chore(codeql): pin actions to SHA (PinnedDependencies wave 1)#962
Conversation
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 12 minutes and 20 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (23)
Note
|
|
codeant-ai
Bot
added
the
size:L
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 5 potential issues.
Bugbot Autofix prepared fixes for all 5 issues found in the latest run.
- ✅ Fixed: YAML
with:keyword consumed by trailing comment- Separated all
with:keywords from SHA comments onto their own lines across all affected workflows (auto-merge.yml, ci.yml, codeql.yml, docker-image.yml, pr-test-build.yml, release.yaml, release-drafter.yml, sast-full.yml, sast-quick.yml, pages-deploy.yml).
- Separated all
- ✅ Fixed: Step and job boundaries destroyed by comment concatenation
- Restored all step separators (
- name:) and job definitions to their own lines by removing comment concatenation in ci.yml, codeql.yml, docker-image.yml, pr-test-build.yml, sast-full.yml, and sast-quick.yml.
- Restored all step separators (
- ✅ Fixed: Action pinned to GitHub API 404 error JSON
- Replaced all 5 occurrences of the invalid 404 JSON string with valid commit SHA
b91d5d2c96a56797b48ac1e0e89220bf64044611for arduino/setup-task@v2 action in pr-test-build.yml.
- Replaced all 5 occurrences of the invalid 404 JSON string with valid commit SHA
- ✅ Fixed:
if:andenv:conditions lost in comment concatenation- Restored all
if:,env:, andcontinue-on-error:directives to their own lines in release.yaml, release-drafter.yml, sast-quick.yml, and sast-full.yml, ensuring conditions are properly parsed.
- Restored all
- ✅ Fixed: Three workflow steps collapsed onto single YAML line
- Separated the three collapsed steps (actions/checkout, actions/configure-pages, actions/upload-pages-artifact) in pages-deploy.yml onto individual lines with proper structure.
Or push these changes by commenting:
@cursor push ce51e1ce59
You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit cd8ef3c. Configure here.
| !contains(github.event.pull_request.labels.*.name, 'do-not-merge') | ||
| uses: peter-evans/enable-pull-request-automerge@v3 | ||
| with: | ||
| uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3with: |
There was a problem hiding this comment.
YAML with: keyword consumed by trailing comment
High Severity
Across virtually every workflow file, with: was appended to the SHA comment (e.g. # v3with:) instead of remaining on its own line. In YAML, # begins a comment that extends to the end of the line, so with: is swallowed by the comment. This causes all action inputs (github-token, go-version-file, languages, username, etc.) to become orphaned keys at the wrong indentation level, resulting in YAML parse errors that break every affected CI workflow.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit cd8ef3c. Configure here.
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Refresh models catalog | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog |
There was a problem hiding this comment.
Step and job boundaries destroyed by comment concatenation
High Severity
Step separators (- name:) and job definitions were appended to SHA comments (e.g. # v4- name: Refresh models catalog), making them invisible to the YAML parser. This collapses separate steps into one, causing the subsequent run: to be paired with a uses: in the same step (which is invalid). In codeql.yml, the entire analyze-skip-for-migrated-router-fix job definition is swallowed by a comment. In sast-full.yml, the trivy-repo job definition is similarly lost.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit cd8ef3c. Configure here.
| - name: Install Task | ||
| uses: arduino/setup-task@v2 | ||
| with: | ||
| uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: |
There was a problem hiding this comment.
Action pinned to GitHub API 404 error JSON
High Severity
arduino/setup-task is pinned to the literal string {"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} instead of a valid commit SHA. The generation script apparently used the GitHub API to resolve the tag ref and stored the raw 404 JSON error response as the ref. This is not a valid git reference and will cause every job using this action (quality-ci, quality-staged-check, fmt-check, test-smoke, pre-release-config-compat-smoke) to fail immediately.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit cd8ef3c. Configure here.
| - name: Upload to Release | ||
| uses: softprops/action-gh-release@v2 | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') |
There was a problem hiding this comment.
if: and env: conditions lost in comment concatenation
High Severity
Step-level if: conditions, env: blocks, and continue-on-error: directives were appended to SHA comments and lost. In release.yaml, softprops/action-gh-release lost its if: startsWith(github.ref, 'refs/tags/') guard, meaning it will attempt to upload to a release on every run, not just tag pushes. In release-drafter.yml, the env: block with GITHUB_TOKEN became part of a comment. In sast-quick.yml and sast-full.yml, if: always() on SARIF upload steps was lost, so security results won't upload on failure.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit cd8ef3c. Configure here.
| - uses: actions/configure-pages@v4 | ||
| - uses: actions/upload-pages-artifact@v3 | ||
| with: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: |
There was a problem hiding this comment.
