Create codacy.yml

[LCSOGthb]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
tools	Ready	Preview, Comment	Apr 18, 2026 0:49am

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a67c6e9c-ec7a-485b-a548-6f6cb5fde030

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch LCSOGthb-patch-1-1

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch LCSOGthb-patch-1-1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Add Codacy security scanning GitHub Actions workflow

✨ Enhancement

Walkthroughs

Description

• Add Codacy security scanning workflow to GitHub Actions
• Scan code on push, pull requests, and weekly schedule
• Generate SARIF reports for GitHub Advanced Security integration
• Upload security analysis results automatically

Diagram

flowchart LR
  A["Code Push/PR/Schedule"] --> B["Checkout Code"]
  B --> C["Run Codacy Analysis"]
  C --> D["Generate SARIF Report"]
  D --> E["Upload to GitHub Security"]

Loading

File Changes

1. .github/workflows/codacy.yml ⚙️ Configuration changes +61/-0

Codacy security scan workflow configuration

• Create new GitHub Actions workflow for Codacy security scanning
• Configure triggers for push to main, pull requests, and weekly schedule
• Run Codacy Analysis CLI with SARIF output format
• Upload results to GitHub Advanced Security code scanning feature

.github/workflows/codacy.yml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Fork PR scan will fail 🐞 Bug ☼ Reliability

Description

The workflow runs on pull_request but relies on secrets.CODACY_PROJECT_TOKEN and uploads SARIF
with security-events: write; on fork-based PRs, secrets are not provided and the token permissions
are restricted, so the job will fail and/or never upload results.

Code

.github/workflows/codacy.yml[R16-61]

+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '22 19 * * 5'
+
+permissions:
+  contents: read
+
+jobs:
+  codacy-security-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Codacy Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+      - name: Run Codacy Analysis CLI
+        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
+        with:
+          # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+          # You can also omit the token and run the tools that support default configurations
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          verbose: true
+          output: results.sarif
+          format: sarif
+          # Adjust severity of non-security issues
+          gh-code-scanning-compat: true
+          # Force 0 exit code to allow SARIF file generation
+          # This will handover control about PR rejection to the GitHub side
+          max-allowed-issues: 2147483647
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

Evidence

The workflow is triggered for PRs to main and then attempts to use a repository secret plus upload
to Code Scanning with elevated permissions. This combination is incompatible with GitHub’s fork-PR
security model (no secrets for forks; restricted GITHUB_TOKEN prevents writing security events),
which results in failing PR checks and missing scan uploads for external contributors.

.github/workflows/codacy.yml[16-22]
.github/workflows/codacy.yml[30-33]
.github/workflows/codacy.yml[43-61]
Best Practice: GitHub Actions security model (fork PRs)

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow runs on `pull_request` but depends on repository secrets and SARIF upload permissions that are not available for fork PRs.

## Issue Context
Fork PRs do not receive repository secrets and typically cannot write `security-events`, so the Codacy step and/or SARIF upload will fail, breaking PR checks and preventing results from appearing in Code Scanning.

## Fix Focus Areas
- Add job/step `if:` conditions to skip secret-dependent and `security-events` upload steps when the PR is from a fork (or when the secret is missing), and optionally upload SARIF as an artifact instead.
- Example gating condition: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`

- .github/workflows/codacy.yml[16-61]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Unpinned SARIF upload action 🐞 Bug ⛨ Security

Description

The workflow uses github/codeql-action/upload-sarif@v3, which is a mutable tag; this weakens
supply-chain integrity because the executed code can change without review.

Code

.github/workflows/codacy.yml[R58-61]

+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

Evidence

In the new workflow, the SARIF upload step references a moving @v3 tag instead of an immutable
commit SHA. The repo already demonstrates SHA pinning for Actions in other workflows, indicating
this hardening approach is feasible here too.

.github/workflows/codacy.yml[58-61]
.github/workflows/scorecard.yml[35-43]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`github/codeql-action/upload-sarif` is referenced via a mutable `@v3` tag.

