both secrets and permissions.

Source: Linters/SAST tools

Comment on lines +20 to +30
- uses: afc163/surge-preview@bf90a5a86111f6311ca42f0a5a0f80fb0fb03cec
if: ${{ env.SURGE_TOKEN != '' }}
with:
surge_token: ${{ env.SURGE_TOKEN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
dist: dist
failOnError: true
setCommitStatus: true
build: |
npm install
npm run build


🔒 Security & Privacy | 🟠 Major

The build script risks leaking SURGE_TOKEN

This action (afc163/surge-preview) sets surge_token as an environment variable while the build commands run. If the build script (here npm install and npm run build) is controlled by an external PR, malicious code can read that environment variable during the build stage and exfiltrate the deployment token.

It is recommended to move the build logic into its own step before the action, so that no sensitive token is injected while the build step runs.

# before
- uses: afc163/surge-preview@...
  with:
    surge_token: ${{ env.SURGE_TOKEN }}
    build: |
      npm install
      npm run build

# after
- run: npm install && npm run build
- uses: afc163/surge-preview@...
  with:
    surge_token: ${{ env.SURGE_TOKEN }}
    # remove the build parameter or leave it empty
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/surge-preview.yml around lines 20 - 30, The Surge preview
step currently runs build commands through afc163/surge-preview while injecting
SURGE_TOKEN, which can expose the token during build execution. Move the npm
install and npm run build logic out of the surge-preview action so it runs in a
separate step before the action, and then invoke afc163/surge-preview without a
build block while keeping surge_token only for the deployment step.
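The three findings in the review above (a reusable workflow referenced by mutable branch, `secrets: inherit` without a `permissions` block, and the deploy token present in the step that runs the build) are all properties a small pre-merge check can catch. The following is an added example, not code from this repository, from CodeRabbit or from zizmor/CodeQL: a constructed weak workflow next to a hardened form, and a line-based checker that flags each weakness. Assumptions are marked in the code: the all-zero SHAs are placeholders for the reviewed commits, `EXAMPLE_SECRET` stands in for whichever secrets the called workflow actually declares, and the job-level `pull-requests: write` is an assumed requirement for the preview-link comment. The checker deliberately avoids a YAML library so it runs anywhere; it is an approximation for this workflow shape, not a general YAML parser.

```python
import re
from typing import List

# Constructed sample: a workflow with the three weaknesses raised in the review
# (mutable @main reference, secrets: inherit, deploy token present during the build).
WEAK_WORKFLOW = """\
name: preview
on: [pull_request]
jobs:
  test:
    uses: react-component/rc-test/.github/workflows/test-utoo.yml@main
    secrets: inherit
  preview:
    runs-on: ubuntu-latest
    env:
      SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
    steps:
      - uses: actions/checkout@v7
      - uses: afc163/surge-preview@bf90a5a86111f6311ca42f0a5a0f80fb0fb03cec
        with:
          surge_token: ${{ env.SURGE_TOKEN }}
          build: |
            npm install
            npm run build
"""

# Constructed hardened form. The all-zero SHAs are placeholders for the reviewed
# commits; EXAMPLE_SECRET stands in for the secrets the called workflow declares.
HARDENED_WORKFLOW = """\
name: preview
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    uses: react-component/rc-test/.github/workflows/test-utoo.yml@0000000000000000000000000000000000000000
    secrets:
      EXAMPLE_SECRET: ${{ secrets.EXAMPLE_SECRET }}
  preview:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # assumption: needed for the preview-link comment
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v7, placeholder SHA
        with:
          persist-credentials: false
      - run: npm install && npm run build  # no deploy token in the environment here
      - uses: afc163/surge-preview@bf90a5a86111f6311ca42f0a5a0f80fb0fb03cec
        with:
          surge_token: ${{ secrets.SURGE_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          dist: dist
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SHA_REF_RE = re.compile(r"@[0-9a-f]{40}$")
SECRETS_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")
STEP_START_RE = re.compile(r"^(\s*)-\s")
KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")


def strip_comment(line: str) -> str:
    """Drop a trailing YAML comment ('#' at line start or after whitespace)."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def split_steps(lines: List[str]) -> List[List[str]]:
    """Group lines into steps: a step starts at '- ' and continues while lines are indented deeper."""
    steps: List[List[str]] = []
    current: List[str] = []
    indent = -1
    for line in lines:
        start = STEP_START_RE.match(line)
        if start:
            if current:
                steps.append(current)
            indent, current = len(start.group(1)), [line]
        elif current:
            deeper = len(line) - len(line.lstrip(" ")) > indent
            if line.strip() == "" or deeper:
                current.append(line)
            else:
                steps.append(current)
                current, indent = [], -1
    if current:
        steps.append(current)
    return steps


def audit_workflow(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means every check passed."""
    findings: List[str] = []
    lines = [strip_comment(l) for l in text.splitlines()]
    if not any(PERMISSIONS_RE.match(l) for l in lines):
        findings.append("no-permissions: nothing limits the GITHUB_TOKEN scope")
    for n, line in enumerate(lines, 1):
        uses = USES_RE.match(line)
        if uses and not SHA_REF_RE.search(uses.group(1)):
            findings.append(f"unpinned-uses:{n}: {uses.group(1)} is not pinned to a commit SHA")
        if SECRETS_INHERIT_RE.match(line):
            findings.append(f"secrets-inherit:{n}: every repository secret is handed to the called workflow")
    for step in split_steps(lines):
        keys = set()
        for l in step:
            key = KEY_RE.match(l.lstrip(" -"))
            if key:
                keys.add(key.group(1))
        if "surge_token" in keys and "build" in keys:
            findings.append("token-in-build: surge_token is present in the step that runs the build")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(text) or ["clean"])
```

Running the module prints five findings for the weak workflow and `clean` for the hardened one. The separate `npm install && npm run build` step is the point of the last finding: a build that runs `npm install` executes package lifecycle scripts, so any token in that step's environment is readable by code the PR controls, and moving the build ahead of the deploy step keeps the token out of reach.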

@vercel

vercel Bot commented Jun 26, 2026


Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/react-component?upgradeToPro=build-rate-limit