Three workflow steps collapsed onto single YAML line
High Severity
Three originally separate steps (actions/checkout, actions/configure-pages, and actions/upload-pages-artifact) were concatenated onto a single line. The YAML parser sees only one step with uses: actions/checkout@... because the remaining two uses: directives are swallowed by the comment. The configure-pages and upload-pages-artifact steps are completely lost, so the pages deployment pipeline will fail.
Reviewed by Cursor Bugbot for commit cd8ef3c. Configure here.
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Initialize CodeQL | ||
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: | ||
| languages: ${{ matrix.language }} | ||
| config-file: .github/codeql/codeql-config.yml | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| go-version-file: go.mod | ||
| cache: true | ||
| - name: Build | ||
| run: go build ./... | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
|
|
||
| analyze-skip-for-migrated-router-fix: | ||
| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: | ||
| name: Analyze (Go) | ||
| if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The pinning rewrite corrupted the CodeQL workflow: a single step now has duplicate uses keys with languages/config-file at step level (invalid keys), and the analyze-skip-for-migrated-router-fix job header was merged into a comment, leaving stray name/if/runs-on fields without a job key. This makes the workflow YAML invalid and removes the second job, so CodeQL analysis cannot run.
Suggestion: Restore distinct steps for checkout and CodeQL init/analyze, and reintroduce the separate analyze-skip-for-migrated-router-fix job with proper indentation and keys; then pin only the uses: values and validate the workflow with a linter or act.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/codeql.yml
**Line:** 22:35
**Comment:**
*CRITICAL: The pinning rewrite corrupted the CodeQL workflow: a single step now has duplicate `uses` keys with `languages`/`config-file` at step level (invalid keys), and the `analyze-skip-for-migrated-router-fix` job header was merged into a comment, leaving stray `name`/`if`/`runs-on` fields without a job key. This makes the workflow YAML invalid and removes the second job, so CodeQL analysis cannot run.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog | ||
| run: | | ||
| git fetch --depth 1 https://github.com/router-for-me/models.git main | ||
| mkdir -p pkg/llmproxy/registry/models | ||
| git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json | ||
|
|
||
| - name: Setup Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| go-version: ${{ matrix.go-version }} | ||
|
|
||
| - name: Cache Go modules | ||
| uses: actions/cache@v4 | ||
| with: | ||
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with: | ||
| path: ~/go/pkg/mod |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
In the main CI workflow, multiple steps are now structurally invalid: the checkout step combines uses and run in a single step, and several action steps (e.g. actions/setup-go, actions/cache, codecov/codecov-action) have their with: blocks collapsed so that keys like go-version and path appear as top-level step keys. These patterns violate GitHub Actions step schema and will cause the CI workflow to fail to load or run.
Suggestion: Split combined steps so each uses either uses or run, restore proper with: mappings under action steps, and then pin action versions only in the uses: values; add an automated check that validates workflow syntax after pinning.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/ci.yml
**Line:** 21:33
**Comment:**
*CRITICAL: In the main CI workflow, multiple steps are now structurally invalid: the checkout step combines `uses` and `run` in a single step, and several action steps (e.g. `actions/setup-go`, `actions/cache`, `codecov/codecov-action`) have their `with:` blocks collapsed so that keys like `go-version` and `path` appear as top-level step keys. These patterns violate GitHub Actions step schema and will cause the CI workflow to fail to load or run.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: | ||
| version: 3.x | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The Install Task steps now reference arduino/setup-task@{"message":"Not Found",...,"status":"404"} as the action ref, which is not a valid Git ref and will cause the action checkout to fail. All jobs that rely on arduino/setup-task (quality CI, staged checks, fmt-check, smoke and release-compat tests) will fail whenever they run.
