chore(go-pr-analysis): resolve accumulated lint debt#232
Merged
bedatty merged 28 commits intodependabot/github_actions/develop/utilities-556be15a16from Apr 17, 2026
Merged
Conversation
…to support Introduce config/deployment-matrix.yaml as the single source of truth for which apps deploy to which clusters. The workflow now reads the manifest at the same pinned ref as itself (sparse checkout) and resolves the cluster set from app_name. Adds anacleto as the third deployment target. deploy_in_<cluster> inputs become force-off overrides — they subtract clusters from the manifest-resolved set but cannot add a cluster the manifest does not list. This prevents accidental cross-cluster spillover while still allowing emergency containment. Adds src/lint/deployment-matrix composite (Python embedded, follows the composite-schema pattern) that validates schema, app/cluster integrity, duplicates, and orphan apps. Wired into self-pr-validation as a gated job that only runs when config/deployment-matrix.yaml changes. The manifest topology was inferred empirically from the GitOps repo by cross-referencing folder presence with CI commit history — only apps that are real callers of this workflow are included (excludes apps managed manually like underwriter, jd-mock-api, mock-btg-server, control-plane, platform-console, ledger, dockerhub-secret).
…tution Address PR #212 lint failures: 1. Pin all `actions/checkout@v6` occurrences in self-pr-validation.yml to the SHA already used in gitops-update.yml. Required by pinned-actions lint for external (non-LerianStudio) actions. Also clears pre-existing tech debt in this file that surfaced because the new deployment-matrix job touched it. 2. Replace `echo "$RESOLVED" | sed 's/^/ - /'` with a bash `while read` loop in the resolve_clusters step. Fixes shellcheck SC2001 (prefer bash parameter expansion over sed for simple substitutions).
Resolves 6 medium-severity findings from github-advanced-security:
CODE INJECTION (4 findings — actions/code-injection/medium):
- Move `${{ github.workflow_ref }}` to step env: WORKFLOW_REF
- Bonus: replace `echo | sed -E 's|.*@||'` with bash `${VAR##*@}`
- Eliminates injection vectors at lines 106 + 108
- Move resolve_clusters outputs (has_clusters, clusters) to step env:
HAS_CLUSTERS + RESOLVED_SERVERS in apply_tags step
- Move inputs.yaml_key_mappings + inputs.configmap_updates to step env:
MAPPINGS + CONFIGMAP_MAPPINGS
- Replace `${{ env.IS_BETA/RC/PRODUCTION/SANDBOX }}` with direct
`$IS_BETA/...` (already in job-level env, no need to re-interpolate)
- Replace `${{ github.ref }}` with `${GITHUB_REF}` (auto-set by runner)
UNTRUSTED CHECKOUT (2 findings — actions/untrusted-checkout/medium):
- Add `persist-credentials: false` to manifest sparse checkout (read-only,
no credentials needed, never executes code from this checkout)
- Document trust model inline for the GitOps repo checkout (workflow_call
is not triggered by untrusted PRs; inputs.gitops_repository comes from
trusted internal callers; MANAGE_TOKEN is required for the subsequent
commit/push step, so we cannot drop persist-credentials there)
1. [CRITICAL] Replace `github.workflow_ref` with `github.job_workflow_sha` for manifest checkout. In reusable workflows, github.workflow_ref points to the CALLER's workflow file/ref, not the called reusable workflow — my previous design would have failed for every external caller. `job_workflow_sha` is the commit SHA of the running reusable workflow, which is exactly what we need. Bonus: SHA is more secure than textual ref, and removes the need for the `Resolve shared-workflows ref` step entirely (−18 lines). 2. [HIGH] Remove `|| true` from the RESOLVED pipeline. Silenced yq/jq failures would collapse into the "app not registered" warning path, hiding real manifest/query errors. Now fails fast on parse errors; empty RESOLVED from a successful query remains the legitimate "no matching clusters" case (handled explicitly below). 3. [MEDIUM] Rename config/deployment-matrix.yaml → .yml to match the repo convention (77 .yml files vs 2 .yaml). Updated all references: workflow input default, self-pr-validation gate, composite default, README docs, and the workflow doc. 4. [LOW] Add prominent migration callout to docs about deploy_in_* semantic change — apps must be in the manifest; inputs only subtract. Declined: per-cluster warning when deploy_in_<cluster>: true but app is absent from that cluster's manifest list. Inputs default to true, so this would fire for every app missing from any cluster on every run — noise without signal. Existing "app in zero clusters" warning already covers the actionable case.
actionlint v1.7.x (pinned via raven-actions/actionlint@v2.1.2) does not
yet include `github.job_workflow_sha` in its GitHub context schema,
triggering a false-positive "property not defined" error on the previous
direct reference.
