fix(PhenoProc): CI hygiene -- ubuntu-24.04 + inline CI + double-pinned fixes

[KooshaPari]

User description

Summary

• Bump all workflows to ubuntu-24.04
• Replace non-existent KooshaPari/template-commons reusable workflows with inline Rust CI + Go CLI CI jobs
• Replace non-existent KooshaPari/phenotypeActions/validate-governance.yml with inline validation
• Fix all double-pinned checkout actions across workflows
• Also committed pre-existing dirty submodule state

Test plan

• Verify Rust CI passes
• Verify Go CLI CI passes
• Verify Trufflehog scan passes

---

Note

Medium Risk
Main CI drops the external Semgrep security scan and replaces full governance validation with a file-existence check, which narrows coverage until separate workflows compensate.

Overview
CI hygiene across GitHub Actions: every touched workflow now uses ubuntu-24.04 instead of ubuntu-latest, and actions/checkout (and related steps) are corrected from invalid double-pinned refs to a single commit SHA.

The main ci.yml no longer calls missing KooshaPari/template-commons reusable Rust/security workflows or phenotypeActions governance validation. It adds rust-ci (build, test, clippy, fmt), go-ci for phenotype-cli-core, and inline phenotype-validate that only checks presence of README.md, CLAUDE.md, AGENTS.md, and PLAN.md. Workflow-level contents: read is added there; the previous Semgrep-based security job from the reusable workflow is not replaced in this file.

Secret scanning workflows pin TruffleHog and setup actions to commit SHAs instead of @main. VitePress deploy bumps upload-pages-artifact to a pinned v5-compatible ref.

^{Reviewed by Cursor Bugbot for commit ed7e7a0. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Stabilize CI and deployment workflows

What Changed

• All GitHub Actions workflows now run on ubuntu-24.04 instead of the older runner image.
• The main CI workflow now runs Rust checks, Go CLI checks, and governance file validation directly in the repo, instead of relying on missing shared workflows.
• Workflow actions are pinned to valid single versions, and the secret-scanning jobs no longer depend on moving main branches.
• Pages and documentation deploy jobs use corrected action versions so releases and site builds are less likely to fail.

Impact

✅ Fewer broken CI runs
✅ More reliable release and docs deploys
✅ Safer scheduled security scans

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Review limit reached

@KooshaPari, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 36 minutes and 51 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0454c42e-6b6b-4e80-9d65-49d73c728011

📥 Commits

Reviewing files that changed from the base of the PR and between 2437faf and ed7e7a0.

📒 Files selected for processing (44)

• .github/workflows/cargo-audit.yml
• .github/workflows/cargo-deny.yml
• .github/workflows/ci.yml
• .github/workflows/codeql-rust.yml
• .github/workflows/doc-links.yml
• .github/workflows/fr-coverage.yml
• .github/workflows/legacy-tooling-gate.yml
• .github/workflows/pages-deploy.yml
• .github/workflows/quality-gate.yml
• .github/workflows/scorecard.yml
• .github/workflows/secrets-scan.yml
• .github/workflows/trufflehog.yml
• .github/workflows/vitepress-deploy.yml
• Evalora
• crates/cryptora
• crates/cursora
• crates/datamold
• crates/diffuse
• crates/eventra
• crates/forge
• crates/guardis
• crates/guardrail
• crates/helmo
• crates/holdr
• crates/mcp-forge
• crates/phenotype-cipher
• crates/phenotype-cli-core
• crates/phenotype-cli-extensions
• crates/phenotype-colab-extensions
• crates/phenotype-dep-guard
• crates/phenotype-forge
• crates/phenotype-gauge
• crates/phenotype-patch
• crates/phenotype-shared
• crates/phenotype-vessel
• crates/portalis
• crates/prismal
• crates/servion
• crates/thegent-cli-share
• crates/tokn
• phenotype-cli-core
• phenotype-colab-extensions
• phenotype-config-ts
• worktree-manager

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/workflow-hygiene-20260528-v2