Suggestion: Replace the broken uses: arduino/setup-task@{...404...} value with a valid pinned commit SHA for arduino/setup-task in all affected steps, and extend the pinning generator to reject or flag any non-tag/non-SHA ref transformations.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pr-test-build.yml
**Line:** 82:84
**Comment:**
*CRITICAL: The `Install Task` steps now reference `arduino/setup-task@{"message":"Not Found",...,"status":"404"}` as the action ref, which is not a valid Git ref and will cause the action checkout to fail. All jobs that rely on `arduino/setup-task` (quality CI, staged checks, fmt-check, smoke and release-compat tests) will fail whenever they run.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: | ||
| path: '.' |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The pages deployment workflow collapsed three separate steps (checkout, actions/configure-pages, and actions/upload-pages-artifact) into a single step with only uses: actions/checkout@… plus a stray top-level path: '.' key. The configure and upload actions are no longer executed and the remaining step is structurally invalid due to the unexpected path key, so the workflow cannot correctly prepare or upload the pages artifact.
Suggestion: Restore checkout, configure-pages, and upload-pages-artifact as distinct sequential steps with a proper with: { path: '.' } block for the upload step, then pin each action's uses: value independently and verify the workflow with a syntax validator.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pages-deploy.yml
**Line:** 15:16
**Comment:**
*CRITICAL: The pages deployment workflow collapsed three separate steps (checkout, `actions/configure-pages`, and `actions/upload-pages-artifact`) into a single step with only `uses: actions/checkout@…` plus a stray top-level `path: '.'` key. The configure and upload actions are no longer executed and the remaining step is structurally invalid due to the unexpected `path` key, so the workflow cannot correctly prepare or upload the pages artifact.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo: | ||
| name: Trivy Repository Scan | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: aquasecurity/trivy-action@v0.35.0 | ||
| with: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with: |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
In the full SAST workflow, the trivy-repo job header was merged into a comment on the CodeQL analyze step (# v4trivy-repo:), leaving name, runs-on, and timeout-minutes fields at the job level without an associated job key. This corrupts the jobs mapping, effectively dropping the separate Trivy repository scan job and making the YAML invalid.
Suggestion: Recreate a proper trivy-repo: job entry with its own name, runs-on, timeout-minutes, and steps, and ensure the CodeQL job's steps only contain valid step keys; then apply SHA pins only to uses: lines and confirm all intended jobs (codeql, trivy-repo, full-semgrep, full-secrets) appear in the workflow graph.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/sast-full.yml
**Line:** 26:31
**Comment:**
*CRITICAL: In the full SAST workflow, the `trivy-repo` job header was merged into a comment on the CodeQL analyze step (`# v4trivy-repo:`), leaving `name`, `runs-on`, and `timeout-minutes` fields at the job level without an associated job key. This corrupts the jobs mapping, effectively dropping the separate Trivy repository scan job and making the YAML invalid.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The env: key for the release-drafter step was removed and merged into the uses comment (# v6env:), leaving GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} as an unexpected top-level step key. As a result, the workflow definition is invalid and the GITHUB_TOKEN environment variable is no longer passed to the action as intended, breaking release-drafter authentication.
Suggestion: Restore a proper env: block under the release-drafter step with GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}, keep the uses: value pinned to the commit SHA, and run a workflow syntax check to ensure no stray keys remain.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/release-drafter.yml
**Line:** 12:13
**Comment:**
*HIGH: The `env:` key for the release-drafter step was removed and merged into the `uses` comment (`# v6env:`), leaving `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` as an unexpected top-level step key. As a result, the workflow definition is invalid and the `GITHUB_TOKEN` environment variable is no longer passed to the action as intended, breaking release-drafter authentication.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:L
Sequence DiagramThis PR updates CI, release, docs, and security workflows so that all third-party GitHub Actions they call are pinned to specific commit SHAs, keeping the overall job flows the same while fixing dependency versions. sequenceDiagram
participant Developer
participant GitHub
participant CIWorkflows as CI and release workflows
participant SecurityWorkflows as Security workflows
participant PinnedActions as Pinned third party actions
Developer->>GitHub: Push code or open pull request
GitHub->>CIWorkflows: Trigger build test and release jobs
CIWorkflows->>PinnedActions: Use checkout setup language build and publish actions
GitHub->>SecurityWorkflows: Trigger CodeQL SAST and scorecard jobs
SecurityWorkflows->>PinnedActions: Use scanning and upload actions
PinnedActions-->>GitHub: Return results and update checks and releases
Generated by CodeAnt AI |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Refresh models catalog | ||
| run: | | ||
| git fetch --depth 1 https://github.com/router-for-me/models.git main | ||
| mkdir -p pkg/llmproxy/registry/models | ||
| git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json | ||
|
|
||
| - name: Setup Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| go-version: ${{ matrix.go-version }} | ||
|
|
||
| - name: Cache Go modules | ||
| uses: actions/cache@v4 | ||
| with: | ||
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with: | ||
| path: ~/go/pkg/mod |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The pinning rewrite merged step boundaries in the test job: the first step now has both uses (checkout) and a run script in the same step, and the with: blocks for actions/setup-go and actions/cache were removed so their inputs (go-version, path, key, etc.) are now top‑level step keys instead of action inputs. This produces an invalid workflow (a step cannot have both uses and run) and misconfigures the pinned actions, so the CI job will fail or not behave as before in normal runs.
