Conversation
…-findings fix(security): address CodeRabbit PR#195 review findings

- scope id-token:write to build/docker jobs only (least privilege)
- pin cosign-sign composite ref to v1.23.0 (remove mutable branch)
- use inputs.ghcr_org fallback in build.yml cosign-refs step
- scope certificate-identity-regexp in all cosign verify examples
- add id-token:write to typescript-build.md basic example
- qualify image ref in cosign-sign README single-image example
- warn against secrets in docker_build_args descriptions
- fix workflow_dispatch contradiction in cursor rules

fix(build): remove floating minor version tag from Docker metadata

The {{major}}.{{minor}} semver pattern (e.g. 1.4) conflicts with DockerHub tag immutability on patch releases. When v1.4.0 is published the 1.4 tag is created and locked, so subsequent patch releases like v1.4.1 fail trying to overwrite it.

Remove the floating minor tag, keeping only the exact version tag (e.g. 1.4.1) and the major tag (e.g. 1).

…rebase fix(gitops-update): add retry with rebase and exponential backoff on push

When multiple services update the same GitOps repo concurrently, the push can be rejected because the remote already has new commits. This adds a retry loop (up to 5 attempts) with git pull --rebase and exponential backoff (2s, 4s, 6s, 8s, 10s) to handle race conditions.

Closes #197

…evelop/goreleaser/goreleaser-action-ec59f474b9834571250b370d4735c50f8e2d1e29 chore(deps): bump goreleaser/goreleaser-action from 9a127d869fb706213d29cdf8eef3a4ea2b869415 to ec59f474b9834571250b370d4735c50f8e2d1e29

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 9a127d869fb706213d29cdf8eef3a4ea2b869415 to ec59f474b9834571250b370d4735c50f8e2d1e29.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@9a127d8...ec59f47)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: ec59f474b9834571250b370d4735c50f8e2d1e29
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

…evelop/docker-cb5fd4910d chore(deps): bump docker/login-action from 4.0.0 to 4.1.0 in the docker group

Bumps the docker group with 1 update: [docker/login-action](https://github.com/docker/login-action).

Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@b45d80f...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker
...

Signed-off-by: dependabot[bot] <support@github.com>

…release group across 1 directory (#147)

* chore(deps): bump actions/create-github-app-token in the release group

Bumps the release group with 1 update: [actions/create-github-app-token](https://github.com/actions/create-github-app-token).

Updates `actions/create-github-app-token` from 2 to 3
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@v2...v3)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: release
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(deps): pin create-github-app-token to SHA for v3 tag

* fix(deps): pin all remaining actions to commit SHA

* fix(deps): revert internal modules back to tags

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lucas Bedatty <lucas.bedatty@lerian.studio>
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)

.cursor/rules/reusable-workflows.mdc (1)

134-158: ⚠️ Potential issue | 🟠 Major

Remove the `workflow_dispatch` section from the example. Lines 149-158 demonstrate a `workflow_dispatch` trigger, directly contradicting the prohibition on line 131. This inconsistency will mislead users.

📝 Proposed fix to remove the conflicting example
on: workflow_call: inputs: environment: required: true type: string dry_run: description: Preview changes without applying them required: false type: boolean default: false secrets: DEPLOY_TOKEN: required: true - workflow_dispatch: - inputs: - environment: - required: true - type: string - dry_run: - description: Preview changes without applying them - type: boolean - default: false🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.cursor/rules/reusable-workflows.mdc around lines 134 - 158, The example contains a conflicting workflow trigger: remove the entire workflow_dispatch block (the "workflow_dispatch" key and its nested inputs for "environment" and "dry_run") so the example only shows the allowed "workflow_call" trigger and its inputs/secrets; ensure the remaining YAML preserves the "workflow_call" inputs (environment, dry_run) and DEPLOY_TOKEN secret without adding any workflow_dispatch entries.

.github/workflows/build.yml (1)

293-295: ⚠️ Potential issue | 🟠 Major

Docker metadata tags misalignment: `{{major}}.{{minor}}` removed from workflow but documented as "Always" available.

The `type=semver,pattern={{major}}.{{minor}}` tag pattern is no longer generated by the workflow (only `{{version}}` and `{{major}}` patterns remain), but `docs/build-workflow.md` (line 142) still documents it as "Always" available. This is a breaking change for callers relying on the `1.0`-style tags. Update the Docker Image Tags table in the documentation to remove the `{{major}}.{{minor}}` row, or restore this pattern in the workflow's metadata action `tags` section.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build.yml around lines 293 - 295, The workflow's Docker metadata "tags" block no longer emits the {{major}}.{{minor}} pattern but the docs still claim it's "Always" available; either restore the tag pattern in the workflow or update the docs: to restore, add a tags entry like `type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }},enable=${{ needs.prepare.outputs.is_release }}` back into the `tags:` list in .github/workflows/build.yml (alongside the existing `pattern={{version}}` and `pattern={{major}}` entries), or remove the `{{major}}.{{minor}}` row from the Docker Image Tags table in docs/build-workflow.md so the documentation matches the current `tags` output.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build.yml:
- Line 233: Update the version comment on the docker/login-action usage to
follow vX.Y.Z format: replace the existing comment "# v4" after the uses:
docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 with "# v4.1.0";
apply the same change for the other occurrence noted (the uses entry at the
other spot referenced in the review).
In @.github/workflows/gitops-update.yml:
- Around line 448-465: The current retry loop uses a linear backoff
(BACKOFF=$((i * 2))) causing 2,4,6... seconds; change it to exponential backoff
so waits grow like 1,2,4,8... (e.g. use BACKOFF as 2**(i-1) or equivalent)
inside the same for i in $(seq 1 $MAX_RETRIES) loop, optionally add a
MAX_BACKOFF cap variable and compute BACKOFF=min(2**(i-1), MAX_BACKOFF) before
the sleep and echo; keep the rest of the logic (git pull --rebase, git push,
error/exit) unchanged and reference MAX_RETRIES and BACKOFF variables.
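The retry loop the review asks for, as an added example rather than the repository's own gitops-update.yml step: `git pull --rebase && git push` retried up to MAX_RETRIES times with a true exponential backoff (1s, 2s, 4s, 8s) capped at MAX_BACKOFF. PULL_CMD, PUSH_CMD and SLEEP_CMD are hypothetical hooks added so the loop can be exercised without a real remote.

```shell
#!/usr/bin/env bash
# Added example (not the repository's gitops-update.yml): push-retry loop with
# the exponential backoff the review suggests (2^(attempt-1) seconds, capped at
# MAX_BACKOFF) around `git pull --rebase && git push`. PULL_CMD, PUSH_CMD and
# SLEEP_CMD are hypothetical hooks so the loop can run without a remote.
set -eu

MAX_RETRIES="${MAX_RETRIES:-5}"
MAX_BACKOFF="${MAX_BACKOFF:-30}"
PULL_CMD="${PULL_CMD:-git pull --rebase}"
PUSH_CMD="${PUSH_CMD:-git push}"
SLEEP_CMD="${SLEEP_CMD:-sleep}"

# backoff_seconds ATTEMPT: 2^(ATTEMPT-1) seconds, never more than MAX_BACKOFF.
backoff_seconds() {
  local delay
  delay=$(( 1 << ($1 - 1) ))
  if [ "$delay" -gt "$MAX_BACKOFF" ]; then
    delay="$MAX_BACKOFF"
  fi
  printf '%s\n' "$delay"
}

# push_with_retry: rebase onto whatever landed on the remote since the last
# fetch, then push; on rejection wait and try again. Returns 0 on success and
# 1 when every one of MAX_RETRIES attempts was rejected (the race persisted).
push_with_retry() {
  local i delay
  for i in $(seq 1 "$MAX_RETRIES"); do
    if $PULL_CMD && $PUSH_CMD; then
      return 0
    fi
    if [ "$i" -eq "$MAX_RETRIES" ]; then
      echo "push failed after $MAX_RETRIES attempts" >&2
      return 1
    fi
    delay=$(backoff_seconds "$i")
    echo "push rejected (attempt $i/$MAX_RETRIES); retrying in ${delay}s" >&2
    $SLEEP_CMD "$delay"
  done
}
```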
- Remove contradictory workflow_dispatch example from reusable-workflows rules
- Remove stale {{major}}.{{minor}} tag from build-workflow docs
- Fix linear backoff to true exponential (2**i) in gitops-update retry loop
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.cursor/rules/reusable-workflows.mdc:
- Line 131: The rule prohibiting workflow_dispatch in reusable workflows creates
a breaking change because six existing reusable workflows (typescript-build.yml,
s3-upload.yml, release-notification.yml, labels-sync.yml, go-fuzz.yml,
branch-cleanup.yml) currently include it; update the rule text to require either
(a) an explicit exceptions list naming those six workflows with justification
and linkage to a documented gating pattern (see pr-security-scan.yml and the
github.event_name == 'pull_request' gating example) or (b) an action item to
migrate each listed workflow into a separate self-invoking workflow
`.github/workflows/self-*` per the rule, and add a short remediation checklist
and owner assignment so the non-compliance is tracked to completion.
In `@docs/build-workflow.md`:
- Line 227: The cosign verification regex in the --certificate-identity-regexp
option currently only matches refs/heads/* so tag-triggered workflows fail;
update the regexp used in the --certificate-identity-regexp argument to allow
both refs/heads/* and refs/tags/* (e.g., replace the current pattern that
contains refs/heads/ with a pattern that accepts refs/(heads|tags)/ or
refs/(?:heads|tags)/) so certificate identities from tag-triggered workflows
(refs/tags/<tag>) verify successfully.
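A scoped `--certificate-identity-regexp` that accepts both `refs/heads/*` and `refs/tags/*` runs of one workflow, as an added example that is not taken from docs/build-workflow.md; the org, repo and workflow names used in the checks are constructed placeholders, and `verify_image` is the hypothetical wrapper around the real `cosign verify` call.

```shell
#!/usr/bin/env bash
# Added example, not from docs/build-workflow.md: build a cosign
# --certificate-identity-regexp scoped to one repository and workflow file
# that still accepts branch (refs/heads/*) and tag (refs/tags/*) triggered
# runs, and check candidate Fulcio certificate identities against it offline.
set -eu

# OIDC issuer that GitHub Actions keyless certificates carry.
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# identity_regexp ORG REPO WORKFLOW_FILE: anchored at the start so a lookalike
# org or repo cannot match; every "." is escaped so it is not a wildcard.
identity_regexp() {
  local wf_escaped
  wf_escaped=$(printf '%s' "$3" | sed 's/\./\\./g')
  printf '^https://github\\.com/%s/%s/\\.github/workflows/%s@refs/(heads|tags)/' \
    "$1" "$2" "$wf_escaped"
}

# identity_matches REGEXP IDENTITY: 0 when a certificate with that SAN passes.
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verify_image IMAGE_REF ORG REPO WORKFLOW_FILE: the real cosign call (needs
# network access to the registry and the transparency log); pass a digest ref.
verify_image() {
  cosign verify \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$(identity_regexp "$2" "$3" "$4")" \
    "$1"
}
```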
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/cosign-sign/README.md`:
- Line 49: The workflows build.yml and typescript-build.yml currently assemble
DockerHub image refs as REFS="${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" which
violates the action.yml fully-qualified requirement; update the REFS
construction to prepend the docker registry prefix (e.g., set
REFS="docker.io/${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" or use
${DOCKER_REGISTRY:-docker.io} to default) so the produced ref matches the
fully-qualified form expected by action.yml and README.md; alternatively, if you
prefer unqualified refs, update the action.yml input description to explicitly
allow unqualified refs instead of changing the workflows.
♻️ Duplicate comments (1)
.github/workflows/build.yml (1)
325-330: ⚠️ Potential issue | 🟠 Major

Normalize `ghcr_org` before composing cosign refs. Line 325 no longer lowercases a caller-supplied `ghcr_org`, but `Set image names` still does on Lines 255-260. A caller passing `ghcr_org: LerianStudio` will push `ghcr.io/lerianstudio/...` and then try to sign `ghcr.io/LerianStudio/...`, which breaks signing when `enable_cosign_sign` is on.

🐛 Proposed fix
env: DIGEST: ${{ steps.build-push.outputs.digest }} ENABLE_DOCKERHUB: ${{ inputs.enable_dockerhub }} ENABLE_GHCR: ${{ inputs.enable_ghcr }} DOCKERHUB_ORG: ${{ inputs.dockerhub_org }} APP_NAME: ${{ matrix.app.name }} - GHCR_ORG: ${{ inputs.ghcr_org || steps.normalize.outputs.owner_lower }} + INPUT_GHCR_ORG: ${{ inputs.ghcr_org }} + NORMALIZED_OWNER: ${{ steps.normalize.outputs.owner_lower }} run: | REFS="" + GHCR_ORG="$INPUT_GHCR_ORG" + if [ -z "$GHCR_ORG" ]; then + GHCR_ORG="$NORMALIZED_OWNER" + else + GHCR_ORG=$(echo "$GHCR_ORG" | tr '[:upper:]' '[:lower:]') + fi if [ "$ENABLE_DOCKERHUB" == "true" ]; then REFS="docker.io/${DOCKERHUB_ORG}/${APP_NAME}@${DIGEST}" fi🤖 Prompt for AI Agents
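Review bot: the lowercasing added in this hunk duplicates the normalization that the `Set image names` step already performs on Lines 255-260; exposing one normalized org as a step output (the way `steps.normalize.outputs.owner_lower` already is) and reading it in both steps would stop the two from drifting apart again. The `-z` check only falls back when `INPUT_GHCR_ORG` is empty, and the `else` branch's `tr '[:upper:]' '[:lower:]'` turns a caller's `LerianStudio` into the `ghcr.io/lerianstudio/...` name that was pushed, so the fix does close the sign/push mismatch. The unchanged context line `if [ "$ENABLE_DOCKERHUB" == "true" ]` relies on bash accepting `==` inside `[ ]`; `=` is the portable spelling should the step's shell ever change.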
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build.yml around lines 325 - 330, The GHCR_ORG value used when composing cosign refs must be normalized to lowercase to match how images are named; update the step that sets GHCR_ORG (the GHCR_ORG environment/value used when building REFS and cosign references) so it lowercases a caller-supplied ghcr_org (e.g. use the same normalization as steps.normalize.outputs.owner_lower or run a to-lower transformation on inputs.ghcr_org) before composing the cosign signing refs, ensuring GHCR_ORG and the pushed image names use identical lowercase host/org values when enable_cosign_sign is enabled.
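The ref-composition step with both review points applied, as an added example that is not the repository's build.yml: every ref is fully qualified with its registry host (the `docker.io/` prefix the cosign-sign README comment asks for) and the GHCR org is lowercased the same way the push step names the image. It reads the env names the workflow uses (DIGEST, ENABLE_DOCKERHUB, ENABLE_GHCR, DOCKERHUB_ORG, APP_NAME, INPUT_GHCR_ORG, NORMALIZED_OWNER); DOCKER_REGISTRY is an assumed override defaulting to docker.io.

```shell
#!/usr/bin/env bash
# Added example (not the repository's build.yml): compose the image refs handed
# to cosign-sign so every ref carries its registry host and the GHCR org is
# lowercased exactly as the push step names the image. Uses the workflow's env
# names; DOCKER_REGISTRY is an assumed override with a docker.io default.
set -eu

# to_lower STRING: OCI repository paths must be lowercase on every registry.
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# compose_refs: prints one "<registry>/<org>/<app>@<digest>" per line.
# Returns 1 on a malformed digest or when no registry is enabled, so a signing
# step cannot silently run against an empty or tag-based ref.
compose_refs() {
  local ghcr_org n=0
  case "${DIGEST:-}" in
    sha256:*) ;;
    *) echo "DIGEST must be sha256:<hex>, got '${DIGEST:-}'" >&2; return 1 ;;
  esac
  # A caller-supplied ghcr_org wins but is normalized; otherwise fall back to
  # the already-lowercased owner (steps.normalize.outputs.owner_lower).
  ghcr_org=$(to_lower "${INPUT_GHCR_ORG:-${NORMALIZED_OWNER:-}}")
  if [ "${ENABLE_DOCKERHUB:-false}" = "true" ]; then
    printf '%s/%s/%s@%s\n' "${DOCKER_REGISTRY:-docker.io}" \
      "$(to_lower "$DOCKERHUB_ORG")" "$APP_NAME" "$DIGEST"
    n=$((n + 1))
  fi
  if [ "${ENABLE_GHCR:-false}" = "true" ]; then
    printf 'ghcr.io/%s/%s@%s\n' "$ghcr_org" "$APP_NAME" "$DIGEST"
    n=$((n + 1))
  fi
  [ "$n" -gt 0 ] || { echo "no registry enabled; nothing to sign" >&2; return 1; }
}
```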
GitHub Actions Shared Workflows

Description

Type of Change

- feat: New workflow or new input/output/step in an existing workflow
- fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
- perf: Performance improvement (e.g. caching, parallelism, reduced steps)
- refactor: Internal restructuring with no behavior change
- docs: Documentation only (README, docs/, inline comments)
- ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
- chore: Dependency bumps, config updates, maintenance
- test: Adding or updating tests
- BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

@develop or the beta tag

Caller repo / workflow run:

Related Issues

Closes #