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/workflow-hygiene-20260528-v2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codeant-ai]

Suggestion: This updates a gitlink commit for crates/mcp-forge, but that submodule path is not declared in .gitmodules. On fresh clones/CI, Git has no URL mapping for this path, so the submodule cannot be initialized and the directory remains empty, which can break builds or tooling expecting crate contents. Add a matching .gitmodules entry (or stop tracking it as a submodule). [incomplete implementation]

Severity Level: Major ⚠️

- ⚠️ `git submodule update` cannot initialize `crates/mcp-forge`.
- ⚠️ Clean clones see `crates/mcp-forge` as an empty directory.
- ⚠️ Future builds using `mcp-forge` will fail to compile.
- ⚠️ Developers cannot reliably work on `mcp-forge` from this repo.

Steps of Reproduction ✅

1. Clone the repository at this PR revision and open `.gitmodules` at
`/workspace/PhenoProc/.gitmodules`; observe that it only defines `worktree-manager` and
`crates/byteport` (lines 1–6) and has no entry for `crates/mcp-forge`.

2. Inspect the gitlink definition for `crates/mcp-forge` in the PR diff: the file
`crates/mcp-forge` is a submodule pointer set to `Subproject commit
8204eccbfc528b81e63727744f1b72299d6b51ae` at line 1.

3. In a fresh checkout of this revision, inspect the directory
`/workspace/PhenoProc/crates/mcp-forge`; it exists but is effectively empty (no
`Cargo.toml`, no source files), confirming there is no initialized working tree for that
gitlink path.

4. Run `git submodule update --init crates/mcp-forge` in the repository root; Git cannot
find a submodule mapping for `crates/mcp-forge` in `.gitmodules`, so it fails to populate
the directory, leaving `crates/mcp-forge` empty and making it impossible to build or
develop against this crate from a clean clone without manual intervention.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** crates/mcp-forge
**Line:** 1:1
**Comment:**
	*Incomplete Implementation: This updates a gitlink commit for `crates/mcp-forge`, but that submodule path is not declared in `.gitmodules`. On fresh clones/CI, Git has no URL mapping for this path, so the submodule cannot be initialized and the directory remains empty, which can break builds or tooling expecting crate contents. Add a matching `.gitmodules` entry (or stop tracking it as a submodule).

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

Suggestion: This commit advances crates/prismal as a gitlink, but there is no corresponding .gitmodules entry for that path. In clean checkouts, this leaves the directory empty because Git cannot resolve where to fetch it from, causing integration/build failures if the crate is needed. Register the submodule in .gitmodules or convert it back to normal tracked files. [incomplete implementation]

Severity Level: Major ⚠️

- ⚠️ `git submodule update` cannot initialize `crates/prismal`.
- ⚠️ Clean clones see `crates/prismal` as an empty directory.
- ⚠️ Future builds using `prismal` will fail to compile.
- ⚠️ Developers cannot reliably work on `prismal` from this repo.

Steps of Reproduction ✅

1. Clone the repository at this PR revision and open `.gitmodules` at
`/workspace/PhenoProc/.gitmodules`; verify that only `worktree-manager` and
`crates/byteport` are listed (lines 1–6) and there is no entry for `crates/prismal`.

2. Inspect the gitlink definition for `crates/prismal` in the PR diff: the file
`crates/prismal` is a submodule pointer set to `Subproject commit
e8439351cdc6918ea916fe65d9b28f95083434e4` at line 1.

3. In a fresh checkout of this revision, inspect `/workspace/PhenoProc/crates/prismal`;
the directory exists but is empty (no `Cargo.toml`, no source files), showing that the
submodule working tree has not been initialized.

