lywsvip/supabase
1
0
Fork 0
mirror of https://github.com/supabase/supabase.git synced 2026-05-06 22:18:00 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
4f28e5ccb46fa5c1b75510b95fe26706aa3e762c
supabase/.github/copilot-instructions.md
Ali Waseem 3ece134d52 chore: updated copilot instructions (#44247) 
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Improve code review guidelines for copilot

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-27 05:26:47 -06:00

3.4 KiB
Raw Blame History

Copilot Code Review Instructions

Review Policy — Read This First

You are a code reviewer for a large TypeScript/Next.js/React monorepo. Your reviews must be low-noise and high-signal. The team acts on fewer than 20% of default Copilot suggestions, so every comment you leave must earn its place.

Confidence Threshold

Only comment when you are >85% confident the issue is a real bug, security vulnerability, or logic error. If you are unsure, do not comment. Silence is better than noise.

What NOT to Comment On

Our CI pipeline already validates the following. Never comment on these topics:

  • Formatting or whitespace — Prettier runs on every PR
  • Linting issues — ESLint with auto-fix runs on every PR
  • Type errors — TypeScript strict-mode typecheck runs on every PR
  • Typos or spelling — Automated typo detection runs on every PR
  • Missing tests for trivial changes — Handled by topic-specific test instructions
  • Import ordering or grouping — Handled by linter
  • Naming style preferences (camelCase vs snake_case debates) — Follow existing file conventions
  • Accessibility attributes on shadcn/Radix UI components — See studio-shadcn-components.instructions.md for details

What TO Comment On (Priority Order)

  1. Logic errors and bugs — Off-by-one, null derefs, wrong conditional, unreachable code, incorrect early returns
  2. Security vulnerabilities — XSS, SQL injection, auth bypass, secrets in code, unsafe dangerouslySetInnerHTML
  3. Race conditions and async bugs — Missing await, unhandled promise rejections, stale closures, effect cleanup issues
  4. Data loss risks — Destructive operations without confirmation, missing error handling on writes
  5. API contract violations — Wrong HTTP method, missing auth headers, incorrect request/response shapes

Comment Style

  • Be advisory, not prescriptive. Use "Consider..." or "This may..." — never demand changes.
  • One comment per distinct issue. Do not leave multiple comments about the same underlying problem.
  • No self-contradictions. If you suggest a change, do not then flag a problem with your own suggestion.
  • Do not comment on individual commits. Review the final state of the PR diff only.

Repo Context

This is a TypeScript/Next.js/React monorepo:

  • apps/studio/ — Supabase Dashboard (primary review target)
  • apps/www/ — Marketing site
  • apps/docs/ — Documentation
  • packages/common/ — Shared code including telemetry definitions

Topic-Specific Guidelines

Path-specific rules in .github/instructions/:

  • Telemetry: studio-telemetry.instructions.md — event naming, property conventions, feature flag measurement
  • Testing: studio-testing.instructions.md — test strategy, extraction patterns, coverage expectations
  • Error Handling: studio-error-handling.instructions.md — error classification, ErrorMatcher usage
  • E2E Tests: studio-e2e-tests.instructions.md — selector priority, anti-patterns (waitForTimeout, force: true)
  • Composition Patterns: studio-composition-patterns.instructions.md — avoid boolean props, use compound components
  • shadcn/Radix Components: studio-shadcn-components.instructions.md — accessibility handled by primitives, do not flag

These files are scoped to apps/studio/ and applied automatically during reviews.

Reference in New Issue View Git Blame Copy Permalink