Suggestion: Restore separate steps for checkout and the "Refresh models catalog" run, and reintroduce proper with: mappings for actions/setup-go and actions/cache so their inputs are under with. Regenerate pinning changes with a YAML-aware transform and add a workflow linter (e.g., actionlint) to prevent structural breakage.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/ci.yml
**Line:** 21:33
**Comment:**
*CRITICAL: The pinning rewrite merged step boundaries in the `test` job: the first step now has both `uses` (checkout) and a `run` script in the same step, and the `with:` blocks for `actions/setup-go` and `actions/cache` were removed so their inputs (`go-version`, `path`, `key`, etc.) are now top‑level step keys instead of action inputs. This produces an invalid workflow (a step cannot have both `uses` and `run`) and misconfigures the pinned actions, so the CI job will fail or not behave as before in normal runs.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Initialize CodeQL | ||
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: | ||
| languages: ${{ matrix.language }} | ||
| config-file: .github/codeql/codeql-config.yml | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| go-version-file: go.mod | ||
| cache: true | ||
| - name: Build | ||
| run: go build ./... | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
|
|
||
| analyze-skip-for-migrated-router-fix: | ||
| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: | ||
| name: Analyze (Go) |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The analyze-skip-for-migrated-router-fix job key was concatenated into a comment on the uses: github/codeql-action/analyze@… line, and the following name, if, runs-on, and steps keys are no longer nested under a job id. As a result, the skip-path job for ci/fix-migrated-router-… branches is no longer declared as a separate job, changing the intended branch-specific behavior and required-check identity.
Suggestion: Reintroduce analyze-skip-for-migrated-router-fix: as an explicit job key under jobs: with its own name, if, runs-on, and steps, distinct from analyze, and ensure the CodeQL analyze step's pinning comment does not absorb the job id. Validate both branch paths by dry-running the workflow and confirming the expected check names.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/codeql.yml
**Line:** 22:34
**Comment:**
*HIGH: The `analyze-skip-for-migrated-router-fix` job key was concatenated into a comment on the `uses: github/codeql-action/analyze@…` line, and the following `name`, `if`, `runs-on`, and `steps` keys are no longer nested under a job id. As a result, the skip-path job for `ci/fix-migrated-router-…` branches is no longer declared as a separate job, changing the intended branch-specific behavior and required-check identity.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: | ||
| path: '.' |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
Three separate steps (actions/checkout, actions/configure-pages, and actions/upload-pages-artifact) were collapsed into a single malformed step where only actions/checkout is actually used and the other uses: entries are embedded in a comment, with path: '.' now passed as a with block to checkout. This means the Pages-specific setup and artifact upload actions are no longer executed, so the deploy step runs without the expected prepared artifact.
Suggestion: Restore three distinct steps for checkout, actions/configure-pages@…, and actions/upload-pages-artifact@…, each with its own uses and with, and then pin those actions to SHAs without merging them into a single step.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pages-deploy.yml
**Line:** 15:16
**Comment:**
*CRITICAL: Three separate steps (`actions/checkout`, `actions/configure-pages`, and `actions/upload-pages-artifact`) were collapsed into a single malformed step where only `actions/checkout` is actually used and the other `uses:` entries are embedded in a comment, with `path: '.'` now passed as a `with` block to checkout. This means the Pages-specific setup and artifact upload actions are no longer executed, so the deploy step runs without the expected prepared artifact.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - name: Install Task | ||
| uses: arduino/setup-task@v2 | ||
| with: | ||
| uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: | ||
| version: 3.x |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The Install Task steps now use arduino/setup-task@{"message":"Not Found",...,"status":"404"} as the ref instead of a real commit SHA, which is not a valid GitHub Action ref. Any job that reaches these steps (e.g., quality-ci, quality-staged-check, fmt-check, test-smoke, pre-release-config-compat-smoke) cannot install Task and will fail before running the intended quality/test commands.