4. Run `git submodule update --init crates/prismal`; Git reports that there is no
submodule mapping in `.gitmodules` for `crates/prismal`, so the directory remains empty,
and any attempt to use or build the `prismal` crate from this superproject fails unless
the developer manually configures or populates that path.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** crates/prismal
**Line:** 1:1
**Comment:**
	*Incomplete Implementation: This commit advances `crates/prismal` as a gitlink, but there is no corresponding `.gitmodules` entry for that path. In clean checkouts, this leaves the directory empty because Git cannot resolve where to fetch it from, causing integration/build failures if the crate is needed. Register the submodule in `.gitmodules` or convert it back to normal tracked files.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Invalid commit hash for actions/setup-go action pin
  • Replaced invalid commit hash 0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 with correct hash 0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 (v5.0.2).

Or push these changes by commenting:

@cursor push c4fd00edb7

Preview (c4fd00edb7)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,7 +38,7 @@
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 # v5
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
         with:
           go-version: 'stable'
           cache: true

_{You can send follow-ups to the cloud agent here.}

[cursor]

Invalid commit hash for actions/setup-go action pin

High Severity

The commit hash 0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 pinned for actions/setup-go does not exist in that repository. The only commit matching prefix 0a12ed9 is 0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 (v5.0.2). The hash in this PR differs at the 8th character and beyond, making it an unresolvable reference that will cause the go-ci job to fail immediately with an "Unable to resolve action" error.

 

^{Reviewed by Cursor Bugbot for commit 1f724a4. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Go CI job references wrong directory for source
  • Changed the go-ci job directory from non-existent phenotype-cli-core/ to the correct apps/pheno-cli/ where the Go module actually resides.

Or push these changes by commenting:

@cursor push 333a3e349f

Preview (333a3e349f)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,9 +43,9 @@
           go-version: 'stable'
           cache: true
       - name: Build
-        run: cd phenotype-cli-core && go build ./...
+        run: cd apps/pheno-cli && go build ./...
       - name: Run tests
-        run: cd phenotype-cli-core && go test ./...
+        run: cd apps/pheno-cli && go test ./...
 
   phenotype-validate:
     name: Governance Validation

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 0771db4. Configure here.}

[cursor]

Go CI job references wrong directory for source

High Severity

The go-ci job runs cd phenotype-cli-core && go build ./... and cd phenotype-cli-core && go test ./..., but phenotype-cli-core/ contains no Go source files and no go.mod. The actual Go CLI module lives in apps/pheno-cli/ (where go.mod, main.go, etc. reside). This job will always fail because go build will find nothing to build.

 

^{Reviewed by Cursor Bugbot for commit 0771db4. Configure here.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[kilo-code-bot]

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	1
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

CRITICAL

File	Line	Issue
.github/workflows/ci.yml	41-48	Go CI job references phenotype-cli-core directory which does not exist in this repository. This will cause the Go build and test steps to fail with "no such file or directory" errors.

WARNING

File	Line	Issue
.github/workflows/vitepress-deploy.yml	14	actions/checkout@v4 uses a tag reference instead of SHA pinning. All other workflows in this PR use SHA-pinned actions for stability (e.g., actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683). Should be consistent.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File	Line	Issue
.github/workflows/ci.yml	31	Uses cargo clippy --all-targets -- -D warnings instead of cargo clippy --workspace -- -D warnings as specified in AGENTS.md. Should align with repository standards.

Files Reviewed (12 files)

• .github/workflows/ci.yml - 1 CRITICAL, 1 WARNING
• .github/workflows/vitepress-deploy.yml - 1 WARNING

---

_{Reviewed by laguna-m.1-20260312:free · 387,057 tokens}

[kilo-code-bot]

CRITICAL: Go CI job references phenotype-cli-core directory which does not exist in this repository. This will cause go build to fail with "no such file or directory: phenotype-cli-core" error.

Consider removing this job entirely since the referenced directory was deleted in this PR.

[kilo-code-bot]

CRITICAL: Same issue - references non-existent phenotype-cli-core directory. Remove this job or restore the directory.

[kilo-code-bot]

WARNING: actions/checkout@v4 uses tag reference instead of SHA pinning. For consistency with other workflows in this PR, should use SHA-pinned version like actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683.