Conversation
…c/validate/ Extract all inline business logic from pr-validation.yml into 7 reusable composite actions under src/validate/. Add dry_run input, fix script injection risks (use env vars instead of direct interpolation), fix notify ref for external callers, and update conventions to prohibit workflow_dispatch on reusable workflows due to injection risk.
- Fix code-injection: move needs.*.result and inputs.dry_run to env vars in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
- Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
- Include pr-changelog in Slack notification status and failed_jobs
- Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
- Support all * wildcard patterns in pr-source-branch (not just /*)
- Fix broken markdown links in docs (add -workflow suffix)
- Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
- Update jobs table with non-draft condition for all gated jobs
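The env-var fix in the first bullet above is the one change on this page worth seeing in code. The following is an added example, not code from this repository or from any of its composites: it models how the Actions runner expands `${{ }}` expressions (plain text substitution before the step executes) and shows that a value interpolated into a github-script `script:` body becomes JavaScript source, while the same value passed through `env:` and read from `process.env` stays data. The function names, the sample context and the constructed PR-title payload are assumptions made for the example; nothing here calls GitHub or executes the payload.

```javascript
// Added example (not repository code): interpolation into a github-script body
// versus reading the same values from process.env.

// Stand-in for the Actions expression expander. Assumption: `${{ ctx.path }}` is
// replaced textually by the context value, which is the behaviour that matters here.
function expandExpressions(template, ctx) {
  return template.replace(/\$\{\{\s*([\w.-]+)\s*\}\}/g, (_, path) => {
    const value = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
    return value === undefined ? '' : String(value);
  });
}

// BEFORE: context values spliced into the script source. needs.*.result and
// inputs.dry_run have a small value space, but a PR title handled the same way is
// attacker-controlled, and everything substituted here is parsed as code, not data.
const UNSAFE_SCRIPT_TEMPLATE = [
  "const dryRun = ${{ inputs.dry_run }};",
  "const buildResult = '${{ needs.build.result }}';",
  "const title = '${{ github.event.pull_request.title }}';",
  "core.info(`dry=${dryRun} build=${buildResult} title=${title}`);",
].join('\n');

// AFTER: the step's env: block carries the values and the script reads them from
// process.env. The script source is a constant, so no value can change its shape.
// process.env values are always strings, hence the explicit === 'true' comparison.
const SAFE_SCRIPT_TEMPLATE = [
  "const dryRun = process.env.DRY_RUN === 'true';",
  "const buildResult = process.env.BUILD_RESULT;",
  "const title = process.env.PR_TITLE;",
  "core.info(`dry=${dryRun} build=${buildResult} title=${title}`);",
].join('\n');

// The env: mapping of the hardened step. Expansion still happens here, but the
// result is an environment variable value, never source code.
function buildStepEnv(ctx) {
  return {
    DRY_RUN: expandExpressions('${{ inputs.dry_run }}', ctx),
    BUILD_RESULT: expandExpressions('${{ needs.build.result }}', ctx),
    PR_TITLE: expandExpressions('${{ github.event.pull_request.title }}', ctx),
  };
}

function renderUnsafeScript(ctx) { return expandExpressions(UNSAFE_SCRIPT_TEMPLATE, ctx); }
function renderSafeScript(ctx) { return expandExpressions(SAFE_SCRIPT_TEMPLATE, ctx); }

// Constructed sample context: a PR title that closes the string literal and appends
// a statement. Only the rendered text is inspected; the statement never runs.
const INJECTED_STATEMENT = "require('child_process').execSync('id')";
const SAMPLE_CONTEXT = {
  inputs: { dry_run: true },
  needs: { build: { result: 'success' } },
  github: { event: { pull_request: { title: `x'; ${INJECTED_STATEMENT}; //` } } },
};

// True when the rendered script text contains the injected statement as code.
function scriptContainsInjection(renderedScript) {
  return renderedScript.includes(`${INJECTED_STATEMENT};`);
}

console.log('unsafe rendering contains injected code:', scriptContainsInjection(renderUnsafeScript(SAMPLE_CONTEXT)));
console.log('safe rendering contains injected code:  ', scriptContainsInjection(renderSafeScript(SAMPLE_CONTEXT)));
console.log('env carries the title verbatim as data: ',
  buildStepEnv(SAMPLE_CONTEXT).PR_TITLE === SAMPLE_CONTEXT.github.event.pull_request.title);
```

The check to carry over into a workflow review is the one the safe template relies on: every `${{ }}` in a `script:` or `run:` body is a potential sink, and the only values that are safe to interpolate there are ones the workflow author controls completely. Anything derived from the event payload, inputs, or job outputs belongs in `env:`.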
…d of COMP_NAME

The workflow was using COMP_NAME to build configmap/secret template paths (e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml) but the actual directory structure uses VALUES_KEY names (e.g. templates/inbound/configmap.yaml). This caused the if [ -f ] check to silently fail, resulting in detected env vars never being injected into configmap/secret templates.

Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found

Closes #167
…eferences Resolves SC2086 (double quote to prevent globbing) and SC2129 (group redirects) shellcheck warnings flagged by the PR lint analysis.
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
Update all rules and commands (Claude, Cursor, AGENTS.md) to require third-party actions to be pinned by commit SHA instead of mutable tags. LerianStudio org actions remain pinned by release tag.
fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME
…branch refs for testing
Consolidate 9 parallel jobs into 4 with a 2-tier architecture:
- Tier 1 (blocking-checks): title, source-branch, description. No checkout, fail-fast.
- Tier 2 (advisory-checks): metadata, size, labels, changelog. Shared checkout, only runs if Tier 1 passes.
Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing faster feedback on blocking validation failures.
CHANGELOG.md is now generated by semantic-release, so the reminder comment is unnecessary noise. Removed the comment step, github-token and dry-run inputs from the composite.
The composite already auto-skips when the target branch is not in target_branches_for_source_check (default: main), so enabling by default is safe and avoids silent misconfiguration.
Rewrite pr-description composite to:
- Extract content under "## Description" heading and strip HTML comments
- Fail if description section is empty or below min-length
- Fail if no "Type of Change" checkbox is checked
- Remove github-token input (no API calls needed)
- Consolidate two github-script steps into one
Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.
Replace the warning-only assignee and linked issues checks with an actionable auto-assign: if no assignee is set, assign the PR author automatically. Bot accounts are skipped.
- Check current labels before removing/adding; skip entirely if the correct size label is already set
- Only remove stale size labels that actually exist on the PR
- Remove the XL comment (generic noise on every sync)
…y SHA
- Remove pr-changelog from workflow, summary, and inputs; CHANGELOG.md is auto-generated by semantic-release
- Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs across all validate composites
Display results as two tables (Blocking / Advisory) instead of flat lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.
- Remove stale check_changelog references from docs and examples
- Remove pr-changelog from jobs table and pr-checks-summary README
- Fix related-workflow links to current doc naming
- Make missing "Type of Change" section an error, not a warning
- Add null-safety for pr.assignees in pr-metadata
- Add dry-run gate to pr-metadata auto-assign
- Fix yamllint inline-comment spacing in pr-labels
- Align min_description_length default to 30 (matches composite)
- Remove stale check_changelog from self-pr-validation.yml
- Update metadata feature description in docs
- Validate min-length input against NaN in pr-description
…dation refactor(pr-validation): modularize workflow into composites
fix(lint): enforce SHA pinning for externals, warnings for internals
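The commit above describes the pinning policy the rest of this page keeps returning to: errors for third-party actions that are not pinned to a full commit SHA, warnings for the organisation's own actions that use a release tag. The following is an added example, not the repository's src/lint/pinned-actions implementation: a small checker that scans `uses:` entries and applies that rule, including the case the review flags in the docs, where an abbreviated SHA such as `abc123def456` looks pinned but is not full length. The trusted org name, the severity labels, the sample step list and the repository path inside it are assumptions made for this example.

```javascript
// Added example (not repository code): pinning checker for `uses:` entries.

const TRUSTED_ORG = 'LerianStudio';                  // assumption: org whose tags are tolerated
const FULL_SHA = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;  // lowercase only, full length only
const VERSION_COMMENT = /#\s*v?\d/;                  // "# v6", "# v6.3.0", "# 1.2.3"

// Scans `uses:` lines and returns findings as
// { line, ref, severity: 'error' | 'warning', message }.
// Local actions (./path) and docker:// images are out of scope and skipped.
function checkPinnedActions(yamlText, trustedOrg = TRUSTED_ORG) {
  const findings = [];
  yamlText.split('\n').forEach((raw, index) => {
    const match = raw.match(/^\s*-?\s*uses:\s*['"]?([^\s'"#]+)/);
    if (!match) return;
    const ref = match[1];
    const line = index + 1;
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;

    const at = ref.lastIndexOf('@');
    if (at === -1) {
      findings.push({ line, ref, severity: 'error', message: 'missing @<ref>; resolves to the default branch' });
      return;
    }
    const owner = ref.slice(0, at).split('/')[0];
    const version = ref.slice(at + 1);

    if (FULL_SHA.test(version)) {
      // Pinned correctly. A SHA without a readable version comment is allowed but
      // makes upgrades and reviews harder, so flag it softly.
      if (!VERSION_COMMENT.test(raw)) {
        findings.push({ line, ref, severity: 'warning', message: 'SHA pin lacks a "# vX.Y.Z" comment' });
      }
      return;
    }
    // Anything else (tag, branch, abbreviated SHA) is mutable or not full length.
    // GitHub org names are case-insensitive, so compare them that way.
    if (owner.toLowerCase() === trustedOrg.toLowerCase()) {
      findings.push({ line, ref, severity: 'warning', message: `internal action uses tag '${version}'; allowed, SHA preferred` });
    } else {
      findings.push({ line, ref, severity: 'error', message: `external action must use a full commit SHA, found '${version}'` });
    }
  });
  return findings;
}

function summarize(findings) {
  return {
    errors: findings.filter((f) => f.severity === 'error').length,
    warnings: findings.filter((f) => f.severity === 'warning').length,
  };
}

// Constructed sample. Line 4 is the abbreviated-SHA case: it looks pinned but is
// not full length, so for an external action it must fail.
const SAMPLE_STEPS = [
  'steps:',
  '  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6',
  '  - uses: actions/setup-go@v6',
  '  - uses: actions/checkout@abc123def456 # v6',
  '  - uses: LerianStudio/github-actions-shared-workflows/src/validate/pr-title@v1.2.3',
  '  - uses: ./src/validate/pr-size',
  '  - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51',
].join('\n');

const sampleFindings = checkPinnedActions(SAMPLE_STEPS);
for (const f of sampleFindings) {
  console.log(`${f.severity.padEnd(7)} line ${f.line}: ${f.ref}: ${f.message}`);
}
console.log(summarize(sampleFindings));
```

The length check is the point: a pin is only immutable when the ref is the full object ID, and a short prefix can be matched by a later, different commit. A version comment next to the SHA is not part of the security property; it exists so that a reviewer can see what the pin is supposed to be, and so that a diff that changes the comment without changing the SHA (or the reverse) stands out.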
Walkthrough
Comprehensive GitHub Actions security hardening: enforces commit SHA pinning for external actions while permitting release tags for
Changes
Estimated code review effort: 4 (Complex), ~50 minutes
Pre-merge checks: 2 passed, 1 warning
Lint Analysis
Failures (6): YAML Lint, Action Lint, Pinned Actions, Markdown Link Check (no annotation details available; view full logs), Spelling Check, Shell Check
CodeQL Analysis Results: found 1 issue (1 Medium)
Actionable comments posted: 18
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
.github/workflows/helm-update-chart.yml (2)
Line 189: Potential issue | Major: Pin to full commit SHA per repo policy.
actions/setup-go@v6 uses a semver tag and must be pinned to a commit SHA. Use actions/setup-go@4b73464 # v6.3.0 (latest v6 as of 2026-02-26) or specify an earlier v6 release SHA if required.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/helm-update-chart.yml at line 189, Replace the semver tag usage "uses: actions/setup-go@v6" with a pinned full commit SHA for that action (e.g. "uses: actions/setup-go@4b73464") and add an inline comment with the corresponding tag version (e.g. "# v6.3.0") so the workflow uses a fixed commit; update the line that contains actions/setup-go@v6 accordingly.
Line 103: Potential issue | Major: External actions must be pinned to commit SHAs per repo policy.
Pinned external actions: lines 103, 156, and 189 use semver tags (@v2, @v6, @v6) instead of commit SHAs. Replace with full commit SHA and add version comment (e.g., abc123 # v2). Examples of correct pinning in this file:
- Line 164: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7
- Line 202: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/helm-update-chart.yml at line 103, Replace the semver-tagged external actions with pinned commit SHAs and add a trailing version comment: locate the usages of actions/create-github-app-token@v2 and the two actions currently using `@v6` (as shown in the diff) and update each to the form owner/action@<full-commit-sha> # <original-tag> (e.g., actions/create-github-app-token@<sha> # v2), ensuring the exact commit SHA is used instead of the semver tag and the original tag is preserved in the comment.
.cursor/rules/reusable-workflows.mdc (1)
Line 119: Potential issue | Major: Conflicting workflow_dispatch policy in the same document.
Line 119 forbids workflow_dispatch on reusable workflows, but Lines 398–405 allow it under exceptions. Keep one rule model; current contradiction makes security guidance non-enforceable.
Also applies to: 398-405
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.cursor/rules/reusable-workflows.mdc at line 119, There is a conflicting policy: one rule forbids using workflow_dispatch on reusable workflows while another exceptions block permits it; pick a single authoritative model and make the document consistent by either removing the forbidding rule or removing/rewriting the exceptions that allow workflow_dispatch. Locate the rule that explicitly "forbids workflow_dispatch on reusable workflows" and the separate "exceptions" section that "allows workflow_dispatch for reusable workflows," then consolidate them into one clear rule (or convert the exception into conditional wording) so the policy is non-contradictory and enforceable.
.github/workflows/pr-validation.yml (1)
Lines 44-59: Potential issue | Major: These modified defaults change caller behavior without an opt-in.
Repos that omit these inputs now get shorter accepted PR descriptions and mandatory source-branch enforcement. In a shared reusable workflow, default changes alter existing callers immediately; keep the prior defaults or treat this as an explicit breaking contract change.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-validation.yml around lines 44 - 59, Revert the changed default inputs or make the change explicit: restore the previous defaults for min_description_length and enforce_source_branches (and any other inputs you altered) so callers that omit inputs keep existing behavior, or if you intend a breaking change, bump the workflow major version and document it in the README/usage; specifically update the input definitions for min_description_length, enable_auto_labeler, labeler_config_path, and enforce_source_branches in the workflow to either the original default values or add explicit migration notes and a version increment so consumers must opt into the new behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/commands/gha.md:
- Around line 467-469: The examples use abbreviated SHAs that will fail the
repo's pinned-actions lint; update the two `uses:` lines (e.g., `uses:
actions/checkout@abc123def456` and `uses:
crazy-max/ghaction-import-gpg@2dc316deee8e`) to reference the full 40–64
character lowercase commit SHA for each external action and keep the version
comment (e.g., "# v6"/"# v7") so the workflow meets the pinned-actions rule
requiring full lowercase commit SHAs.
- Around line 526-532: Remove the special-case text that allows
workflow_dispatch on reusable workflows: delete or replace the entire bullet
block that begins "When `workflow_dispatch` is allowed on a reusable workflow"
and all sub-bullets (including references to `workflow_dispatch`, `type:
choice`, `type: boolean`, and the `# Security: workflow_dispatch approved —
<reason>` comment). Update the guidance to state unequivocally that reusable
workflows must NOT include `workflow_dispatch` and that manual testing must use
the separate `self-*` entrypoints; ensure any remaining text does not
reintroduce exceptions or allowed patterns for `workflow_dispatch`.
In @.claude/commands/workflow.md:
- Line 119: Change the contradictory guidance about workflow_dispatch so both
spots state one consistent rule: reusable workflows must not declare
workflow_dispatch except as an explicit, narrow exception for self-* entrypoints
used only for manual testing; update the bullet that currently reads "**must NOT
have `workflow_dispatch`** — manual testing belongs in `self-*` entrypoints (see
[script injection risk](`#script-injection--workflow_dispatch`))" and the later
"allowed cases" block to the same wording and structure (explicitly list the
self-* exception and its constraints), ensuring the "script injection risk"
section and the allowed-case examples use identical text and constraints.
- Around line 21-23: Replace the abbreviated commit SHAs used in the examples
(e.g., the `uses: actions/checkout@abc123` and `uses:
actions/checkout@abc123def456` examples) with full 40–64 character hexadecimal
commit SHAs (for example `uses: actions/checkout@<40+ hex chars> # v6`),
preserving the human-readable `# vX.Y.Z` comment; ensure all third-party action
pins in the file use full-length SHAs and keep `LerianStudio/*` examples using
release tags/branches unchanged.
In @.cursor/rules/composite-actions.mdc:
- Around line 31-33: Replace the short example commit SHA in the third-party
action example (the line showing uses: actions/checkout@abc123 # v6) with a
realistic 40–64 character lowercase hex commit hash while preserving the
trailing human-readable comment (the " # v6" part); ensure the example
demonstrates a full-length SHA (40–64 hex chars) to satisfy the pinned-actions
lint rule and keep the surrounding wording unchanged.
In @.cursor/rules/reusable-workflows.mdc:
- Around line 31-33: The example commit SHA in the third-party actions guidance
is invalid (`@abc123 # v6`); replace that sample with a full 40-character hex
commit SHA (for example use the provided
`@6bb3ce3dfc91657a6a39f8e5cef869a28606e946 # v6`) so the `uses:
actions/checkout@...` example demonstrates a valid pinned SHA; update the
example line accordingly (leave the `# v6` readability comment intact).
In @.github/labels.yml:
- Around line 94-97: Add a rule to the labeler config to auto-apply the existing
"validate" label when files under the validation action directory change: open
the labeler config and add a mapping for the "validate" label with the pattern
"src/validate/**" so changes in that folder trigger the validate label (ensure
the key is "validate" to match the label defined in labels.yml).
In @.github/workflows/helm-update-chart.yml:
- Line 156: Replace the semantic tag for the external action used in the
workflow with a commit SHA pin: change the reference to actions/checkout@v6 so
it uses the full commit SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (you can
append a version comment like "# v6"); update the uses entry that currently
reads "uses: actions/checkout@v6" to the SHA-pinned form to satisfy the
pinned-actions policy.
In @.github/workflows/pr-validation.yml:
- Around line 120-131: The workflow treats steps.source-branch.outcome as
"skipped" but the composite returns early which yields a success outcome; fix
this by having the composite action explicitly emit an output (e.g.,
outputs.skipped or outputs.result) when it early-returns and then read that
output here (steps.source-branch.outputs.skipped) to set SOURCE_BRANCH to
"skipped" instead of relying on steps.source-branch.outcome; update the
composite (action.yml) to set the named output on early return and change the
collect step to prefer steps.source-branch.outputs.skipped (or the new
outputs.result) when present before falling back to steps.source-branch.outcome.
In `@AGENTS.md`:
- Around line 159-166: Add blank lines immediately before and after the fenced
YAML code block to satisfy MD031, and update the example SHA pins (e.g., the
abbreviated `abc123def456` and `2dc316d`) to realistic 40-character commit SHAs
while preserving the inline human-readable `# vX.Y.Z` comments and the org-owned
tagged example (`LerianStudio/...@v1.2.3`); ensure the closing ``` is followed
by a blank line and the surrounding prose remains unchanged.
In `@docs/pr-validation.md`:
- Line 122: Update the docs table entry for the min_description_length default
to match the workflow change: change the documented default value from `50` to
`30` in the PR validation inputs table (the `min_description_length` row) so it
reflects the actual default set in .github/workflows/pr-validation.yml; ensure
the `min_description_length` description and type stay the same and only the
default value is corrected.
In `@src/notify/pr-lint-reporter/action.yml`:
- Around line 162-166: The call to github.rest.actions.listJobsForWorkflowRun
executes unconditionally even when needsAnnotations is empty; guard the API call
by checking needsAnnotations.length > 0 before invoking
github.rest.actions.listJobsForWorkflowRun so the request is skipped when there
are no checks requiring annotation fetching (place the if check immediately
before the listJobsForWorkflowRun invocation referenced in the diff).
In `@src/validate/pr-changelog/action.yml`:
- Around line 24-27: The current shell block masks git errors because the
pipeline relies on grep exit code; enable strict failure handling by setting
"set -o pipefail" (and ensure "set -euo pipefail" earlier in the script) before
running git diff, then run git diff "origin/${BASE_REF}...HEAD" and check its
exit status explicitly: if git fails (non-zero) exit the action with an error
instead of writing updated=false, otherwise pipe the diff to grep to set
updated=true/false; reference the pipeline lines that call git diff and the
surrounding action.yml shell step so you update that step to fail loudly on
missing base refs or insufficient history.
In `@src/validate/pr-labels/README.md`:
- Around line 24-27: Update the README usage example that currently shows the
Checkout step as "uses: actions/checkout@v6" to SHA-pin the external action:
replace that tag with the exact commit SHA for actions/checkout (e.g.,
actions/checkout@<commit-sha>) in the usage example block and add a brief note
that external actions must be pinned by SHA per repo policy; locate the example
by finding the Checkout step in the README usage snippet referencing
actions/checkout.
In `@src/validate/pr-metadata/action.yml`:
- Around line 34-37: The bot-detection condition in the auto-assign logic is
redundant: remove the explicit "author === 'dependabot'" check and rely on the
existing authorType === 'Bot' and author.endsWith('[bot]') checks in the same
block (the variables authorType and author are used in the conditional that logs
"Skipping auto-assign — author '${author}' is a bot" and returns); update that
conditional to only test authorType === 'Bot' || author.endsWith('[bot]') so
dependabot is covered by the endsWith check.
In `@src/validate/pr-size/README.md`:
- Line 41: Update the README example that currently uses actions/checkout@v6 to
follow the repository's policy of pinning third-party actions by full commit SHA
plus a version comment; locate the Checkout example in
src/validate/pr-size/README.md (the line containing "uses: actions/checkout@v6")
and replace the tag with the action pinned to the corresponding full 40–64 hex
commit SHA and append a comment with the readable version (e.g., " # v6") to
match the pattern shown in action.yml.
In `@src/validate/pr-title/action.yml`:
- Around line 43-47: The subjectPattern currently requires at least two
characters (^[a-z].+$) which incorrectly rejects single-character subjects;
update the subjectPattern to allow a single lowercase starting character (e.g.
change subjectPattern to ^[a-z].*$) so titles like "fix: x" pass while
preserving the lowercase-first-character rule in the subjectPattern used by the
validator (also keep subjectPatternError as-is).
---
Outside diff comments:
In @.cursor/rules/reusable-workflows.mdc:
- Line 119: There is a conflicting policy: one rule forbids using
workflow_dispatch on reusable workflows while another exceptions block permits
it; pick a single authoritative model and make the document consistent by either
removing the forbidding rule or removing/rewriting the exceptions that allow
workflow_dispatch. Locate the rule that explicitly "forbids workflow_dispatch on
reusable workflows" and the separate "exceptions" section that "allows
workflow_dispatch for reusable workflows," then consolidate them into one clear
rule (or convert the exception into conditional wording) so the policy is
non-contradictory and enforceable.
In @.github/workflows/helm-update-chart.yml:
- Line 189: Replace the semver tag usage "uses: actions/setup-go@v6" with a
pinned full commit SHA for that action (e.g. "uses: actions/setup-go@4b73464")
and add an inline comment with the corresponding tag version (e.g. "# v6.3.0")
so the workflow uses a fixed commit; update the line that contains
actions/setup-go@v6 accordingly.
- Line 103: Replace the semver-tagged external actions with pinned commit SHAs
and add a trailing version comment: locate the usages of
actions/create-github-app-token@v2 and the two actions currently using `@v6` (as
shown in the diff) and update each to the form owner/action@<full-commit-sha> #
<original-tag> (e.g., actions/create-github-app-token@<sha> # v2), ensuring the
exact commit SHA is used instead of the semver tag and the original tag is
preserved in the comment.
In @.github/workflows/pr-validation.yml:
- Around line 44-59: Revert the changed default inputs or make the change
explicit: restore the previous defaults for min_description_length and
enforce_source_branches (and any other inputs you altered) so callers that omit
inputs keep existing behavior, or if you intend a breaking change, bump the
workflow major version and document it in the README/usage; specifically update
the input definitions for min_description_length, enable_auto_labeler,
labeler_config_path, and enforce_source_branches in the workflow to either the
original default values or add explicit migration notes and a version increment
so consumers must opt into the new behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
📒 Files selected for processing (33)
- .claude/commands/composite.md
- .claude/commands/gha.md
- .claude/commands/workflow.md
- .cursor/rules/composite-actions.mdc
- .cursor/rules/reusable-workflows.mdc
- .github/labels.yml
- .github/workflows/helm-update-chart.yml
- .github/workflows/pr-validation.yml
- .github/workflows/self-pr-validation.yml
- AGENTS.md
- docs/pr-validation-workflow.md
- docs/pr-validation.md
- docs/slack-notify-workflow.md
- src/lint/pinned-actions/action.yml
- src/notify/pr-lint-reporter/action.yml
- src/security/codeql-config/action.yml
- src/security/codeql-reporter/action.yml
- src/validate/pr-changelog/README.md
- src/validate/pr-changelog/action.yml
- src/validate/pr-checks-summary/README.md
- src/validate/pr-checks-summary/action.yml
- src/validate/pr-description/README.md
- src/validate/pr-description/action.yml
- src/validate/pr-labels/README.md
- src/validate/pr-labels/action.yml
- src/validate/pr-metadata/README.md
- src/validate/pr-metadata/action.yml
- src/validate/pr-size/README.md
- src/validate/pr-size/action.yml
- src/validate/pr-source-branch/README.md
- src/validate/pr-source-branch/action.yml
- src/validate/pr-title/README.md
- src/validate/pr-title/action.yml
💤 Files with no reviewable changes (2)
- .github/workflows/self-pr-validation.yml
- docs/pr-validation-workflow.md
All comments addressed. Valid findings noted for follow-up PRs against develop.
GitHub Actions Shared Workflows
Description
Type of Change
- feat: New workflow or new input/output/step in an existing workflow
- fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
- perf: Performance improvement (e.g. caching, parallelism, reduced steps)
- refactor: Internal restructuring with no behavior change
- docs: Documentation only (README, docs/, inline comments)
- ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
- chore: Dependency bumps, config updates, maintenance
- test: Adding or updating tests
- BREAKING CHANGE: Callers must update their configuration after this PR
Breaking Changes
None.
Testing
@develop or the beta tag
Caller repo / workflow run:
Related Issues
Closes #