Replace the inline `${{ github.job_workflow_sha }}` expression with an
intermediate step that reads the equivalent auto-set env var
GITHUB_JOB_WORKFLOW_SHA and exports it as a step output. Functionally
identical (the runner populates both from the same source) but the
`steps.X.outputs.Y` expression is recognized by actionlint.
Also adds a defensive guard that fails fast if GITHUB_JOB_WORKFLOW_SHA
is empty — which would mean the workflow is being called outside a
reusable-workflow context, catching that misconfiguration loudly.
fix(release): merge develop into main
…ssuming auto env var GITHUB_JOB_WORKFLOW_SHA is not exposed automatically by the runner. The github.job_workflow_sha context must be mapped explicitly through the step's env: block like any other context value. Prior implementation relied on a nonexistent auto env var and failed with 'is this job really running as part of a reusable workflow?' on every execution. Validated against real run: https://github.com/LerianStudio/plugin-br-pix-indirect-btg/actions/runs/24458387402/job/71466177318
Drops the 'Resolve reusable workflow SHA' step entirely — github.job_workflow_sha is empty when evaluated inside a job of a reusable workflow invoked via jobs.X.uses (empirically confirmed on run 24461037331). Three prior attempts to source that SHA all failed for different reasons: - parsing github.workflow_ref: points to the caller, not the reusable - GITHUB_JOB_WORKFLOW_SHA env var: does not exist - github.job_workflow_sha context: empty in this evaluation context This commit is a TEMP workaround for end-to-end validation: manifest checkout is hardcoded to the feature branch. Before merging #212 this will be replaced with a proper 'deployment_matrix_ref' input (default 'main').
… external action The LerianStudio/github-actions-argocd-sync action suppresses stderr via '> /dev/null 2>&1' on every CLI invocation. Any failure (auth, permission, network, malformed URL, expired token) is rendered indistinguishable from 'app does not exist' and skipped silently when skip-if-not-exists=true. Replaces the external action with inline argocd CLI calls that surface the real error output. Preserves the skip-if-not-exists semantics (warn + exit 0 on app get failure), but syncs fail the job loudly.
…to validate resolution Temporary change for end-to-end testing of the manifest-driven gitops pipeline on PR #212. Expected behavior on next beta of plugin-br-pix-indirect-btg: - resolve_clusters: {firmino, anacleto} (clotilde dropped) - values.yaml updated only in firmino/dev and anacleto/dev - argocd_sync fan-out: 2 jobs (firmino-*-dev, anacleto-*-dev) Revert this commit before merging #212.
…d restore matrix - Adds deployment_matrix_ref input (default 'main'). Callers on pinned tags get the latest manifest automatically; test runs can override via the input without editing the workflow. - Drops the temporary hardcoded ref to the feature branch. - Restores plugin-br-pix-indirect-btg in the clotilde cluster (removed temporarily during exclusion-validation test). End-to-end validation completed against plugin-br-pix-indirect-btg: - v1.5.2-beta.9: full fan-out to firmino + clotilde + anacleto, sync OK - v1.5.2-beta.10: manifest exclusion respected (firmino + anacleto only)
…anges - New 'deployment-matrix' label auto-applied by the labeler on PRs that touch config/deployment-matrix.yml. - config/deployment-matrix.yml added to self-release.yml paths-ignore: since callers resolve the manifest from main at runtime (via the deployment_matrix_ref input with default 'main'), matrix-only changes propagate to all callers without requiring a new release tag. - Mixed commits that touch the matrix plus workflow/action code still trigger a release as usual.