## Issue Context
Pinning to a commit SHA reduces the risk of supply-chain attacks and unexpected behavior changes.

## Fix Focus Areas
- Replace `github/codeql-action/upload-sarif@v3` with a specific commit SHA corresponding to the intended v3 release.

- .github/workflows/codacy.yml[58-61]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	tools	c214f17	Apr 18 2026, 12:50 AM

[deepsource-io]

DeepSource Code Review

We reviewed changes in 5f393e7...c214f17 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Scala		Apr 18, 2026 12:50a.m.	Review ↗
Swift		Apr 18, 2026 12:50a.m.	Review ↗
JavaScript		Apr 18, 2026 12:50a.m.	Review ↗
Ruby		Apr 18, 2026 12:50a.m.	Review ↗
C & C++		Apr 18, 2026 12:50a.m.	Review ↗
C#		Apr 18, 2026 12:50a.m.	Review ↗
Rust		Apr 18, 2026 12:50a.m.	Review ↗
Shell		Apr 18, 2026 12:50a.m.	Review ↗
Terraform		Apr 18, 2026 12:50a.m.	Review ↗
Code coverage		Apr 18, 2026 12:50a.m.	Review ↗
SQL		Apr 18, 2026 12:50a.m.	Review ↗
Secrets		Apr 18, 2026 12:50a.m.	Review ↗
Ansible		Apr 18, 2026 12:50a.m.	Review ↗

---

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

[codethreat-appsec]

Summary

Adds an automated Codacy security scanning workflow to the repository, integrating Codacy’s SARIF output with GitHub Advanced Security code scanning.

Features

• Codacy Security Scan workflow: Introduces .github/workflows/codacy.yml to run Codacy Analysis CLI on push and pull_request events targeting main, as well as on a weekly cron schedule.
• SARIF integration: Generates results.sarif from Codacy Analysis CLI and uploads it using github/codeql-action/upload-sarif@v3 so findings appear in GitHub’s code scanning UI.
• Scoped permissions: Configures job-level permissions for contents, security-events, and actions to support checkout and SARIF upload.

Bug Fixes

[None]

Breaking Changes

[None]

Architecture Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Codacy as Codacy Analysis CLI
    participant GHSec as GitHub Code Scanning

    Dev->>GH: Push/PR to main or scheduled run
    GH->>Repo: actions/checkout@v4
    GH->>Codacy: Run codacy-analysis-cli-action (analyze code)
    Codacy-->>GH: results.sarif
    GH->>GHSec: github/codeql-action/upload-sarif@v3 (upload SARIF)
    GHSec-->>Dev: Code scanning alerts in GitHub UI

Loading

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[qltysh]

❌ 1 blocking issue (1 total)

Tool	Category	Rule	Count
zizmor	Vulnerability	credential persistence through GitHub Actions artifacts	1	❌

[qltysh]

credential persistence through GitHub Actions artifacts [zizmor:zizmor/artipacked]

[qodo-code-review]

1. Fork pr scan will fail 🐞 Bug ☼ Reliability

The workflow runs on pull_request but relies on secrets.CODACY_PROJECT_TOKEN and uploads SARIF
with security-events: write; on fork-based PRs, secrets are not provided and the token permissions
are restricted, so the job will fail and/or never upload results.

Agent Prompt

## Issue description
The workflow runs on `pull_request` but depends on repository secrets and SARIF upload permissions that are not available for fork PRs.

## Issue Context
Fork PRs do not receive repository secrets and typically cannot write `security-events`, so the Codacy step and/or SARIF upload will fail, breaking PR checks and preventing results from appearing in Code Scanning.

## Fix Focus Areas
- Add job/step `if:` conditions to skip secret-dependent and `security-events` upload steps when the PR is from a fork (or when the secret is missing), and optionally upload SARIF as an artifact instead.
- Example gating condition: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`

- .github/workflows/codacy.yml[16-61]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud