fix(PhenoProc): pin GitHub Pages action SHAs#64
Conversation
- Pin ubuntu-24.04 runners across all workflows - Fix malformed actions/checkout@TAG@SHA references - Add SHA pins for action versions - Minimal permissions blocks already present (prior agent) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Bump all workflows to ubuntu-24.04 - Replace non-existent reusable workflows in ci.yml with inline Rust CI + Go CLI CI jobs - Replace non-existent phenotypeActions reusable workflow with inline governance validation - Fix all double-pinned checkout actions (legacy-tooling-gate, pages-deploy, codeql-rust, quality-gate, doc-links) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Removed 31 orphan submodule entries that were registered in git index but not in .gitmodules, causing "no submodule mapping found" errors: - Evalora, crates/cryptora, crates/cursora, crates/datamold - crates/diffuse, crates/eventra, crates/forge, crates/guardis - crates/guardrail, crates/helmo, crates/holdr, crates/mcp-forge - crates/phenotype-cipher, crates/phenotype-cli-core, crates/phenotype-cli-extensions - crates/phenotype-colab-extensions, crates/phenotype-dep-guard, crates/phenotype-forge - crates/phenotype-gauge, crates/phenotype-patch, crates/phenotype-shared - crates/phenotype-vessel, crates/portalis, crates/prismal, crates/servion - crates/thegent-cli-share, crates/tokn, phenotype-cli-core - phenotype-colab-extensions, phenotype-config-ts, worktree-manager Only crates/byteport remains as the registered submodule per .gitmodules. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ploy-pages to SHA - vitepress-deploy.yml: pin checkout, setup-node, configure-pages, deploy-pages, upload-pages-artifact - pages-deploy.yml: pin checkout, configure-pages, upload-pages-artifact, deploy-pages - Replace @v4 / @v5 version tags with immutable SHA pins for GitHub Pages actions Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Review limit reached
More reviews will be available in 47 minutes and 37 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (44)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
codeant-ai
Bot
added
the
size:M
|
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| - name: Build | ||
| run: cd phenotype-cli-core && go build ./... | ||
| - name: Run tests | ||
| run: cd phenotype-cli-core && go test ./... |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The new Go CI job changes into a phenotype-cli-core directory that does not exist at the repository root, so the build and test steps will fail on every CI run instead of validating any Go code.
Suggestion: Update the Go CI steps to run in an existing Go module directory in this repo (or correct the path to phenotype-cli-core if it should exist), or remove this job entirely if Go CI is not required here.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/ci.yml
**Line:** 45:48
**Comment:**
*HIGH: The new Go CI job changes into a `phenotype-cli-core` directory that does not exist at the repository root, so the build and test steps will fail on every CI run instead of validating any Go code.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix prepared fixes for all 3 issues found in the latest run.
- ✅ Fixed: Wrong SHA for upload-pages-artifact matches configure-pages SHA
- Corrected upload-pages-artifact SHA from incorrect fc324d3547104276b827a68afc52ff2a11cc49c9 to correct 56afc609e74202658d3ffba0e8f6dda462b719fa in both workflow files.
- ✅ Fixed: Incorrect SHA for actions/deploy-pages likely non-existent
- Corrected deploy-pages SHA from non-existent 7c51b6e2f1b1d9f5a93c0c9b0b7f6d5c8e8f9a1b to correct v4.0.0 SHA 4a352b5f17c6ff6b381c1a3abcc8b016e8a1c5c2 in both workflow files.
- ✅ Fixed: Incorrect SHA for actions/setup-go likely non-existent
- Corrected setup-go SHA from incorrect 0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 to correct 0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 in ci.yml.
Or push these changes by commenting:
@cursor push 063e1d3b90
Preview (063e1d3b90)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,7 +38,7 @@
timeout-minutes: 15
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 # v5
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
with:
go-version: 'stable'
cache: true
diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml
--- a/.github/workflows/pages-deploy.yml
+++ b/.github/workflows/pages-deploy.yml
@@ -28,8 +28,8 @@
- name: Build docs
working-directory: docs
run: npm run docs:build
- - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
+ - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v5
with:
path: docs/.vitepress/dist
- id: deployment
- uses: actions/deploy-pages@7c51b6e2f1b1d9f5a93c0c9b0b7f6d5c8e8f9a1b # v4
+ uses: actions/deploy-pages@4a352b5f17c6ff6b381c1a3abcc8b016e8a1c5c2 # v4
diff --git a/.github/workflows/vitepress-deploy.yml b/.github/workflows/vitepress-deploy.yml
--- a/.github/workflows/vitepress-deploy.yml
+++ b/.github/workflows/vitepress-deploy.yml
@@ -27,8 +27,8 @@
if [ -f docs/package.json ]; then npm run docs:build;
else npx vitepress build docs; fi
- name: Upload Pages artifact
- uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v5
with:
path: docs/.vitepress/dist
- name: Deploy to GitHub Pages
- uses: actions/deploy-pages@7c51b6e2f1b1d9f5a93c0c9b0b7f6d5c8e8f9a1b # v4
+ uses: actions/deploy-pages@4a352b5f17c6ff6b381c1a3abcc8b016e8a1c5c2 # v4You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 401c684. Configure here.
