Closed
7 changes: 6 additions & 1 deletion .github/workflows/ci.yml
@@ -1,4 +1,8 @@
name: CI
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


on:
push:
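Review bot: `cancel-in-progress: true` keyed on `${{ github.ref }}` also cancels runs triggered by `push`, so a quick second push leaves the earlier commit with no completed CI result; if branch protection reads this workflow's status, scope cancellation to pull requests, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The hunk also leaves two blank lines between the `concurrency:` block and `on:`; one is enough.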
@@ -18,7 +22,8 @@ jobs:
go-version: ['1.21', '1.22']

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Refresh models catalog

Checkout step includes run

High Severity

The first CI step sets uses: actions/checkout and also defines a run block for refreshing models.json. A single step cannot combine an action and run, so the catalog refresh may never execute and tests may use a missing or stale models file.

Reviewed by Cursor Bugbot for commit 050ddc3.

run: |
Comment on lines +25 to 27

🟠 Architect Review — HIGH

Multiple workflows in this PR define "combined steps" that include both uses and run, or multiple uses keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically actions/checkout or actions/configure-pages) being ignored or steps failing validation so intended gates do not run correctly.

Suggestion: Normalize all seven affected locations so each step has exactly one uses or one run and each logical operation (checkout, setup, analysis, gate script, etc.) is its own list item, ensuring that required checkouts and setup actions execute before dependent scripts across CI, docs, CodeQL, SAST, quality-gate, and policy-gate workflows.

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/ci.yml
**Line:** 25:27
**Comment:**
HIGH: Multiple workflows in this PR define "combined steps" that include both `uses` and `run`, or multiple `uses` keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically `actions/checkout` or `actions/configure-pages`) being ignored or steps failing validation so intended gates do not run correctly.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once the fix is implemented, also check the other comments on the same PR, and ask the user whether they want to fix the rest of the comments as well. If they say yes, fetch all the comments, validate their correctness and implement a minimal fix.

git fetch --depth 1 https://github.com/router-for-me/models.git main
mkdir -p pkg/llmproxy/registry/models
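Review bot: the first step now carries both `uses: actions/checkout@…` and a `run: |` block, which a single step cannot do; make the catalog refresh its own `- name: Refresh models catalog` step with the `run:` block, placed after the checkout step. The checkout ref also contains two SHAs joined by `@`; the trufflehog.yml hunk in this same PR pins `actions/checkout` to `11bd71901bbe5b1630ceea73d27597364c9af683` alone, so use that single SHA here (and in codeql.yml, docs.yml and sast-quick.yml) with the `# v4` comment after it. Separately, `git fetch --depth 1 https://github.com/router-for-me/models.git main` pulls the models catalog from a third-party repository's moving branch on every run; pinning that fetch to a commit would keep the test input reproducible and under this repository's control.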
3 changes: 2 additions & 1 deletion .github/workflows/codeql.yml
@@ -19,7 +19,8 @@ jobs:
language: [go]
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Initialize CodeQL

CodeQL init merged with checkout

High Severity

The CodeQL job combines actions/checkout and github/codeql-action/init in one step with two uses keys. That can skip checkout or init and break the subsequent go build and analysis steps.

Reviewed by Cursor Bugbot for commit 050ddc3.

uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
languages: ${{ matrix.language }}
config-file: .github/codeql/codeql-config.yml
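Review bot: `# v4with:` makes the `with:` key part of the comment, so `languages:` and `config-file:` become stray keys under the Checkout step, which already holds a second `name` and `uses`; restore the layout shown in the proposed fix in the comment that follows: one Checkout step pinned to a single SHA, then `- name: Initialize CodeQL` with `uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4` and `with:` on its own line. Because this file is the only thing that runs CodeQL, a parse failure here means no code scanning results at all until it is fixed, with nothing else in the pipeline noticing.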
Comment on lines 21 to 26

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Malformed YAML prevents CodeQL security scanning.

The "Checkout" step contains the same structural errors as in docs.yml:

  1. Duplicate name keys: Line 23 adds name: Initialize CodeQL to the Checkout step instead of creating a new step with - name: Initialize CodeQL
  2. Invalid Git ref syntax: Line 22 contains two commit hashes separated by @, which is invalid
  3. Missing newline: Line 24 shows # v4with: instead of # v4 followed by a properly formatted with: block

These errors prevent the workflow from parsing, which means CodeQL security scanning will not run, creating a security blind spot.

🔧 Proposed fix for YAML structure
      - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
          languages: ${{ matrix.language }}
          config-file: .github/codeql/codeql-config.yml
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 23-23: duplication of key "name" in mapping

(key-duplicates)


[error] 24-24: duplication of key "uses" in mapping

(key-duplicates)


[error] 25-25: syntax error: expected , but found ''

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 21 - 26, The CodeQL workflow has
three YAML structure errors that prevent parsing. First, separate the Checkout
and Initialize CodeQL into two distinct workflow steps by properly formatting
the second step with its own `- name: Initialize CodeQL` line instead of adding
it as a duplicate name key within the Checkout step. Second, fix the invalid Git
reference in the Checkout action by replacing the malformed syntax (with two
commit hashes separated by @) with a single valid reference format like
`actions/checkout@<single-commit-hash>`. Third, properly format the comment and
with block by ensuring the comment `# v4` appears on its own line, followed by
the `with:` keyword and its configuration block on separate lines. This will
restore proper YAML parsing for the workflow.

8 changes: 5 additions & 3 deletions .github/workflows/docs.yml
@@ -19,7 +19,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Setup Node

Steps merged into one due to missing list indicators

High Severity

The commit splits step names that were previously embedded in YAML comments (e.g., # v4- name: Setup Node) into separate lines, but adds them as properties of the same step instead of creating new list items with - . This produces duplicate name: and uses: keys in single steps. YAML's last-wins behavior silently drops the first action (typically actions/checkout), so the repository is never checked out before subsequent steps run.

Reviewed by Cursor Bugbot for commit 6733dc6.

uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
Comment on lines +22 to 24

🔴 Architect Review — CRITICAL

The first docs build step defines both checkout and Node setup in a single step with duplicate uses keys, so the actions/checkout invocation is overridden and the repository is never actually checked out before bun/npm commands run, causing the docs build to run against an empty workspace.

Suggestion: Split this into two separate sequential steps (one uses: actions/checkout@<pinned-sha>, then one uses: actions/setup-node@<pinned-sha> with the existing with: block) so the workspace is checked out before any bun/npm-based build steps execute.

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/docs.yml
**Line:** 22:24
**Comment:**
CRITICAL: The first docs build step defines both checkout and Node setup in a single step with duplicate `uses` keys, so the `actions/checkout` invocation is overridden and the repository is never actually checked out before `bun`/`npm` commands run, causing the docs build to run against an empty workspace.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once the fix is implemented, also check the other comments on the same PR, and ask the user whether they want to fix the rest of the comments as well. If they say yes, fetch all the comments, validate their correctness and implement a minimal fix.

node-version: "20"
cache: "npm"
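Review bot: both `uses` refs in this step carry two SHAs joined by `@`, and `# v4with:` swallows the `with:` key, so `node-version: "20"` and `cache: "npm"` are orphaned and the checkout is dropped by duplicate-key handling. Split it into `- name: Checkout` / `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` (the single SHA the trufflehog.yml hunk in this PR uses) and `- name: Setup Node` / `uses: actions/setup-node@<one SHA> # v4` with the `with:` block beneath it; for setup-node keep exactly one of `49933ea5288caeca8642d1e84afbd3f7d6820020` and `8f152de45cc393bb48ce5d89d36b731f54556e65` after confirming which one corresponds to the intended v4 release.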
@@ -40,7 +41,7 @@ jobs:

- name: Install dependencies
working-directory: docs
run: npm install --frozen-lockfile
run: npm ci --frozen-lockfile

Invalid flag on npm ci

Medium Severity

The docs install step runs npm ci --frozen-lockfile, but --frozen-lockfile is an npm install / Yarn option, not valid for npm ci. That can make the install step exit with a CLI usage error and block the docs build.

Reviewed by Cursor Bugbot for commit 050ddc3.

Comment on lines 42 to +44

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove redundant --frozen-lockfile flag.

The npm ci command already treats the lockfile as frozen by default and will error if package.json and package-lock.json are out of sync. The --frozen-lockfile flag is redundant (and is actually a Yarn flag, not an npm flag).

♻️ Proposed fix
      - name: Install dependencies
        working-directory: docs
-        run: npm ci --frozen-lockfile
+        run: npm ci
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 42 - 44, The Install dependencies
step in the docs workflow is running npm ci with the --frozen-lockfile flag,
which is redundant since npm ci already enforces a frozen lockfile by default
and will error if package.json and package-lock.json are out of sync. Remove the
--frozen-lockfile flag from the npm ci command so it reads simply as npm ci,
keeping the functionality intact while removing the unnecessary flag that is
actually a Yarn-specific option.


- name: Build docs
working-directory: docs
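Review bot: `--frozen-lockfile` is a Yarn (and pnpm) flag, not an `npm ci` option; `npm ci` already refuses to run when package-lock.json and package.json disagree, so the line should be just `run: npm ci`. Moving from `npm install` to `npm ci` is the right direction for a CI build, since it installs exactly what the lockfile records instead of resolving anew.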
@@ -71,6 +72,7 @@ jobs:
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Configure Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
name: Deploy

YAML indentation error breaks entire docs workflow

High Severity

The name: Deploy line has 9 spaces of indentation while all sibling properties (uses:, id:) in the same step mapping have 8 spaces. YAML block mappings require all keys at the same level to share identical indentation. This mismatch will cause a YAML parse error, preventing the entire docs.yml workflow file from loading — breaking both the build and deploy jobs.

Reviewed by Cursor Bugbot for commit 6733dc6.

Deploy step YAML broken

High Severity

The Pages deploy job folds configure-pages and deploy-pages into one step, with a mis-indented name: Deploy line. GitHub Actions expects separate steps; duplicate uses keys and bad indentation can prevent the deploy job from running or from setting steps.deployment correctly.

Reviewed by Cursor Bugbot for commit 050ddc3.

id: deployment
Comment on lines +75 to 77

🔴 Architect Review — CRITICAL

The Pages deploy job merges actions/configure-pages and actions/deploy-pages into a single step with duplicate uses keys, so configure-pages is never invoked and the job calls only deploy-pages, which can break the required GitHub Pages deployment contract on main.

Suggestion: Restore two explicit steps in order—a Configure Pages step that runs actions/configure-pages@<pinned-sha>, followed by a Deploy step running actions/deploy-pages@<pinned-sha> with the existing id and url wiring—so the Pages environment is configured before deployment.

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/docs.yml
**Line:** 75:77
**Comment:**
CRITICAL: The Pages deploy job merges `actions/configure-pages` and `actions/deploy-pages` into a single step with duplicate `uses` keys, so `configure-pages` is never invoked and the job calls only `deploy-pages`, which can break the required GitHub Pages deployment contract on `main`.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once the fix is implemented, also check the other comments on the same PR, and ask the user whether they want to fix the rest of the comments as well. If they say yes, fetch all the comments, validate their correctness and implement a minimal fix.

uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
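Review bot: `name: Deploy` is indented one space deeper than its sibling keys, and the step holds two `uses` keys, so `actions/configure-pages` is lost and the file may not parse at all; the `url: ${{ steps.deployment.outputs.page_url }}` declared above only resolves if a Deploy step owns `id: deployment`. Split into `- name: Configure Pages` / `uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5` followed by `- name: Deploy` / `id: deployment` / `uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4`, all at the same indentation.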
Comment on lines 74 to 78

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Malformed YAML in deploy job.

The "Configure Pages" step has duplicate name keys and improper structure:

  1. Line 76 adds name: Deploy to the Configure Pages step instead of starting a new step
  2. Line 76 has incorrect indentation (single space instead of proper alignment)
  3. The Deploy step is merged into Configure Pages instead of being separate

This YAML syntax error will prevent the workflow from running.

🔧 Proposed fix for YAML structure
      - name: Configure Pages
        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
-         name: Deploy
+      - name: Deploy
        id: deployment
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 78-78: duplication of key "uses" in mapping

(key-duplicates)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 74 - 78, The "Configure Pages" step
in the docs.yml workflow has malformed YAML structure with the Deploy step
improperly merged into it. Fix this by ensuring the Configure Pages step is
properly closed after the uses directive, then create a separate new step item
(starting with a dash) for the Deploy step with correct indentation. The
Configure Pages step should contain only its name and uses properties, while the
Deploy step should be a distinct list item with its own name (Deploy), id
(deployment), and uses (actions/deploy-pages) properties. Verify all indentation
is consistent throughout with proper YAML list and mapping alignment.

4 changes: 4 additions & 0 deletions .github/workflows/journey-gate.yml
@@ -19,6 +19,10 @@
# =============================================================================

name: Journey Gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


on:
push:
18 changes: 18 additions & 0 deletions .github/workflows/lint.yml
@@ -0,0 +1,18 @@
name: lint
on:
push:
branches: [main, master, develop]
pull_request:
branches: [main, master, develop]
jobs:
golangci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false to prevent credential leakage.

The checkout action does not explicitly set persist-credentials: false, which means Git credentials are persisted and could potentially leak through artifacts or subsequent steps.

🛡️ Proposed fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-11: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yml at line 11, The actions/checkout@v4 step does not
explicitly disable credential persistence, which poses a security risk by
allowing Git credentials to potentially leak through artifacts or subsequent
workflow steps. Add a `with:` section to the checkout action and set
`persist-credentials: false` to prevent credentials from being persisted in the
environment. This ensures that Git credentials are only valid for the duration
of the checkout step and are not available to downstream jobs or actions.

Source: Linters/SAST tools
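Two kinds of finding recur through this review: steps whose duplicate `uses`/`name` keys or fused `uses` plus `run` silently drop an action (the codeql.yml, docs.yml and sast-quick.yml comments above), and checkout steps that are unpinned or leave credentials persisted (this comment). The scanner below is an added example written for this page, not code from the PR or its repository. It walks a workflow's `steps:` lists line by line rather than loading the file with a YAML library, because a last-wins loader would hide exactly the duplicate keys being looked for. It understands only the standard step layout (a `- ` item whose keys sit two spaces deeper), the sample workflow text and its 40-hex SHAs are constructed, and it is no substitute for yamllint or zizmor, whose real output is quoted on this page.

```python
"""Added example (not from this PR's repository): line-based scanner for the
step-structure mistakes flagged in this review.  Duplicate keys are kept, not
loaded through a last-wins YAML loader; this does not replace yamllint/zizmor."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
KEY_LINE = re.compile(r"^(\s*)(- )?([A-Za-z_][\w-]*):\s*(.*)$")


def split_steps(text):
    """One dict per step: (key, value) pairs in file order with duplicates kept,
    stripped nested lines, and key lines at an indentation no step can own."""
    steps, step = [], None
    steps_indent = item_indent = None
    last_value = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if steps_indent is not None and indent <= steps_indent:
            steps_indent = item_indent = step = None  # left this step list
        if steps_indent is None:
            if stripped == "steps:":
                steps_indent = indent
            continue
        m = KEY_LINE.match(raw)
        is_new = bool(m and m.group(2) and
                      (item_indent is None or indent <= item_indent))
        if is_new:  # a `- key: value` line opens a new step
            item_indent = indent
            step = {"keys": [], "body": [], "bad_indent": []}
            steps.append(step)
        if step is None:
            continue
        key_indent = item_indent + 2
        if m and (is_new or indent == key_indent):
            last_value = m.group(4).strip()
            step["keys"].append((m.group(3), last_value))
        elif indent > key_indent:
            # deeper lines are fine only under `with:`-style empty keys or block scalars (`run: |`)
            step["body"].append(stripped)
            if m and last_value[:1] not in ("", "|", ">"):
                step["bad_indent"].append(stripped)
    return steps


def check_steps(text):
    """Return human-readable findings for every step in a workflow file."""
    out = []
    for n, step in enumerate(split_steps(text), 1):
        keys = [k for k, _ in step["keys"]]
        uses = [v.split("#")[0].strip() for k, v in step["keys"] if k == "uses"]
        if len(uses) > 1:
            out.append(f"step {n}: {len(uses)} 'uses' keys in one step")
        if uses and "run" in keys:
            out.append(f"step {n}: 'uses' and 'run' in the same step")
        for k in sorted(set(keys)):
            if k != "uses" and keys.count(k) > 1:
                out.append(f"step {n}: duplicate key '{k}'")
        for line in step["bad_indent"]:
            out.append(f"step {n}: mis-indented key line '{line}'")
        for ref in uses:
            action, _, version = ref.partition("@")
            if "@" in version:
                out.append(f"step {n}: doubled '@' in ref '{ref}'")
            elif not SHA40.match(version):
                out.append(f"step {n}: '{action}' is not pinned to a commit SHA")
            if action == "actions/checkout" and not any(
                    b.startswith("persist-credentials: false") for b in step["body"]):
                out.append(f"step {n}: actions/checkout keeps persist-credentials")
    return out


# Constructed sample mirroring the shapes seen in this PR (fake SHAs).
SAMPLE = """\
steps:
  - name: Checkout
    uses: actions/checkout@1111111111111111111111111111111111111111@2222222222222222222222222222222222222222 # v4
    name: Initialize CodeQL
    uses: github/codeql-action/init@3333333333333333333333333333333333333333 # v4
  - uses: actions/checkout@v4
  - uses: actions/checkout@4444444444444444444444444444444444444444 # v4
    with:
      persist-credentials: false
    run: echo "uses and run together"
  - name: Configure Pages
    uses: actions/configure-pages@5555555555555555555555555555555555555555 # v5
     name: Deploy
"""
# Constructed clean counterpart: one action per step, pinned, credentials off.
CLEAN = """\
steps:
  - uses: actions/checkout@4444444444444444444444444444444444444444 # v4
    with:
      persist-credentials: false
  - run: |
      key: a colon inside a run block is not a step key
"""
```

`check_steps(SAMPLE)` returns eight findings: two `uses` keys and a duplicate `name` in step 1, the doubled `@` ref and a persisting checkout in steps 1 and 2, the unpinned `@v4` in step 2, `uses` beside `run` in step 3, and the mis-indented `name: Deploy` in step 4; `check_steps(CLEAN)` returns an empty list. Run it over every file under `.github/workflows/` as a pre-commit hook and the malformed steps in this PR would have been caught before push.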

- uses: actions/setup-go@v5
with:
go-version: stable

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider aligning Go version with go.mod declaration.

The workflow uses go-version: stable, which is a moving target that may introduce drift from the go 1.26.0 declared in go.mod. While stable is acceptable for linting, explicitly specifying the version ensures consistency with the codebase target.

📌 Proposed fix to align with go.mod
       - uses: actions/setup-go@v5
         with:
-          go-version: stable
+          go-version: '1.26'
       - name: golangci-lint
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yml at line 14, The go-version field in the lint
workflow is set to stable, which is a moving target and may introduce version
drift from the go.mod declaration of go 1.26.0. Replace the go-version: stable
value with the explicit version go-version: 1.26.0 to ensure the workflow uses
the same Go version as declared in go.mod, maintaining consistency across the
codebase and preventing potential linting issues caused by version mismatches.

- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
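Review bot: unlike policy-gate.yml and the other workflows touched by this PR, this new file has no top-level `permissions:` block and pins none of its three actions to a commit SHA; add `permissions:` / `contents: read` (matching policy-gate.yml), replace `actions/checkout@v4`, `actions/setup-go@v5` and `golangci/golangci-lint-action@v6` with SHA-pinned refs plus a version comment as the rest of the repository does, and set `persist-credentials: false` on the checkout. `version: latest` for golangci-lint also means a new linter release can start failing this job with no change to the code, so pin it as well.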

Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +9 to +18

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider pinning golangci-lint version for stability.

Using version: latest allows golangci-lint to update automatically, which may introduce new linter rules or breaking changes that cause unexpected CI failures. Pinning to a specific version provides more predictable behavior.

📌 Proposed fix to pin version
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v1.61

Note: Verify the desired version at https://github.com/golangci/golangci-lint/releases

🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 9-18: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yml at line 18, The golangci-lint configuration is
using `version: latest` which should be replaced with a specific pinned version
number. Locate the `version: latest` setting in the golangci-lint action and
replace the value with a specific version string (for example, a version number
like v1.54.2). This ensures the CI pipeline uses a consistent version and
prevents unexpected behavior changes from automatic updates.

4 changes: 4 additions & 0 deletions .github/workflows/policy-gate.yml
@@ -1,4 +1,8 @@
name: policy-gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on: [workflow_dispatch]
permissions:
contents: read
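Review bot: this workflow runs only on `workflow_dispatch`, so the new `cancel-in-progress: true` means a second manual run on the same ref silently cancels a gate run that is already in progress, which is rarely what someone waiting on a gate result wants; consider `cancel-in-progress: false` here (queueing instead of cancelling). The same applies to the identical hunks in quality-gate.yml and self-merge-gate.yml.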
4 changes: 4 additions & 0 deletions .github/workflows/quality-gate.yml
@@ -1,4 +1,8 @@
name: quality-gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on: [workflow_dispatch]
permissions:
contents: read
7 changes: 6 additions & 1 deletion .github/workflows/sast-quick.yml
@@ -1,4 +1,8 @@
name: SAST Quick Check
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


on:
pull_request:
@@ -41,7 +45,8 @@ jobs:
# Tier 3: Advisory - security enrichment only
continue-on-error: true
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Analyze licenses
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Analyze licenses

License scan step malformed

Medium Severity

The license-compliance job puts actions/checkout and fsfe/reuse-action in one step with two uses entries. The REUSE license check may not run, weakening that advisory job.

Reviewed by Cursor Bugbot for commit 050ddc3.

uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail
Comment on lines +48 to 50

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: step contains multiple uses: fields.

This step has uses: actions/checkout on line 48, then a name: field on line 49, and then another uses: fsfe/reuse-action on line 50. A GitHub Actions step cannot have multiple uses: fields—these should be separate steps.

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
       - name: Analyze licenses
         uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true  # Allow findings but don't fail
+        continue-on-error: true

Note: Line 50 also has # v4continue-on-error: which needs to be separated.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 50-50: duplication of key "uses" in mapping

(key-duplicates)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 48 - 50, The workflow contains
a single step with multiple `uses:` fields, which is invalid GitHub Actions
syntax. The actions/checkout action on the first line and the fsfe/reuse-action
on the third line must be separated into two distinct steps. Create two separate
step entries in the workflow array: one for actions/checkout and one for
fsfe/reuse-action, each with their own `uses:` field. Additionally, fix the
malformed comment on line 50 where `# v4continue-on-error:` is concatenated
incorrectly—separate the version comment from the `continue-on-error: true`
property by placing `continue-on-error` on a proper line within the
fsfe/reuse-action step.

- name: Check for non-reusable licenses
run: |
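Review bot: the checkout reference quoted from the REUSE step, `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`, carries two `@`-separated SHAs; the runner treats everything after the first `@` as a single ref, no branch, tag or commit with that name exists, and the job cannot resolve the action before the duplicate `uses:` problem is even reached. Keep one full 40-character SHA followed by the version comment. Separately, once `continue-on-error: true` sits on its own line it makes the REUSE check purely advisory; if that is intended, reflect it in the step name so a green check is not read as a license pass.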
4 changes: 4 additions & 0 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
name: OpenSSF Scorecard
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
branch_protection_rule:
schedule:
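Review bot: the new `concurrency` block keys the group on `github.ref` and sets `cancel-in-progress: true`, which fits poorly with the `schedule` and `branch_protection_rule` triggers shown: for both, `github.ref` is the default branch on every run, so the group is always identical and a newly triggered run cancels a Scorecard scan that is still in progress, possibly leaving no fresh result published. Set `cancel-in-progress: false` here so runs queue instead of aborting each other.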
4 changes: 4 additions & 0 deletions .github/workflows/self-merge-gate.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
name: self-merge-gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on: [workflow_dispatch]
permissions:
contents: read
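Review bot: for a manually dispatched gate, `cancel-in-progress: true` lets a second `workflow_dispatch` on the same ref abort a gate run that is still executing, and the aborted run reports `cancelled` rather than a verdict. A merge gate should always reach a pass or fail, so prefer `cancel-in-progress: false` (later runs on the same ref are then queued) while keeping the group key as written.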
9 changes: 8 additions & 1 deletion .github/workflows/trufflehog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
name: Trufflehog Secrets Scan
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
push:
branches: [main]
Expand All @@ -11,7 +15,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- uses: trufflehog/actions/setup@main
- uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1
with:
go-version: 'stable'
- run: go install github.com/trufflehog/trufflehog/v3@latest

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the actions/setup-go commit SHA exists

gh api repos/actions/setup-go/commits/0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 \
  --jq '.sha' 2>&1 || echo "ERROR: Invalid commit SHA"

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 356


🏁 Script executed:

# Check if the trufflehog.yml file exists and examine lines 18-21
if [ -f ".github/workflows/trufflehog.yml" ]; then
  echo "=== File found ==="
  wc -l ".github/workflows/trufflehog.yml"
  echo "=== Lines 18-21 ==="
  sed -n '18,21p' ".github/workflows/trufflehog.yml"
else
  echo "File .github/workflows/trufflehog.yml not found"
  ls -la .github/workflows/ 2>/dev/null || echo ".github/workflows directory not found"
fi

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 334


🏁 Script executed:

# Search for actions/setup-go references in the repository
rg "actions/setup-go" --type yaml -A 2 -B 2

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 57


🌐 Web query:

GitHub Actions setup-go action valid references versions best practices

💡 Result:

To use the actions/setup-go action effectively, follow these best practices regarding version specification and configuration [1][2][3].

Version Specification Best Practices

For stable and reproducible builds, it is recommended to pin a specific Go version (e.g., '1.25.5') or at least a specific major/minor version (e.g., '1.25') [1].
- Use single quotes in your YAML configuration to prevent the parser from misinterpreting version numbers (e.g., '1.20' might be trimmed to '1.2' if unquoted) [2][3].
- You can specify exact versions (e.g., '1.24.11'), semantic version ranges (e.g., '^1.25.1'), or aliases like 'stable' or 'oldstable' [2][3].
- If you prefer stability and want to ensure a consistent Go version is always used, keep the default check-latest: false [1][4].
- Set check-latest: true only if you want the action to always fetch the latest available patch release from the GitHub runner's manifest, which may cause your build environment to change over time [1][5].

Configuration Recommendations
- Use the go-version-file input to automatically sync the Go version with your local project files (e.g., 'go.mod', '.go-version', or '.tool-versions') [2][5]. Note that if both go-version and go-version-file are provided, go-version takes precedence [2][3].
- Caching is enabled by default [2][3][6]. The action automatically looks for 'go.sum' in the repository root to generate cache keys [2][3].
- If you have multiple dependency files or they are located in non-standard directories, use the cache-dependency-path input to explicitly define the paths for caching [2][4].

🌐 Web query:

actions/setup-go commit SHA vs tag version reference GitHub Actions

💡 Result:

In GitHub Actions, referencing an action by a tag (e.g., @v5) is considered insecure because tags are mutable [1][2][3]. A tag can be deleted and recreated by an attacker or a compromised account to point to a different, malicious commit, which would cause all workflows using that tag to execute the new, untrusted code [1][4][5].

Referencing an action by its full 40-character commit SHA (e.g., @a1b2c3d4...) is the industry-standard security practice [1][6][7]. Because a commit SHA is a cryptographic hash of the commit's content, it is immutable; it cannot be changed to point to different code [2][4][8]. Pinning to a SHA ensures that your workflow consistently runs the exact code you have reviewed [4][9][5].

Best practices for managing action references include:
1. Always use full-length (40-character) commit SHAs [10][7][5]. Never use short SHAs, as they are not guaranteed to be unique and can be forged.
2. Maintain human readability by appending the tag version as a comment [1][9][5]. This allows automated dependency management tools like Dependabot or Renovate to recognize the version and open pull requests when updates are available [1][2][5]. Example: - uses: actions/setup-go@0a12ed9 # v5.0.2 [1]
3. Use automated tooling (e.g., Dependabot, Renovate, pinact) to keep these pinned SHAs up to date with the latest releases [1][3][6][5].
4. Enable organization-level policies in GitHub to enforce SHA pinning, which will cause any workflow using non-pinned references to fail, ensuring compliance across your organization [4][6][11][5].
5. When reviewing updates, verify that the new SHA belongs to a release tag or branch within the official repository to avoid "orphaned" commits from untrusted forks [8].

While SHA pinning is a critical security control, it does not replace the need to audit the actions you use or ensure that the actions themselves do not pull unpinned, mutable dependencies (like 'latest' Docker images or unversioned shell scripts) at runtime [6][8].


Fix the invalid actions/setup-go reference and pin TruffleHog version.

The commit SHA 0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 does not exist in the actions/setup-go repository and will cause the workflow to fail. Use a valid commit SHA (e.g., pinning to a specific release tag like @v5.0.2) or use the tag directly (e.g., @v5). Additionally, line 21 uses @latest for TruffleHog, which installs an unpinned version that may change between runs. Pin the TruffleHog version to a specific release (e.g., @v3.63.0) for consistency and reproducibility.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trufflehog.yml around lines 18 - 21, The actions/setup-go
action uses an invalid commit SHA that does not exist, which will cause the
workflow to fail. Replace the commit SHA in the actions/setup-go reference with
a valid version tag such as `@v5` or `@v5.0.2`. Additionally, the go install command
for trufflehog uses `@latest`, which results in unpinned and unreproducible
builds. Replace `@latest` in the github.com/trufflehog/trufflehog/v3@latest
command with a pinned version tag such as `@v3.63.0` to ensure consistent and
reproducible workflow runs.

- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
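Review bot: `trufflehog/actions/setup@main` is a mutable branch reference, inconsistent with the SHA-pinned checkout two steps above: whatever is later pushed to that branch runs in this job with `GH_TOKEN` in its environment. Pin it to a full commit SHA with a version comment, as the checkout step does. The `go install github.com/trufflehog/trufflehog/v3@latest` step then installs the same tool a second way, also unpinned; keep a single install path and pin it. Note too that `\${{ secrets.GITHUB_TOKEN }}` is a literal string rather than an expression because of the backslash, so even a correctly pinned scanner would run without a usable token.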


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Escaped secret variable prevents interpolation.

Line 24 has \${{ secrets.GITHUB_TOKEN }} with a backslash before the dollar sign. This escapes the template expression, causing GitHub Actions to set the environment variable to the literal string ${{ secrets.GITHUB_TOKEN }} instead of interpolating the actual secret value.

TruffleHog will fail because it won't receive a valid GitHub token.

🔧 Proposed fix
       - run: trufflehog github --only-verified --no-update
         env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trufflehog.yml at line 24, The GH_TOKEN environment
variable has an escaped dollar sign that prevents the GitHub Actions template
expression from being interpolated. Remove the backslash before the dollar sign
in the GH_TOKEN assignment so that secrets.GITHUB_TOKEN is properly evaluated to
the actual secret value instead of being treated as a literal string. Change
`\${{ secrets.GITHUB_TOKEN }}` to `${{ secrets.GITHUB_TOKEN }}` to allow the
token to be correctly passed to TruffleHog.

1 change: 1 addition & 0 deletions cliproxyapi-plusplus-wtrees/shell-quality-2026-06-08
Submodule shell-quality-2026-06-08 added at 43a2ba
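Review bot: `cliproxyapi-plusplus-wtrees/shell-quality-2026-06-08` added as a submodule at `43a2ba` reads like a local git worktree that was staged by accident (the directory name is the repository name plus a dated worktree suffix). If it is intentional, the PR needs the matching `.gitmodules` entry with its URL, otherwise a fresh clone in CI cannot initialise it; if not, drop the gitlink from the commit.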