feat(security): add CodeQL analysis and pre-release version gate#208
feat(security): add CodeQL analysis and pre-release version gate#208
Conversation
WalkthroughAdds a Pre-release Version Check composite action; integrates optional CodeQL analysis into the reusable pr-security-scan workflow (new inputs and conditional job); wires prerelease findings into the PR reporter; pins/upgrades several action refs; and updates docs and CI validation. Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
lerian-studio
added
size/M
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
🛡️ CodeQL Analysis ResultsLanguages analyzed: ✅ No security issues found. 🔍 View full scan logs | 🛡️ Security tab |
🔍 Lint Analysis
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/pr-security-scan-workflow.md (1)
182-199:⚠️ Potential issue | 🟡 MinorThe Inputs table is still out of sync with the workflow contract.
.github/workflows/pr-security-scan.ymlalso exposesshared_paths,app_name_prefix,app_name_overrides,normalize_to_filter,docker_build_args, andbuild_context_from_working_dir, but they are missing here. That leaves the caller-facing contract incomplete.As per coding guidelines, "Flag if inputs table is out of sync with the corresponding workflow changes in this PR."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/pr-security-scan-workflow.md` around lines 182 - 199, The Inputs table in docs/pr-security-scan-workflow.md is missing inputs added in the workflow (.github/workflows/pr-security-scan.yml); update the table to include the missing inputs shared_paths, app_name_prefix, app_name_overrides, normalize_to_filter, docker_build_args, and build_context_from_working_dir with correct Type, Default, and Description entries matching the workflow contract (use the exact input names as in pr-security-scan.yml and ensure descriptions reflect their behavior so the caller-facing contract is complete).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 92-95: The default for the reusable workflow input
enable_prerelease_check currently defaults to true which will break existing
callers; change its default to false (or gate it behind a new major/minor
version boundary) so the prerelease blocking is opt-in for existing consumers,
updating the input declaration for enable_prerelease_check accordingly to avoid
hard-failing PRs for callers that don’t supply the new input.
- Around line 209-216: The workflow references a feature branch tag in the
composite actions (the `uses:` entries like
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease)
which will break once that branch is deleted; update each `uses:` to point to a
released semantic version tag (e.g., change
`@feat/pr-security-scan-codeql-prerelease` to the appropriate `@vX.Y.Z` release)
so the Pre-release Version Check (`id: prerelease-check`) and the other four
composite action references resolve reliably after merges.
In `@docs/pr-security-scan-workflow.md`:
- Around line 167-180: The docs are inconsistent about default pre-release
gating and the behavior of enable_docker_scan; update the "CLI / Non-Docker
Projects" section so it matches the new "With Pre-release Version Gate" wording:
state that enable_prerelease_check is enabled by default and clarify that when
enable_docker_scan: false the workflow performs only filesystem secret scanning
plus pre-release checks (i.e., scanning go.mod/package.json/Dockerfile for
-beta/-rc) and does not run Docker Scout; reference the config flags
enable_prerelease_check and enable_docker_scan and update any wording that
currently says "only filesystem scanning" or still references Docker Scout to
reflect the new combined filesystem + pre-release behavior.
In `@src/security/prerelease-check/README.md`:
- Around line 12-15: Update the Inputs table in
src/security/prerelease-check/README.md so the Default for `app-name` exactly
matches the exported default in action.yml (currently an empty string ''), i.e.,
replace the `—` with `''`; ensure the input name `app-name` and the Required and
Default cells match action.yml verbatim to satisfy the action contract
verification.
- Around line 24-30: Update the "Dockerfile" row in the "What it scans" table to
reflect all filename patterns the action actually scans — replace the single
`Dockerfile` cell with `Dockerfile`, `*.dockerfile`, `Dockerfile.*` (keep the
existing pattern `:X.Y.Z-beta.*` / `:X.Y.Z-rc.*` and example
`golang:1.21.0-beta1` unchanged) so callers see the exact coverage used by the
gate.
---
Outside diff comments:
In `@docs/pr-security-scan-workflow.md`:
- Around line 182-199: The Inputs table in docs/pr-security-scan-workflow.md is
missing inputs added in the workflow (.github/workflows/pr-security-scan.yml);
update the table to include the missing inputs shared_paths, app_name_prefix,
app_name_overrides, normalize_to_filter, docker_build_args, and
build_context_from_working_dir with correct Type, Default, and Description
entries matching the workflow contract (use the exact input names as in
pr-security-scan.yml and ensure descriptions reflect their behavior so the
caller-facing contract is complete).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: c6b503cb-09cf-4402-b8ce-154c21e84bbe
📒 Files selected for processing (4)
.github/workflows/pr-security-scan.ymldocs/pr-security-scan-workflow.mdsrc/security/prerelease-check/README.mdsrc/security/prerelease-check/action.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 2
♻️ Duplicate comments (2)
.github/workflows/pr-security-scan.yml (2)
92-95:⚠️ Potential issue | 🟠 MajorDefault the new pre-release gate off for existing callers.
This turns a new failing behavior on by default in a reusable workflow. Callers already pinned to this shared ref will start failing PRs without changing their own workflows, so this is a breaking rollout and should ship default-off or behind a version boundary.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 92 - 95, The new boolean input enable_prerelease_check currently defaults to true which will break existing callers; change its default to false (or gate behind a major-versioned reusable workflow) so existing workflows don't start failing; update the input definition for enable_prerelease_check to default: false and, if desired, add a note in the workflow description or README about the opt-in change and versioning plan.
213-213:⚠️ Potential issue | 🔴 CriticalDo not merge reusable-workflow refs that point at a feature branch.
These
uses:entries still resolve through@feat/pr-security-scan-codeql-prerelease. Once that branch is deleted or drifts, external callers of this reusable workflow will stop resolving the composites. Move every new internal action reference to the released ref before merge. Based on learnings: reusable workflows called from external repositories must reference them via an absolute external ref, and this repository’s workflow files use absoluteLerianStudio/github-actions-shared-workflows/src/...@<ref>references for externally consumed composites.Also applies to: 258-258, 265-265, 284-284, 291-291
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml at line 213, Change all reusable-workflow `uses:` references that point to the feature branch `@feat/pr-security-scan-codeql-prerelease` to a released immutable ref (a released tag or commit SHA) so external callers won't break when the branch is deleted; update each `uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease` (and the other identical `uses:` entries) to `@<released-tag-or-sha>` (for example a vX.Y.Z tag or the commit SHA of the release) so the composite resolves reliably for external repositories.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 270-276: The step "Configure private Go modules access" currently
hardcodes GOPRIVATE=github.com/LerianStudio/* and makes the reusable workflow
org-specific; change this to accept a parameter (e.g., an input like
private_go_pattern or private_go_host) or derive the pattern from the GitHub
context (github.repository_owner / github.server_url) and use that value when
setting the git config and GOPRIVATE; update references to the git config line
and the GOPRIVATE assignment so they interpolate the input/context value instead
of the literal "LerianStudio". Ensure the new input has a sensible default and
is documented so callers can override it for other orgs/hosts.
- Around line 79-87: The workflow allows enable_codeql to be true with an empty
codeql_languages, which causes the codeql_scan job to silently skip; add an
early validation job (e.g., validate_codeql_inputs) that runs before codeql_scan
and uses an if condition checking inputs.enable_codeql is true and
inputs.codeql_languages is empty, and in that job run a single step that prints
a clear error (mentioning enable_codeql and codeql_languages) and exits non‑zero
to fail fast; update job dependencies so codeql_scan depends_on this validation
to guarantee callers get an explicit error rather than silent skipping.
---
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 92-95: The new boolean input enable_prerelease_check currently
defaults to true which will break existing callers; change its default to false
(or gate behind a major-versioned reusable workflow) so existing workflows don't
start failing; update the input definition for enable_prerelease_check to
default: false and, if desired, add a note in the workflow description or README
about the opt-in change and versioning plan.
- Line 213: Change all reusable-workflow `uses:` references that point to the
feature branch `@feat/pr-security-scan-codeql-prerelease` to a released
immutable ref (a released tag or commit SHA) so external callers won't break
when the branch is deleted; update each `uses:
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease`
(and the other identical `uses:` entries) to `@<released-tag-or-sha>` (for
example a vX.Y.Z tag or the commit SHA of the release) so the composite resolves
reliably for external repositories.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5b9c11d5-2975-4c28-a825-1df86339de92
📒 Files selected for processing (1)
.github/workflows/pr-security-scan.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 232-236: The workflow step "Gate - Fail on Pre-release Versions"
currently interpolates steps.prerelease-check.outputs.findings-count directly
into the shell command; map that output into an environment variable (e.g., set
env: PRERELEASE_FINDINGS: ${{ steps.prerelease-check.outputs.findings-count }})
and then reference and quote that env var in the run block (use
"$PRERELEASE_FINDINGS" in the echo and exit logic) to satisfy the code-injection
check and silence CodeQL warnings.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7e2b259b-c964-4721-95d6-0e441d249e14
📒 Files selected for processing (1)
.github/workflows/pr-security-scan.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/security/codeql-analyze/action.yml (1)
20-21:⚠️ Potential issue | 🟠 MajorPin
github/codeql-action/analyzeto a commit SHA, not@v4.Line 21 uses a mutable tag for a third-party action. Per repository policy, third-party actions must be pinned by commit SHA with a version comment for readability (e.g.,
uses: github/codeql-action/analyze@abc123def456... # v4). Tags can be force-pushed by upstream maintainers, weakening supply-chain guarantees.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/codeql-analyze/action.yml` around lines 20 - 21, Replace the mutable tag in the GitHub Actions step that currently reads "uses: github/codeql-action/analyze@v4" with a pinned commit SHA (e.g., "uses: github/codeql-action/analyze@<full-commit-sha>") and add a trailing comment indicating the human-readable version (e.g., "# v4") for readability; update the "Perform CodeQL Analysis" step to use that SHA to satisfy the repository policy while preserving the version intent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/codeql-analyze/action.yml`:
- Around line 12-15: The new action input 'upload' in action.yml defaults to
'false', which changes behavior for callers that omit it; update the default to
'true' (or ensure callers explicitly pass 'upload: \"true\"') so SARIF upload
remains enabled by default. Modify the inputs block for the 'upload' input in
action.yml to set default: 'true' (or update any workflows invoking the action
to pass upload: 'true' where necessary) and keep the value forwarded as before.