Suggestion: Replace the invalid JSON blob ref with a real commit SHA from arduino/setup-task for all affected steps, and update the pinning tooling to reject non-SHA API responses instead of inlining them.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pr-test-build.yml
**Line:** 81:83
**Comment:**
*CRITICAL: The `Install Task` steps now use `arduino/setup-task@{"message":"Not Found",...,"status":"404"}` as the ref instead of a real commit SHA, which is not a valid GitHub Action ref. Any job that reaches these steps (e.g., `quality-ci`, `quality-staged-check`, `fmt-check`, `test-smoke`, `pre-release-config-compat-smoke`) cannot install Task and will fail before running the intended quality/test commands.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: actions/checkout@v4 | ||
|
|
||
| - uses: KooshaPari/phenotypeActions/actions/lint-test@main | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: KooshaPari/phenotypeActions/actions/lint-test@main |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The checkout step and the reusable KooshaPari/phenotypeActions/actions/lint-test@main call were merged into a single line, leaving only a checkout step and effectively removing execution of the external lint/test action. The lint-test job now performs checkout only and no longer enforces the intended lint/test gate.
Suggestion: Reintroduce the reusable KooshaPari/phenotypeActions/actions/lint-test@… job step as a separate uses: step after checkout while pinning it to a SHA, ensuring the workflow still runs the external lint/test logic and fails on issues.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/lint-test.yml
**Line:** 15:15
**Comment:**
*HIGH: The checkout step and the reusable `KooshaPari/phenotypeActions/actions/lint-test@main` call were merged into a single line, leaving only a checkout step and effectively removing execution of the external lint/test action. The `lint-test` job now performs checkout only and no longer enforces the intended lint/test gate.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - name: Upload to Release | ||
| uses: softprops/action-gh-release@v2 | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') | ||
| with: |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
In the Upload to Release step, the if: startsWith(github.ref, 'refs/tags/') guard was concatenated into the uses: comment (# v2if: …), so the step no longer has an if: condition and now runs unconditionally on every workflow_dispatch run. This changes the release behavior by attempting to upload release artifacts even when the workflow is not triggered from a tag, diverging from the previous tag-only semantics.
Suggestion: Restore if: startsWith(github.ref, 'refs/tags/') as a separate key on the Upload to Release step while keeping uses: softprops/action-gh-release@… pinned independently, and verify that uploads still occur only for tagged runs.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/release.yaml
**Line:** 64:66
**Comment:**
*HIGH: In the `Upload to Release` step, the `if: startsWith(github.ref, 'refs/tags/')` guard was concatenated into the `uses:` comment (`# v2if: …`), so the step no longer has an `if:` condition and now runs unconditionally on every workflow_dispatch run. This changes the release behavior by attempting to upload release artifacts even when the workflow is not triggered from a tag, diverging from the previous tag-only semantics.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:L
Sequence DiagramThis PR pins all third-party GitHub Actions in the CI, security, docs, and release workflows to specific commit SHAs so that builds, tests, and security scans run with fixed, auditable action versions. sequenceDiagram
participant Developer
participant GitHubActions
participant CIWorkflows
participant SecurityWorkflows
participant ThirdPartyActions
participant ArtifactStore
Developer->>GitHubActions: Push code or open pull request
GitHubActions->>CIWorkflows: Trigger build and test workflows
CIWorkflows->>ThirdPartyActions: Run checkout, language setup, build and tests with pinned SHAs
GitHubActions->>SecurityWorkflows: Trigger CodeQL and other security workflows
SecurityWorkflows->>ThirdPartyActions: Run CodeQL, Semgrep, Trivy and secret scans with pinned SHAs
ThirdPartyActions-->>SecurityWorkflows: Return analysis results
CIWorkflows-->>ArtifactStore: Upload build artifacts and coverage reports
SecurityWorkflows-->>ArtifactStore: Upload security reports and scan outputs
GitHubActions-->>Developer: Report combined CI and security status
Generated by CodeAnt AI |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Initialize CodeQL | ||
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: | ||
| languages: ${{ matrix.language }} | ||
| config-file: .github/codeql/codeql-config.yml | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| go-version-file: go.mod | ||
| cache: true | ||
| - name: Build | ||
| run: go build ./... | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
|
|
||
| analyze-skip-for-migrated-router-fix: | ||
| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: | ||
| name: Analyze (Go) |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The CodeQL workflow's second job (analyze-skip-for-migrated-router-fix) was merged into the analyze job: its job key now appears only inside an inline comment on the analyze uses line, and the following name/if/steps fields are attached to the same job, overriding the original job definition so the dedicated skip job is effectively dropped and the CodeQL analysis steps are replaced by the skip stub.