…ix-anacleto feat(gitops-update): manifest-driven topology + anacleto cluster
…fault resolution Addresses CodeRabbit feedback on PR #221. The workflow no longer checks out the manifest at the same ref as itself — it defaults to 'main' (via the deployment_matrix_ref input) so manifest updates propagate to every caller without bumping the pinned workflow tag. - Lead paragraph: replace 'same pinned ref' description. - Optional inputs table: add deployment_matrix_ref row. - 'How it works' step 2: rewrite to reflect the new behavior and rationale.
fix(release): merge develop into main
…trix-ref docs(gitops-update): document deployment_matrix_ref input
docs(release): merge develop into main
…rs-214 fix(gptchangelog): resolve contributors via github api
fix(self-release): generate changelog after stable release on main
fix(release): merge develop into main
…230) * feat(self-release): force-update floating major tag on stable release * refactor(update-major-tag): extract major-tag logic into composite * feat(update-major-tag): expose skip and tag-updated outputs * fix(update-major-tag): qualify tag refs to avoid branch/tag ambiguity
WalkthroughGitHub Actions workflow hardened through explicit SHA pinning of actions, shell variable quoting in Git commands and output handling, safer golangci-lint installation with quoted path variables, and coverage summary output redirection. No public API changes. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
lerian-studio
added
size/S
Contributor
🔍 Lint Analysis
❌ Failures (2)Action Lint
Pinned Actions
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| git fetch origin $BASE_SHA --depth=1 2>/dev/null || true | ||
| FILES=$(git diff --name-only $BASE_SHA $HEAD_SHA 2>/dev/null || git diff --name-only origin/${{ github.base_ref }}...HEAD) | ||
| git fetch origin "$BASE_SHA" --depth=1 2>/dev/null || true | ||
| FILES=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA" 2>/dev/null || git diff --name-only "origin/${{ github.base_ref }}...HEAD") |
| fi | ||
| else | ||
| FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }}) | ||
| FILES=$(git diff --name-only "${{ github.event.before }}" "${{ github.sha }}") |
| fi | ||
| else | ||
| FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }}) | ||
| FILES=$(git diff --name-only "${{ github.event.before }}" "${{ github.sha }}") |
| } >> "$GITHUB_STEP_SUMMARY" | ||
|
|
||
| # ============================================ | ||
| # BUILD VERIFICATION |
| @@ -738,10 +742,10 @@ jobs: | |||
| app: ${{ fromJson(needs.detect-changes.outputs.matrix) }} | |||
| @@ -738,10 +742,10 @@ jobs: | |||
| app: ${{ fromJson(needs.detect-changes.outputs.matrix) }} | |||
| steps: | |||
Contributor
🛡️ CodeQL Analysis ResultsLanguages analyzed: Found 6 issue(s): 6 Medium
🔍 View full scan logs | 🛡️ Security tab |
bedatty
changed the base branch from
develop
to
dependabot/github_actions/develop/utilities-556be15a16
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/go-pr-analysis.yml:
- Around line 249-255: The workflow step "Install golangci-lint" is fetching the
installer from the mutable master branch; update the curl URL to pin to the
release tag that matches GOLANGCI_LINT_VERSION so the installer comes from a
fixed commit (e.g. use
raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh
or otherwise substitute GOLANGCI_LINT_VERSION into the URL) while keeping the
existing GOPATH_BIN and $GITHUB_PATH logic intact.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4dbd14ab-36df-4458-8b7f-efb7dc8b67f4
📒 Files selected for processing (1)
.github/workflows/go-pr-analysis.yml
Comment on lines
249
to
+255
| - name: Install golangci-lint | ||
| env: | ||
| GOLANGCI_LINT_VERSION: ${{ inputs.golangci_lint_version }} | ||
| run: | | ||
| curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${{ inputs.golangci_lint_version }} | ||
| echo "$(go env GOPATH)/bin" >> $GITHUB_PATH | ||
| GOPATH_BIN="$(go env GOPATH)/bin" | ||
| curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$GOPATH_BIN" "$GOLANGCI_LINT_VERSION" | ||
| echo "$GOPATH_BIN" >> "$GITHUB_PATH" |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify there are no mutable master/main installer URLs left in workflow/composite YAML.
rg -n --type=yaml 'raw\.githubusercontent\.com/golangci/golangci-lint/(master|main)/install\.sh'Repository: LerianStudio/github-actions-shared-workflows
Length of output: 70
🏁 Script executed:
sed -n '249,255p' .github/workflows/go-pr-analysis.ymlRepository: LerianStudio/github-actions-shared-workflows
Length of output: 460
Pin the golangci-lint installer to a release tag; master is mutable.