---
Outside diff comments:
In `@src/security/codeql-analyze/action.yml`:
- Around line 20-21: Replace the mutable tag in the GitHub Actions step that
currently reads "uses: github/codeql-action/analyze@v4" with a pinned commit SHA
(e.g., "uses: github/codeql-action/analyze@<full-commit-sha>") and add a
trailing comment indicating the human-readable version (e.g., "# v4") for
readability; update the "Perform CodeQL Analysis" step to use that SHA to
satisfy the repository policy while preserving the version intent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4be93de3-e8cd-4b62-9f57-9bee3c55f109
📒 Files selected for processing (1)
src/security/codeql-analyze/action.yml
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
docs/pr-security-scan-workflow.md (2)
184-200:⚠️ Potential issue | 🟡 MinorInputs table is out of sync with the workflow.
The following workflow inputs are missing from the documentation table:
shared_pathsapp_name_prefixapp_name_overridesnormalize_to_filterdocker_build_argsbuild_context_from_working_dirIf these are intentionally omitted as "advanced" inputs, add a note indicating additional inputs exist. Otherwise, document them for completeness.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/pr-security-scan-workflow.md` around lines 184 - 200, The Inputs table is missing several workflow inputs; update the docs to either document these inputs or clearly note that additional advanced inputs exist. Specifically add entries for `shared_paths`, `app_name_prefix`, `app_name_overrides`, `normalize_to_filter`, `docker_build_args`, and `build_context_from_working_dir` (each with Type, Default, and Description), or append a short note under the table stating that advanced inputs such as those named above exist and where to find full input reference; ensure the documented names exactly match the workflow input keys (`shared_paths`, `app_name_prefix`, `app_name_overrides`, `normalize_to_filter`, `docker_build_args`, `build_context_from_working_dir`).
217-225:⚠️ Potential issue | 🟡 MinorPermissions section missing
actions: read.The workflow now requires
actions: readfor CodeQL status reporting. Update the documented permissions block to match.📝 Add missing permission
permissions: + actions: read # Required for CodeQL status reporting id-token: write # Required for OIDC authentication contents: read # Required to checkout the repository pull-requests: write # Allows commenting on PRs security-events: write # Required for security scanning🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/pr-security-scan-workflow.md` around lines 217 - 225, Update the "Required Permissions" YAML block to include the missing "actions: read" permission so CodeQL status reporting can work; locate the permissions snippet under the "Required Permissions" heading (the YAML block containing id-token, contents, pull-requests, security-events) and add a line "actions: read" alongside the other entries, keeping the same indentation and comment style..github/workflows/pr-security-scan.yml (1)
10-99:⚠️ Potential issue | 🟠 MajorMissing required
dry_runinput.Per coding guidelines, every reusable workflow must include a
dry_runinput (type: boolean,default: false). When true, it should enable verbose output and tool-native preview flags. This workflow is missing this required input.🛠️ Add dry_run input
build_context_from_working_dir: description: 'Use the component working_dir as Docker build context instead of repo root. Useful for independent modules (e.g., tools with their own go.mod).' type: boolean default: false + dry_run: + description: 'Enable dry-run mode with verbose output. Does not fail on findings.' + type: boolean + default: false enable_codeql:🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 10 - 99, The workflow is missing the required dry_run input under on.workflow_call.inputs; add a new input named dry_run with type: boolean and default: false, and update any steps that run scanners or builds (e.g., CodeQL, Docker scans referenced by enable_codeql, enable_docker_scan) to honor this flag by enabling verbose output and tool-native "preview"/"dry-run" options when dry_run is true.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 10-99: The workflow is missing the required dry_run input under
on.workflow_call.inputs; add a new input named dry_run with type: boolean and
default: false, and update any steps that run scanners or builds (e.g., CodeQL,
Docker scans referenced by enable_codeql, enable_docker_scan) to honor this flag
by enabling verbose output and tool-native "preview"/"dry-run" options when
dry_run is true.
In `@docs/pr-security-scan-workflow.md`:
- Around line 184-200: The Inputs table is missing several workflow inputs;
update the docs to either document these inputs or clearly note that additional
advanced inputs exist. Specifically add entries for `shared_paths`,
`app_name_prefix`, `app_name_overrides`, `normalize_to_filter`,
`docker_build_args`, and `build_context_from_working_dir` (each with Type,
Default, and Description), or append a short note under the table stating that
advanced inputs such as those named above exist and where to find full input
reference; ensure the documented names exactly match the workflow input keys
(`shared_paths`, `app_name_prefix`, `app_name_overrides`, `normalize_to_filter`,
`docker_build_args`, `build_context_from_working_dir`).
- Around line 217-225: Update the "Required Permissions" YAML block to include
the missing "actions: read" permission so CodeQL status reporting can work;
locate the permissions snippet under the "Required Permissions" heading (the
YAML block containing id-token, contents, pull-requests, security-events) and
add a line "actions: read" alongside the other entries, keeping the same
indentation and comment style.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 77be3519-e970-4f9c-a444-f3fc782ba607
📒 Files selected for processing (2)
.github/workflows/pr-security-scan.ymldocs/pr-security-scan-workflow.md
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 2
♻️ Duplicate comments (5)
.github/workflows/pr-security-scan.yml (4)
96-103:⚠️ Potential issue | 🟠 MajorDefault-on prerelease gating is a breaking rollout.
Existing callers pick up this behavior without changing their workflow. Any repo with
-beta/-rcpins will start warning ondevelopand hard-failing onmain/release-candidateas soon as it consumes this ref. Ship this default-off, or only enable it behind a new version boundary.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 96 - 103, The workflow sets enable_prerelease_check to true by default, which changes behavior for existing users; change its default to false (or remove the default so callers must opt-in) and keep prerelease_block_branches unchanged; update the enable_prerelease_check key in the workflow so existing repos do not get blocking prerelease gating unless they explicitly opt in.
79-87:⚠️ Potential issue | 🟠 MajorFail fast when CodeQL is enabled without languages.
enable_codeql: truewith an emptycodeql_languagesjust skipscodeql_scanbecause of the jobif:. That hides caller misconfiguration. Add an explicit validation step/job that errors when CodeQL is enabled and the language list is blank.Also applies to: 267-267
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 79 - 87, Add a validation step/job that fails fast when enable_codeql is true but codeql_languages is empty: detect the combination of the inputs (enable_codeql and codeql_languages) before the codeql_scan job runs (or as the first step of codeql_scan) and exit with a clear error message if codeql_languages is blank; reference the input names enable_codeql and codeql_languages and the affected job codeql_scan so the check runs only when enable_codeql is true and prevents silently skipping the scan when languages are not provided.
222-222:⚠️ Potential issue | 🔴 CriticalReplace the feature-branch refs before merge.
A reusable workflow consumed by external repositories cannot depend on
@feat/pr-security-scan-codeql-prerelease; those refs stop resolving once the branch is deleted or drifts. Pin these composites to a release tag, or use@developonly while testing.As per coding guidelines, "
LerianStudio/*actions must use release tags (@v1.2.3) or branches (@developfor testing)`."Also applies to: 285-319
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml at line 222, The workflow is referencing a feature branch ref (uses: LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease), which will break once that branch is removed; update all such "uses: LerianStudio/github-actions-shared-workflows/..." entries (including the similar blocks at lines 285-319) to pin to a stable release tag like `@vX.Y.Z`, or temporarily to `@develop` for testing, ensuring the ref is not a feature branch so the reusable workflow resolves after merge.
297-303:⚠️ Potential issue | 🟠 Major
GOPRIVATEis hardcoded to LerianStudio.This makes the reusable workflow fail for callers whose private Go modules live under a different owner or host. Derive the pattern from context or expose it as an input before shipping this as shared workflow logic.
As per coding guidelines, "Never hardcode tokens, org names, or internal URLs — always use inputs or secrets."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 297 - 303, The workflow hardcodes GOPRIVATE to "github.com/LerianStudio/*"; change it to derive or accept the pattern as an input and use that instead: add an input (e.g., input name goprivate_pattern) with a sensible default like using github.repository_owner (or construct "${{ github.repository_owner }}/*"), then replace the hardcoded GOPRIVATE write with that input value; ensure the TOKEN env use remains unchanged and the conditional if: steps.codeql-config.outputs.skip != 'true' still guards the run.docs/pr-security-scan-workflow.md (1)
120-142:⚠️ Potential issue | 🟡 MinorCLI/non-Docker docs still describe the old behavior.
With
enable_prerelease_checkdefaulting totrue, this mode also runs the prerelease scan. The bullet list here omits that and still mentions Docker Scout, which now contradicts the later note in Line 250.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/pr-security-scan-workflow.md` around lines 120 - 142, Update the docs block describing the "disable Docker scanning" example to reflect current behavior: mention that with enable_prerelease_check defaulting to true the prerelease scan will still run, and remove or clarify the outdated Docker Scout statement so it matches the later note referenced (Line 250). Specifically edit the PR Security Scan example text to state that setting enable_docker_scan: false skips Docker build/vuln scanning but does not disable the prerelease check (enable_prerelease_check remains true by default) and ensure the bullet list no longer incorrectly implies Docker Scout behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/pr-security-scan-workflow.md`:
- Around line 167-180: Update the prose describing the prerelease gate to
reflect that it is branch-aware: state that when enable_prerelease_check is true
the workflow scans go.mod, package.json, and Dockerfile for prerelease suffixes
(e.g., -beta, -rc) and emits a warning on non-blocking branches, and only fails
the PR (exits non‑zero) for branches listed in prerelease_block_branches; adjust
the wording around the “With Pre-release Version Gate” section and the
corresponding lines mentioned so they reference the enable_prerelease_check
input and the prerelease_block_branches behavior instead of saying it
unconditionally fails the PR.
- Around line 163-165: Update the documentation text that currently states
"Results are posted as a separate PR comment and uploaded to the GitHub Security
tab" to clarify that SARIF upload to the Security tab is opt-in and only happens
when the configuration flag codeql_upload_sarif: true is set; change the wording
around the CodeQL section (references to "CodeQL analysis" and the upload
behavior) to explicitly note the default is not to upload SARIF and callers must
enable codeql_upload_sarif to have results uploaded, and apply the same
correction at the other occurrences mentioned.
---
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 96-103: The workflow sets enable_prerelease_check to true by
default, which changes behavior for existing users; change its default to false
(or remove the default so callers must opt-in) and keep
prerelease_block_branches unchanged; update the enable_prerelease_check key in
the workflow so existing repos do not get blocking prerelease gating unless they
explicitly opt in.
- Around line 79-87: Add a validation step/job that fails fast when
enable_codeql is true but codeql_languages is empty: detect the combination of
the inputs (enable_codeql and codeql_languages) before the codeql_scan job runs
(or as the first step of codeql_scan) and exit with a clear error message if
codeql_languages is blank; reference the input names enable_codeql and
codeql_languages and the affected job codeql_scan so the check runs only when
enable_codeql is true and prevents silently skipping the scan when languages are
not provided.