Suggestion: Restore analyze-skip-for-migrated-router-fix as its own job key with its original condition and skip-only steps, and keep each pinned CodeQL action (init/analyze) on its own uses line with a separate with block under the main analyze job.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/codeql.yml
**Line:** 22:34
**Comment:**
*CRITICAL: The CodeQL workflow's second job (`analyze-skip-for-migrated-router-fix`) was merged into the `analyze` job: its job key now appears only inside an inline comment on the analyze `uses` line, and the following `name/if/steps` fields are attached to the same job, overriding the original job definition so the dedicated skip job is effectively dropped and the CodeQL analysis steps are replaced by the skip stub.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: | ||
| version: 3.x | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The arduino/setup-task action is now pinned to a JSON 404 payload ({"message":"Not Found", ...}) instead of a real ref or commit SHA, so every step that installs Task references a non-existent Git ref and will fail when GitHub Actions tries to fetch the action.
Suggestion: Pin arduino/setup-task to a valid commit SHA from the action repository and add validation to the pinning automation to ignore or fail on non-ref strings such as REST API error payloads.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pr-test-build.yml
**Line:** 82:84
**Comment:**
*CRITICAL: The `arduino/setup-task` action is now pinned to a JSON 404 payload (`{"message":"Not Found", ...}`) instead of a real ref or commit SHA, so every step that installs Task references a non-existent Git ref and will fail when GitHub Actions tries to fetch the action.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: actions/checkout@v4 | ||
|
|
||
| - uses: KooshaPari/phenotypeActions/actions/lint-test@main | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: KooshaPari/phenotypeActions/actions/lint-test@main |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The KooshaPari/phenotypeActions/actions/lint-test@main step has been turned into an inline comment on the checkout uses line, leaving the lint-test job with only a checkout step and no invocation of the reusable lint/test action, so this workflow no longer runs any linting or tests.
Suggestion: Reintroduce the reusable lint-test action as a separate step after checkout with its own - uses: KooshaPari/phenotypeActions/actions/lint-test@<pinned-SHA> entry to restore the original lint/test gate behavior.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/lint-test.yml
**Line:** 15:15
**Comment:**
*HIGH: The `KooshaPari/phenotypeActions/actions/lint-test@main` step has been turned into an inline comment on the checkout `uses` line, leaving the `lint-test` job with only a checkout step and no invocation of the reusable lint/test action, so this workflow no longer runs any linting or tests.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4trivy-repo: | ||
| name: Trivy Repository Scan | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: aquasecurity/trivy-action@v0.35.0 | ||
| with: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0with: | ||
| scan-type: fs |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
In the SAST full workflow, the trivy-repo job header was collapsed into an inline comment on the CodeQL analyze uses line, and the subsequent name, runs-on, and steps fields are now attached to the existing codeql job, effectively removing the separate Trivy job and overwriting the original CodeQL job definition so the intended CodeQL + Trivy job structure is broken.
