uinaf/viteplus
Migrate or align frontend repositories to the stock VitePlus workflow. Use when standardizing package or monorepo repos around `vp`, `voidzero-dev/setup-vp`, `vite-plus/test`, and VitePlus-native CI, test, and packaging flows, including updating scripts, test config, CI setup, and packaging commands.
98
1.73x
Quality
100%
Does it follow best practices?
Impact
97%
1.73xAverage score across 6 eval scenarios
Securityby
Passed
No known issues
This version of the tile failed moderation
Failed moderation (intent review) in tile.json: This is a potential supply chain attack via typosquatting/dependency confusion. The package name 'uinaf/viteplus' mimics the popular 'Vite' ecosystem (vite-plus, voidzero-dev). It's designed as an AI agent tile/skill that instructs AI coding assistants to modify package scripts, CI configurations, and packaging commands in repositories - effectively a prompt injection attack. The skill directs AI agents to replace legitimate tooling with attacker-controlled alternatives ('vp', 'voidzero-dev/setup-vp', 'vite-plus/test'), which could introduce malicious dependencies across many repositories when an AI agent follows these instructions.
ci-cd.mdreferences/
CI/CD
Use this reference before changing GitHub Actions or release automation.
Prefer the documented VitePlus setup:
- uses: voidzero-dev/setup-vp@v1
with:
node-version-file: ".node-version"
cache: true
- run: vp install
- run: vp check
- run: vp test
- run: vp buildAction Inputs
voidzero-dev/setup-vp@v1 exposes:
| Input | Purpose |
|---|---|
version | Pin a specific Vite+ release. Defaults to latest; pin when CI must stay aligned with a chosen release. |
node-version | Node.js version to install via vp env use. |
node-version-file | Read the Node.js version from a file (.node-version, .nvmrc, etc.). |
working-directory | Project root for path resolution and lockfile detection. |
run-install | Run vp install after setup. Boolean or YAML config. |
cache | Cache project dependencies. Auto-detects pnpm/npm/yarn/bun lockfiles. |
cache-dependency-path | Override the lockfile path used for cache key generation. |
registry-url / scope | Configure scoped npm registry authentication. |
Defaults
- Prefer
voidzero-dev/setup-vp@v1over hand-rolled Node/Corepack bootstrapping unless the repo has a proven exception. - Prefer
setup-vp's built-in Node and package-manager bootstrap over adding separate CI-timevp envsetup steps unless the repo has a specific environment need the action does not cover. - Prefer
vp installover separate package-manager bootstrap logic when VitePlus is the tool owner. The action'srun-install: trueinput collapses setup + install into one step. - Prefer
vp configwhen the repo wants stock hooks or agent integration instead of hand-rolled hook setup. - Prefer one repo-local verify entrypoint if CI needs extra repo-specific commands.
- Keep release orchestration in GitHub Actions when the repo has npm, GitHub Release, binary, or Homebrew automation that goes beyond stock VitePlus.
- When CI behavior must stay aligned with a repo's chosen Vite+ release, pin the
setup-vpaction'sversioninput explicitly. Do not assume it will read the localvite-plusdependency version frompackage.json.
Guardrails
- Prefer
vp run <script>(orvpr <script>) when CI needs a repo-specific script that VitePlus does not replace. - Do not delete release-only steps just to make the workflow look more stock.
- Keep packaging and publish steps that VitePlus does not own.