- Line 222: The workflow is referencing a feature branch ref (uses:
LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease),
which will break once that branch is removed; update all such "uses:
LerianStudio/github-actions-shared-workflows/..." entries (including the similar
blocks at lines 285-319) to pin to a stable release tag like `@vX.Y.Z`, or
temporarily to `@develop` for testing, ensuring the ref is not a feature branch so
the reusable workflow resolves after merge.
- Around line 297-303: The workflow hardcodes GOPRIVATE to
"github.com/LerianStudio/*"; change it to derive or accept the pattern as an
input and use that instead: add an input (e.g., input name goprivate_pattern)
with a sensible default like using github.repository_owner (or construct "${{
github.repository_owner }}/*"), then replace the hardcoded GOPRIVATE write with
that input value; ensure the TOKEN env use remains unchanged and the conditional
if: steps.codeql-config.outputs.skip != 'true' still guards the run.
In `@docs/pr-security-scan-workflow.md`:
- Around line 120-142: Update the docs block describing the "disable Docker
scanning" example to reflect current behavior: mention that with
enable_prerelease_check defaulting to true the prerelease scan will still run,
and remove or clarify the outdated Docker Scout statement so it matches the
later note referenced (Line 250). Specifically edit the PR Security Scan example
text to state that setting enable_docker_scan: false skips Docker build/vuln
scanning but does not disable the prerelease check (enable_prerelease_check
remains true by default) and ensure the bullet list no longer incorrectly
implies Docker Scout behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 28ceb1fc-df29-4c55-9cbd-58a47af7fe67
📒 Files selected for processing (2)
.github/workflows/pr-security-scan.ymldocs/pr-security-scan-workflow.md
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (2)
src/security/prerelease-check/README.md (2)
15-15:⚠️ Potential issue | 🟡 MinorFix the
app-namedefault to match action metadata.Line 15 documents
—, but the action exportsapp-namewith default''. Keep the inputs contract exact.As per coding guidelines, "Verify inputs table matches
action.ymlexactly (name, required, default)."🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/README.md` at line 15, The README inputs table documents `app-name` default as `—` but the action metadata exports `app-name` with default `''`; update the inputs table entry for `app-name` to exactly match action metadata (set the Default column to `''`) so the inputs contract matches the `app-name` input defined in the action metadata.
32-32:⚠️ Potential issue | 🟡 MinorDocument all Dockerfile filename patterns actually scanned.
Line 32 lists only
Dockerfile, while the action scansDockerfile,*.dockerfile, andDockerfile.*. This under-documents gate coverage.As per coding guidelines, "
DockerfilepathsDockerfile,*.dockerfile, andDockerfile.*underscan-ref."🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/README.md` at line 32, The README entry currently lists only "Dockerfile" but the scanner actually checks three filename patterns; update the documentation to enumerate all patterns scanned under the scan-ref: "Dockerfile", "*.dockerfile", and "Dockerfile.*" so the table row (the value currently shown as `Dockerfile`) accurately reflects the gate coverage referenced by scan-ref.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 90-96: The loop that emits GitHub Actions annotations uses
unescaped values and the existing escape_cmd only handled message escaping;
update or add an escape function (e.g., escape_cmd or escape_property) to
implement the full mappings: for message values replace % -> %25, \n -> %0A, \r
-> %0D; for property values (used for file and line) replace % -> %25, \n ->
%0A, \r -> %0D, : -> %3A, , -> %2C. Apply the message escaping to CONTENT when
building the annotation message and apply the property escaping to FILE and LINE
before interpolating into the ::warning file=...,line=...::... command so both
properties and the message are safely encoded.
---
Duplicate comments:
In `@src/security/prerelease-check/README.md`:
- Line 15: The README inputs table documents `app-name` default as `—` but the
action metadata exports `app-name` with default `''`; update the inputs table
entry for `app-name` to exactly match action metadata (set the Default column to
`''`) so the inputs contract matches the `app-name` input defined in the action
metadata.
- Line 32: The README entry currently lists only "Dockerfile" but the scanner
actually checks three filename patterns; update the documentation to enumerate
all patterns scanned under the scan-ref: "Dockerfile", "*.dockerfile", and
"Dockerfile.*" so the table row (the value currently shown as `Dockerfile`)
accurately reflects the gate coverage referenced by scan-ref.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: f00a24ab-b386-479c-a17f-43de088b27c1
📒 Files selected for processing (2)
src/security/prerelease-check/README.mdsrc/security/prerelease-check/action.yml
There was a problem hiding this comment.
♻️ Duplicate comments (1)
src/security/prerelease-check/action.yml (1)
120-125:⚠️ Potential issue | 🟠 MajorEscape annotation properties and message before emitting
::warning.Line 125 still interpolates
FILE,LINE, andCONTENTdirectly into a workflow command. That lets reserved characters break command parsing and inject extra annotations/log output from scanned content.🔒 Proposed fix
+ escape_cmd_message() { + local s="$1" + s=${s//'%'/'%25'} + s=${s//$'\r'/'%0D'} + s=${s//$'\n'/'%0A'} + printf '%s' "$s" + } + + escape_cmd_property() { + local s + s="$(escape_cmd_message "$1")" + s=${s//':'/'%3A'} + s=${s//','/'%2C'} + printf '%s' "$s" + } + for f in "${FINDINGS[@]}"; do FILE="${f%%|*}" REST="${f#*|}" LINE="${REST%%:*}" CONTENT="${REST#*:}" - echo "::warning file=${FILE},line=${LINE}::Unstable version pin: $(echo "$CONTENT" | sed 's/^[[:space:]]*//')" + FILE_ESCAPED="$(escape_cmd_property "$FILE")" + LINE_ESCAPED="$(escape_cmd_property "$LINE")" + CONTENT_ESCAPED="$(escape_cmd_message "$(printf '%s' "$CONTENT" | sed 's/^[[:space:]]*//')")" + echo "::warning file=${FILE_ESCAPED},line=${LINE_ESCAPED}::Unstable version pin: ${CONTENT_ESCAPED}" doneIn GitHub Actions workflow commands (::warning / ::error), what escaping is required for message values and for property values such as file= and line=?🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 120 - 125, The loop emits raw variables into a GitHub Actions workflow command allowing injected annotations; add proper escaping functions and use them when building the echo string: implement an escape_property helper (escape % -> %25, \r -> %0D, \n -> %0A, : -> %3A, , -> %2C) and an escape_message helper (escape % -> %25, \r -> %0D, \n -> %0A) and replace direct uses of FILE, LINE and the message CONTENT in the echo with their escaped versions (e.g., ESC_FILE="$(escape_property "$FILE")", ESC_LINE="$(escape_property "$LINE")", ESC_MSG="$(escape_message "$(echo "$CONTENT" | sed 's/^[[:space:]]*//')")") and then emit echo "::warning file=${ESC_FILE},line=${ESC_LINE}::${ESC_MSG}" so special characters cannot break command parsing or inject annotations.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 120-125: The loop emits raw variables into a GitHub Actions
workflow command allowing injected annotations; add proper escaping functions
and use them when building the echo string: implement an escape_property helper
(escape % -> %25, \r -> %0D, \n -> %0A, : -> %3A, , -> %2C) and an
escape_message helper (escape % -> %25, \r -> %0D, \n -> %0A) and replace direct
uses of FILE, LINE and the message CONTENT in the echo with their escaped
versions (e.g., ESC_FILE="$(escape_property "$FILE")",
ESC_LINE="$(escape_property "$LINE")", ESC_MSG="$(escape_message "$(echo
"$CONTENT" | sed 's/^[[:space:]]*//')")") and then emit echo "::warning
file=${ESC_FILE},line=${ESC_LINE}::${ESC_MSG}" so special characters cannot
break command parsing or inject annotations.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 462cee9c-8c34-4156-9456-2a198d1c689b
📒 Files selected for processing (1)
src/security/prerelease-check/action.yml
lerian-studio
added
size/L
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (3)
.github/workflows/pr-security-scan.yml (2)
298-304:⚠️ Potential issue | 🟠 MajorStop hardcoding the Git host/org in CodeQL autobuild.
Lines 303-304 force GitHub.com and
LerianStudio, so private Go module resolution breaks for callers under other orgs or on GHES. Derive both the host and namespace from context or inputs before settinginsteadOfandGOPRIVATE.Suggested fix
- name: Configure private Go modules access if: steps.codeql-config.outputs.skip != 'true' env: TOKEN: ${{ secrets.MANAGE_TOKEN || secrets.GITHUB_TOKEN }} + SERVER_URL: ${{ github.server_url }} + REPO_OWNER: ${{ github.repository_owner }} run: | - git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/" - echo "GOPRIVATE=github.com/LerianStudio/*" >> "$GITHUB_ENV" + host="${SERVER_URL#*://}" + git config --global url."https://x-access-token:${TOKEN}@${host}/".insteadOf "https://${host}/" + echo "GOPRIVATE=${host}/${REPO_OWNER}/*" >> "$GITHUB_ENV"As per coding guidelines: Never hardcode tokens, org names, or internal URLs — always use
inputsorsecrets.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 298 - 304, The workflow currently hardcodes the Git host and org in the CodeQL autobuild step (the git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/" and the echo "GOPRIVATE=github.com/LerianStudio/*" >> "$GITHUB_ENV" lines); change this to compute the host and org from workflow inputs or repository context (e.g., an input like host or using github.server_url and github.repository_owner) and build the insteadOf URL and GOPRIVATE value from those variables, and ensure TOKEN comes from an input/secret (not hardcoded) before writing them to git config and GITHUB_ENV so the step works for other orgs and GHES installations.
222-222:⚠️ Potential issue | 🔴 CriticalReplace temporary feature-branch refs before merge.
This reusable workflow is called from other repositories.
@feat/pr-security-scan-codeql-prereleaseis ephemeral; once that branch is deleted or diverges, callers will stop resolving these composites. Switch all fiveuses:entries to the durable ref you intend to publish with this PR (@developor the release tag).Based on learnings: reusable workflows called from external repositories must reference composites via an absolute external ref, and
@developis an accepted durable ref in this repository.Also applies to: 286-286, 293-293, 312-312, 320-320
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml at line 222, The workflow references an ephemeral branch ref in the uses entries (e.g., "LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease"); update all five occurrences of that uses string to a durable ref you will publish with this PR (for example replace "@feat/pr-security-scan-codeql-prerelease" with "@develop" or a release tag) so external callers resolve the composite reliably; ensure you change every matching uses entry (the five repetitions noted in the comment) to the same stable ref.src/security/prerelease-check/action.yml (1)
151-156:⚠️ Potential issue | 🔴 CriticalEscape workflow-command payloads before emitting annotations.