Line 254 downloads an installer from a moving master branch, allowing remote code drift without PR changes. This undermines the supply-chain hardening applied to uses: steps throughout this PR. Use the version tag matching GOLANGCI_LINT_VERSION instead:
- name: Install golangci-lint
env:
GOLANGCI_LINT_VERSION: ${{ inputs.golangci_lint_version }}
run: |
GOPATH_BIN="$(go env GOPATH)/bin"
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$GOPATH_BIN" "$GOLANGCI_LINT_VERSION"
+ curl -sSfL "https://raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh" \
+ | sh -s -- -b "$GOPATH_BIN" "$GOLANGCI_LINT_VERSION"
echo "$GOPATH_BIN" >> "$GITHUB_PATH"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/go-pr-analysis.yml around lines 249 - 255, The workflow
step "Install golangci-lint" is fetching the installer from the mutable master
branch; update the curl URL to pin to the release tag that matches
GOLANGCI_LINT_VERSION so the installer comes from a fixed commit (e.g. use
raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh
or otherwise substitute GOLANGCI_LINT_VERSION into the URL) while keeping the
existing GOPATH_BIN and $GITHUB_PATH logic intact.
7b4f8eb
into
dependabot/github_actions/develop/utilities-556be15a16
16 of 18 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Resolves accumulated lint debt in
.github/workflows/go-pr-analysis.ymlreported by the
pinned-actions,yaml-lint,action-lintandshell-checkcomposites. The individual failures were being masked bythe
validation / Blocking Checksaggregator but kept surfacing on everyPR that touched the file (e.g. Dependabot #211).
Changes
External action SHA pinning (20 sites). All external actions now use
the repository SHA-pin convention (
@<sha> # vX) matching the SHAsalready in use across the rest of the codebase:
actions/checkout@v6→@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6actions/setup-go@v6→@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6actions/upload-artifact@v7→@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7actions/download-artifact@v8→@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8securego/gosec@v2.25.0→@223e19b8856e00f02cc67804499a83f77e208f3c # v2.25.0github/codeql-action/upload-sarif@v4→@c10b8064de6f491fea524254123dbe5e09572f13 # v4Note:
actions/github-script@v8on line 635 is intentionally leftuntouched — it is owned by Dependabot PR #211, which bumps it to v9 and
pins the new SHA in the same branch.
Trailing whitespace (12 lines). Removed trailing spaces in
run:block scripts flagged by
yamllint.Shell issues in
run:blocks.Get changed files: refactoredPREV_COMMIT=$(...); if [[ $? -eq 0 ]]into
if PREV_COMMIT=$(... 2>/dev/null); then(SC2181), quoted$BASE_SHA,$HEAD_SHA,$PREV_COMMIT(SC2086).Install golangci-lint: lifted$(go env GOPATH)/bininto a$GOPATH_BINvariable and quoted it (SC2046), quoted$GITHUB_PATH(SC2086), routed
inputs.golangci_lint_versionthroughenv:block.echo ... >> $GITHUB_OUTPUTredirects quoted as>> "$GITHUB_OUTPUT"(21 sites, SC2086).
Coverage summary: consolidated 11 individual>> $GITHUB_STEP_SUMMARYwrites into a single grouped redirect
{ ... } >> "$GITHUB_STEP_SUMMARY"(SC2129 + SC2086 in one pass).
Run tests N times: quoted$PACKAGESbefore piping toxargs(SC2086; xargs still performs intended word splitting).
No behavior change
Purely lint/format cleanup — every shell behavior preserved:
$(git rev-parse HEAD^)stderr is now silenced with2>/dev/nullbutthe exit code check (via
if cmd;) is semantically identical.these scripts receive (tested patterns only).
Type of Change
feat: New workflow or new input/output/step in an existing workflowfix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)perf: Performance improvement (e.g. caching, parallelism, reduced steps)refactor: Internal restructuring with no behavior changedocs: Documentation only (README, docs/, inline comments)ci: Changes to self-CI (workflows under.github/workflows/that run on this repo)chore: Dependency bumps, config updates, maintenancetest: Adding or updating testsBREAKING CHANGE: Callers must update their configuration after this PRBreaking Changes
None. The workflow's public API (
workflow_callinputs/outputs) andruntime behavior are unchanged.
Testing
against SHAs already used elsewhere in the repo
@developor the beta tagCaller repo / workflow run: Will be validated via
self-pr-validation.ymlon this PR; the four failing lint checks (YAML / Action / Pinned / Shell)
should all transition to green.
Related Issues
Relates to #211 (Dependabot
actions/github-scriptv8 → v9).Summary by CodeRabbit
Release Notes
This release contains no user-facing changes. Updates were made to internal continuous integration and build infrastructure to improve reliability and security of development processes.