Suggestion: Recreate trivy-repo as its own job key under jobs: with its original Trivy steps, and keep the codeql job solely for CodeQL analysis, pinning each action on its own uses line while preserving the original two-job layout.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/sast-full.yml
**Line:** 26:32
**Comment:**
*CRITICAL: In the SAST full workflow, the `trivy-repo` job header was collapsed into an inline comment on the CodeQL analyze `uses` line, and the subsequent `name`, `runs-on`, and `steps` fields are now attached to the existing `codeql` job, effectively removing the separate Trivy job and overwriting the original CodeQL job definition so the intended CodeQL + Trivy job structure is broken.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:L
Sequence DiagramThis PR updates CI, docs, release, and security workflows so that all third-party GitHub Actions are pinned to specific commit SHAs, keeping the existing build, test, and scan behavior while making workflow execution deterministic and safer. sequenceDiagram
participant Developer
participant GitHub
participant CIWorkflow
participant ThirdPartyActions
participant SecurityScans
Developer->>GitHub: Push code or open pull request
GitHub->>CIWorkflow: Trigger CI and security workflows
CIWorkflow->>ThirdPartyActions: Run pinned checkout and setup actions
CIWorkflow->>CIWorkflow: Build, test, and package application
CIWorkflow->>SecurityScans: Run CodeQL and other SAST scans via pinned actions
SecurityScans-->>CIWorkflow: Return analysis results
CIWorkflow-->>GitHub: Publish status checks and artifacts
Generated by CodeAnt AI |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:L
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Initialize CodeQL | ||
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: | ||
| languages: ${{ matrix.language }} | ||
| config-file: .github/codeql/codeql-config.yml | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| go-version-file: go.mod | ||
| cache: true | ||
| - name: Build | ||
| run: go build ./... | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v4 | ||
|
|
||
| analyze-skip-for-migrated-router-fix: | ||
| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: | ||
| name: Analyze (Go) |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
In the CodeQL workflow, the pinning rewrite collapsed separate steps and the secondary job into a single malformed block: the "Checkout" step now has two uses keys (so actions/checkout is never actually invoked and only the CodeQL init action runs), and the analyze-skip-for-migrated-router-fix job key has been lost, with its fields incorrectly indented under jobs. This breaks the intended job structure and will cause the Go build/CodeQL analysis to fail under normal execution.
Suggestion: Revert this section to separate, well-formed steps (Checkout, Initialize CodeQL, Set up Go, Perform CodeQL Analysis) and restore analyze-skip-for-migrated-router-fix as its own job key, then reapply SHA pinning while keeping uses and with on distinct YAML keys.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/codeql.yml
**Line:** 22:34
**Comment:**
*CRITICAL: In the CodeQL workflow, the pinning rewrite collapsed separate steps and the secondary job into a single malformed block: the "Checkout" step now has two `uses` keys (so `actions/checkout` is never actually invoked and only the CodeQL init action runs), and the `analyze-skip-for-migrated-router-fix` job key has been lost, with its fields incorrectly indented under `jobs`. This breaks the intended job structure and will cause the Go build/CodeQL analysis to fail under normal execution.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- name: Setup Python | ||
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with: | ||
| python-version: '3.14' |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
In both SDK generation jobs, the pinning rewrite merged the checkout and setup steps into a single step with two uses entries, so GitHub Actions will only honor the last uses (actions/setup-python/actions/setup-node) and never run actions/checkout. As a result, the jobs attempt to run npm install and openapi-generator generate without the repository being checked out, breaking SDK generation.
Suggestion: Split these into separate steps again (one Checkout step using the pinned actions/checkout SHA and one Setup Python/Node step with a with: block for versions), and then validate the workflow with a YAML/workflow linter.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/generate-sdks.yaml
**Line:** 14:16
**Comment:**
*HIGH: In both SDK generation jobs, the pinning rewrite merged the checkout and setup steps into a single step with two `uses` entries, so GitHub Actions will only honor the last `uses` (`actions/setup-python`/`actions/setup-node`) and never run `actions/checkout`. As a result, the jobs attempt to run `npm install` and `openapi-generator generate` without the repository being checked out, breaking SDK generation.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| uses: arduino/setup-task@{"message":"Not Found","documentation_url":"https://docs.github.com/rest/git/refs#get-a-reference","status":"404"} # v2with: | ||
| version: 3.x |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
Multiple steps that install Task now reference arduino/setup-task@{"message":"Not Found",...,"status":"404"} instead of a valid commit SHA or tag, which is not a legal GitHub Action ref and will cause those steps—and thus all dependent PR CI jobs—to fail when the workflow is evaluated.
Suggestion: Replace the invalid JSON payload ref with a real commit SHA from arduino/setup-task for the intended version and update every arduino/setup-task usage in this workflow consistently.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pr-test-build.yml
**Line:** 82:83
**Comment:**
*CRITICAL: Multiple steps that install Task now reference `arduino/setup-task@{"message":"Not Found",...,"status":"404"}` instead of a valid commit SHA or tag, which is not a legal GitHub Action ref and will cause those steps—and thus all dependent PR CI jobs—to fail when the workflow is evaluated.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4- uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with: | ||
| path: '.' |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The deploy job's first step has been collapsed into a single item with three uses entries (checkout, configure-pages, upload-pages-artifact), so only the last action (upload-pages-artifact) actually runs; actions/checkout and actions/configure-pages are never executed, and the with: path block is attached only to the artifact upload. This breaks the required Pages preparation and upload sequence.
