
chore: bump ubuntu version in docs.yml workflow #1014

Open
KooshaPari wants to merge 7 commits into main from chore/ubuntu-24-docs-yml

Conversation

@KooshaPari KooshaPari commented May 29, 2026

Owner

User description

Automated from stash.

Note

Medium Risk
Changes affect merge gating and secret scanning paths; malformed workflow YAML or broken GH_TOKEN templating could disable or weaken CI/security checks without obvious application code changes.

Overview
Adds workflow concurrency (cancel-in-progress) across CI, journey gate, security scans, and manual gate workflows so newer runs on the same ref supersede stale ones.

Introduces a new lint workflow that runs golangci-lint on push/PR to main, master, and develop. Docs CI switches docs dependency install from npm install to npm ci --frozen-lockfile. TruffleHog scanning drops the trufflehog/actions/setup@main action in favor of Go setup + go install of trufflehog v3.

Several workflow files were edited in ways that merge step metadata onto a single step (e.g. checkout + run/uses/name on one step in ci.yml, codeql.yml, docs.yml, sast-quick.yml, and gate scripts), which likely breaks YAML step structure unless fixed in a follow-up. TruffleHog’s GH_TOKEN env uses a backslash-escaped \${{ secrets.GITHUB_TOKEN }}, which may prevent secret injection.

Reviewed by Cursor Bugbot for commit 050ddc3.


CodeAnt-AI Description

Tighten CI and security checks, add repo linting, and make docs builds more reproducible

What Changed

  • Newer CI, security, and gate runs now replace older runs on the same branch, so stale checks stop blocking the latest changes
  • A new lint workflow runs Go lint checks on pushes and pull requests to the main development branches
  • Docs installs now use a locked dependency install, and the secrets scan switches to installing TruffleHog through Go before running the scan
  • Several workflow steps were cleaned up so docs, CI, and scan jobs keep running with the intended actions and labels

Impact

✅ Fewer blocked merges from stale checks
✅ Earlier lint feedback on Go changes
✅ More reproducible docs builds

Summary by CodeRabbit

  • New Features
    • Added automated Go linting to the CI/CD pipeline.
  • Chores
    • Updated CI/CD workflows to cancel redundant concurrent runs.
    • Updated workflow dependencies and refined configuration across multiple workflows.
    • Updated documentation publishing workflow dependencies.
    • Updated submodule references.

KooshaPari and others added 5 commits May 5, 2026 20:45
…p-go

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 29, 2026 00:58
@codeant-ai

codeant-ai Bot commented May 29, 2026


CodeAnt AI is reviewing your PR.


@coderabbitai

coderabbitai Bot commented May 29, 2026


Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key: "pre_merge_checks"
Walkthrough

Adds workflow-level concurrency cancellation (cancel-in-progress) to eight existing GitHub Actions workflows, introduces a new golangci-lint workflow, replaces the Trufflehog setup action with a Go toolchain install step, switches docs dependency installation to npm ci, fixes YAML step-name formatting in four workflows, and bumps a submodule pointer.

Changes

CI/CD Workflow Hardening

Layer | File(s) | Summary
New golangci-lint workflow | .github/workflows/lint.yml | Introduces a new lint workflow triggered on push and pull_request to main/master/develop that checks out the repo, sets up Go stable, and runs golangci/golangci-lint-action@v6.
Concurrency cancellation across eight workflows | .github/workflows/ci.yml, .github/workflows/journey-gate.yml, .github/workflows/policy-gate.yml, .github/workflows/quality-gate.yml, .github/workflows/sast-quick.yml, .github/workflows/scorecard.yml, .github/workflows/self-merge-gate.yml, .github/workflows/trufflehog.yml | Adds a top-level concurrency block keyed on ${{ github.workflow }}-${{ github.ref }} with cancel-in-progress: true to each of these workflows.
Trufflehog Go install and docs npm ci | .github/workflows/trufflehog.yml, .github/workflows/docs.yml | Replaces trufflehog/actions/setup@main with actions/setup-go (stable) + go install github.com/trufflehog/trufflehog/v3@latest. Changes docs workflow dependency installation from npm install --frozen-lockfile to npm ci --frozen-lockfile.
YAML step-name formatting fixes | .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/docs.yml, .github/workflows/sast-quick.yml | Corrects malformed step definitions where a subsequent step's name field was concatenated onto the preceding uses line, properly separating each step.

Submodule Update

Layer | File(s) | Summary
Submodule revision bump | cliproxyapi-plusplus-wtrees/shell-quality-2026-06-08 | Advances the tracked submodule gitlink to commit 43a2ba32e2bc2fdd954f0a36c812a5e3e065d657.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hoppity-hop through the workflow files,
Concurrency added in YAML styles,
No more collisions on the same ref — hurray!
Trufflehog hops the go install way,
Step names untangled from their uses lines,
The lint bunny checks with golangci signs. 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Title check | ⚠️ Warning | The PR title refers only to bumping Ubuntu version in docs.yml, but the changeset encompasses 11 modified workflow files with multiple significant updates including concurrency configuration across multiple workflows, a new lint workflow, dependency installation changes, and TruffleHog security scanning updates. | Update the title to reflect the primary changes such as 'chore: add concurrency and modernize GitHub Actions workflows' or similar to better represent the comprehensive scope of modifications across all workflow files.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Comment on lines +9 to +18
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: stable
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
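Review bot: lint.yml pins `actions/checkout@v4`, `actions/setup-go@v5` and `golangci/golangci-lint-action@v6` by mutable tag and runs `version: latest`, whereas the other workflows touched by this PR pin actions to full commit SHAs (the `# v4` SHA pins in docs.yml and ci.yml). Pin these three actions to commit SHAs and set a fixed golangci-lint version so a moved upstream tag or a new linter release cannot silently change what the gate executes.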
@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label May 29, 2026


Comment on lines +22 to 24
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Setup Node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:


🔴 Architect Review — CRITICAL

The first docs build step defines both checkout and Node setup in a single step with duplicate uses keys, so the actions/checkout invocation is overridden and the repository is never actually checked out before bun/npm commands run, causing the docs build to run against an empty workspace.

Suggestion: Split this into two separate sequential steps (one uses: actions/checkout@<pinned-sha>, then one uses: actions/setup-node@<pinned-sha> with the existing with: block) so the workspace is checked out before any bun/npm-based build steps execute.


Comment on lines +75 to 77
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
name: Deploy
id: deployment


🔴 Architect Review — CRITICAL

The Pages deploy job merges actions/configure-pages and actions/deploy-pages into a single step with duplicate uses keys, so configure-pages is never invoked and the job calls only deploy-pages, which can break the required GitHub Pages deployment contract on main.

Suggestion: Restore two explicit steps in order—a Configure Pages step that runs actions/configure-pages@<pinned-sha>, followed by a Deploy step running actions/deploy-pages@<pinned-sha> with the existing id and url wiring—so the Pages environment is configured before deployment.


Comment thread .github/workflows/ci.yml
Comment on lines +25 to 27
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Refresh models catalog
run: |


🟠 Architect Review — HIGH

Multiple workflows in this PR define "combined steps" that include both uses and run, or multiple uses keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically actions/checkout or actions/configure-pages) being ignored or steps failing validation so intended gates do not run correctly.

Suggestion: Normalize all seven affected locations so each step has exactly one uses or one run and each logical operation (checkout, setup, analysis, gate script, etc.) is its own list item, ensuring that required checkouts and setup actions execute before dependent scripts across CI, docs, CodeQL, SAST, quality-gate, and policy-gate workflows.


@codeant-ai

codeant-ai Bot commented May 29, 2026


CodeAnt AI finished reviewing your PR.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.

Autofix Details

Bugbot Autofix prepared fixes for both issues found in the latest run.

  • ✅ Fixed: YAML indentation error breaks entire docs workflow
    • Corrected indentation and added missing list indicator to separate Configure Pages and Deploy steps.
  • ✅ Fixed: Steps merged into one due to missing list indicators
    • Added missing list indicators to separate workflow steps in docs.yml, codeql.yml, and sast-quick.yml.

Preview of the proposed fix (90d565a23e):
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,18 +20,21 @@
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
           languages: ${{ matrix.language }}
           config-file: .github/codeql/codeql-config.yml
       - name: Set up Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with:
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
           go-version-file: go.mod
           cache: true
       - name: Build
         run: go build ./...
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix:
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+  analyze-skip-for-migrated-router-fix:
     name: Analyze (Go)
     if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }}
     runs-on: ubuntu-latest
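Review bot: the unchanged context line `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` still carries two `@<sha>` segments; an action reference has the form `owner/repo@ref` with a single ref, so restoring the list indicators alone is unlikely to make this checkout step resolve. Pin it to one full commit SHA and keep the `# v4` comment, otherwise the CodeQL job has nothing to analyze.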

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,14 +20,16 @@
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+        with:
           node-version: "20"
           cache: "npm"
           cache-dependency-path: docs/package.json
 
       - name: Setup Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with:
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        with:
           bun-version: latest
 
       - name: Install OXC dependencies
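Review bot: both the checkout and the setup-node lines in this hunk keep a double `@<sha>@<sha>` reference (`uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` and the matching setup-node line), which is not the `owner/repo@ref` form and should be reduced to a single pinned SHA. Separately, `cache-dependency-path: docs/package.json` keys the npm cache on the manifest rather than the lockfile; point it at docs/package-lock.json so a lockfile change invalidates the cache.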
@@ -51,7 +53,8 @@
         run: test -f docs/.vitepress/dist/index.html
 
       - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with:
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+        with:
           path: docs/.vitepress/dist/
 
   build-skip-branch-ci-unblock:
@@ -73,6 +76,6 @@
     steps:
       - name: Configure Pages
         uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
-         name: Deploy
+      - name: Deploy
         id: deployment
         uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
\ No newline at end of file
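Review bot: the `\ No newline at end of file` marker shows the fix leaves `uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4` as the final line without a trailing newline; add one so the file parses the same in every tool and the next diff does not churn this line again.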

diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml
--- a/.github/workflows/sast-quick.yml
+++ b/.github/workflows/sast-quick.yml
@@ -21,9 +21,11 @@
     # Tier 3: Advisory - security enrichment only
     continue-on-error: true
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with:
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
           python-version: "3.12"
       - name: Install Semgrep
         run: python -m pip install --disable-pip-version-check semgrep==1.157.0
@@ -33,7 +35,8 @@
         run: |
           semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: semgrep.sarif
 
@@ -46,14 +49,16 @@
     continue-on-error: true
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Analyze licenses
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true  # Allow findings but don't fail
+      - name: Analyze licenses
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true  # Allow findings but don't fail
       - name: Check for non-reusable licenses
         run: |
           # Check for problematic licenses
           grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true
       - name: Check license compliance
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true
 
   # Secret Scanning - Tier 2: Important (runs in parallel)
   secrets:
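Review bot: `fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4` is invoked twice in this job (`Analyze licenses` and `Check license compliance`), both with `continue-on-error: true`, so the second step only repeats the first; and `grep -r "GPL\|AGPL" ... || true` can never fail, so that step is informational only. Remove the duplicate invocation, and if this gate is meant to block on license findings, drop the `|| true` and `continue-on-error` on the step that should enforce it.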
@@ -61,10 +66,12 @@
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
       - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env:
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: --verbose --redact
@@ -77,6 +84,7 @@
           output: trivy-results.sarif
         continue-on-error: true
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: 'trivy-results.sarif'


- name: Configure Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
name: Deploy


YAML indentation error breaks entire docs workflow

High Severity

The name: Deploy line has 9 spaces of indentation while all sibling properties (uses:, id:) in the same step mapping have 8 spaces. YAML block mappings require all keys at the same level to share identical indentation. This mismatch will cause a YAML parse error, preventing the entire docs.yml workflow file from loading — breaking both the build and deploy jobs.


Reviewed by Cursor Bugbot for commit 6733dc6.

- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Setup Node


Steps merged into one due to missing list indicators

High Severity

The commit splits step names that were previously embedded in YAML comments (e.g., # v4- name: Setup Node) into separate lines, but adds them as properties of the same step instead of creating new list items with - . This produces duplicate name: and uses: keys in single steps. YAML's last-wins behavior silently drops the first action (typically actions/checkout), so the repository is never checked out before subsequent steps run.


Reviewed by Cursor Bugbot for commit 6733dc6.
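The two Bugbot findings above (mis-indented `name: Deploy`, steps merged through duplicate `uses` keys), together with the escaped `\${{ secrets.GITHUB_TOKEN }}` and the `npm ci --frozen-lockfile` flag from the PR description, can be caught locally before a push. The checker below is an added example written for this page, not the repository's or any bot's tooling; it assumes a line-based walk of `steps:` lists is enough (so it needs no PyYAML), and the sample workflow snippets are constructed to mirror the threads above rather than the repo's real files.

```python
"""Line-based checker for the GitHub Actions step-structure defects discussed above.

Added example, not part of the PR or any bot's tooling. It walks each `steps:` list by
indentation and reports: a key repeated inside one step (YAML keeps the last `uses` and
silently drops the first), a step carrying both `uses` and `run`, a key indented unlike
its siblings, a backslash-escaped `${{ }}` expression, and `--frozen-lockfile` on `npm ci`.
"""
import re

# A mapping key at the start of a line, optionally preceded by a list indicator.
KEY_RE = re.compile(r'^(?P<indent>\s*)(?P<dash>-\s+)?(?P<key>[A-Za-z_][\w-]*):(?P<value>.*)$')
# Values that open a nested block: empty (`with:`) or a literal/folded scalar (`run: |`).
BLOCK_VALUE_RE = re.compile(r'^\s*([|>][-+0-9]*)?\s*(#.*)?$')
NPM_CI_FROZEN_RE = re.compile(r'\bnpm ci\b.*--frozen-lockfile')


def _finish_step(step, issues):
    if step is None:
        return
    first_seen = {}
    for key, lineno in step['keys']:
        first = first_seen.setdefault(key, lineno)
        if first != lineno:
            issues.append(f"line {lineno}: duplicate key '{key}' in step starting at line "
                          f"{step['start']} (YAML keeps this one and silently drops line {first})")
    if 'uses' in first_seen and 'run' in first_seen:
        issues.append(f"line {step['start']}: step defines both 'uses' and 'run'; "
                      "GitHub Actions accepts only one per step")


def find_step_issues(text: str) -> list[str]:
    """Return human-readable findings for one workflow file, in file order."""
    issues = []
    steps_indent = step = None   # indent of the enclosing `steps:` key; the list item being read
    for lineno, raw in enumerate(text.splitlines(), 1):
        if '\\${{' in raw:
            issues.append(f"line {lineno}: backslash-escaped "
                          + "\\${{ is passed literally, so the secret is never injected")
        if NPM_CI_FROZEN_RE.search(raw):
            issues.append(f"line {lineno}: --frozen-lockfile is not an npm ci option")
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip())
        m = KEY_RE.match(raw)
        if m and m.group('dash') is None and m.group('key') == 'steps':
            _finish_step(step, issues)
            step, steps_indent = None, indent
            continue
        if steps_indent is None:
            continue
        if indent <= steps_indent:          # dedented past `steps:`, the list is over
            _finish_step(step, issues)
            step, steps_indent = None, None
            continue
        if m is None:
            continue                        # script text or a continued scalar
        key, value = m.group('key'), m.group('value')
        if m.group('dash') is not None:
            if step is not None and indent != step['item_indent']:
                continue                    # a list nested under with:/env:, not a step
            _finish_step(step, issues)
            step = {'start': lineno, 'item_indent': indent, 'keys': [],
                    'key_indent': indent + len(m.group('dash')), 'open_block': False}
            key_indent = step['key_indent']
        elif step is None:
            continue
        else:
            key_indent = indent
        if key_indent == step['key_indent']:
            step['keys'].append((key, lineno))
            step['open_block'] = BLOCK_VALUE_RE.match(value) is not None
        elif not step['open_block']:        # deeper lines under with:/env:/run: | are fine
            issues.append(f"line {lineno}: '{key}' is indented {key_indent} spaces but its "
                          f"sibling keys use {step['key_indent']}; YAML rejects this mapping")
    _finish_step(step, issues)
    return issues


# Constructed samples modelled on the review threads above, not the repo's real files.
BROKEN_DEPLOY = """\
jobs:
  deploy:
    steps:
      - name: Configure Pages
        uses: actions/configure-pages@v5
         name: Deploy
        id: deployment
        uses: actions/deploy-pages@v4
"""
BROKEN_CI = """\
steps:
  - uses: actions/checkout@v4
    name: Refresh models catalog
    run: |
      go run ./cmd/refresh-models > models.json
  - name: Install docs dependencies
    run: npm ci --frozen-lockfile
  - name: TruffleHog
    run: trufflehog git file://.
    env:
      GH_TOKEN: \\${{ secrets.GITHUB_TOKEN }}
"""
```

Run `find_step_issues(Path('.github/workflows/docs.yml').read_text())` over each workflow file; an empty list means none of the listed defects were found, not that the rest of the YAML is valid.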

@codeant-ai

codeant-ai Bot commented Jun 9, 2026


CodeAnt AI is running Incremental review



@codeant-ai codeant-ai Bot added size:M This PR changes 30-99 lines, ignoring generated files and removed size:M This PR changes 30-99 lines, ignoring generated files labels Jun 9, 2026
@codeant-ai

codeant-ai Bot commented Jun 9, 2026


CodeAnt AI Incremental review completed.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 5 potential issues.

There are 7 total unresolved issues (including 2 from previous reviews).


Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.

Reviewed by Cursor Bugbot for commit 050ddc3.

- name: Install dependencies
working-directory: docs
run: npm install --frozen-lockfile
run: npm ci --frozen-lockfile


Invalid flag on npm ci

Medium Severity

The docs install step runs npm ci --frozen-lockfile, but --frozen-lockfile is an npm install / Yarn option, not valid for npm ci. That can make the install step exit with a CLI usage error and block the docs build.


Reviewed by Cursor Bugbot for commit 050ddc3.

- name: Configure Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
name: Deploy


Deploy step YAML broken

High Severity

The Pages deploy job folds configure-pages and deploy-pages into one step, with a mis-indented name: Deploy line. GitHub Actions expects separate steps; duplicate uses keys and bad indentation can prevent the deploy job from running or from setting steps.deployment correctly.


Reviewed by Cursor Bugbot for commit 050ddc3.

Comment thread .github/workflows/ci.yml
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Refresh models catalog


Checkout step includes run

High Severity

The first CI step sets uses: actions/checkout and also defines a run block for refreshing models.json. A single step cannot combine an action and run, so the catalog refresh may never execute and tests may use a missing or stale models file.


Reviewed by Cursor Bugbot for commit 050ddc3.

- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Initialize CodeQL


CodeQL init merged with checkout

High Severity

The CodeQL job combines actions/checkout and github/codeql-action/init in one step with two uses keys. That can skip checkout or init and break the subsequent go build and analysis steps.


steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Analyze licenses
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Analyze licenses


License scan step malformed

Medium Severity

The license-compliance job puts actions/checkout and fsfe/reuse-action in one step with two uses entries. The REUSE license check may not run, weakening that advisory job.


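The four Bugbot findings above share one root cause: a step boundary that was lost between a `# v4` version comment and the next key (`# v4- name: …`), combined with an `actions/checkout` reference that carries two commit SHAs. None of that trips a YAML parser, which is how it reached a PR unnoticed. The script below is an added example, not code from this PR or from any of the review bots: it catches those shapes on the raw workflow lines before a push, and it goes a little beyond the quoted snippets by also flagging a step that has both `uses:` and `run:`, duplicate `uses`/`name` keys inside one step, and action refs pinned to a mutable tag instead of a commit SHA. The rule names and the `SAMPLE` workflow are constructed for this example, modelled on the snippets quoted in the comments above.

```python
# Added example: raw-line sanity checks for GitHub Actions workflow files. A plain
# YAML load does not see the breakage the comments above describe (`# v4with:` is
# just a comment, a ref with two `@` is just a string, and most parsers keep the
# last of two duplicate keys silently), so these checks work on the raw lines.
import re

GLUED_KEY = re.compile(  # `# v4with:`, `# v4- name: X`, `# v4if: always()`
    r"#\s*v[\w.]*?\s*(?P<key>(?:- name|name|with|if|env|run|id|continue-on-error):)")
USES = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
STEPS_HEADER = re.compile(r"^\s*steps:\s*$")
STEP_START = re.compile(r"^\s*-\s+(?P<rest>\S.*)$")
STEP_KEY = re.compile(r"^\s*-?\s*(?P<key>[A-Za-z_-]+):")
HEX40 = re.compile(r"[0-9a-f]{40}")


def _finish_step(line, keys):
    """Rules that need the whole step: duplicate keys, and uses+run in one step."""
    out = [(line, f"duplicate-key:{k}", f"'{k}' appears {keys[k]} times in one step")
           for k in ("uses", "name") if keys.get(k, 0) > 1]
    if "uses" in keys and "run" in keys:
        out.append((line, "uses-and-run", "a step is an action (uses) or a script (run), not both"))
    return out


def lint_workflow(text):
    """Return (line, rule, detail) tuples; rule names are this example's own."""
    findings = []
    steps_indent = None  # indent of the `steps:` key we are inside, if any
    step_indent = None   # indent of the `-` that begins each step
    step = None          # (start line, key column, {key: count}) of the open step

    def close():
        nonlocal step
        if step is not None:
            findings.extend(_finish_step(step[0], step[2]))
        step = None

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = GLUED_KEY.search(line)
        if m:
            findings.append((lineno, "glued-key", f"'{m.group('key')}' sits inside a comment and is dropped"))
        m = USES.match(line)
        if m:
            _, _, ref = m.group("ref").partition("@")
            if "@" in ref:
                findings.append((lineno, "double-ref", f"two '@' separators in {m.group('ref')}"))
            elif ref and not HEX40.fullmatch(ref):
                findings.append((lineno, "tag-not-sha", f"'{ref}' is a mutable ref, not a commit SHA"))
        # A step starts at a `-` item under `steps:` and ends at the next such item
        # or when indentation drops back out of the list.
        if STEPS_HEADER.match(line):
            close()
            steps_indent, step_indent = indent, None
            continue
        if steps_indent is None:
            continue
        if indent <= steps_indent and not stripped.startswith("-"):
            close()
            steps_indent = None
            continue
        s = STEP_START.match(line)
        if s and (step_indent is None or indent == step_indent):
            close()
            step_indent = indent
            step = (lineno, s.start("rest"), {})
            k = STEP_KEY.match(s.group("rest"))
            if k:
                step[2][k.group("key")] = 1
        elif step is not None and indent == step[1]:
            k = STEP_KEY.match(line)
            if k:
                step[2][k.group("key")] = step[2].get(k.group("key"), 0) + 1
    close()
    return findings


# Constructed sample reproducing the shapes flagged in this PR; not a file from the repo.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog
        run: git fetch --depth 1 https://github.com/router-for-me/models.git main
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        name: Setup Node
        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
          node-version: "20"
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
      - uses: actions/setup-go@v5
        with:
          go-version: stable
"""

if __name__ == "__main__":
    for line, rule, detail in lint_workflow(SAMPLE):
        print(f"line {line}: {rule}: {detail}")
```

Run the file directly to see the eight findings for `SAMPLE`, or call `lint_workflow(open(path).read())` over `.github/workflows/*.yml` from a pre-commit hook. It is a line-level heuristic rather than a parser, so keep a schema-aware checker such as actionlint next to it; the point of this one is that it catches the comment-swallowed keys a schema check cannot see.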
@codeant-ai

codeant-ai Bot commented Jun 18, 2026


Thanks for using CodeAnt! 🎉

We're free for open-source projects. If you're enjoying it, help us grow by sharing.


@codeant-ai codeant-ai Bot added and then removed the size:M label (This PR changes 30-99 lines, ignoring generated files) Jun 18, 2026
@sonarqubecloud


Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@cursor cursor Bot left a comment


Risk: medium. Not approving: Cursor Bugbot reported 5 potential issues with 7 unresolved threads, and this PR touches multiple CI workflow files beyond the docs.yml scope. No reviewers assigned (author is the sole CODEOWNER for .github/).


Sent by Cursor Approval Agent: Pull Request Approver

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (20)
.github/workflows/lint.yml (2)

1-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit permissions block to follow least privilege.

The workflow does not specify a permissions block, so it defaults to broad GITHUB_TOKEN permissions. For a lint workflow that only needs to read code, this violates the principle of least privilege.

🔒 Proposed fix to add minimal permissions
 name: lint
+
+permissions:
+  contents: read
+
 on:
   push:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yml around lines 1 - 19, The lint workflow lacks an
explicit permissions block, which causes the GITHUB_TOKEN to default to broad
permissions violating the principle of least privilege. Add a top-level
permissions block to the workflow (at the same indentation level as the on and
jobs keys) that specifies only the minimal permissions needed for a lint job to
read the repository contents, such as contents: read. This ensures the workflow
operates with the minimum required permissions.

Source: Linters/SAST tools


1-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add concurrency control to prevent redundant runs.

The workflow is missing a concurrency block to cancel outdated runs when newer commits are pushed to the same ref. Although this is a new workflow, the pattern across the repository (as noted in the PR objectives) is to add cancel-in-progress settings to workflows.

⚡ Proposed fix to add concurrency control
 name: lint
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yml around lines 1 - 19, The lint workflow is missing
concurrency control configuration that should cancel outdated runs when new
commits are pushed. Add a concurrency block at the top level of the workflow (at
the same level as the name, on, and jobs keys) that defines a concurrency group
based on the GitHub reference and sets cancel-in-progress to true to ensure that
only the latest run for a given ref executes, canceling any in-progress runs
from previous commits.

Source: Linters/SAST tools

.github/workflows/ci.yml (4)

53-54: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 53 has # v3with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Upload coverage
-        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3with:
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3
+        with:
           files: ./coverage.out
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 53 - 54, The codecov/codecov-action
step has a YAML syntax error where the `with:` keyword is incorrectly
concatenated to the end of the `uses:` line comment. Separate the `with:`
keyword onto its own line at the same indentation level as `uses:`, ensuring it
appears as a distinct key in the YAML structure. The comment `# v3` should end
the `uses:` line, and `with:` should begin on the next line followed by its
nested `files:` parameter.

33-34: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 33 has # v5with: at the end, which concatenates the with: keyword onto the comment. In YAML, with: must be a separate key on its own line at the same indentation as uses:.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Setup Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with:
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
           go-version: ${{ matrix.go-version }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 33 - 34, The YAML workflow file has a
syntax error where the `with:` keyword is concatenated onto the end of the
`uses:` action comment instead of being on its own separate line. Fix this by
removing `with:` from the comment on the `uses: actions/setup-go` line (so it
reads only `# v5` or similar version comment) and then place `with:` as its own
top-level key on a new line at the same indentation level as `uses:`, followed
by the `go-version:` property indented one level deeper.

25-30: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: malformed action reference and step structure.

Line 25 contains two commit SHAs separated by @, which is invalid GitHub Actions syntax. Additionally, this step appears to have both uses: (line 25) and run: (line 27), which is impossible—a step must be either an action (uses) or a script (run), not both.

This will cause workflow syntax validation to fail.

🔧 Proposed fix

The checkout step and the refresh command should be separate steps:

-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Refresh models catalog
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Refresh models catalog
         run: |
           git fetch --depth 1 https://github.com/router-for-me/models.git main
           mkdir -p pkg/llmproxy/registry/models
           git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json
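Review bot: splitting the checkout and the refresh into two steps is right, but two things in this hunk need a second look. Both SHAs on the removed line carry the same `# v4` label; the fix keeps `11bd7190…` and drops `34e11487…`, so confirm that the retained commit is what the actions/checkout v4 tag actually resolves to before merging, otherwise the pin points at an unintended commit. Second, the refresh step runs `git fetch --depth 1 https://github.com/router-for-me/models.git main` on every CI run and writes the result straight into the test tree, which makes an unpinned third-party branch an input to the test suite; pin the fetch to a commit (fetch the SHA and verify `FETCH_HEAD` against it) or vendor `models.json`.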
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 25 - 30, Separate this into two
distinct GitHub Actions steps. The first step should use the `actions/checkout`
action with a single valid commit SHA reference (remove the duplicate SHA after
the first @). The second step should be a separate step with only the `run:`
command that contains the git fetch, mkdir, and git show commands for refreshing
the models catalog. Each step must use either `uses:` or `run:`, never both in
the same step.

37-41: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 37 has # v4with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Cache Go modules
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4with:
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 37 - 41, The `uses:` line for the
actions/cache action has a critical YAML syntax error where the `with:` keyword
is incorrectly appended to the end of the comment. The comment should end
cleanly after the version reference, and `with:` must be placed on its own line
as a separate key at the appropriate indentation level. Remove the `with:` text
from the comment at the end of the `uses:` line and add `with:` as a properly
indented standalone key on the next line before the `path:` property.
.github/workflows/sast-quick.yml (7)

56-56: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: continue-on-error: concatenated onto the uses: line.

Line 56 has # v4continue-on-error: at the end, concatenating the continue-on-error: field onto the comment. This field must be on its own line at the same indentation as uses:.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Check license compliance
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml at line 56, The `continue-on-error:` field
is incorrectly concatenated onto the `uses:` line in the fsfe/reuse-action step.
You need to separate the comment and the continue-on-error field: move
`continue-on-error: true` to its own line at the same indentation level as the
`uses:` field (keeping only the version comment `# v4` on the uses line). This
will fix the YAML syntax error that is preventing the workflow from parsing
correctly.

26-27: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 26 has # v5with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with:
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
           python-version: "3.12"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 26 - 27, The YAML syntax in
the workflow file has a critical error where the `with:` keyword is concatenated
onto the comment at the end of the `uses:` line in the setup-python action.
Remove the `with:` text from the comment (keeping just `# v5`) and add `with:`
as a separate YAML key on its own line after the `uses:` line, ensuring it is at
the same indentation level as `uses:`. The `python-version: "3.12"` should then
be properly nested as a child of the `with:` key with appropriate indentation.
This will fix the YAML parsing error that prevents the workflow from running.

36-38: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: if: concatenated onto the uses: line.

Line 36 has # v4if: at the end, concatenating the if: condition onto the comment. The if: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: semgrep.sarif
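Review bot: `if: always()` restores the intended behaviour, but `always()` also fires when the run is cancelled, which this PR makes routine by adding cancel-in-progress concurrency to the security workflows; a cancelled Semgrep run would then upload a partial or missing `semgrep.sarif`. `if: ${{ !cancelled() }}` uploads after a failed scan without running on cancelled runs. The same applies to the Trivy upload step later in this file.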
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 36 - 38, The if: always()
condition is incorrectly concatenated onto the end of the uses: line in the
github/codeql-action/upload-sarif step. Separate the if: always() onto its own
line below the uses: statement so that it becomes a proper YAML key-value pair
at the step level, not appended to the comment. This will ensure the workflow
YAML is syntactically valid and the conditional execution logic is properly
recognized by GitHub Actions.

67-70: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: env: concatenated onto the uses: line.

Line 67 has # v2env: at the end, concatenating the env: keyword onto the comment. The env: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env:
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: --verbose --redact
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 67 - 70, The YAML syntax in
the gitleaks-action step is invalid because the env keyword has been
concatenated onto the end of the uses line in the comment as # v2env:. Fix this
by separating the env key onto its own line at the proper indentation level.
Remove the env text from the comment so it reads # v2 instead, then add env: as
a separate key on the next line, followed by the GITHUB_TOKEN definition at the
correct indentation level.

80-82: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: if: concatenated onto the uses: line.

Line 80 has # v4if: at the end, concatenating the if: condition onto the comment. The if: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: 'trivy-results.sarif'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 80 - 82, The upload-sarif step
for the github/codeql-action has a YAML syntax error where the if condition is
concatenated onto the uses line's version comment, appearing as "# v4if:
always()". Fix this by moving the if: always() condition to its own separate
line as a proper YAML key at the same indentation level as the uses and with
keys, ensuring the version comment on the uses line ends correctly with just the
version number like "# v4".

24-25: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 24 has # v4with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
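Review bot: this fix only moves `with:` onto its own line and leaves `uses: actions/checkout@34e11487…@11bd7190…` in place, the same double-SHA reference the review itself calls invalid in ci.yml, so the step still cannot resolve. Reduce it to a single commit as the other hunks do, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`, and keep `fetch-depth: 0`, which the secret scanners need to see full history.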
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 24 - 25, The GitHub Actions
workflow has a YAML syntax error where the `with:` keyword is incorrectly
concatenated onto the `uses:` line as part of the comment (showing as `#
v4with:`). Fix this by separating the `with:` keyword onto its own line with the
same indentation level as the `uses:` line, and ensure the comment on the
`uses:` line ends with just `# v4` without the `with:` text attached. This will
restore proper YAML structure and allow the workflow to parse correctly.

64-65: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 64 has # v4with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
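Review bot: same incomplete fix as the checkout step at lines 24-25 of this file: the retained `uses:` line still carries two SHAs separated by `@`, so separating `with:` does not make the step loadable. Cut the reference to one commit SHA in the same change.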
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sast-quick.yml around lines 64 - 65, The `with:` keyword
in the actions/checkout step is incorrectly concatenated onto the end of the
`uses:` line comment as `# v4with:`, causing a YAML syntax error. Fix this by
removing `with:` from the comment (change `# v4with:` to `# v4`), then add
`with:` as a separate key on its own line at the same indentation level as
`uses:`, with `fetch-depth: 0` properly indented beneath it as a child of the
`with:` key.
.github/workflows/scorecard.yml (4)

31-32: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 31 has # v4with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           persist-credentials: false
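Review bot: the retained line still reads `uses: actions/checkout@34e11487…@11bd7190…`, which GitHub cannot resolve, so this hunk fixes the `with:` placement but not the step; cut the ref to a single SHA. `persist-credentials: false` is correct here and should stay, since the scorecard job only needs to read the tree.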
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 31 - 32, The YAML syntax error
in the GitHub Actions workflow has the `with:` keyword incorrectly concatenated
into the comment on the `uses: actions/checkout...` line. Fix this by removing
the `with:` text from the comment so it reads `# v4` instead of `# v4with:`,
then add `with:` as a separate YAML key on its own line at the same indentation
level as `uses:`, and keep the `persist-credentials: false` properly indented as
a child of the `with:` key.

44-45: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 44 has # v3with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
-      - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3with:
+      - uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
+        with:
           sarif_file: results.sarif
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 44 - 45, The YAML syntax error
in the scorecard workflow is caused by the `with:` keyword being concatenated
onto the end of the `uses:` line comment as part of `# v3with:`. The `with:`
keyword must be moved to its own separate line at the same indentation level as
the `uses:` key in the
`github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a`
step. The comment on the uses line should end cleanly with `# v3`, and then
`with:` should appear on the next line as a proper YAML key followed by
`sarif_file: results.sarif` as its nested content.

34-37: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: with: concatenated onto the uses: line.

Line 34 has # v2.4.2with: at the end, concatenating the with: keyword onto the comment. The with: must be a separate key on its own line.

This will cause workflow parsing to fail.

🔧 Proposed fix
-      - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2with:
+      - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
           results_file: results.sarif
           results_format: sarif
           publish_results: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 34 - 37, The YAML syntax error
occurs because the `with:` keyword is concatenated to the end of the comment on
the same line as the `uses:` key for the ossf/scorecard-action action (showing
as `# v2.4.2with:`). Fix this by ensuring the comment on the `uses:` line ends
cleanly with just `# v2.4.2`, and then place the `with:` keyword on its own
separate line at the same indentation level as the `uses:` line above it,
followed by the configuration properties on subsequent indented lines.

39-42: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: malformed action reference.

Line 39 contains two commit SHAs separated by @ (@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a), which is invalid GitHub Actions syntax. Additionally, # v4with: concatenates the with: keyword onto the comment.

This will cause workflow parsing to fail.

🔧 Proposed fix
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4with:
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
+        with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml around lines 39 - 42, The
actions/upload-artifact action reference contains two commit SHAs separated by @
symbols, which is invalid GitHub Actions syntax. Remove the second commit SHA
(043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) from the uses statement so there is
only one @ separator. Additionally, the comment is malformed with # v4with:
concatenating the with keyword onto the comment. Fix this by separating the
comment to just # v4 and then place with: on its own line as a proper YAML key,
ensuring proper indentation for the nested with block containing name, path, and
retention-days properties.
.github/workflows/policy-gate.yml (1)

14-15: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: malformed action reference and concatenated step.

Line 14 contains multiple syntax errors:

  1. Two commit SHAs in the action reference (@SHA1@SHA2), which is invalid
  2. The next step's - name: Enforce engineering policies is concatenated onto the same line after the comment
  3. Line 15 would then be orphaned as a run: without a proper step definition

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Enforce engineering policies
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Enforce engineering policies
         run: ./scripts/policy-gate.sh
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/policy-gate.yml around lines 14 - 15, The workflow file
has malformed YAML syntax on line 14 where the actions/checkout action reference
contains two concatenated commit SHAs separated by @ symbol, and the next step
definition is incorrectly appended to the same line after a comment. Fix this by
removing one of the duplicate SHAs from the actions/checkout reference (keeping
only a single valid SHA), then place the - name: Enforce engineering policies
step on its own new line with proper YAML indentation to create a separate step
definition, ensuring the run: directive on line 15 is properly associated with
its parent step.
.github/workflows/quality-gate.yml (1)

14-15: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: malformed action reference and concatenated step.

Line 14 contains multiple syntax errors:

  1. Two commit SHAs in the action reference (@SHA1@SHA2), which is invalid
  2. The next step's - name: Run quality checks is concatenated onto the same line after the comment
  3. Line 15 would then be orphaned as a run: without a proper step definition

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Run quality checks
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Run quality checks
         run: ./scripts/quality-gate.sh verify
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/quality-gate.yml around lines 14 - 15, The
actions/checkout reference in the quality-gate.yml workflow contains two commit
SHAs concatenated with @ symbols, making the action reference invalid.
Additionally, the next step's name declaration is incorrectly concatenated on
the same line after a comment. Fix this by using only the second commit SHA in
the checkout action reference, placing the comment on a separate line, and
ensuring each workflow step starts on its own line with proper YAML indentation
so that the step named "Run quality checks" and its associated run command are
properly defined as a separate step.
.github/workflows/docs.yml (1)

21-27: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Malformed YAML prevents workflow execution.

The "Checkout" step contains duplicate name keys and invalid syntax on multiple levels:

  1. Duplicate name keys: Line 23 adds a second name: Setup Node to the Checkout step instead of starting a new step with - name: Setup Node
  2. Invalid Git ref syntax: Line 22 contains @34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 (two commit hashes separated by @), which is invalid
  3. Missing newline/indentation: Line 24 shows # v4with: instead of # v4 followed by a newline and properly indented with:

These errors will cause GitHub Actions to fail parsing the workflow file, completely blocking the docs CI pipeline.

🔧 Proposed fix for YAML structure
      - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Setup Node
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+        with:
          node-version: "20"
          cache: "npm"
          cache-dependency-path: docs/package.json
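Review bot: with the steps separated, the remaining problem in this hunk is `cache-dependency-path: docs/package.json`: setup-node keys the npm cache on the hash of that file, so the cache is reused unchanged when only `docs/package-lock.json` changes, and the lockfile is exactly what the `npm ci` step installs from. Point it at `docs/package-lock.json`. As with the other checkout fixes, confirm that `11bd7190…` and `8f152de4…` are the commits the respective v4 tags resolve to.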
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 21 - 27, The Checkout step in the
GitHub Actions workflow has three critical YAML syntax errors that need to be
fixed. First, remove the duplicate `name: Setup Node` key that appears on line
23 - this should be a separate step entirely, not part of the Checkout step.
Second, fix the invalid Git ref syntax on line 22 which contains two commit
hashes separated by @ symbols; replace
`@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683`
with the correct format using only one commit hash reference. Third, add a
proper newline after the comment `# v4` on line 24 so that `with:` starts on its
own line with correct indentation, fixing the malformed `# v4with:` syntax. Then
create the Setup Node as a separate step with its own `- name: Setup Node` entry
and properly indented uses and with blocks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 21-26: The CodeQL workflow has three YAML structure errors that
prevent parsing. First, separate the Checkout and Initialize CodeQL into two
distinct workflow steps by properly formatting the second step with its own `-
name: Initialize CodeQL` line instead of adding it as a duplicate name key
within the Checkout step. Second, fix the invalid Git reference in the Checkout
action by replacing the malformed syntax (with two commit hashes separated by @)
with a single valid reference format like
`actions/checkout@<single-commit-hash>`. Third, properly format the comment and
with block by ensuring the comment `# v4` appears on its own line, followed by
the `with:` keyword and its configuration block on separate lines. This will
restore proper YAML parsing for the workflow.

In @.github/workflows/docs.yml:
- Around line 42-44: The Install dependencies step in the docs workflow is
running npm ci with the --frozen-lockfile flag, which is redundant since npm ci
already enforces a frozen lockfile by default and will error if package.json and
package-lock.json are out of sync. Remove the --frozen-lockfile flag from the
npm ci command so it reads simply as npm ci, keeping the functionality intact
while removing the unnecessary flag that is actually a Yarn-specific option.
- Around line 74-78: The "Configure Pages" step in the docs.yml workflow has
malformed YAML structure with the Deploy step improperly merged into it. Fix
this by ensuring the Configure Pages step is properly closed after the uses
directive, then create a separate new step item (starting with a dash) for the
Deploy step with correct indentation. The Configure Pages step should contain
only its name and uses properties, while the Deploy step should be a distinct
list item with its own name (Deploy), id (deployment), and uses
(actions/deploy-pages) properties. Verify all indentation is consistent
throughout with proper YAML list and mapping alignment.

In @.github/workflows/lint.yml:
- Line 11: The actions/checkout@v4 step does not explicitly disable credential
persistence, which poses a security risk by allowing Git credentials to
potentially leak through artifacts or subsequent workflow steps. Add a `with:`
section to the checkout action and set `persist-credentials: false` to prevent
credentials from being persisted in the environment. This ensures that Git
credentials are only valid for the duration of the checkout step and are not
available to downstream jobs or actions.
- Line 18: The golangci-lint configuration is using `version: latest` which
should be replaced with a specific pinned version number. Locate the `version:
latest` setting in the golangci-lint action and replace the value with a
specific version string (for example, a version number like v1.54.2). This
ensures the CI pipeline uses a consistent version and prevents unexpected
behavior changes from automatic updates.
- Line 14: The go-version field in the lint workflow is set to stable, which is
a moving target and may introduce version drift from the go.mod declaration of
go 1.26.0. Replace the go-version: stable value with the explicit version
go-version: 1.26.0 to ensure the workflow uses the same Go version as declared
in go.mod, maintaining consistency across the codebase and preventing potential
linting issues caused by version mismatches.

In @.github/workflows/sast-quick.yml:
- Around line 48-50: The workflow contains a single step with multiple `uses:`
fields, which is invalid GitHub Actions syntax. The actions/checkout action on
the first line and the fsfe/reuse-action on the third line must be separated
into two distinct steps. Create two separate step entries in the workflow array:
one for actions/checkout and one for fsfe/reuse-action, each with their own
`uses:` field. Additionally, fix the malformed comment on line 50 where `#
v4continue-on-error:` is concatenated incorrectly—separate the version comment
from the `continue-on-error: true` property by placing `continue-on-error` on a
proper line within the fsfe/reuse-action step.

In @.github/workflows/trufflehog.yml:
- Line 24: The GH_TOKEN environment variable has an escaped dollar sign that
prevents the GitHub Actions template expression from being interpolated. Remove
the backslash before the dollar sign in the GH_TOKEN assignment so that
secrets.GITHUB_TOKEN is properly evaluated to the actual secret value instead of
being treated as a literal string. Change `\${{ secrets.GITHUB_TOKEN }}` to `${{
secrets.GITHUB_TOKEN }}` to allow the token to be correctly passed to
TruffleHog.
- Around line 18-21: The actions/setup-go action uses an invalid commit SHA that
does not exist, which will cause the workflow to fail. Replace the commit SHA in
the actions/setup-go reference with a valid version tag such as `@v5` or `@v5.0.2`.
Additionally, the go install command for trufflehog uses `@latest`, which results
in unpinned and unreproducible builds. Replace `@latest` in the
github.com/trufflehog/trufflehog/v3@latest command with a pinned version tag
such as `@v3.63.0` to ensure consistent and reproducible workflow runs.

---

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 53-54: The codecov/codecov-action step has a YAML syntax error
where the `with:` keyword is incorrectly concatenated to the end of the `uses:`
line comment. Separate the `with:` keyword onto its own line at the same
indentation level as `uses:`, ensuring it appears as a distinct key in the YAML
structure. The comment `# v3` should end the `uses:` line, and `with:` should
begin on the next line followed by its nested `files:` parameter.
- Around line 33-34: The YAML workflow file has a syntax error where the `with:`
keyword is concatenated onto the end of the `uses:` action comment instead of
being on its own separate line. Fix this by removing `with:` from the comment on
the `uses: actions/setup-go` line (so it reads only `# v5` or similar version
comment) and then place `with:` as its own top-level key on a new line at the
same indentation level as `uses:`, followed by the `go-version:` property
indented one level deeper.
- Around line 25-30: Separate this into two distinct GitHub Actions steps. The
first step should use the `actions/checkout` action with a single valid commit
SHA reference (remove the duplicate SHA after the first @). The second step
should be a separate step with only the `run:` command that contains the git
fetch, mkdir, and git show commands for refreshing the models catalog. Each step
must use either `uses:` or `run:`, never both in the same step.
- Around line 37-41: The `uses:` line for the actions/cache action has a
critical YAML syntax error where the `with:` keyword is incorrectly appended to
the end of the comment. The comment should end cleanly after the version
reference, and `with:` must be placed on its own line as a separate key at the
appropriate indentation level. Remove the `with:` text from the comment at the
end of the `uses:` line and add `with:` as a properly indented standalone key on
the next line before the `path:` property.

In @.github/workflows/docs.yml:
- Around line 21-27: The Checkout step in the GitHub Actions workflow has three
critical YAML syntax errors that need to be fixed. First, remove the duplicate
`name: Setup Node` key that appears on line 23 - this should be a separate step
entirely, not part of the Checkout step. Second, fix the invalid Git ref syntax
on line 22 which contains two commit hashes separated by @ symbols; replace
`@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683`
with the correct format using only one commit hash reference. Third, add a
proper newline after the comment `# v4` on line 24 so that `with:` starts on its
own line with correct indentation, fixing the malformed `# v4with:` syntax. Then
create the Setup Node as a separate step with its own `- name: Setup Node` entry
and properly indented uses and with blocks.

In @.github/workflows/lint.yml:
- Around line 1-19: The lint workflow lacks an explicit permissions block, which
causes the GITHUB_TOKEN to default to broad permissions violating the principle
of least privilege. Add a top-level permissions block to the workflow (at the
same indentation level as the on and jobs keys) that specifies only the minimal
permissions needed for a lint job to read the repository contents, such as
contents: read. This ensures the workflow operates with the minimum required
permissions.
- Around line 1-19: The lint workflow is missing concurrency control
configuration that should cancel outdated runs when new commits are pushed. Add
a concurrency block at the top level of the workflow (at the same level as the
name, on, and jobs keys) that defines a concurrency group based on the GitHub
reference and sets cancel-in-progress to true to ensure that only the latest run
for a given ref executes, canceling any in-progress runs from previous commits.

In @.github/workflows/policy-gate.yml:
- Around line 14-15: The workflow file has malformed YAML syntax on line 14
where the actions/checkout action reference contains two concatenated commit
SHAs separated by @ symbol, and the next step definition is incorrectly appended
to the same line after a comment. Fix this by removing one of the duplicate SHAs
from the actions/checkout reference (keeping only a single valid SHA), then
place the - name: Enforce engineering policies step on its own new line with
proper YAML indentation to create a separate step definition, ensuring the run:
directive on line 15 is properly associated with its parent step.

In @.github/workflows/quality-gate.yml:
- Around line 14-15: The actions/checkout reference in the quality-gate.yml
workflow contains two commit SHAs concatenated with @ symbols, making the action
reference invalid. Additionally, the next step's name declaration is incorrectly
concatenated on the same line after a comment. Fix this by using only the second
commit SHA in the checkout action reference, placing the comment on a separate
line, and ensuring each workflow step starts on its own line with proper YAML
indentation so that the step named "Run quality checks" and its associated run
command are properly defined as a separate step.

In @.github/workflows/sast-quick.yml:
- Line 56: The `continue-on-error:` field is incorrectly concatenated onto the
`uses:` line in the fsfe/reuse-action step. You need to separate the comment and
the continue-on-error field: move `continue-on-error: true` to its own line at
the same indentation level as the `uses:` field (keeping only the version
comment `# v4` on the uses line). This will fix the YAML syntax error that is
preventing the workflow from parsing correctly.
- Around line 26-27: The YAML syntax in the workflow file has a critical error
where the `with:` keyword is concatenated onto the comment at the end of the
`uses:` line in the setup-python action. Remove the `with:` text from the
comment (keeping just `# v5`) and add `with:` as a separate YAML key on its own
line after the `uses:` line, ensuring it is at the same indentation level as
`uses:`. The `python-version: "3.12"` should then be properly nested as a child
of the `with:` key with appropriate indentation. This will fix the YAML parsing
error that prevents the workflow from running.
- Around line 36-38: The if: always() condition is incorrectly concatenated onto
the end of the uses: line in the github/codeql-action/upload-sarif step.
Separate the if: always() onto its own line below the uses: statement so that it
becomes a proper YAML key-value pair at the step level, not appended to the
comment. This will ensure the workflow YAML is syntactically valid and the
conditional execution logic is properly recognized by GitHub Actions.
- Around line 67-70: The YAML syntax in the gitleaks-action step is invalid
because the env keyword has been concatenated onto the end of the uses line in
the comment as # v2env:. Fix this by separating the env key onto its own line at
the proper indentation level. Remove the env text from the comment so it reads #
v2 instead, then add env: as a separate key on the next line, followed by the
GITHUB_TOKEN definition at the correct indentation level.
- Around line 80-82: The upload-sarif step for the github/codeql-action has a
YAML syntax error where the if condition is concatenated onto the uses line's
version comment, appearing as "# v4if: always()". Fix this by moving the if:
always() condition to its own separate line as a proper YAML key at the same
indentation level as the uses and with keys, ensuring the version comment on the
uses line ends correctly with just the version number like "# v4".
- Around line 24-25: The GitHub Actions workflow has a YAML syntax error where
the `with:` keyword is incorrectly concatenated onto the `uses:` line as part of
the comment (showing as `# v4with:`). Fix this by separating the `with:` keyword
onto its own line with the same indentation level as the `uses:` line, and
ensure the comment on the `uses:` line ends with just `# v4` without the `with:`
text attached. This will restore proper YAML structure and allow the workflow to
parse correctly.
- Around line 64-65: The `with:` keyword in the actions/checkout step is
incorrectly concatenated onto the end of the `uses:` line comment as `#
v4with:`, causing a YAML syntax error. Fix this by removing `with:` from the
comment (change `# v4with:` to `# v4`), then add `with:` as a separate key on
its own line at the same indentation level as `uses:`, with `fetch-depth: 0`
properly indented beneath it as a child of the `with:` key.

In @.github/workflows/scorecard.yml:
- Around line 31-32: The YAML syntax error in the GitHub Actions workflow has
the `with:` keyword incorrectly concatenated into the comment on the `uses:
actions/checkout...` line. Fix this by removing the `with:` text from the
comment so it reads `# v4` instead of `# v4with:`, then add `with:` as a
separate YAML key on its own line at the same indentation level as `uses:`, and
keep the `persist-credentials: false` properly indented as a child of the
`with:` key.
- Around line 44-45: The YAML syntax error in the scorecard workflow is caused
by the `with:` keyword being concatenated onto the end of the `uses:` line
comment as part of `# v3with:`. The `with:` keyword must be moved to its own
separate line at the same indentation level as the `uses:` key in the
`github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a`
step. The comment on the uses line should end cleanly with `# v3`, and then
`with:` should appear on the next line as a proper YAML key followed by
`sarif_file: results.sarif` as its nested content.
- Around line 34-37: The YAML syntax error occurs because the `with:` keyword is
concatenated to the end of the comment on the same line as the `uses:` key for
the ossf/scorecard-action action (showing as `# v2.4.2with:`). Fix this by
ensuring the comment on the `uses:` line ends cleanly with just `# v2.4.2`, and
then place the `with:` keyword on its own separate line at the same indentation
level as the `uses:` line above it, followed by the configuration properties on
subsequent indented lines.
- Around line 39-42: The actions/upload-artifact action reference contains two
commit SHAs separated by @ symbols, which is invalid GitHub Actions syntax.
Remove the second commit SHA (043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) from the
uses statement so there is only one @ separator. Additionally, the comment is
malformed with # v4with: concatenating the with keyword onto the comment. Fix
this by separating the comment to just # v4 and then place with: on its own line
as a proper YAML key, ensuring proper indentation for the nested with block
containing name, path, and retention-days properties.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 60599326-054b-4b88-9819-f940c0351f9f

📥 Commits

Reviewing files that changed from the base of the PR and between b4f95c7 and 77e47b2.

📒 Files selected for processing (12)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/docs.yml
  • .github/workflows/journey-gate.yml
  • .github/workflows/lint.yml
  • .github/workflows/policy-gate.yml
  • .github/workflows/quality-gate.yml
  • .github/workflows/sast-quick.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/self-merge-gate.yml
  • .github/workflows/trufflehog.yml
  • cliproxyapi-plusplus-wtrees/shell-quality-2026-06-08

Comment on lines 21 to 26
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
languages: ${{ matrix.language }}
config-file: .github/codeql/codeql-config.yml


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Malformed YAML prevents CodeQL security scanning.

The "Checkout" step contains the same structural errors as in docs.yml:

  1. Duplicate name keys: Line 23 adds name: Initialize CodeQL to the Checkout step instead of creating a new step with - name: Initialize CodeQL
  2. Invalid Git ref syntax: Line 22 contains two commit hashes separated by @, which is invalid
  3. Missing newline: Line 24 shows # v4with: instead of # v4 followed by a properly formatted with: block

These errors prevent the workflow from parsing, which means CodeQL security scanning will not run, creating a security blind spot.

🔧 Proposed fix for YAML structure
      - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
          languages: ${{ matrix.language }}
          config-file: .github/codeql/codeql-config.yml
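Review bot: the corrected Checkout step still has no `persist-credentials: false`, which this same review asks for on the lint.yml checkout; add a `with:` block carrying it here as well, otherwise the fix leaves the credential-persistence finding in place on a job that now parses and runs.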
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 23-23: duplication of key "name" in mapping

(key-duplicates)


[error] 24-24: duplication of key "uses" in mapping

(key-duplicates)


[error] 25-25: syntax error: expected , but found ''

(syntax)


Comment on lines 42 to +44
- name: Install dependencies
working-directory: docs
run: npm install --frozen-lockfile
run: npm ci --frozen-lockfile


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove redundant --frozen-lockfile flag.

The npm ci command already treats the lockfile as frozen by default and will error if package.json and package-lock.json are out of sync. The --frozen-lockfile flag is redundant (and is actually a Yarn flag, not an npm flag).

♻️ Proposed fix
      - name: Install dependencies
        working-directory: docs
-        run: npm ci --frozen-lockfile
+        run: npm ci

Comment on lines 74 to 78
- name: Configure Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
name: Deploy
id: deployment
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 No newline at end of file


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Malformed YAML in deploy job.

The "Configure Pages" step has duplicate name keys and improper structure:

  1. Line 76 adds name: Deploy to the Configure Pages step instead of starting a new step
  2. Line 76 has incorrect indentation (single space instead of proper alignment)
  3. The Deploy step is merged into Configure Pages instead of being separate

This YAML syntax error will prevent the workflow from running.

🔧 Proposed fix for YAML structure
      - name: Configure Pages
        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
-         name: Deploy
+      - name: Deploy
        id: deployment
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 78-78: duplication of key "uses" in mapping

(key-duplicates)


golangci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4


🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false to prevent credential leakage.

The checkout action does not explicitly set persist-credentials: false, which means Git credentials are persisted and could potentially leak through artifacts or subsequent steps.

🛡️ Proposed fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
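Review bot: `actions/checkout@v4` and `actions/setup-go@v5` remain tag-pinned in this hunk, and zizmor flags line 11 for exactly that (`unpinned-uses`, required by the blanket policy); pin both to a full commit SHA with a `# vN` comment, as the other workflows in this PR do, so the one change clears both findings on the line.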
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-11: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools

- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: stable


🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider aligning Go version with go.mod declaration.

The workflow uses go-version: stable, which is a moving target that may introduce drift from the go 1.26.0 declared in go.mod. While stable is acceptable for linting, explicitly specifying the version ensures consistency with the codebase target.

📌 Proposed fix to align with go.mod
       - uses: actions/setup-go@v5
         with:
-          go-version: stable
+          go-version: '1.26'
       - name: golangci-lint
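Review bot: `go-version: '1.26'` still lets the runner pick any 1.26.x patch, so it does not remove the drift from the `go 1.26.0` in go.mod that the comment describes; `go-version-file: go.mod` (an input of actions/setup-go) keeps the two in sync without adding a second place that has to be updated on every Go bump.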

- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest


🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider pinning golangci-lint version for stability.

Using version: latest allows golangci-lint to update automatically, which may introduce new linter rules or breaking changes that cause unexpected CI failures. Pinning to a specific version provides more predictable behavior.

📌 Proposed fix to pin version
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v1.61
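Review bot: `v1.61` is offered without confirming it is a published golangci-lint release (the note that follows says to verify it), so the hunk should not be applied as-is; and `golangci/golangci-lint-action@v6` itself stays tag-pinned while the rest of this PR pins actions to commit SHAs, so pin the action to a SHA in the same change once the tool version is settled.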

Note: Verify the desired version at https://github.com/golangci/golangci-lint/releases

🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 9-18: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}


Comment on lines +48 to 50
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Analyze licenses
uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical YAML syntax error: step contains multiple uses: fields.

This step has uses: actions/checkout on line 48, then a name: field on line 49, and then another uses: fsfe/reuse-action on line 50. A GitHub Actions step cannot have multiple uses: fields—these should be separate steps.

This will cause workflow parsing to fail.

🔧 Proposed fix
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
       - name: Analyze licenses
         uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true  # Allow findings but don't fail
+        continue-on-error: true
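Review bot: this hunk does not fix the two problems it describes: the checkout line keeps the two-SHA ref `actions/checkout@34e11487...@11bd7190...`, and the fsfe/reuse-action line keeps the fused `# v4continue-on-error: true` comment, so the file still fails to parse; the added `continue-on-error: true` then only duplicates a key that is currently hidden inside a comment. Drop the first SHA, cut the comment back to `# v4`, and put `continue-on-error: true` on its own line under the reuse-action step.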

Note: Line 50 also has # v4continue-on-error: which needs to be separated.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 50-50: duplication of key "uses" in mapping

(key-duplicates)


Comment on lines +18 to +21
- uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1
with:
go-version: 'stable'
- run: go install github.com/trufflehog/trufflehog/v3@latest
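Review bot: before pinning the version on the last line, verify the module path itself: TruffleHog's source is published under the trufflesecurity organization on GitHub, so `go install github.com/trufflehog/trufflehog/v3@<version>` is likely to fail at module resolution whichever version is chosen. On the setup-go step, `go-version: 'stable'` floats with every Go release; pin a concrete version or point `go-version-file` at the repository's go.mod so the toolchain used for the scanner build is reproducible.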


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the actions/setup-go commit SHA exists

gh api repos/actions/setup-go/commits/0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 \
  --jq '.sha' 2>&1 || echo "ERROR: Invalid commit SHA"

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 356


🏁 Script executed:

# Check if the trufflehog.yml file exists and examine lines 18-21
if [ -f ".github/workflows/trufflehog.yml" ]; then
  echo "=== File found ==="
  wc -l ".github/workflows/trufflehog.yml"
  echo "=== Lines 18-21 ==="
  sed -n '18,21p' ".github/workflows/trufflehog.yml"
else
  echo "File .github/workflows/trufflehog.yml not found"
  ls -la .github/workflows/ 2>/dev/null || echo ".github/workflows directory not found"
fi

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 334


🏁 Script executed:

# Search for actions/setup-go references in the repository
rg "actions/setup-go" --type yaml -A 2 -B 2

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 57


🌐 Web query:

GitHub Actions setup-go action valid references versions best practices

💡 Result:

To use the actions/setup-go action effectively, follow these best practices regarding version specification and configuration [1][2][3].

### Version Specification Best Practices

For stable and reproducible builds, it is recommended to pin a specific Go version (e.g., '1.25.5') or at least a specific major/minor version (e.g., '1.25') [1].

- Use single quotes in your YAML configuration to prevent the parser from misinterpreting version numbers (e.g., '1.20' might be trimmed to '1.2' if unquoted) [2][3].
- You can specify exact versions (e.g., '1.24.11'), semantic version ranges (e.g., '^1.25.1'), or aliases like 'stable' or 'oldstable' [2][3].
- If you prefer stability and want to ensure a consistent Go version is always used, keep the default check-latest: false [1][4].
- Set check-latest: true only if you want the action to always fetch the latest available patch release from the GitHub runner's manifest, which may cause your build environment to change over time [1][5].

### Configuration Recommendations

- Use the go-version-file input to automatically sync the Go version with your local project files (e.g., 'go.mod', '.go-version', or '.tool-versions') [2][5]. Note that if both go-version and go-version-file are provided, go-version takes precedence [2][3].
- Caching is enabled by default [2][3][6]. The action automatically looks for 'go.sum' in the repository root to generate cache keys [2][3].
- If you have multiple dependency files or they are located in non-standard directories, use the cache-dependency-path input to explicitly define the paths for caching [2][4].


🌐 Web query:

actions/setup-go commit SHA vs tag version reference GitHub Actions

💡 Result:

In GitHub Actions, referencing an action by a tag (e.g., @v5) is considered insecure because tags are mutable [1][2][3]. A tag can be deleted and recreated by an attacker or a compromised account to point to a different, malicious commit, which would cause all workflows using that tag to execute the new, untrusted code [1][4][5]. Referencing an action by its full 40-character commit SHA (e.g., @a1b2c3d4...) is the industry-standard security practice [1][6][7]. Because a commit SHA is a cryptographic hash of the commit's content, it is immutable; it cannot be changed to point to different code [2][4][8]. Pinning to a SHA ensures that your workflow consistently runs the exact code you have reviewed [4][9][5].

Best practices for managing action references include:

1. Always use full-length (40-character) commit SHAs [10][7][5]. Never use short SHAs, as they are not guaranteed to be unique and can be forged.
2. Maintain human readability by appending the tag version as a comment [1][9][5]. This allows automated dependency management tools like Dependabot or Renovate to recognize the version and open pull requests when updates are available [1][2][5]. Example: `- uses: actions/setup-go@0a12ed9 # v5.0.2` [1]
3. Use automated tooling (e.g., Dependabot, Renovate, pinact) to keep these pinned SHAs up to date with the latest releases [1][3][6][5].
4. Enable organization-level policies in GitHub to enforce SHA pinning, which will cause any workflow using non-pinned references to fail, ensuring compliance across your organization [4][6][11][5].
5. When reviewing updates, verify that the new SHA belongs to a release tag or branch within the official repository to avoid "orphaned" commits from untrusted forks [8].

While SHA pinning is a critical security control, it does not replace the need to audit the actions you use or ensure that the actions themselves do not pull unpinned, mutable dependencies (like 'latest' Docker images or unversioned shell scripts) at runtime [6][8].


Fix the invalid actions/setup-go reference and pin TruffleHog version.

The commit SHA 0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 does not exist in the actions/setup-go repository and will cause the workflow to fail. Use a valid commit SHA (e.g., pinning to a specific release tag like @v5.0.2) or use the tag directly (e.g., @v5). Additionally, line 21 uses @latest for TruffleHog, which installs an unpinned version that may change between runs. Pin the TruffleHog version to a specific release (e.g., @v3.63.0) for consistency and reproducibility.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trufflehog.yml around lines 18 - 21, The actions/setup-go
action uses an invalid commit SHA that does not exist, which will cause the
workflow to fail. Replace the commit SHA in the actions/setup-go reference with
a valid version tag such as `@v5` or `@v5.0.2`. Additionally, the go install command
for trufflehog uses `@latest`, which results in unpinned and unreproducible
builds. Replace `@latest` in the github.com/trufflehog/trufflehog/v3@latest
command with a pinned version tag such as `@v3.63.0` to ensure consistent and
reproducible workflow runs.

- run: go install github.com/trufflehog/trufflehog/v3@latest
- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
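Review bot: the `trufflehog github` line names no scan target (no `--repo` or `--org` argument), so even once the escaped `\${{` is corrected it is not clear which repository the job scans; state the target explicitly. Since the step exports `GITHUB_TOKEN`, also declare a job-level `permissions:` block limited to `contents: read` so the token handed to the scanner carries no write scope.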


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Escaped secret variable prevents interpolation.

Line 24 has \${{ secrets.GITHUB_TOKEN }} with a backslash before the dollar sign. This escapes the template expression, causing GitHub Actions to set the environment variable to the literal string ${{ secrets.GITHUB_TOKEN }} instead of interpolating the actual secret value.

TruffleHog will fail because it won't receive a valid GitHub token.

🔧 Proposed fix
       - run: trufflehog github --only-verified --no-update
         env:
-          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/trufflehog.yml at line 24, The GH_TOKEN environment
variable has an escaped dollar sign that prevents the GitHub Actions template
expression from being interpolated. Remove the backslash before the dollar sign
in the GH_TOKEN assignment so that secrets.GITHUB_TOKEN is properly evaluated to
the actual secret value instead of being treated as a literal string. Change
`\${{ secrets.GITHUB_TOKEN }}` to `${{ secrets.GITHUB_TOKEN }}` to allow the
token to be correctly passed to TruffleHog.
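The three findings above (a step with two `uses:` keys and a `continue-on-error` fused into a comment in sast-quick.yml, an action ref that is not a valid full-length SHA plus a `go install ...@latest` in trufflehog.yml, and the backslash-escaped `\${{ secrets.GITHUB_TOKEN }}`) are all detectable before a workflow ever runs. The following is an added example, not code from this repository or from any review bot: a dependency-free, line-oriented lint that walks a workflow file and reports each of those defect classes. The sample workflow and its SHAs are constructed for the example; the fused-key check is a heuristic and may produce false positives on comments that themselves contain `key:` text.

```python
"""Stdlib-only lint for the GitHub Actions workflow defects discussed in this review.

Constructed example (not repository code). It walks a workflow file line by line,
deliberately without a YAML parser (a duplicate key is exactly what a parser would
reject or silently collapse), and reports:
  * steps carrying more than one `uses:` key,
  * `uses:` refs that are not a single full-length commit SHA
    (tags, branches, short SHAs, or two SHAs glued together with '@'),
  * `go install <module>@latest` run lines,
  * `\\${{ ... }}` expressions whose leading backslash defeats interpolation,
  * (heuristic) a YAML key fused onto the end of a trailing comment.
"""
import re
from typing import List, Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
STEP_START = re.compile(r"^\s*-\s")
GO_INSTALL_LATEST = re.compile(r"\bgo\s+install\s+\S+@latest\b")
ESCAPED_EXPR = re.compile(r"\\\$\{\{")
# A comment whose text runs straight into something that looks like a step key.
FUSED_KEY = re.compile(r"#\s*\S+?(continue-on-error|with|env|run|name):")


def check_uses_ref(ref: str) -> Optional[str]:
    """Return a finding for an action reference, or None if it is one full SHA."""
    if "@" not in ref:
        return f"unversioned action reference {ref!r}"
    action, _, version = ref.partition("@")
    if "@" in version:
        return f"{action}: two references joined by '@' ({version!r}); keep one SHA"
    if not SHA40.match(version):
        return f"{action}: ref {version!r} is not a full 40-hex commit SHA"
    return None


def lint_workflow(text: str) -> List[str]:
    """Scan workflow text and return human-readable findings, one per defect."""
    findings: List[str] = []
    step_uses = 0           # `uses:` keys seen in the current step
    step_line = 0           # line where the current step started
    for lineno, line in enumerate(text.splitlines(), start=1):
        if STEP_START.match(line):
            step_uses, step_line = 0, lineno
        m = USES.match(line)
        if m:
            step_uses += 1
            if step_uses == 2:
                findings.append(
                    f"line {lineno}: step starting at line {step_line} has more than one uses: key"
                )
            problem = check_uses_ref(m.group(1))
            if problem:
                findings.append(f"line {lineno}: {problem}")
        if GO_INSTALL_LATEST.search(line):
            findings.append(f"line {lineno}: go install uses @latest; pin a release tag")
        if ESCAPED_EXPR.search(line):
            findings.append(f"line {lineno}: escaped template expression '\\${{{{' will not be interpolated")
        fused = FUSED_KEY.search(line)
        if fused:
            findings.append(f"line {lineno}: key '{fused.group(1)}' appears fused into a comment")
    return findings


# Constructed sample reproducing the defect shapes from the review; SHAs are fake.
SHA_A = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
SHA_B = "fedcba9876543210" * 2 + "fedcba98"
SAMPLE_WORKFLOW = r"""
name: sast-quick
on: [push]
jobs:
  scan:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@SHA_A@SHA_B # v4
        name: Analyze licenses
        uses: fsfe/reuse-action@SHA_A # v4continue-on-error: true
      - uses: actions/setup-go@v5
        with:
          go-version: 'stable'
      - run: go install github.com/example/tool/v3@latest
      - run: tool scan --only-verified
        env:
          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@SHA_A # v4
""".strip("\n").replace("SHA_A", SHA_A).replace("SHA_B", SHA_B)


if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run against a real file with `lint_workflow(open(".github/workflows/x.yml").read())`; the sample produces six findings (two of them on the line with the duplicated `uses:`), and a clean file produces an empty list, which is what a pre-commit hook or a CI gate would assert on.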

Labels

size:M This PR changes 30-99 lines, ignoring generated files

4 participants