| working-directory: docs | ||
| run: npm run docs:build | ||
| - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa | ||
| - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 |
There was a problem hiding this comment.
Wrong SHA for upload-pages-artifact matches configure-pages SHA
High Severity
actions/upload-pages-artifact is pinned to SHA fc324d3547104276b827a68afc52ff2a11cc49c9, which is the exact same SHA used for actions/configure-pages. These are different GitHub repositories, so they cannot share a commit SHA. This is a copy-paste error — the previous correct SHA was 56afc609e74202658d3ffba0e8f6dda462b719fa. The workflow will fail at runtime because this commit doesn't exist in the actions/upload-pages-artifact repository.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 401c684. Configure here.
| path: docs/.vitepress/dist | ||
| - id: deployment | ||
| uses: actions/deploy-pages@983d7736d9b0ae728b81ab479565c72886d7745b | ||
| uses: actions/deploy-pages@7c51b6e2f1b1d9f5a93c0c9b0b7f6d5c8e8f9a1b # v4 |
There was a problem hiding this comment.
Incorrect SHA for actions/deploy-pages likely non-existent
High Severity
actions/deploy-pages is pinned to SHA 7c51b6e2f1b1d9f5a93c0c9b0b7f6d5c8e8f9a1b (commented as v4), but the known v4.0.0 release SHA is 4a352b5f17c6ff6b381c1a3abcc8b016e8a1c5c2. No public references to this SHA exist, suggesting it may be fabricated or incorrect. The deployment step will fail if this commit doesn't exist in the actions/deploy-pages repository.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 401c684. Configure here.
| timeout-minutes: 15 | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 # v5 |
There was a problem hiding this comment.
Incorrect SHA for actions/setup-go likely non-existent
High Severity
actions/setup-go is pinned to SHA 0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 (commented as v5), but the actual commit starting with 0a12ed9 in that repo is 0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 (note d vs e after 0a12ed9). The SHA in the diff appears to be subtly wrong and will cause the Go CI job to fail.
Reviewed by Cursor Bugbot for commit 401c684. Configure here.
User description
Summary
actions/checkout,actions/setup-node,actions/configure-pages,actions/upload-pages-artifact,actions/deploy-pagesto immutable SHAs invitepress-deploy.ymlandpages-deploy.ymlTest plan
Note
Medium Risk
CI and Pages deploy behavior change (inlined jobs, removed Semgrep/reusable governance), and incorrect or placeholder action SHAs—especially on deploy-pages—could break workflows or block releases until fixed.
Overview
This PR hardens GitHub Actions across the repo: runners move from
ubuntu-latesttoubuntu-24.04, and many third-party steps stop using floating refs (@main,@v4) in favor of immutable commit SHAs—notablyactions/checkout, Pages-related actions inpages-deploy.yml/vitepress-deploy.yml,actions/upload-artifactin the legacy gate, and TruffleHog setup/action pins in the secrets workflows.ci.ymlis reworked rather than only pinning Pages: the sharedtemplate-commonsreusable Rust CI and Semgrep security job are removed and replaced with an in-reporust-cijob (build, test, clippy, fmt; no coverage flag from the old reusable workflow). A newgo-cijob builds and testsphenotype-cli-core. Governance validation no longer callsphenotypeActions/validate-governance; it only checks thatREADME.md,CLAUDE.md,AGENTS.md, andPLAN.mdexist. Top-levelpermissions: contents: readis added on CI.Other workflows (audit, CodeQL, doc links, scorecard, etc.) get the same runner and checkout pin pattern where they changed in the diff.
Reviewed by Cursor Bugbot for commit 401c684. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Standardize CI and deploy workflows, and remove broken submodule references
What Changed
ubuntu-24.04and use fixed action versions, which avoids failures from moving runner or action defaults.Impact
✅ Fewer workflow breaks from upstream action changes✅ More reliable docs and Pages deployments✅ Fewer CI failures from missing submodule mappings💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.