Line 156 still interpolates
FILE,LINE, and matched content directly into::warning.%, CR/LF,:or,in repository content can break command parsing and inject extra annotations.Suggested fix
+ escape_data() { + local s="$1" + s=${s//'%'/'%25'} + s=${s//$'\r'/'%0D'} + s=${s//$'\n'/'%0A'} + printf '%s' "$s" + } + + escape_property() { + local s + s=$(escape_data "$1") + s=${s//':'/'%3A'} + s=${s//','/'%2C'} + printf '%s' "$s" + } + for f in "${FINDINGS[@]}"; do FILE="${f%%|*}" REST="${f#*|}" LINE="${REST%%:*}" CONTENT="${REST#*:}" - echo "::warning file=${FILE},line=${LINE}::Unstable version pin: $(echo "$CONTENT" | sed 's/^[[:space:]]*//')" + FILE_ESCAPED=$(escape_property "$FILE") + LINE_ESCAPED=$(escape_property "$LINE") + MESSAGE_ESCAPED=$(escape_data "Unstable version pin: $(echo "$CONTENT" | sed 's/^[[:space:]]*//')") + echo "::warning file=${FILE_ESCAPED},line=${LINE_ESCAPED}::${MESSAGE_ESCAPED}" done🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 151 - 156, The workflow is emitting annotations by interpolating FILE, LINE and CONTENT directly into the ::warning command which allows special chars (%, CR/LF, :, ,) to break parsing; update the loop that builds the annotation (the block using variables FILE, LINE and CONTENT and the echo "::warning file=${FILE},line=${LINE}::...") to first escape these values per GitHub Actions command escaping rules (replace % -> %25, \r -> %0D, \n -> %0A, : -> %3A, , -> %2C) and then use the escaped variables in the echo so the annotation payload cannot inject extra annotations or break parsing.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 73-79: The current grep only matches quoted bare prerelease
versions; update the pattern so prerelease pins with range operators are caught
by allowing optional leading range chars. Modify PRERELEASE_PATTERN (used in the
grep call that currently does grep -nE "\"${PRERELEASE_PATTERN}" ) to include an
optional leading character class like [~^<>]=?* or more simply [~^<>]* before
the semver, e.g. change PRERELEASE_PATTERN to include a prefix like '[~^<>]*' so
the grep in the while loop (the line that adds to FINDINGS) will match entries
such as "^1.2.3-rc.1" and "~1.2.3-beta.2" as well as unprefixed "1.2.3-rc.1".
---
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 298-304: The workflow currently hardcodes the Git host and org in
the CodeQL autobuild step (the git config --global
url."https://x-access-token:${TOKEN}@github.com/".insteadOf
"https://github.com/" and the echo "GOPRIVATE=github.com/LerianStudio/*" >>
"$GITHUB_ENV" lines); change this to compute the host and org from workflow
inputs or repository context (e.g., an input like host or using
github.server_url and github.repository_owner) and build the insteadOf URL and
GOPRIVATE value from those variables, and ensure TOKEN comes from an
input/secret (not hardcoded) before writing them to git config and GITHUB_ENV so
the step works for other orgs and GHES installations.
- Line 222: The workflow references an ephemeral branch ref in the uses entries
(e.g.,
"LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease");
update all five occurrences of that uses string to a durable ref you will
publish with this PR (for example replace
"@feat/pr-security-scan-codeql-prerelease" with "@develop" or a release tag) so
external callers resolve the composite reliably; ensure you change every
matching uses entry (the five repetitions noted in the comment) to the same
stable ref.
In `@src/security/prerelease-check/action.yml`:
- Around line 151-156: The workflow is emitting annotations by interpolating
FILE, LINE and CONTENT directly into the ::warning command which allows special
chars (%, CR/LF, :, ,) to break parsing; update the loop that builds the
annotation (the block using variables FILE, LINE and CONTENT and the echo
"::warning file=${FILE},line=${LINE}::...") to first escape these values per
GitHub Actions command escaping rules (replace % -> %25, \r -> %0D, \n -> %0A, :
-> %3A, , -> %2C) and then use the escaped variables in the echo so the
annotation payload cannot inject extra annotations or break parsing.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8c4c32f5-db98-437b-9334-ce530feac43f
📒 Files selected for processing (2)
.github/workflows/pr-security-scan.ymlsrc/security/prerelease-check/action.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 2
♻️ Duplicate comments (2)
src/security/prerelease-check/action.yml (2)
72-79:⚠️ Potential issue | 🟠 MajorCatch npm prereleases hidden behind range operators.
Line 79 only matches quoted bare versions. Entries like
"lib": "^1.2.3-rc.1"and"lib": "~1.2.3-beta.2"bypass the gate completely.Minimal fix
- done < <(grep -nE "\"${PRERELEASE_PATTERN}" "$base/package.json" || true) + done < <(grep -nE "\"[~^<>=]*${PRERELEASE_PATTERN}" "$base/package.json" || true)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 72 - 79, The grep only matches quoted bare prerelease versions and misses range operators; update the package.json scan (the block that reads package.json and uses PRERELEASE_PATTERN) to match prerelease versions even when prefixed by range operators like ^, ~, >=, <=, >, < or =; modify the grep/regex to look for a quoted value after a key that contains optional leading range characters before the version (e.g., match patterns like "lib": "^\s*[\^~<>]=?\s*1.2.3-rc.1") so FINDINGS captures entries such as "^1.2.3-rc.1" and "~1.2.3-beta.2" as well as bare versions. Ensure the change still uses PRERELEASE_PATTERN for the prerelease suffix matching.
151-156:⚠️ Potential issue | 🟠 MajorEscape annotation fields before emitting
::warning.Line 156 writes repo-controlled content directly into a workflow command.
%, carriage return, and newline in the message — and additionally:and,in property values likefile=— can break command parsing and inject extra annotations. EscapeFILEandLINEas workflow-command properties, and escape the trimmed content as workflow-command data before interpolation.In GitHub Actions workflow commands (`::warning file=...,line=...::message`), what escaping is required for message values and property values?🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 151 - 156, The workflow is emitting unescaped repo-controlled values via the echo of "::warning file=${FILE},line=${LINE}::${CONTENT}" which can break annotation parsing; sanitize FILE and LINE as workflow-command property values and CONTENT as workflow-command data by percent-encoding special chars: replace %→%25, CR→%0D, LF→%0A and for property values also encode ':'→%3A and ','→%2C; implement this by transforming FILE and LINE with a small shell helper (or parameter expansion/sed) to perform those substitutions before the echo and use the encoded variables in the ::warning invocation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 164-165: The PR-comment step ("Post PR comment with pre-release
findings") should run whenever a PR token is present (change the step condition
to check only inputs.github-token != '' rather than gating on
steps.scan.outputs.has_findings), and modify the step logic that posts the
shared marker comment "<!-- prerelease-check -->" so that when findings.length
=== 0 it deletes or clears that shared comment (instead of doing nothing).
Locate the posting logic that reads steps.scan.outputs.has_findings and adjust
it to always fetch the findings array, then call the comment deletion/replace
routine when findings.length is zero; when findings exist, continue to upsert
the shared marker comment as before. Ensure the step still only runs on
pull_request and with the provided github-token.
- Around line 36-40: PRERELEASE_PATTERN currently flags any x.y.z-<letter> as
unstable, causing false positives for Docker tags like
python:3.12.2-slim-bookworm; split the logic by introducing a new
DOCKER_PRERELEASE_PATTERN and keep PRERELEASE_PATTERN strictly for semver
prereleases (anchor it to full semver + prerelease identifiers), then update the
workflow checks to use PRERELEASE_PATTERN when validating semantic version tags
and DOCKER_PRERELEASE_PATTERN when validating Docker image tags; reference
PRERELEASE_PATTERN and add DOCKER_PRERELEASE_PATTERN in action.yml and wire the
correct pattern into the places that validate Docker tags.
---
Duplicate comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 72-79: The grep only matches quoted bare prerelease versions and
misses range operators; update the package.json scan (the block that reads
package.json and uses PRERELEASE_PATTERN) to match prerelease versions even when
prefixed by range operators like ^, ~, >=, <=, >, < or =; modify the grep/regex
to look for a quoted value after a key that contains optional leading range
characters before the version (e.g., match patterns like "lib":
"^\s*[\^~<>]=?\s*1.2.3-rc.1") so FINDINGS captures entries such as "^1.2.3-rc.1"
and "~1.2.3-beta.2" as well as bare versions. Ensure the change still uses
PRERELEASE_PATTERN for the prerelease suffix matching.
- Around line 151-156: The workflow is emitting unescaped repo-controlled values
via the echo of "::warning file=${FILE},line=${LINE}::${CONTENT}" which can
break annotation parsing; sanitize FILE and LINE as workflow-command property
values and CONTENT as workflow-command data by percent-encoding special chars:
replace %→%25, CR→%0D, LF→%0A and for property values also encode ':'→%3A and
','→%2C; implement this by transforming FILE and LINE with a small shell helper
(or parameter expansion/sed) to perform those substitutions before the echo and
use the encoded variables in the ::warning invocation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: ebff9092-324c-4fe6-a4ed-d5bdc2abdc04
📒 Files selected for processing (1)
src/security/prerelease-check/action.yml
…ecurity scan PR comment
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (4)
.github/workflows/pr-security-scan.yml (3)
79-87:⚠️ Potential issue | 🟠 MajorFail fast when CodeQL is enabled without languages.
The input description says
enable_codeqlrequirescodeql_languages, but Line 268 just skipscodeql_scanwhen the language list is empty. That turns a caller error into a silent no-op. Add a small validation job or step that exits non-zero when CodeQL is enabled with no languages configured.Also applies to: 265-268
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 79 - 87, The workflow currently treats enable_codeql=true with an empty codeql_languages string as a silent no-op; add a short validation step or job that checks the inputs (enable_codeql and codeql_languages) before the codeql_scan job and exits non-zero when enable_codeql is true but codeql_languages is empty or only whitespace, so callers get a clear failing error; tie the validation as a prerequisite for the codeql_scan job (or run it as an initial job) and surface a clear error message referencing the inputs enable_codeql and codeql_languages.
218-239:⚠️ Potential issue | 🔴 CriticalAlign all internal action refs to the release that contains this feature.
This workflow currently mixes transient
@feat/pr-security-scan-codeql-prereleaserefs withpr-security-reporter@v1.23.1, which is not the implementation being changed in this PR. That leaves the workflow wired to a combination of branch-only actions that disappear after merge and an older reporter version that doesn't track the new prerelease integration. Pin the whole set to the release tag that will contain this change.As per coding guidelines: "In reusable workflows called by external repos, use external composite action references pinned to release tags."
