chore: standardize repository config

[afc163]

Summary

• Redesign README with npm/bundlephobia badges, Ant Design brand context, installation, usage, API, development, and release sections.
• Standardize repository config: package scripts, dumi/father/tsconfig, FUNDING, Dependabot, Vercel preview, Surge preview fallback, React Doctor, and CodeQL workflow.
• Remove the legacy now-build path and align preview output on docs-dist.

Test plan

• npm run tsc
• npm test -- --runInBand
• npm run lint
• npm run build
• npx vercel build --yes

Refs ant-design/ant-design#58514

Summary by CodeRabbit

• New Features
  • 新增文档站点预览与自动化部署流程，覆盖构建与发布产物输出路径，便于及时查看示例与演示页。
• Bug Fixes
  • 优化文档站点在不同部署场景下的基础路径/资源加载表现，提升跳转与页面访问稳定性。
• Documentation
  • 重写并完善 README：更新安装/使用/Examples/API/Development/Release 内容与示例用法；同步文档标题与水平滚动示例代码引用。

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
virtual-list	Ready	Preview, Comment	Jun 26, 2026 5:52pm

[github-actions]

❌ Deploy failed

	❌ Failed
	🔗 Preview https://react-component-virtual-list-preview-pr-361.surge.sh (may be unavailable)
	📝 Commit	5a51454
	🪵 Logs	View logs

📋 Build log (last lines)

npm warn exec The following package was not found and will be installed: surge@0.27.4

   Running as afc163@gmail.com (Student)

        project: ./docs-dist
         domain: react-component-virtual-list-preview-pr-361.surge.sh
           size: 51 files, 1.7 MB

   Aborted - you do not have permission to publish to react-component-virtual-list-preview-pr-361.surge.sh

_{🤖 Powered by surge-preview}

[coderabbitai]

Warning

Review limit reached

@afc163, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 53b07e0f-e0b2-4fc7-9acd-8d6f51646f66

📥 Commits

Reviewing files that changed from the base of the PR and between ec16320 and 5a51454.

📒 Files selected for processing (4)

• .github/workflows/surge-preview.yml
• README.md
• package.json
• tsconfig.json

Walkthrough

PR 更新了 Virtual List 的站点与发布配置：调整路径别名和文档输出目录，重写 README 与示例文档，并同步更新 GitHub 资助、依赖检查和多项工作流配置。

Changes

Virtual List 文档与自动化刷新

Layer / File(s)	Summary
路径与别名 .dumirc.ts, tsconfig.json	GH_PAGES 下的基础路径计算和 @rc-component/virtual-list 相关路径映射被更新。
构建与发布 .dumirc.ts, package.json, vercel.json, .gitignore	包描述、docs-dist 输出、发布脚本/依赖、部署配置和忽略规则被更新。
文档内容 README.md, docs/index.md, docs/demo/horizontal-scroll.md	README 的结构、API 表、安装/使用/发布说明和文档首页、示例引用被更新。
仓库设置 .github/FUNDING.yml, .github/dependabot.yml	添加 funding 条目，并将 Dependabot 的 npm 更新计划改为每周一且移除忽略规则。
GitHub Actions .github/workflows/*	CodeQL、复用测试、React Doctor 和 Surge Preview 工作流被更新。

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

我是小兔，蹦进新站台，
docs-dist 亮起，胡萝卜也开怀。
路径一跳，别名轻轻改，
README 翻新，示例排排来。
预览和工作流，咚咚跑得快 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	标题准确概括了本次以仓库配置标准化为主的变更。
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/standardize-rc-config

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​cross-env@​10.1.0
	npm/​gh-pages@​6.3.0
	npm/​prettier@​3.8.5

View full report

[gemini-code-assist]

Code Review

This pull request updates the repository configuration, documentation, and build scripts to align with modern rc-component standards. It introduces a revamped README, configures Dumi for documentation, updates TypeScript paths, and adds Vercel deployment settings. The review feedback highlights a few critical issues: the gh-pages script in package.json incorrectly scopes the GH_PAGES environment variable, a redundant alias is defined in .dumirc.ts, and the tsconfig.json file includes an incorrect path for the examples directory.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

In shell execution, chaining commands with && (e.g., cross-env VAR=val cmd1 && cmd2) only applies the environment variable to the first command (cmd1). Since GH_PAGES=1 is required by dumi build (run via npm run docs:build) to set the correct basePath and publicPath, the cross-env prefix should be placed directly before npm run docs:build.

Suggested change

	"gh-pages": "cross-env GH_PAGES=1 npm run compile && npm run docs:build && npm run docs:deploy",
	"gh-pages": "npm run compile && cross-env GH_PAGES=1 npm run docs:build && npm run docs:deploy",

[gemini-code-assist]

The wildcard alias '@rc-component/virtual-list/es/*' is redundant and potentially problematic. In Webpack/Dumi, prefix matching for '@rc-component/virtual-list/es' is already sufficient to resolve all subpaths (e.g., '@rc-component/virtual-list/es/foo' to 'src/foo').

  alias: {
    '@rc-component/virtual-list$': path.resolve('src'),
    '@rc-component/virtual-list/es': path.resolve('src'),
  },

[gemini-code-assist]

The examples directory is located at the root of the repository (examples/), not inside the docs folder (as seen in docs/demo/horizontal-scroll.md which references ../../examples/horizontal-scroll.tsx). Update the include path to examples so that TypeScript correctly type-checks the example files.