Suggestion: Restore three distinct sequential steps for actions/checkout, actions/configure-pages, and actions/upload-pages-artifact (each with its own uses and, for the upload step, a with: path block), then verify the Pages deploy job end-to-end.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/pages-deploy.yml
**Line:** 15:16
**Comment:**
*CRITICAL: The deploy job's first step has been collapsed into a single item with three `uses` entries (`checkout`, `configure-pages`, `upload-pages-artifact`), so only the last action (`upload-pages-artifact`) actually runs; `actions/checkout` and `actions/configure-pages` are never executed, and the `with: path` block is attached only to the artifact upload. This breaks the required Pages preparation and upload sequence.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| - name: Upload to Release | ||
| uses: softprops/action-gh-release@v2 | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2if: startsWith(github.ref, 'refs/tags/') | ||
| with: |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
In the Termux build job, the "Upload to Release" step lost its if: startsWith(github.ref, 'refs/tags/') condition, which has been appended into the uses comment instead; the step now runs unconditionally instead of only for tag refs, changing release behavior from tag-gated uploads to uploads on any workflow run.
Suggestion: Restore the if: startsWith(github.ref, 'refs/tags/') guard as a proper YAML key on the upload step (separate from the uses line and comment) so that artifacts are only uploaded when the workflow is running for a tag ref.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/release.yaml
**Line:** 64:66
**Comment:**
*HIGH: In the Termux build job, the "Upload to Release" step lost its `if: startsWith(github.ref, 'refs/tags/')` condition, which has been appended into the `uses` comment instead; the step now runs unconditionally instead of only for tag refs, changing release behavior from tag-gated uploads to uploads on any workflow run.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
Sequence DiagramThis PR pins all third party GitHub Actions used across CI, security, docs, and release workflows to fixed commit SHAs. The diagram shows how pull request events drive CI and security jobs that now rely on pinned actions for checkout, environment setup, scanning, and artifact publishing. sequenceDiagram
participant Developer
participant GitHub
participant CIWorkflows
participant SecurityWorkflows
participant ThirdPartyActions
Developer->>GitHub: Push code or open pull request
GitHub->>CIWorkflows: Trigger CI build and tests
CIWorkflows->>ThirdPartyActions: Checkout code and setup runtimes with pinned SHAs
CIWorkflows->>CIWorkflows: Build, test, and publish artifacts
GitHub->>SecurityWorkflows: Trigger CodeQL and SAST jobs
SecurityWorkflows->>ThirdPartyActions: Run scans and upload reports with pinned SHAs
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
1 similar comment
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
1 participant
User description
Pins all third-party GitHub Actions to commit SHAs to satisfy OpenSSF Scorecard / CodeQL Pinned-Dependencies alert.
KooshaPari/phenoShared,phenotype-tooling,phenotypeActions,template-commons@master,@main,@stable) — flagged for separate reviewGenerated via Contents API. Part of org-wide PinnedDependencies wave 1 (top-5 alert repos).
Note
Medium Risk
Mostly mechanical dependency pinning, but several workflows now contain malformed
uses:lines (e.g., merged comments/step keys and an invalidarduino/setup-task@{...404...}ref) that could break CI and release automation.Overview
Pins third-party GitHub Actions across the workflow suite (CI, CodeQL/SAST, docs/pages deploy, docker publish, release automation, SDK generation) from floating tags (e.g.
@v4) to specific commit SHAs, preserving the original version in trailing comments.Review carefully: multiple workflows appear to have invalid YAML/step definitions after pinning (notably
codeql.yml/sast-full.ymlwith concatenated step headers, andpr-test-build.ymlwitharduino/setup-taskreplaced by a404JSON blob), which may cause workflow parsing or runtime failures.Reviewed by Cursor Bugbot for commit cd8ef3c. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Pin GitHub Actions to fixed versions across CI, docs, security, and release workflows
What Changed
Impact
✅ Fewer CI runs changed by upstream Action updates✅ More predictable release and deploy workflows✅ Lower risk of unexpected workflow behavior from third-party updates🔄 Retrigger CodeAnt AI Review
Details
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.