Also applies to: 284-320
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 218 - 239, The workflow mixes a transient branch ref (LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease) with an older reporter tag (pr-security-reporter@v1.23.1); update both uses so they point to the same stable release tag that contains this prerelease integration (replace the feat/... ref and the v1.23.1 ref with the unified release tag), and make the same replacements for the other occurrences noted (the block around lines 284-320) so all internal action refs are pinned consistently to that release tag.
298-304:⚠️ Potential issue | 🟠 MajorDon't hardcode
LerianStudiointo reusable CodeQL autobuild.Line 304 bakes
github.com/LerianStudio/*into a shared workflow. Callers with private Go modules under a different owner or host will still fail the autobuild even if they provide a valid token. Move this pattern to an input, or derive it from repository context.As per coding guidelines: "Never hardcode tokens, org names, or internal URLs — always use
inputsorsecrets."🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 298 - 304, The shared workflow step "Configure private Go modules access" currently hardcodes GOPRIVATE to "github.com/LerianStudio/*"; change it to accept a caller-provided value (e.g., an input like inputs.goprivate or an env var) or derive it from the repository context (e.g., using github.repository_owner or github.repository) instead of baking the org name; update the step that sets GOPRIVATE so it uses the input/env/derived value while keeping the TOKEN behavior the same, and document the new input name so callers can supply their private module pattern.src/security/prerelease-check/action.yml (1)
32-36:⚠️ Potential issue | 🟠 MajorThe prerelease matcher still misclassifies npm and Docker entries.
package.jsonscanning only matches bare quoted prerelease versions, so common pins like"^1.2.3-rc.1"or"~1.2.3-beta.2"still bypass the gate. The same genericx.y.z-<letter>regex is then reused for Docker tags, which will flag stable variants likepython:3.12.2-slim-bookwormornode:20.11.1-alpine3.19. Split the Docker matcher from the semver matcher and allow optional npm range operators.Also applies to: 68-88
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 32 - 36, Update the prerelease detection by splitting the single PRERELEASE_PATTERN into two focused patterns: (1) PRERELEASE_PATTERN used for package.json/NPM scans should accept optional npm range operators (e.g., ^, ~, >=, <=, =) and match semver with a prerelease that starts with a letter and uses dot-separated identifiers (so it will catch "^1.2.3-rc.1" and "~1.2.3-beta.2"); (2) DOCKER_PRERELEASE_PATTERN used for Docker tags should be stricter and anchored to the whole tag, matching only pure semver prereleases where the prerelease portion is dot-separated identifiers (no extra hyphen-separated segments like "-slim-bookworm"), so replace the shared PRERELEASE_PATTERN with these two targeted patterns and update code paths that reference PRERELEASE_PATTERN to use DOCKER_PRERELEASE_PATTERN for Docker tag checks and PRERELEASE_PATTERN for package.json/NPM checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/prerelease-check/action.yml`:
- Around line 14-20: Add the missing composite action output named artifact-file
to the outputs: block so the composite exports the artifact path (set value to
${{ steps.scan.outputs.artifact_file }} and add a brief description), and update
the workflow invocation to use the kebab-case output name artifact-file (replace
references to artifact_file with artifact-file) so the pr-security-reporter
receives the JSON artifact path; locate the outputs block and the lines that set
steps.scan.outputs.artifact_file and the workflow step that passes
prerelease-check outputs to pr-security-reporter (use the symbols outputs,
artifact-file, steps.scan.outputs.artifact_file, and
steps.prerelease-check.outputs.artifact-file to find the spots).
---
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 79-87: The workflow currently treats enable_codeql=true with an
empty codeql_languages string as a silent no-op; add a short validation step or
job that checks the inputs (enable_codeql and codeql_languages) before the
codeql_scan job and exits non-zero when enable_codeql is true but
codeql_languages is empty or only whitespace, so callers get a clear failing
error; tie the validation as a prerequisite for the codeql_scan job (or run it
as an initial job) and surface a clear error message referencing the inputs
enable_codeql and codeql_languages.
- Around line 218-239: The workflow mixes a transient branch ref
(LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease)
with an older reporter tag (pr-security-reporter@v1.23.1); update both uses so
they point to the same stable release tag that contains this prerelease
integration (replace the feat/... ref and the v1.23.1 ref with the unified
release tag), and make the same replacements for the other occurrences noted
(the block around lines 284-320) so all internal action refs are pinned
consistently to that release tag.
- Around line 298-304: The shared workflow step "Configure private Go modules
access" currently hardcodes GOPRIVATE to "github.com/LerianStudio/*"; change it
to accept a caller-provided value (e.g., an input like inputs.goprivate or an
env var) or derive it from the repository context (e.g., using
github.repository_owner or github.repository) instead of baking the org name;
update the step that sets GOPRIVATE so it uses the input/env/derived value while
keeping the TOKEN behavior the same, and document the new input name so callers
can supply their private module pattern.
In `@src/security/prerelease-check/action.yml`:
- Around line 32-36: Update the prerelease detection by splitting the single
PRERELEASE_PATTERN into two focused patterns: (1) PRERELEASE_PATTERN used for
package.json/NPM scans should accept optional npm range operators (e.g., ^, ~,
>=, <=, =) and match semver with a prerelease that starts with a letter and uses
dot-separated identifiers (so it will catch "^1.2.3-rc.1" and "~1.2.3-beta.2");
(2) DOCKER_PRERELEASE_PATTERN used for Docker tags should be stricter and
anchored to the whole tag, matching only pure semver prereleases where the
prerelease portion is dot-separated identifiers (no extra hyphen-separated
segments like "-slim-bookworm"), so replace the shared PRERELEASE_PATTERN with
these two targeted patterns and update code paths that reference
PRERELEASE_PATTERN to use DOCKER_PRERELEASE_PATTERN for Docker tag checks and
PRERELEASE_PATTERN for package.json/NPM checks.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: fae3ff47-9ea2-4e9c-99cf-74a12b267c5b
📒 Files selected for processing (3)
.github/workflows/pr-security-scan.ymlsrc/security/pr-security-reporter/action.ymlsrc/security/prerelease-check/action.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (2)
.github/workflows/pr-security-scan.yml (2)
96-103:⚠️ Potential issue | 🟠 MajorThis new prerelease gate is caller-breaking at
default: true.Existing consumers do not need to change their caller YAML to get broken by this: upgrading to a ref that contains this workflow is enough to start failing PRs when
-betaor-rcpins exist onmainorrelease-candidate. Ship it opt-in first, or only behind a new version boundary.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 96 - 103, The new workflow input enable_prerelease_check is breaking callers by default (default: true) so PRs start failing without opt-in; change the input to be opt-in by setting enable_prerelease_check default to false (or remove the default so callers must set it) and keep prerelease_block_branches as-is; alternatively gate this behind a new major/workflow-version flag so existing consumers are not affected. Ensure you update any documentation/README to note the new opt-in behavior and reference the enable_prerelease_check and prerelease_block_branches inputs.
218-222:⚠️ Potential issue | 🔴 CriticalReplace the feature-branch refs before merge.
These
uses:entries point at@feat/pr-security-scan-codeql-prerelease. External callers of this reusable workflow will stop resolving them as soon as that branch is deleted or diverges. Pin these composites to the release tag that will ship this change.As per coding guidelines, "
LerianStudio/*actions must use release tags (@v1.2.3) or branches (@developfor testing); no SHA pinning needed for org-owned actions`."Also applies to: 228-231, 284-286, 291-293, 310-320
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 218 - 222, The workflow currently references feature-branch refs in the reusable workflow `uses:` entries (e.g., `LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease`) which will break after the branch is deleted; update these `uses:` values to point to the appropriate release tag (for example `@vX.Y.Z`) or the agreed test branch (`@develop`) for all occurrences mentioned (lines around the `Pre-release Version Check` step and the other `uses:` blocks at 228-231, 284-286, 291-293, 310-320) so external callers resolve consistently. Ensure you replace the feature-branch suffix only (keep the repo/path `LerianStudio/github-actions-shared-workflows/...`) and use the final release tag that will ship this change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 88-91: The workflow currently sets codeql_fail_on_findings default
to true which will make CodeQL blocking; change the default value of the input
named codeql_fail_on_findings to false and ensure the reporter's
fail-on-findings input (the mapping that consumes codeql_fail_on_findings when
enable_codeql is true) continues to use that input so the reporter remains
non-blocking during rollout; reference the input symbol codeql_fail_on_findings
and the reporter parameter fail-on-findings (and the flag enable_codeql) when
making this change.
---
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 96-103: The new workflow input enable_prerelease_check is breaking
callers by default (default: true) so PRs start failing without opt-in; change
the input to be opt-in by setting enable_prerelease_check default to false (or
remove the default so callers must set it) and keep prerelease_block_branches
as-is; alternatively gate this behind a new major/workflow-version flag so
existing consumers are not affected. Ensure you update any documentation/README
to note the new opt-in behavior and reference the enable_prerelease_check and
prerelease_block_branches inputs.
- Around line 218-222: The workflow currently references feature-branch refs in
the reusable workflow `uses:` entries (e.g.,
`LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease`)
which will break after the branch is deleted; update these `uses:` values to
point to the appropriate release tag (for example `@vX.Y.Z`) or the agreed test
branch (`@develop`) for all occurrences mentioned (lines around the `Pre-release
Version Check` step and the other `uses:` blocks at 228-231, 284-286, 291-293,
310-320) so external callers resolve consistently. Ensure you replace the
feature-branch suffix only (keep the repo/path
`LerianStudio/github-actions-shared-workflows/...`) and use the final release
tag that will ship this change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: c474f004-7772-4464-85a6-f256a099b07c
📒 Files selected for processing (1)
.github/workflows/pr-security-scan.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
♻️ Duplicate comments (7)
.github/workflows/pr-security-scan.yml (4)
88-91:⚠️ Potential issue | 🟠 MajorKeep CodeQL non-blocking during the rollout.
Line 324 passes this input straight into
codeql-reporter, so defaultingcodeql_fail_on_findingstotruemakes the first opt-in immediately block on the existing CodeQL baseline.Suggested fix
codeql_fail_on_findings: description: 'Fail the workflow when CodeQL detects security issues' type: boolean - default: true + default: falseBased on learnings,
.github/workflows/pr-security-scan.ymlintentionally keeps the CodeQL reporter non-blocking during the initial rollout to avoid failing repos on existing baseline alerts.Also applies to: 318-324
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 88 - 91, The workflow default for the input codeql_fail_on_findings is set to true which will make CodeQL reporter block on existing baseline findings; change the default to false so CodeQL remains non-blocking during rollout and ensure the codeql-reporter invocation still reads the input variable codeql_fail_on_findings (keep the input name and its usage unchanged, only flip the default to false).
298-304:⚠️ Potential issue | 🟠 Major
GOPRIVATEis hardcoded toLerianStudio.Any caller that needs private Go modules outside that org will still fail CodeQL autobuild even with a valid token. Derive the pattern from workflow context or expose it as an input.
As per coding guidelines, reusable workflows should not hardcode org names; parameterize them via inputs or context.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 298 - 304, The workflow step "Configure private Go modules access" hardcodes GOPRIVATE to "github.com/LerianStudio/*" causing failures for callers outside that org; change this to derive the pattern from workflow inputs or context (e.g., an input like `private_orgs` or use `github.repository_owner`/a provided `org` input) and set GOPRIVATE from that value, ensure the `TOKEN` and git config usage remain but replace the hardcoded string with the parameterized variable so the step works for any organization or list of orgs.
222-231:⚠️ Potential issue | 🔴 CriticalDo not ship reusable-workflow
uses:refs pointing at this PR branch.These
@feat/pr-security-scan-codeql-prereleaserefs only resolve while the branch exists. Once it is merged and the branch is deleted, external callers ofpr-security-scan.ymlwill not be able to load the composites.As per coding guidelines, reusable workflows must reference shared composites via stable external release refs, not ephemeral feature branches.
Also applies to: 286-320
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 222 - 231, The workflow currently references ephemeral branch refs in the reusable workflow `uses:` lines (e.g., `LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease` and `LerianStudio/github-actions-shared-workflows/src/security/pr-security-reporter@feat/pr-security-scan-codeql-prerelease`), which will break for external callers once the branch is deleted; change these `uses:` refs to a stable external release tag or commit SHA (for both the block shown and the other occurrences around lines 286-320) so the reusable composites are referenced by a permanent tag (e.g., `@vX.Y.Z` or a pinned SHA) instead of the feature branch name.
79-87:⚠️ Potential issue | 🟠 MajorFail fast when CodeQL is enabled without languages.
The
codeql_scanjob condition just skips the entire job whenenable_codeqlistrueandcodeql_languagesis blank. That makes caller misconfiguration look green instead of surfacing an actionable error.Also applies to: 266-268
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 79 - 87, The workflow currently allows enable_codeql to be true while codeql_languages is empty, which silently skips the codeql_scan job; update the workflow to fail fast when enable_codeql is true but codeql_languages is blank by adding a validation check (e.g., a small preliminary job or a step at the top of the codeql_scan job) that inspects the enable_codeql and codeql_languages inputs and exits with a non-zero status and clear error message if enable_codeql is true and codeql_languages is empty; ensure this validation references the input names enable_codeql and codeql_languages and also add the same check where the duplicate logic exists (the other occurrence around the codeql_scan condition at the second location mentioned).src/security/prerelease-check/action.yml (3)
150-155:⚠️ Potential issue | 🟠 MajorEscape annotation properties and message before emitting
::warning.
FILE,LINE, andCONTENTcome from scanned repository files. Unescaped%, CR/LF,:or,can break the workflow command parser and inject malformed annotations into the log. Apply GitHub's property escaping tofile/lineand message escaping to the annotation body before writing the command.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 150 - 155, The loop emitting GitHub workflow annotations (for f in "${FINDINGS[@]}", using FILE, LINE, CONTENT) currently writes raw values and can break the parser; add two escaping helpers (e.g., escape_property and escape_message) and use them before emitting the annotation: apply GitHub property escaping to FILE and LINE (escape % → %25, \r → %0D, \n → %0A, : → %3A, , → %2C) and apply message escaping to the annotation body (escape % → %25, \r → %0D, \n → %0A, and any special sequences per GitHub guidance) and then replace the echo line with a call that writes ::warning file=<escaped FILE>,line=<escaped LINE>::<escaped message> so all values are safe.
72-78:⚠️ Potential issue | 🟠 MajorRange-prefixed npm prereleases still bypass the gate.
grep -nE "\"${PRERELEASE_PATTERN}"only catches bare quoted versions. Entries like"^1.2.3-rc.1"or"~1.2.3-beta.2"inpackage.jsonstay invisible, so this can report a false clean scan.Suggested fix
- done < <(grep -nE "\"${PRERELEASE_PATTERN}" "$base/package.json" || true) + done < <(grep -nE "\"[~^<>=]*${PRERELEASE_PATTERN}" "$base/package.json" || true)As per coding guidelines, the prerelease gate must scan
package.jsonfor unstable version pins, and range-prefixed semver pins are part of that surface.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 72 - 78, The grep currently only matches a bare quoted version and misses range-prefixed semver pins; update the package.json scan (the loop that uses PRERELEASE_PATTERN inside the block that checks if [ -f "$base/package.json" ]) to match an opening quote followed by optional range operators/whitespace (e.g. caret, tilde, <, >, =, *) before the semver so range-prefixed entries like "^1.2.3-rc.1" or "~1.2.3-beta.2" are detected; keep the existing use of PRERELEASE_PATTERN and ensure FINDINGS still records "${base}/package.json|$match" and that already_seen/SEEN_FILES logic remains unchanged.
35-39:⚠️ Potential issue | 🟠 MajorGeneric semver matching will flag stable Docker variant tags.
:${PRERELEASE_PATTERN}matches stable image tags likepython:3.12.2-slim-bookwormandnode:20.11.1-alpine3.19. With this check enabled by default in the workflow, that becomes a high-noise false-positive source.As per coding guidelines, Dockerfile scanning here is meant to catch unstable
-beta/-rc-style pins, not stable image flavor suffixes.Also applies to: 82-91
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 35 - 39, The current PRERELEASE_PATTERN is too generic and matches stable Docker flavor tags; change the pattern to explicitly match only known pre-release tokens (e.g., alpha, beta, rc, dev, preview, canary, snapshot) instead of any letter after the hyphen so it won't flag stable variants like "slim-bookworm" or "alpine3.19"; update the PRERELEASE_PATTERN definition and the equivalent checks referenced around the other occurrence (lines ~82-91) to use an explicit token-alternative regex (e.g., a non-capturing group of allowed tokens with word-boundary) so only unstable pre-release suffixes are detected.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 228-239: The "Post Security Scan Results to PR" step (id:
post-results) is currently making prerelease findings blocking by passing
fail-on-findings: 'true' to the LerianStudio pr-security-reporter action
(prerelease-findings-file), which ignores the workflow's
prerelease_block_branches logic; change the invocation so prerelease findings
are not unconditionally fatal (e.g., set fail-on-findings to 'false' here) and
instead apply a branch-aware gate that fails only when the current branch is
listed in prerelease_block_branches (use a conditional that tests membership of
github.ref_name against prerelease_block_branches or call the reporter with a
fail-on-prerelease flag computed from that check), ensuring the action receives
non-failing reporting and the workflow enforces prerelease_block_branches later.
---
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 88-91: The workflow default for the input codeql_fail_on_findings
is set to true which will make CodeQL reporter block on existing baseline
findings; change the default to false so CodeQL remains non-blocking during
rollout and ensure the codeql-reporter invocation still reads the input variable
codeql_fail_on_findings (keep the input name and its usage unchanged, only flip
the default to false).
- Around line 298-304: The workflow step "Configure private Go modules access"
hardcodes GOPRIVATE to "github.com/LerianStudio/*" causing failures for callers
outside that org; change this to derive the pattern from workflow inputs or
context (e.g., an input like `private_orgs` or use `github.repository_owner`/a
provided `org` input) and set GOPRIVATE from that value, ensure the `TOKEN` and
git config usage remain but replace the hardcoded string with the parameterized
variable so the step works for any organization or list of orgs.
- Around line 222-231: The workflow currently references ephemeral branch refs
in the reusable workflow `uses:` lines (e.g.,
`LerianStudio/github-actions-shared-workflows/src/security/prerelease-check@feat/pr-security-scan-codeql-prerelease`
and
`LerianStudio/github-actions-shared-workflows/src/security/pr-security-reporter@feat/pr-security-scan-codeql-prerelease`),
which will break for external callers once the branch is deleted; change these
`uses:` refs to a stable external release tag or commit SHA (for both the block
shown and the other occurrences around lines 286-320) so the reusable composites
are referenced by a permanent tag (e.g., `@vX.Y.Z` or a pinned SHA) instead of
the feature branch name.
- Around line 79-87: The workflow currently allows enable_codeql to be true
while codeql_languages is empty, which silently skips the codeql_scan job;
update the workflow to fail fast when enable_codeql is true but codeql_languages
is blank by adding a validation check (e.g., a small preliminary job or a step
at the top of the codeql_scan job) that inspects the enable_codeql and
codeql_languages inputs and exits with a non-zero status and clear error message
if enable_codeql is true and codeql_languages is empty; ensure this validation
references the input names enable_codeql and codeql_languages and also add the
same check where the duplicate logic exists (the other occurrence around the
codeql_scan condition at the second location mentioned).
In `@src/security/prerelease-check/action.yml`:
- Around line 150-155: The loop emitting GitHub workflow annotations (for f in
"${FINDINGS[@]}", using FILE, LINE, CONTENT) currently writes raw values and can
break the parser; add two escaping helpers (e.g., escape_property and
escape_message) and use them before emitting the annotation: apply GitHub
property escaping to FILE and LINE (escape % → %25, \r → %0D, \n → %0A, : → %3A,
, → %2C) and apply message escaping to the annotation body (escape % → %25, \r →
%0D, \n → %0A, and any special sequences per GitHub guidance) and then replace
the echo line with a call that writes ::warning file=<escaped
FILE>,line=<escaped LINE>::<escaped message> so all values are safe.
- Around line 72-78: The grep currently only matches a bare quoted version and
misses range-prefixed semver pins; update the package.json scan (the loop that
uses PRERELEASE_PATTERN inside the block that checks if [ -f
"$base/package.json" ]) to match an opening quote followed by optional range
operators/whitespace (e.g. caret, tilde, <, >, =, *) before the semver so
range-prefixed entries like "^1.2.3-rc.1" or "~1.2.3-beta.2" are detected; keep
the existing use of PRERELEASE_PATTERN and ensure FINDINGS still records
"${base}/package.json|$match" and that already_seen/SEEN_FILES logic remains
unchanged.
- Around line 35-39: The current PRERELEASE_PATTERN is too generic and matches
stable Docker flavor tags; change the pattern to explicitly match only known
pre-release tokens (e.g., alpha, beta, rc, dev, preview, canary, snapshot)
instead of any letter after the hyphen so it won't flag stable variants like
"slim-bookworm" or "alpine3.19"; update the PRERELEASE_PATTERN definition and
the equivalent checks referenced around the other occurrence (lines ~82-91) to
use an explicit token-alternative regex (e.g., a non-capturing group of allowed
tokens with word-boundary) so only unstable pre-release suffixes are detected.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: e1f1a221-6460-4b43-9f25-f733a7c2a247
📒 Files selected for processing (2)
.github/workflows/pr-security-scan.ymlsrc/security/prerelease-check/action.yml
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
There was a problem hiding this comment.
♻️ Duplicate comments (6)
.github/workflows/pr-security-scan.yml (3)
81-89:⚠️ Potential issue | 🟠 MajorFail fast when
enable_codeqlis true butcodeql_languagesis empty.Lines 81-89 describe
codeql_languagesas required when CodeQL is enabled, but Line 271 just skips the entire job if the value is blank. That hides caller misconfiguration and silently drops the scan instead of surfacing an actionable error.Also applies to: 269-271
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 81 - 89, The workflow currently allows enable_codeql=true while codeql_languages is blank and silently skips the job; update the workflow to fail fast when enable_codeql is true but codeql_languages is empty by adding an explicit validation step: detect the combination of inputs (enable_codeql and codeql_languages) at the start of the job (or in the job's if/validation step), and if enable_codeql is true and codeql_languages is empty, emit a clear error and exit non‑zero (or mark the job as failed) so callers see the misconfiguration; reference the input names enable_codeql and codeql_languages when locating where to add the check.
90-93:⚠️ Potential issue | 🟠 MajorKeep CodeQL non-blocking by default during the rollout.
Line 93 defaults
codeql_fail_on_findingstotrue, and Line 327 forwards it directly. Any caller that enables CodeQL will start failing on the existing baseline alerts unless it already knows to override the new input.Suggested fix
codeql_fail_on_findings: description: 'Fail the workflow when CodeQL detects security issues' type: boolean - default: true + default: falseBased on learnings,
.github/workflows/pr-security-scan.ymlintentionally keeps the CodeQL reporterfail-on-findings: 'false'during the rollout period to avoid blocking PRs on existing baseline alerts.Also applies to: 321-327
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 90 - 93, The workflow input codeql_fail_on_findings currently defaults to true which makes CodeQL blocking by default; change its default to false so CodeQL remains non-blocking during rollout and ensure any places that forward this input (the job step that sets fail-on-findings) continue to use the codeql_fail_on_findings value unchanged (look for the input/key named codeql_fail_on_findings and the action step parameter fail-on-findings to update the default only).
231-242:⚠️ Potential issue | 🔴 CriticalThis makes prerelease findings blocking on every branch.
Line 241 passes the prerelease JSON into
pr-security-reporter, and Line 242 keepsfail-on-findings: 'true'. Insrc/security/pr-security-reporter/action.yml:166-221, prerelease entries sethasFindings = true, so the job can fail before Lines 244-266 applyprerelease_block_branches. Prerelease findings need a separate non-blocking path in the reporter, or a dedicated branch-aware prerelease gate inside the reporter itself.As per coding guidelines, pre-release findings should hard-fail only on branches listed in
prerelease_block_branches; otherwise they are warnings.Also applies to: 244-266
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-security-scan.yml around lines 231 - 242, The post-results step currently treats prerelease findings as blocking by setting fail-on-findings: 'true' while also passing prerelease-findings-file; change the step so fail-on-findings is conditional and only true when the current branch is listed in prerelease_block_branches (or when a dedicated prerelease-block flag/input is true). Specifically, update the post-results step that uses LerianStudio/.../pr-security-reporter to compute fail-on-findings from a conditional expression that checks the current branch (github.head_ref or github.ref_name) against the prerelease_block_branches input (or a step output from your prerelease-check), and keep passing prerelease-findings-file; alternatively, modify the pr-security-reporter action to accept a new input (e.g., treat-prerelease-as-blocking) and only set hasFindings=true for prerelease entries when that input is true so prerelease warnings remain non-blocking by default.src/security/prerelease-check/action.yml (3)
35-39:⚠️ Potential issue | 🟠 MajorDo not reuse the generic semver regex for Docker tags.
Lines 39 and 91 treat any
x.y.z-<letter>suffix as unstable. That falsely flags stable tags likepython:3.12.2-slim-bookwormandnode:20.11.1-alpine3.19, and it also misses common prerelease tags with avprefix such asmyimage:v1.2.3-rc.1. Docker needs its own prerelease pattern.As per coding guidelines,
src/security/prerelease-check/action.ymlmust allow stable pins while flagging only unstable pre-release versions.Also applies to: 83-91
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 35 - 39, The PRERELEASE_PATTERN variable currently flags any x.y.z-<letter> suffix and misclassifies many Docker tags; create a separate Docker-specific prerelease regex (e.g., DOCKER_PRERELEASE_PATTERN) that (1) allows common stable Docker suffixes like "-slim-...", "-alpine...", numeric components, and distro names, and (2) still matches true prereleases like "v1.2.3-rc.1" and "myimage:v1.2.3-rc.1" (handle optional leading 'v'). Replace usages at the two locations that apply to Docker (the checks referenced by the existing lines using PRERELEASE_PATTERN) to use DOCKER_PRERELEASE_PATTERN for Docker/image tag checks while keeping PRERELEASE_PATTERN for generic semver checks so stable Docker tags aren’t falsely flagged; update variable names and the matching logic where referenced to ensure correct pattern is applied.
150-155:⚠️ Potential issue | 🟠 MajorEscape annotation properties and message data before emitting
::warning.Line 155 writes
FILE,LINE, and the matched content directly into a workflow command. Repository content can contain%, CR/LF,:, or,, which breaks annotation parsing and allows extra annotations to be injected. Escape message data and property values separately before building the command.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 150 - 155, The current loop emits a GitHub Actions workflow command using FILE, LINE, and CONTENT directly which allows special characters (%, CR/LF, :, ,) to break annotation parsing or inject extra annotations; update the script to escape annotation property values and message text separately before echoing the command: implement small helper routines (e.g., escape_property and escape_message) that percent-encode % -> %25, carriage return -> %0D, newline -> %0A for both, and also encode ':' and ',' for property values as %3A and %2C, then use those helpers to produce the echo in the loop (replace direct use of FILE, LINE, CONTENT in the ::warning file=...,line=...:: message with the escaped versions) so annotation parsing cannot be broken or injected into.
72-78:⚠️ Potential issue | 🟠 MajorMatch prerelease ranges in
package.json.Line 78 only catches bare quoted versions. Common dependency specs like
"^1.2.3-rc.1"and"~1.2.3-beta.2"bypass the gate entirely.Suggested fix
- done < <(grep -nE "\"${PRERELEASE_PATTERN}" "$base/package.json" || true) + done < <(grep -nE "\"[~^<>=]*${PRERELEASE_PATTERN}" "$base/package.json" || true)As per coding guidelines,
src/security/prerelease-check/action.ymlmust scanpackage.jsonfor unstable pinned versions whose suffix starts with a letter.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/security/prerelease-check/action.yml` around lines 72 - 78, The current grep invocation in the package.json scan only matches bare quoted versions and misses common range prefixes like ^ or ~; update the grep pattern used in the while loop that feeds FINDINGS (the line using grep -nE "\"${PRERELEASE_PATTERN}" "$base/package.json") so it also matches dependency specs with optional leading range operators and a prerelease suffix that starts with a letter (e.g. ^1.2.3-rc.1 or ~1.2.3-beta.2). Concretely, extend PRERELEASE_PATTERN (or replace the inline pattern) to allow optional range chars before the numeric semver and require a hyphen followed by a letter ([A-Za-z]) in the prerelease identifier, then keep the same read loop that appends to FINDINGS and SEEN_FILES (functions/variables: already_seen, SEEN_FILES, FINDINGS) so those entries are captured.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/pr-security-scan.yml:
- Around line 81-89: The workflow currently allows enable_codeql=true while
codeql_languages is blank and silently skips the job; update the workflow to
fail fast when enable_codeql is true but codeql_languages is empty by adding an
explicit validation step: detect the combination of inputs (enable_codeql and
codeql_languages) at the start of the job (or in the job's if/validation step),
and if enable_codeql is true and codeql_languages is empty, emit a clear error
and exit non‑zero (or mark the job as failed) so callers see the
misconfiguration; reference the input names enable_codeql and codeql_languages
when locating where to add the check.
- Around line 90-93: The workflow input codeql_fail_on_findings currently
defaults to true which makes CodeQL blocking by default; change its default to
false so CodeQL remains non-blocking during rollout and ensure any places that
forward this input (the job step that sets fail-on-findings) continue to use the
codeql_fail_on_findings value unchanged (look for the input/key named
codeql_fail_on_findings and the action step parameter fail-on-findings to update
the default only).
- Around line 231-242: The post-results step currently treats prerelease
findings as blocking by setting fail-on-findings: 'true' while also passing
prerelease-findings-file; change the step so fail-on-findings is conditional and
only true when the current branch is listed in prerelease_block_branches (or
when a dedicated prerelease-block flag/input is true). Specifically, update the
post-results step that uses LerianStudio/.../pr-security-reporter to compute
fail-on-findings from a conditional expression that checks the current branch
(github.head_ref or github.ref_name) against the prerelease_block_branches input
(or a step output from your prerelease-check), and keep passing
prerelease-findings-file; alternatively, modify the pr-security-reporter action
to accept a new input (e.g., treat-prerelease-as-blocking) and only set
hasFindings=true for prerelease entries when that input is true so prerelease
warnings remain non-blocking by default.
In `@src/security/prerelease-check/action.yml`:
- Around line 35-39: The PRERELEASE_PATTERN variable currently flags any
x.y.z-<letter> suffix and misclassifies many Docker tags; create a separate
Docker-specific prerelease regex (e.g., DOCKER_PRERELEASE_PATTERN) that (1)
allows common stable Docker suffixes like "-slim-...", "-alpine...", numeric
components, and distro names, and (2) still matches true prereleases like
"v1.2.3-rc.1" and "myimage:v1.2.3-rc.1" (handle optional leading 'v'). Replace
usages at the two locations that apply to Docker (the checks referenced by the
existing lines using PRERELEASE_PATTERN) to use DOCKER_PRERELEASE_PATTERN for
Docker/image tag checks while keeping PRERELEASE_PATTERN for generic semver
checks so stable Docker tags aren’t falsely flagged; update variable names and
the matching logic where referenced to ensure correct pattern is applied.
- Around line 150-155: The current loop emits a GitHub Actions workflow command
using FILE, LINE, and CONTENT directly which allows special characters (%,
CR/LF, :, ,) to break annotation parsing or inject extra annotations; update the
script to escape annotation property values and message text separately before
echoing the command: implement small helper routines (e.g., escape_property and
escape_message) that percent-encode % -> %25, carriage return -> %0D, newline ->
%0A for both, and also encode ':' and ',' for property values as %3A and %2C,
then use those helpers to produce the echo in the loop (replace direct use of
FILE, LINE, CONTENT in the ::warning file=...,line=...:: message with the
escaped versions) so annotation parsing cannot be broken or injected into.
- Around line 72-78: The current grep invocation in the package.json scan only
matches bare quoted versions and misses common range prefixes like ^ or ~;
update the grep pattern used in the while loop that feeds FINDINGS (the line
using grep -nE "\"${PRERELEASE_PATTERN}" "$base/package.json") so it also
matches dependency specs with optional leading range operators and a prerelease
suffix that starts with a letter (e.g. ^1.2.3-rc.1 or ~1.2.3-beta.2).
Concretely, extend PRERELEASE_PATTERN (or replace the inline pattern) to allow
optional range chars before the numeric semver and require a hyphen followed by
a letter ([A-Za-z]) in the prerelease identifier, then keep the same read loop
that appends to FINDINGS and SEEN_FILES (functions/variables: already_seen,
SEEN_FILES, FINDINGS) so those entries are captured.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: e6bda720-5fd8-4e80-a5b5-ea71b99d0a0c
📒 Files selected for processing (4)
.github/workflows/pr-security-scan.ymlsrc/security/codeql-analyze/action.ymlsrc/security/codeql-init/action.ymlsrc/security/prerelease-check/action.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/pr-security-scan-workflow.md (1)
137-142:⚠️ Potential issue | 🟡 MinorRemove the stale Docker Scout note from the non-Docker example.
Line 141 says
enable_docker_scan: falseskips Docker Scout analysis, but this workflow no longer runs Docker Scout. That line is now outdated and conflicts with the health-score / pre-release flow documented below.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/pr-security-scan-workflow.md` around lines 137 - 142, Remove the stale Docker Scout mention from the non-Docker example: update the bullet list that follows the example so it no longer claims "❌ Skip Docker Scout analysis" (and/or any text tying that behavior to the configuration key `enable_docker_scan: false`), leaving only accurate items like Trivy filesystem secret scanning and Docker build/scan status; ensure the doc's bullets align with the current health-score / pre-release flow and the fact Docker Scout is not run here.
♻️ Duplicate comments (1)
docs/pr-security-scan-workflow.md (1)
252-262:⚠️ Potential issue | 🟡 MinorThe remaining SARIF wording is still unconditional.
These sections still say CodeQL analysis uploads SARIF whenever the job runs, but
codeql_upload_sarifdefaults tofalse. Callers following this doc will expect Security-tab results that never appear until they opt in.Also applies to: 541-547
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/pr-security-scan-workflow.md` around lines 252 - 262, Update the Job 3: codeql_scan documentation to make SARIF upload wording conditional: clearly state that SARIF is uploaded only when the configuration option codeql_upload_sarif is true (it defaults to false), and adjust the descriptions for "Perform CodeQL Analysis" and "Post CodeQL Results" to reflect that upload/PR security-tab results are optional; apply the same conditional wording change to the other occurrence of the SARIF wording referenced in the doc so both places consistently note codeql_upload_sarif defaults to false and must be enabled to see Security-tab results.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/pr-security-reporter/action.yml`:
- Around line 287-314: If PRERELEASE_FINDINGS_FILE is set but the file is
missing, unreadable, unparsable, or the parsed value is not an array, treat this
as a scan error (only a genuine empty array should be considered success);
update the helper that reads PRERELEASE_FINDINGS_FILE to return a non-success
error section string (with an error/alert icon and explanatory text) in those
failure cases so the reporter's gate sees findings, and ensure this path results
in hasFindings being effectively true for the gate in
prerelease-check/action.yml rather than returning the green "No unstable version
pins found" message.
---
Outside diff comments:
In `@docs/pr-security-scan-workflow.md`:
- Around line 137-142: Remove the stale Docker Scout mention from the non-Docker
example: update the bullet list that follows the example so it no longer claims
"❌ Skip Docker Scout analysis" (and/or any text tying that behavior to the
configuration key `enable_docker_scan: false`), leaving only accurate items like
Trivy filesystem secret scanning and Docker build/scan status; ensure the doc's
bullets align with the current health-score / pre-release flow and the fact
Docker Scout is not run here.
---
Duplicate comments:
In `@docs/pr-security-scan-workflow.md`:
- Around line 252-262: Update the Job 3: codeql_scan documentation to make SARIF
upload wording conditional: clearly state that SARIF is uploaded only when the
configuration option codeql_upload_sarif is true (it defaults to false), and
adjust the descriptions for "Perform CodeQL Analysis" and "Post CodeQL Results"
to reflect that upload/PR security-tab results are optional; apply the same
conditional wording change to the other occurrence of the SARIF wording
referenced in the doc so both places consistently note codeql_upload_sarif
defaults to false and must be enabled to see Security-tab results.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 66ad5a69-b605-4687-bd06-2cf269e12eaf
📒 Files selected for processing (5)
.github/workflows/self-pr-validation.ymldocs/pr-security-scan-workflow.mdsrc/security/pr-security-reporter/action.ymlsrc/security/prerelease-check/README.mdsrc/security/prerelease-check/action.yml
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/self-pr-validation.yml (1)
206-212:⚠️ Potential issue | 🟠 MajorGuard SARIF upload for fork PRs to prevent permission failures.
The
upload: 'true'setting on line 211 is unconditional. When this workflow runs on apull_requestfrom a fork, GitHub Actions downgrades theGITHUB_TOKENpermissions regardless of the workflow's declaredsecurity-events: write. The CodeQL analysis step will fail because the forked PR lacks permission to upload results.Suggested fix
- name: Perform CodeQL Analysis if: steps.codeql-config.outputs.skip != 'true' uses: ./src/security/codeql-analyze with: category: '/language:actions' - upload: 'true' + upload: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/self-pr-validation.yml around lines 206 - 212, The "Perform CodeQL Analysis" step currently sets upload: 'true' unconditionally which causes SARIF upload failures for forked pull requests; update the step that uses ./src/security/codeql-analyze (the "Perform CodeQL Analysis" step) so its SARIF upload is disabled for fork PRs by making the upload input conditional (or by adding an if that only allows the upload when the PR repo equals the upstream repo / when the workflow has permission), i.e., make the 'upload' input evaluate to false for forked PRs and true otherwise so uploads are only attempted when permitted.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In @.github/workflows/self-pr-validation.yml:
- Around line 206-212: The "Perform CodeQL Analysis" step currently sets upload:
'true' unconditionally which causes SARIF upload failures for forked pull
requests; update the step that uses ./src/security/codeql-analyze (the "Perform
CodeQL Analysis" step) so its SARIF upload is disabled for fork PRs by making
the upload input conditional (or by adding an if that only allows the upload
when the PR repo equals the upstream repo / when the workflow has permission),
i.e., make the 'upload' input evaluate to false for forked PRs and true
otherwise so uploads are only attempted when permitted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2d547b5f-278c-4a06-97e7-caed8cbd1605
📒 Files selected for processing (1)
.github/workflows/self-pr-validation.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/pr-security-reporter/action.yml`:
- Around line 308-316: The prerelease findings table currently renders all
entries with full lines, which can produce an oversized comment; limit the table
to a bounded number of rows (e.g., introduce a MAX_TABLE_ROWS constant and only
iterate the first N entries of the findings array) and truncate long cell text
(e.g., a truncate helper used for md(f.content) to cap characters and append
"…") so the comment body stays small; also update the header line to indicate
"Showing X of Y findings" and reuse/implement a small truncateFunction and
MAX_TABLE_ROWS constant near the code that builds the out string (the block that
constructs the Pre-release Version Check table and iterates over findings).
- Around line 308-313: The table rows are unsafe because you wrap f.file and
f.content with literal backticks after only escaping backticks, which lets a
finding close the inline code span; fix by using a proper code-span helper (or
the existing md(...) return value) that guarantees a safe inline-code rendering
and do not add extra surrounding backticks. Update the loop that builds out (the
for (const f of findings) block) to call the safe helper (e.g., md(f.file) and
md(f.content) directly) or replace with a dedicated
safeCodeSpan(f.file)/safeCodeSpan(f.content) that implements proper
backtick-fencing, and remove the manual surrounding backticks in the string
template so the table cells use the helper output only.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 425eed23-5e4f-4cd4-a715-c669dad8d6da
📒 Files selected for processing (1)
src/security/pr-security-reporter/action.yml
There was a problem hiding this comment.
Warning
CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.
Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/security/pr-security-reporter/action.yml`:
- Around line 310-318: The message text built where variables findings and
MAX_PRERELEASE are used should be narrowed to state that this check only flags
version strings containing prerelease suffixes (e.g., -alpha, -beta, -rc, -dev)
rather than asserting the only valid format is strictly x.y.z; update the two
user-facing lines constructed with out += (the summary line and the guidance
line) to say this rule disallows prerelease suffixes and recommend replacing
them with the corresponding stable release or a SHA-based pin, leaving other
valid stable formats untouched; locate the string concatenations near usages of
md(...) and truncate(...) and adjust wording accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 94691daa-e565-4149-b5ce-3cdec8ff378a
📒 Files selected for processing (1)
src/security/pr-security-reporter/action.yml
3 participants
GitHub Actions Shared Workflows
Description
Adds two new security capabilities to the
pr-security-scanreusable workflow:enable_codeql+codeql_languagesinputs. Runs as a separatecodeql_scanjob in parallel with the existingsecurity_scanjob. Scopes analysis to changed paths usingcodeql-config, then runs init → autobuild → analyze → reporter. Results are posted as a PR comment and uploaded to the GitHub Security tab.enable_prerelease_check: true). Newprerelease-checkcomposite scansgo.mod,package.json, andDockerfilefor version pins containing-betaor-rcsuffixes. Findings are reported via GitHub annotations and step summary, and the workflow fails if any are found.Additional changes:
@v1.18.0to@v1.23.1notifyjob to aggregate CodeQL scan resultsdocs/pr-security-scan-workflow.mdwith new inputs, job descriptions, and usage examplesType of Change
feat: New workflow or new input/output/step in an existing workflowfix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)perf: Performance improvement (e.g. caching, parallelism, reduced steps)refactor: Internal restructuring with no behavior changedocs: Documentation only (README, docs/, inline comments)ci: Changes to self-CI (workflows under.github/workflows/that run on this repo)chore: Dependency bumps, config updates, maintenancetest: Adding or updating testsBREAKING CHANGE: Callers must update their configuration after this PRBreaking Changes
None. CodeQL is opt-in (
enable_codeql: falseby default). Pre-release check is enabled by default but can be disabled viaenable_prerelease_check: false.Testing
@developor the beta tagCaller repo / workflow run: Pending — composite refs point to
@feat/pr-security-scan-codeql-prereleasefor testing from caller repos.Related Issues
Summary by CodeRabbit
New Features
Updates
Documentation