Suggested change

	"include": [".dumirc.ts", "src", "tests", "docs/examples"],
	"include": [".dumirc.ts", "src", "tests", "examples"],

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.50%. Comparing base (2e032d4) to head (5a51454).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #361   +/-   ##
=======================================
  Coverage   97.50%   97.50%           
=======================================
  Files          19       19           
  Lines         800      800           
  Branches      193      191    -2     
=======================================
  Hits          780      780           
  Misses         20       20           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/react-component-ci.yml:
- Around line 14-15: The reusable workflow call in react-component/rc-test
should not inherit all repository secrets while pointing at a mutable branch.
Update the workflow reference in
react-component/rc-test/.github/workflows/test-utoo.yml from main to a fixed
commit SHA, and replace secrets: inherit with an explicit secrets mapping that
passes only CODECOV_TOKEN. Keep the change in the workflow job that uses the
reusable workflow so the remote workflow gets only the minimum secret it
actually needs.

In `@README.md`:
- Around line 88-98: Update the Release section in README so it matches the
actual prepublishOnly workflow: describe that publishing first runs npm run
compile and then rc-np, and clarify that rc-np comes from the `@rc-component/np`
package. Keep the wording aligned with the existing Release heading and the
prepublishOnly script reference so readers understand the full release flow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c05c0246-b4da-4cb4-a1d6-38bdda4f3ed7

📥 Commits

Reviewing files that changed from the base of the PR and between 2e032d4 and bbca1c7.

📒 Files selected for processing (15)

• .dumirc.ts
• .github/FUNDING.yml
• .github/dependabot.yml
• .github/workflows/codeql.yml
• .github/workflows/main.yml
• .github/workflows/react-component-ci.yml
• .github/workflows/react-doctor.yml
• .github/workflows/surge-preview.yml
• .gitignore
• README.md
• docs/demo/horizontal-scroll.md
• docs/index.md
• package.json
• tsconfig.json
• vercel.json

💤 Files with no reviewable changes (1)

• .github/workflows/main.yml

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 查看上游可复用工作流当前内容，确认是否真的消费了 secrets / 额外权限
curl -fsSL https://raw.githubusercontent.com/react-component/rc-test/main/.github/workflows/test-utoo.yml | sed -n '1,240p'

# 解析 main 当前指向的不可变提交，便于把 `@main` 改成固定 SHA
curl -fsSL https://api.github.com/repos/react-component/rc-test/commits/main | jq -r '.sha'

Repository: react-component/virtual-list

Length of output: 749

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 尝试通过 GitHub API v3 获取 react-component/rc-test 的 main commit SHA
curl -fsSL \
  -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/react-component/rc-test/commits/main" \
  | jq -r '.sha' || echo "failed"

Repository: react-component/virtual-list

Length of output: 222

---

不要把全部 secrets 继承给外部且可变的工作流。

当前工作流引用了外部仓库 react-component/rc-test 的 main 分支（可变引用），并通过 secrets: inherit 将本仓库的完整 secrets 透传给上游。上游工作流 test-utoo.yml 确实使用了 CODECOV_TOKEN，但这并不意味着它需要访问本仓库的所有 secrets。

若上游分支被意外修改或被劫持，本仓库的敏感信息（如部署凭证、API 密钥等）可能泄露。建议按以下两步修复：

1. 固定引用：将 .github/workflows/test-utoo.yml@main 替换为具体的 commit SHA。请在 GitHub 上查看 react-component/rc-test 仓库 main 分支的最新提交 SHA（例如通过 UI 或 gh api），并填入。
2. 显式传递 secrets：移除 secrets: inherit，改为仅传递工作流实际需要的 CODECOV_TOKEN：

    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

    uses: react-component/rc-test/.github/workflows/test-utoo.yml@<请替换为具体 SHA>
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

🧰 Tools

🪛 zizmor (1.26.1)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[warning] 14-14: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/react-component-ci.yml around lines 14 - 15, The reusable
workflow call in react-component/rc-test should not inherit all repository
secrets while pointing at a mutable branch. Update the workflow reference in
react-component/rc-test/.github/workflows/test-utoo.yml from main to a fixed
commit SHA, and replace secrets: inherit with an explicit secrets mapping that
passes only CODECOV_TOKEN. Keep the change in the workflow job that uses the
reusable workflow so the remote workflow gets only the minimum secret it
actually needs.

Source: Linters/SAST tools

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/afc163s-projects?upgradeToPro=build-rate-limit

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/react-component?upgradeToPro=build-rate-limit