feat(ci): New structure started #120

Merged

bedatty merged 6 commits into develop from feat/structure-repo on Mar 6, 2026

Conversation

@bedatty (Contributor) commented Mar 6, 2026

Lerian

GitHub Actions Shared Workflows


Description

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #

Summary by CodeRabbit

Release Notes

  • New Features

    • Added Branch Cleanup workflow for automated stale and merged branch removal with protected branch handling.
    • Added Labels Sync workflow for managing repository labels from a centralized YAML definition.
  • Documentation

    • Updated README with simplified architecture overview and AI assistant support guidance.
    • Added comprehensive guides for contributors and AI agents.
    • Updated all workflow documentation examples to use stable v1.0.0 version tags.
  • Chores

    • Enhanced label management system with categorized labeling rules.
    • Added automated code review configuration.

@bedatty bedatty self-assigned this Mar 6, 2026
@bedatty bedatty requested a review from a team as a code owner March 6, 2026 15:12
coderabbitai bot commented Mar 6, 2026

Walkthrough

This PR establishes comprehensive documentation standards and automation guidelines for GitHub Actions workflows and composite actions, introduces two new reusable workflows with composite action implementations (branch-cleanup and labels-sync), and updates workflow version references in documentation from @main to @v1.0.0.

Changes

  • CI/CD Guidelines and Standards
    Files: .claude/commands/composite.md, .claude/commands/gha.md, .claude/commands/refactor.md, .claude/commands/workflow.md, .cursor/rules/composite-actions.mdc, .cursor/rules/refactoring.mdc, .cursor/rules/reusable-workflows.mdc
    Summary: New documentation prescribing standards for composite action structure, GitHub Actions conventions, refactoring protocols, and reusable workflow architecture. Defines pre-creation checks, design rules (step limits, single responsibility, no jobs/workflows in composites), dry_run semantics, naming conventions, secrets management, and breaking-change guidelines with migration paths.
  • Branch Cleanup Workflow
    Files: .github/workflows/branch-cleanup.yml, src/config/branch-cleanup/action.yml, src/config/branch-cleanup/README.md, docs/branch-cleanup.md
    Summary: Implements a new reusable workflow and composite action for deleting stale branches (configurable age threshold) and branches after PR merges. Includes protected branch patterns, dry-run support, GitHub API integration with pagination, and branch protection rule checks.
  • Labels Sync Workflow
    Files: .github/workflows/labels-sync.yml, src/config/labels-sync/action.yml, src/config/labels-sync/README.md
    Summary: Introduces a new reusable workflow and composite action for synchronizing GitHub labels from YAML definitions. Wraps crazy-max/ghaction-github-labeler@v5 with configurable label file, dry-run, and skip-delete modes.
  • Repository Configuration
    Files: .github/labeler.yml, .github/labels.yml, .github/ISSUE_TEMPLATE/config.yml, .coderabbit.yml
    Summary: Adds glob-based label categorization (workflow, golang, typescript, security, documentation, dependencies, github-config), new label definitions with descriptions, removes DevOps Team Support contact link, and establishes automated PR review rules for path-based validation of workflows, composites, and documentation consistency.
  • Documentation Version Pins
    Files: docs/api-dog-e2e-tests-workflow.md, docs/build-workflow.md, docs/changed-paths-workflow.md, docs/frontend-pr-analysis-workflow.md, docs/gitops-update-workflow.md, docs/go-*.md, docs/gptchangelog-workflow.md, docs/pr-*.md, docs/release-workflow.md, docs/slack-notify-workflow.md, docs/typescript-release-workflow.md
    Summary: Replaces all workflow version references from @main to @v1.0.0 across example YAML snippets. Hardening of workflow references to explicit semantic version; no logic changes.
  • Project Documentation
    Files: README.md, CONTRIBUTING.md, AGENTS.md
    Summary: Restructures README from per-workflow feature list to architecture-focused narrative with diagram (Caller → Reusable → Composite). Adds AI assistant support sections (Cursor rules, Claude CLI). Adds merge strategy table and .yml extension requirement to CONTRIBUTING. Adds AGENTS.md with CLI commands, conventions, branching guidelines, and refactoring protocol.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~28 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check (⚠️ Warning)
    Explanation: The PR description is incomplete. The 'Description' section (which should summarize what the PR does and which workflows are affected) is entirely empty, and the 'Caller repo / workflow run' validation link is missing.
    Resolution: Complete the Description section with a summary of changes (new workflows, documentation, configuration updates) and provide the caller repo/workflow run link that demonstrates testing.
  • Title check (❓ Inconclusive)
    Explanation: The title 'feat(ci): New structure started' is vague and generic; it does not convey what the new structure is or what specific changes constitute it.
    Resolution: Provide a more specific title that clearly identifies the main change, e.g., 'feat(ci): Introduce branch-cleanup and labels-sync workflows with refactoring protocols' or similar.

✅ Passed checks (1 passed)

  • Docstring Coverage (✅ Passed)
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 13

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/composite.md:
- Line 143: Replace the mutable branch recommendation by removing the use of the
"@main" ref for LerianStudio/* in the dependabot guidance and instead instruct
authors to reference internal actions via local repository paths (e.g.,
./actions/...) and to pin cross-repo actions to immutable commit SHAs or release
tags; update the sentence containing "LerianStudio/*" and "@main" to explicitly
require local path references for internal actions and SHA/tag pinning for
external actions to ensure reproducibility and supply-chain security.

In @.claude/commands/gha.md:
- Line 433: Update the guidance that currently says "Never add `LerianStudio/*`
actions to dependabot — pinned to `@main` intentionally." to remove recommending
`@main` and instead instruct using local action paths or pinning cross-repo
actions to immutable commit SHAs; specifically replace the `@main`
recommendation for `LerianStudio/*` with a clear statement to reference local
paths (./.github/actions/...) for same-repo actions or use full commit SHAs when
referencing `LerianStudio/*` across repos, and mention Dependabot should not use
mutable branch refs like `@main`.

In @.cursor/rules/composite-actions.mdc:
- Around line 31-32: The policy currently forbids mutable refs ("Pin to a
specific tag or SHA — never `@main` or `@master`") but later permits
"LerianStudio/*@main", creating a contradiction; locate the rule text containing
"LerianStudio/*@main" and either replace that allowance with a specific pinned
tag or SHA (preferred) or add an explicit, documented exception and link to a
README justification explaining why LerianStudio/*@main is safe; ensure the
top-level prohibition and the exception are consistent and that the exception
text references "LerianStudio/*@main" so reviewers can find it.

In @.github/workflows/branch-cleanup.yml:
- Around line 30-43: The workflow_dispatch inputs are missing the merged_branch
parameter referenced later; add an input named merged_branch under the
workflow_dispatch inputs block (matching the declaration in workflow_call) so
inputs.merged_branch is available when manually triggering the workflow; update
the inputs section to include merged_branch with an appropriate description
(e.g., "Branch name used for merged-branch mode"), type string, and a sensible
default or empty value so merged-branch mode works when invoking the workflow
manually.

In @.github/workflows/labels-sync.yml:
- Line 55: The workflow step using the composite action currently points to the
wrong path; update the `uses` value in the labels-sync workflow (the `uses:
./src/labels-sync` entry in .github/workflows/labels-sync.yml) to `uses:
./src/config/labels-sync` so the action resolves to the existing composite
action at src/config/labels-sync/action.yml; ensure the `uses` string exactly
matches the directory containing action.yml.

In `@CONTRIBUTING.md`:
- Line 340: The merge-strategy summary sentence ("Always use the correct merge
strategy — squash for feature PRs, merge commit for releases and backmerges")
omits hotfixes and conflicts with the strategy table; update that sentence to
explicitly include hotfixes as squash merges (matching the strategy
table/definition at the top of the doc) so it reads something like "squash for
feature PRs and hotfixes, merge commit for releases and backmerges" to remove
reviewer ambiguity.

In `@docs/branch-cleanup.md`:
- Around line 52-53: The docs examples currently use "secrets: inherit", which
grants all caller secrets; replace each occurrence of "secrets: inherit" in the
snippets with an explicit, least-privilege mapping that only passes the token
needed (e.g., map a single secret name like MY_TOKEN or TOKEN to the caller
secret), and apply this change to every snippet that uses "secrets: inherit"
(the occurrences around lines 52, 71, 97, 104 in the diff) so examples only
expose the required token instead of inheriting all secrets.
- Around line 67-71: The workflow currently deletes the PR head branch when
github.event.pull_request.merged is true but doesn't check whether the head
branch lives in the same repository; update the conditional that controls the
branch-cleanup step (the step using
LerianStudio/github-actions-shared-workflows/.github/workflows/branch-cleanup.yml
with input merged_branch: ${{ github.head_ref }}) to also verify the PR head
repo equals the base repo (e.g. compare
github.event.pull_request.head.repo.full_name or head.repo.id to
github.repository or github.event.pull_request.base.repo.full_name) and only run
the deletion step when both merged is true and the head repo matches the base
repo. Ensure the same guard is applied to the other similar block that uses
github.head_ref (the block referenced around lines 100-104).

In `@src/config/branch-cleanup/action.yml`:
- Around line 83-101: Fetch and use the repository's actual default branch and
skip it explicitly during deletion: call gh api repos/${{ github.repository }}
--jq .default_branch to set a DEFAULT_BRANCH variable before the branch loop,
and inside the inner loop add a check like if [[ "$branch" == "$DEFAULT_BRANCH"
]]; then protected_count=$((protected_count+1)); continue; fi (alongside the
existing is_protected check) so the real default branch is never deleted even if
it doesn't match static name patterns.
- Line 59: Branch names with slashes must be percent-encoded before inserting
into GitHub API path or query strings; update the action to URL-encode
MERGED_BRANCH and any PROTECTED_BRANCH (or similar branch variables) and use the
encoded variables in the gh api calls that reference git/refs/heads/{branch},
branches/{branch}/protection, and any "branch=" query parameter. Add a step that
produces ENCODED_MERGED_BRANCH and ENCODED_PROTECTED_BRANCH (using a
URL-encoding method available in the runner, e.g., python/printf/node) and
replace occurrences of ${MERGED_BRANCH} and ${PROTECTED_BRANCH} in the gh api
URLs with ${ENCODED_MERGED_BRANCH} and ${ENCODED_PROTECTED_BRANCH} so '/'
becomes '%2F' for the DELETE, protection and query calls.

In `@src/config/branch-cleanup/README.md`:
- Line 33: Update the composite usage examples that reference the mutable branch
ref "uses:
LerianStudio/github-actions-shared-workflows/src/config/branch-cleanup@main"
(and the duplicate at line 50) to pin an immutable ref (for example replace
"@main" with a release tag like "@v1.0.0" or a commit SHA) so they match the
pinned example already shown as "@v1.0.0" and ensure all examples in the README
use immutable refs for reproducibility and security.

In `@src/config/labels-sync/action.yml`:
- Around line 24-29: Replace mutable action version tags with immutable commit
SHAs: change uses: actions/checkout@v4 and uses:
crazy-max/ghaction-github-labeler@v5 to their corresponding Git commit SHAs
(e.g., actions/checkout@<commit-sha> and
crazy-max/ghaction-github-labeler@<commit-sha>), obtaining the correct SHAs from
each action's GitHub repository and update your dependency automation
(Dependabot/Renovate) to manage future upgrades; ensure the identifiers you edit
are the uses entries for Checkout and Sync labels in the workflow.

In `@src/config/labels-sync/README.md`:
- Around line 49-80: The README examples use mutable refs
(LerianStudio/github-actions-shared-workflows/...@main) which is unsafe; update
every example that references the labels-sync workflow (the `uses:` lines in the
reusable workflow, dry-run, and skip-delete examples) to a stable pinned ref
such as a released tag (e.g., `@v1.x.y`) or a specific commit SHA instead of
`@main`, and adjust the text to recommend pinned refs for consumers of the
labels-sync workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: afecb9e8-0dd4-4cc0-be47-cee2491f0cd3

📥 Commits

Reviewing files that changed from the base of the PR and between 1990971 and 5dea9ba.

📒 Files selected for processing (20)
  • .claude/commands/composite.md
  • .claude/commands/gha.md
  • .claude/commands/refactor.md
  • .claude/commands/workflow.md
  • .cursor/rules/composite-actions.mdc
  • .cursor/rules/refactoring.mdc
  • .cursor/rules/reusable-workflows.mdc
  • .github/ISSUE_TEMPLATE/config.yml
  • .github/labeler.yml
  • .github/labels.yml
  • .github/workflows/branch-cleanup.yml
  • .github/workflows/labels-sync.yml
  • AGENTS.md
  • CONTRIBUTING.md
  • README.md
  • docs/branch-cleanup.md
  • src/config/branch-cleanup/README.md
  • src/config/branch-cleanup/action.yml
  • src/config/labels-sync/README.md
  • src/config/labels-sync/action.yml
💤 Files with no reviewable changes (1)
  • .github/ISSUE_TEMPLATE/config.yml
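The three `src/config/branch-cleanup/action.yml` findings above (skip the repository's real default branch, percent-encode branch names before they enter an API path, and the `docs/branch-cleanup.md` request to delete a merged PR's head branch only when it lives in the base repository) all land in the same deletion loop. The script below is an added example, not the project's composite action: it shows those checks together in a form that runs offline in dry-run mode. `REPO`, `DEFAULT_BRANCH`, `PROTECTED_PATTERNS`, `DRY_RUN`, the sample branch list and every function name are assumptions; the real step would obtain `DEFAULT_BRANCH` from `gh api repos/$REPO --jq .default_branch` and would additionally consult `branches/{branch}/protection`, which is omitted here. The same-repository guard is evaluated in shell from values the workflow would pass in, rather than in the `if:` expression the comment suggests.

```shell
#!/usr/bin/env sh
# Added example, not the project's action code. The variables below stand in
# for composite-action inputs/env; the values are constructed placeholders.
set -f   # globs are matched by hand below; never let the shell expand "release/*" against the filesystem

REPO=${REPO:-example-org/example-repo}
# Real step: DEFAULT_BRANCH=$(gh api "repos/$REPO" --jq .default_branch)
DEFAULT_BRANCH=${DEFAULT_BRANCH:-develop}
PROTECTED_PATTERNS=${PROTECTED_PATTERNS:-"main master develop release/* hotfix/*"}
DRY_RUN=${DRY_RUN:-true}

# Percent-encode a branch name for a URL path segment: "feat/x" -> "feat%2Fx".
# RFC 3986 unreserved characters pass through; every other byte is encoded.
# ASCII branch names are assumed.
urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}; _s=${_s#?}          # peel off the first character
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# 0 when the branch is the real default branch (from the API, not guessed from
# its name) or matches one of the protected glob patterns.
is_protected() {
  if [ "$1" = "$DEFAULT_BRANCH" ]; then return 0; fi
  for _pat in $PROTECTED_PATTERNS; do
    case $1 in
      $_pat) return 0 ;;
    esac
  done
  return 1
}

# The single place a destructive call is issued; dry-run prints the exact request.
delete_branch() {
  _enc=$(urlencode "$1")
  if [ "$DRY_RUN" = "true" ]; then
    echo "[dry-run] gh api -X DELETE repos/$REPO/git/refs/heads/$_enc"
  else
    gh api -X DELETE "repos/$REPO/git/refs/heads/$_enc"
  fi
}

# Merged-branch mode. Delete the PR head branch only when it lives in the base
# repository: a fork's branch is not ours, and the ref would not exist here.
# Returns 0 when a deletion was issued (or printed in dry-run), 1 when skipped.
cleanup_merged_branch() {
  _branch=$1; _head_repo=$2; _base_repo=$3
  if [ "$_head_repo" != "$_base_repo" ]; then
    echo "skip: $_branch belongs to fork $_head_repo"; return 1
  fi
  if is_protected "$_branch"; then
    echo "skip: $_branch is protected"; return 1
  fi
  delete_branch "$_branch"
}

# Stale mode over a whitespace-separated candidate list (the age filter that
# produces the list is out of scope here). Prints one line per branch and a
# final "deleted=N protected=M" summary line.
cleanup_stale() {
  _deleted=0; _protected=0
  for _b in $1; do
    if is_protected "$_b"; then
      echo "skip: $_b is protected"; _protected=$((_protected + 1)); continue
    fi
    delete_branch "$_b"; _deleted=$((_deleted + 1))
  done
  echo "deleted=$_deleted protected=$_protected"
}

# Constructed sample input standing in for a paginated `gh api repos/$REPO/branches` listing.
SAMPLE_BRANCHES="develop feat/structure-repo release/1.2 fix/typo hotfix/urgent"

cleanup_stale "$SAMPLE_BRANCHES"
# Fork case: refused, so the non-zero status is expected here.
cleanup_merged_branch "feat/structure-repo" "someone/example-repo" "$REPO" || true
```

Run it with `DRY_RUN=true` (the default) to see the exact DELETE requests that would be sent, including the `%2F` in the path; set `DRY_RUN=false` only inside a workflow where `gh` is authenticated with the single token the job needs.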

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Around line 22-28: Remove the unsupported key poem_instructions and replace
the two incorrectly named keys: rename suggest_labels to suggested_labels and
suggest_reviewers to suggested_reviewers, and place these renamed keys under the
reviews mapping (use reviews.suggested_labels and reviews.suggested_reviewers)
so the configuration matches the CodeRabbit schema and the keys are recognized.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d006b704-b891-4d57-8252-fa7be27524cf

📥 Commits

Reviewing files that changed from the base of the PR and between 5dea9ba and aa7f98f.

📒 Files selected for processing (1)
  • .coderabbit.yaml

coderabbitai bot left a comment

Actionable comments posted: 5

♻️ Duplicate comments (4)
.coderabbit.yaml (1)

22-28: ⚠️ Potential issue | 🟠 Major

Invalid reviews configuration keys remain unfixed.

Per the schema:

  • Line 22: poem_instructions does not exist; remove it.
  • Line 24: suggest_labels → suggested_labels
  • Line 27: suggest_reviewers → suggested_reviewers

These keys will be silently ignored, causing the intended behavior (label/reviewer suggestions) to use defaults instead of the specified values.

Proposed fix
   poem: false
-  poem_instructions: ""

-  suggest_labels: true
+  suggested_labels: true
   auto_apply_labels: false

-  suggest_reviewers: true
+  suggested_reviewers: true
   auto_assign_reviewers: false
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 22 - 28, Remove the invalid key
poem_instructions and rename the misspelled suggestion keys so they match the
schema: change suggest_labels to suggested_labels and suggest_reviewers to
suggested_reviewers (leave the corresponding auto_apply_labels and
auto_assign_reviewers flags as-is); ensure the YAML keys now read
suggested_labels: true and suggested_reviewers: true and delete
poem_instructions entirely so the config is honored.
.cursor/rules/composite-actions.mdc (1)

171-171: ⚠️ Potential issue | 🟠 Major

Resolve contradictory pinning guidance (never `@main` vs `LerianStudio/*@main`).

Line 171 contradicts Line 31 and weakens the stated immutable-ref policy.

Proposed fix
-Never add `LerianStudio/*` actions to dependabot — they are pinned to `@main` intentionally.
+Do not pin `LerianStudio/*` to mutable branches.
+For same-repo usage, reference local paths; for cross-repo usage, pin immutable SHAs (or managed release tags) and group them in Dependabot when applicable.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.cursor/rules/composite-actions.mdc at line 171, Resolve the contradictory
guidance by updating the composite-actions policy text so it clearly exempts
LerianStudio actions from the general "never pin to `@main`" rule: replace or
rephrase the sentence "Never add `LerianStudio/*` actions to dependabot — they
are pinned to `@main` intentionally." so it explicitly states that the
immutable-ref policy forbids adding actions with mutable refs except for the
special-case LerianStudio/* which are intentionally pinned to `@main`; ensure
the document’s general rule (the immutable-ref policy) and the LerianStudio
exception are consistent and unambiguous.
.claude/commands/composite.md (1)

159-159: ⚠️ Potential issue | 🟠 Major

Remove mutable-ref exception for LerianStudio/*; it conflicts with Line 21.

Current text allows @main while the file otherwise forbids mutable refs.

Proposed fix
-Never add `LerianStudio/*` actions to dependabot — pinned to `@main` intentionally.
+Do not use `@main` for `LerianStudio/*`.
+Use local paths for same-repo actions and immutable SHAs (or managed release tags) for cross-repo references.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/composite.md at line 159, Remove the special-case allowing
mutable refs for LerianStudio/* by deleting the exception that permits using
`@main`; the rule should consistently forbid mutable refs as enforced on Line 21.
Locate the text "Never add `LerianStudio/*` actions to dependabot — pinned to
`@main` intentionally." and remove or rewrite the sentence that creates a
mutable-ref exception so the document uniformly disallows mutable refs for all
entries (including LerianStudio/*).
.claude/commands/gha.md (1)

449-449: ⚠️ Potential issue | 🟠 Major

Remove the LerianStudio/*@main exception; it contradicts the file’s own security policy.

Line 449 conflicts with Line 122 and Line 323, and reintroduces mutable refs that can break reproducibility for callers pinned to tags.

Proposed fix
-Never add `LerianStudio/*` actions to dependabot — pinned to `@main` intentionally.
+Do not use mutable branch refs for `LerianStudio/*`.
+Use local paths for same-repo composites, and pin cross-repo references to immutable SHAs (or managed release tags).
+Include cross-repo `LerianStudio/*` action refs in `.github/dependabot.yml` grouping when applicable.
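Review bot: the parenthetical "(or managed release tags)" in the second added line undercuts the immutability the first added line asks for, since a tag is a movable ref and only the full commit SHA is immutable; suggest wording it as pin to the commit SHA and record the tag in a trailing comment (e.g. `@<commit-sha> # v1.0.0`), which is also the form Dependabot keeps up to date, and dropping tags from the immutable-ref wording.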
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/gha.md at line 449, Remove the exception
"LerianStudio/*@main" from the dependabot rule in the file so the policy no
longer permits mutable refs; specifically delete the "LerianStudio/*@main"
allowance and reconcile the surrounding dependabot rule text so it matches the
file’s stated security policy (i.e., enforce pinned tags/immutable refs only and
remove any contradictory exception that reintroduces mutable refs).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/commands/composite.md:
- Line 32: The markdown file has MD040 warnings because several fenced code
blocks lack language annotations; update each code fence at the referenced
locations (around the blocks currently at lines 32, 43, 88, and 97) by adding
the appropriate language identifier (e.g., ```bash, ```json, ```ts, ```md, etc.)
to the opening fence so markdownlint recognizes the language; locate the exact
fenced blocks in .claude/commands/composite.md and amend their opening ``` to
include the correct language token based on the block contents.

In @.claude/commands/gha.md:
- Line 20: The markdown file .claude/commands/gha.md contains multiple fenced
code blocks with no language identifiers (triggering MD040); update each
triple-backtick fence to include an explicit language token (e.g., ```yaml,
```text, ```bash) matching the block content using the proposed pattern (replace
``` with ```text or the appropriate language) for every block referenced
(including the ones noted in the review), so markdownlint no longer flags them;
search for bare ``` fences in gha.md and add the correct language identifier to
each.

In @.claude/commands/workflow.md:
- Line 30: Several fenced code blocks in the Markdown lack language specifiers
(triggering markdownlint MD040); update each triple-backtick block in the
document to include the appropriate language token (for example ```bash or ```sh
for shell snippets, ```yaml for YAML, ```json for JSON, ```text for plain text)
matching the snippet content so markdownlint MD040 passes; locate the inline
fenced blocks referenced in the review and add the correct language identifier
to each opening ``` fence.

In @.cursor/rules/composite-actions.mdc:
- Line 42: Several fenced code blocks are unlabeled and trigger markdownlint
MD040; locate each unlabeled fenced code block (``` ) in the document and add an
explicit language tag that matches the block content (for example ```md,
```yaml, ```json, ```bash, etc.), updating each occurrence so all previously
unlabeled fences are labeled and the markdownlint rule MD040 is satisfied.

In @.cursor/rules/reusable-workflows.mdc:
- Line 40: Replace bare triple-backtick code fences (``` ) in the markdown with
fenced blocks that include the correct language identifier (e.g., ```yaml,
```bash, ```json) so markdownlint MD040 no longer reports missing fence
language; locate the code fence occurrences in the reusable-workflows markdown
document and update each opening fence to the appropriate language for that
snippet.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c8e1ddf3-695f-45a7-a9de-b2848e106dbc

📥 Commits

Reviewing files that changed from the base of the PR and between aa7f98f and dad4ce2.

📒 Files selected for processing (6)
  • .claude/commands/composite.md
  • .claude/commands/gha.md
  • .claude/commands/workflow.md
  • .coderabbit.yaml
  • .cursor/rules/composite-actions.mdc
  • .cursor/rules/reusable-workflows.mdc
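Several findings in this and the earlier review (the `LerianStudio/*@main` exception, `actions/checkout@v4` and `crazy-max/ghaction-github-labeler@v5` in `src/config/labels-sync/action.yml`, the `@main` examples in both READMEs) come down to one check: is every `uses:` reference either a local path or a 40-character commit SHA? The script below is an added example, not the project's tooling, that performs that audit over a workflow file. The function names and the sample workflow are assumptions; the 40-hex SHA in the sample is a placeholder, not a real commit.

```shell
#!/usr/bin/env sh
# Added example, not the project's tooling: classify every `uses:` reference
# in a workflow/action file and report those not pinned to a commit SHA.

# Prints one of: local | sha | mutable | none
#   local    ./path                     same-repo composite action, nothing to pin
#   sha      owner/repo@<40 hex>        immutable
#   mutable  owner/repo@<anything else> a branch (main) or a tag (v4): both can be moved
#   none     no @ref at all             resolves to the default branch, also mutable
classify_uses_ref() {
  case $1 in
    ./*) echo local; return 0 ;;
    *@*) ;;
    *) echo none; return 0 ;;
  esac
  _ref=${1##*@}
  if printf '%s\n' "$_ref" | grep -Eq '^[0-9a-f]{40}$'; then
    echo sha
  else
    echo mutable
  fi
}

# Reads YAML on stdin. Prints "<kind><TAB><uses value>" for every `uses:` line
# (quotes and trailing "# v4.2.2"-style comments are stripped), then a final
# "mutable_refs=N" summary line.
audit_uses() {
  _n=0
  while IFS= read -r _line; do
    case $_line in
      *"uses:"*) ;;
      *) continue ;;
    esac
    _val=${_line#*uses:}
    _val=$(printf '%s' "$_val" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
                                     -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
    _kind=$(classify_uses_ref "$_val")
    printf '%s\t%s\n' "$_kind" "$_val"
    if [ "$_kind" = mutable ]; then _n=$((_n + 1)); fi
  done
  echo "mutable_refs=$_n"
}

# Constructed sample: a labels-sync style job plus a reusable-workflow call.
# The SHA below is a placeholder, not a real commit of actions/checkout.
SAMPLE_WORKFLOW='jobs:
  sync:
    steps:
      - uses: actions/checkout@v4
      - uses: crazy-max/ghaction-github-labeler@v5
      - uses: ./src/config/labels-sync
      - uses: LerianStudio/github-actions-shared-workflows/src/config/branch-cleanup@main
      - uses: "actions/checkout@0123456789abcdef0123456789abcdef01234567" # v4 (placeholder SHA)
  cleanup:
    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/branch-cleanup.yml@v1.0.0'

printf '%s\n' "$SAMPLE_WORKFLOW" | audit_uses
```

Point it at real files with `audit_uses < .github/workflows/labels-sync.yml`. Note that `@v1.0.0` is reported as mutable on purpose: a release tag is reproducible only as long as nobody moves it, so the SHA-plus-comment form is what both the audit and Dependabot treat as pinned.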

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Around line 38-46: Update the workflow path matcher string currently set as
".github/workflows/*.yml" to also include ".yaml" variants so workflows with a
.yaml extension are validated; specifically modify the value of the "path" entry
(the string ".github/workflows/*.yml") to match both ".yml" and ".yaml" (e.g.,
".github/workflows/*.y{ml,yaml}" or two entries ".github/workflows/*.yml" and
".github/workflows/*.yaml") so the caller-breaking-change checks apply to both
extensions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fa249588-6f7c-4148-bca0-b0dd35e86ec9

📥 Commits

Reviewing files that changed from the base of the PR and between dad4ce2 and 311d5d1.

📒 Files selected for processing (1)
  • .coderabbit.yaml

coderabbitai bot left a comment

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (7)
docs/typescript-release-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Rename doc file to match workflow filename exactly

This doc is for typescript-release.yml, so docs/typescript-release-workflow.md violates the naming rule. Please rename it to docs/typescript-release.md. Line 1 is in a file path that currently breaks docs/workflow mapping.

As per coding guidelines, docs/*.md: Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/typescript-release-workflow.md` at line 1, The docs filename doesn't
match the workflow name; rename docs/typescript-release-workflow.md to
docs/typescript-release.md so it exactly matches the workflow file
typescript-release.yml, and update any references if present (e.g., in mkdocs or
TOC) to reflect the new filename.
docs/slack-notify-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Doc filename must match slack-notify.yml exactly

This file should be named docs/slack-notify.md to satisfy the workflow-doc naming rule. Current name (docs/slack-notify-workflow.md) is non-compliant.

As per coding guidelines, docs/*.md: Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/slack-notify-workflow.md` at line 1, The documentation filename doesn't
match the workflow name: rename the current docs/slack-notify-workflow.md to
docs/slack-notify.md so it exactly matches the workflow file slack-notify.yml;
update any internal references if present to point to docs/slack-notify.md to
satisfy the docs/*.md workflow naming rule.
docs/go-release-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Doc filename violates workflow-doc naming contract

For workflow go-release.yml, the doc file should be docs/go-release.md, not docs/go-release-workflow.md. This breaks the required one-to-one naming convention.

As per coding guidelines, docs/*.md: Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/go-release-workflow.md` at line 1, The documentation filename doesn't
follow the naming convention: rename docs/go-release-workflow.md to
docs/go-release.md to exactly match the workflow file go-release.yml; update any
references (links, README index, or CI docs) that point to the old filename so
they reference docs/go-release.md and ensure the one-to-one mapping between the
workflow (go-release.yml) and its doc file.
docs/go-ci-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Doc filename must match go-ci.yml

This should be docs/go-ci.md to comply with the required filename mapping. docs/go-ci-workflow.md is non-compliant.

As per coding guidelines, docs/*.md: Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/go-ci-workflow.md` at line 1, The docs filename is non-compliant: rename
docs/go-ci-workflow.md to docs/go-ci.md so it matches the workflow file
go-ci.yml; update any internal references or links that point to
docs/go-ci-workflow.md to the new docs/go-ci.md and confirm the document
title/header still reads "Go CI Workflow" if desired.
docs/frontend-pr-analysis-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Rename file to match frontend-pr-analysis.yml

The doc filename should be docs/frontend-pr-analysis.md. Current naming (-workflow.md) violates the required exact mapping.

As per coding guidelines, docs/*.md: Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/frontend-pr-analysis-workflow.md` at line 1, The document filename
docs/frontend-pr-analysis-workflow.md must be renamed to
docs/frontend-pr-analysis.md to exactly match the workflow name; update any
references or links that point to docs/frontend-pr-analysis-workflow.md (search
for that filename in the repo) and ensure the workflow file is named
frontend-pr-analysis.yml so the mapping docs/frontend-pr-analysis.md ↔
frontend-pr-analysis.yml is exact; commit the rename and verify CI/docs index
pages (if any) reference the new docs/frontend-pr-analysis.md.
docs/go-security-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Rename this doc to match the workflow filename.

This file name (docs/go-security-workflow.md) does not match go-security.yml; use docs/go-security.md to keep workflow↔doc mapping consistent.

As per coding guidelines, "Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md)."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/go-security-workflow.md` at line 1, Rename the documentation file so its
filename exactly matches the workflow file: change docs/go-security-workflow.md
to docs/go-security.md to align with go-security.yml and satisfy the
workflow↔doc mapping rule; update any links or references that point to the old
docs/go-security-workflow.md if present.
docs/changed-paths-workflow.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Rename this doc to match the workflow filename.

This file is docs/changed-paths-workflow.md, but the workflow reference is changed-paths.yml; the doc should be docs/changed-paths.md for deterministic mapping and automation.

As per coding guidelines, "Workflow documentation. Filename must exactly match the workflow file (e.g., go-ci.yml → docs/go-ci.md)."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/changed-paths-workflow.md` at line 1, The documentation filename must
exactly match the workflow filename; rename docs/changed-paths-workflow.md to
docs/changed-paths.md so it deterministically maps to the changed-paths.yml
workflow, and update any internal links or references that point to the old
docs/changed-paths-workflow.md to the new docs/changed-paths.md to satisfy the
"Workflow documentation. Filename must exactly match the workflow file"
guideline.
♻️ Duplicate comments (3)
.claude/commands/gha.md (1)

456-456: ⚠️ Potential issue | 🟠 Major

Remove instruction that endorses mutable @main for internal actions

Line 456 reintroduces unsafe guidance (@main intentional pinning), which conflicts with immutable-reference security practices and your own earlier rules in this doc.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.claude/commands/gha.md at line 456, Remove the line that advises pinning
internal actions to `@main` (the text "Never add `LerianStudio/*` actions to
dependabot — pinned to `@main` intentionally.") because it endorses mutable
references; instead either delete that sentence or replace it with guidance to
use immutable versioned refs (tags/commit SHAs) for `LerianStudio/*` actions so
the document consistently enforces immutable-reference security practices.
CONTRIBUTING.md (1)

341-341: ⚠️ Potential issue | 🟡 Minor

Align merge-strategy summary with the table.

Line 341 omits hotfix (and other squash categories in the table), which conflicts with Lines 55-58 and can mislead reviewers.

Suggested fix
-- **Always** use the correct merge strategy — squash for feature PRs, merge commit for releases and backmerges
+- **Always** use the correct merge strategy — squash for feature/fix/docs/hotfix PRs, merge commit for releases and backmerges
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` at line 341, Update the merge-strategy summary sentence that
currently reads "**Always** use the correct merge strategy — squash for feature
PRs, merge commit for releases and backmerges" to match the table and include
hotfix (and other squash categories) listed earlier (Lines 55-58); replace or
reword that sentence so it explicitly states that squash is used for feature,
hotfix, and analogous small-change PRs while merge commits are used for releases
and backmerges, making the phrasing consistent with the table entries.
.cursor/rules/composite-actions.mdc (1)

31-31: ⚠️ Potential issue | 🟠 Major

Resolve contradictory pinning policy for internal actions.

Line 31 bans mutable refs, but Line 173 explicitly allows @main for LerianStudio/*. This creates conflicting policy and undermines supply-chain controls.

Suggested fix
-Never add `LerianStudio/*` actions to dependabot — they are pinned to `@main` intentionally.
+Do not pin `LerianStudio/*` actions to mutable branches. Use immutable refs (tag/SHA) and include them in Dependabot grouping where applicable.

Also applies to: 173-173

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.cursor/rules/composite-actions.mdc at line 31, The document currently
contradicts itself: the rule text "Pin to a specific tag or SHA — never `@main`
or `@master`" forbids mutable refs but a later entry allows `@main` for
`LerianStudio/*`; resolve by making the policy consistent — either remove the
`LerianStudio/*` exception or replace its `@main` usages with explicit pinned
tags/SHAs. Locate the offending texts (the rule line containing "Pin to a
specific tag or SHA — never `@main` or `@master`" and the exception entry
referencing `LerianStudio/*` and `@main`) and update the latter to use a
specific tag or SHA or add a clearly documented, auditable exception clause that
requires justification and periodic re-pinning.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/api-dog-e2e-tests-workflow.md`:
- Line 206: The workflow reference uses an invalid local-path with an `@ref` in
the line containing "uses: ./.github/workflows/api-dog-e2e-tests.yml@v1.0.0";
remove the `@ref` so the local reusable workflow is referenced as the path only
(e.g., "uses: ./.github/workflows/api-dog-e2e-tests.yml"), or if you need a
versioned external reference replace it with a fully qualified remote reusable
workflow (owner/repo/.github/workflows/api-dog-e2e-tests.yml@v1.0.0) instead.

In `@docs/changed-paths-workflow.md`:
- Line 224: The tip currently repeats `@v1.0.0` and is non-actionable; update
the sentence to recommend pinning to an exact release tag instead of a floating
tag — e.g., change the text to "Pin to a version tag: Use `@v1.0.0` instead of
`@v1`" so readers know to prefer exact tags over major-version aliases.

In `@docs/frontend-pr-analysis-workflow.md`:
- Line 254: The tip text under "Pin to version tag" currently compares `@v1.0.0`
to the same `@v1.0.0`; update the second inline code snippet to show the mutable
ref to discourage (e.g., change the second `@v1.0.0` to `@main` or `@latest`) so
the sentence reads like "Use `@v1.0.0` instead of `@main`" and thus meaningfully
warns against using mutable refs in the `Pin to version tag` guidance.

In `@docs/go-ci-workflow.md`:
- Line 154: The documentation line under "Pin to a version tag" currently reads
to use `@v1.0.0` instead of `@v1.0.0` which is incorrect; update the second
occurrence (the "instead of" value) to the mutable ref `@v1` so the tip reads "Use
`@v1.0.0` instead of `@v1`". Locate the sentence containing `@v1.0.0` and replace the
wrong duplicate with `@v1` to clarify the version-pin recommendation.

In `@docs/go-pr-analysis-workflow.md`:
- Line 306: Update the contradictory guidance in the "Pin to version tag" tip by
changing the second occurrence of `@v1.0.0` (the "instead of" value) to a
testing branch ref such as `@develop` (or an example branch like
`@feat/<branch>`), and scan the examples in this doc for any usage of `@main`,
replacing those test examples with `@develop` or `@feat/<branch>` while keeping
production examples as `@vX.Y.Z`; ensure the tip now reads that production
should use `@v1.0.0` and testing should use `@develop`.

In `@docs/go-release-workflow.md`:
- Line 189: The tip currently reads "Use `@v1.0.0` instead of `@v1.0.0`" which
is self-referential; update the second occurrence to the mutable ref you want to
discourage (e.g., replace the second `@v1.0.0` with `@main` or `@latest`) so the
sentence clearly reads "Use `@v1.0.0` instead of `@main`" (or your chosen
mutable ref) to convey actionable guidance.

In `@docs/go-security-workflow.md`:
- Line 185: The tip text currently repeats the same token (`@v1.0.0`) and is
self-contradictory; replace the second occurrence with a meaningful
recommendation such as "Pin to a specific tag (e.g., `@v1.0.0`) instead of
floating tags like `@latest`" so the line reads something like: "Pin to version:
Use a specific tag (e.g., `@v1.0.0`) instead of floating tags like `@latest` for
production." Locate the offending string `@v1.0.0` in the document and update
the sentence to this clarified wording.

In `@README.md`:
- Around line 12-18: Update the fenced code block containing the architecture
diagram in README.md to include a language identifier (e.g., change the opening
``` to ```text) so markdownlint rule MD040 is satisfied; ensure only the opening
fence is modified and the closing fence remains ```, preserving the diagram
content and spacing.

---

Outside diff comments:
In `@docs/changed-paths-workflow.md`:
- Line 1: The documentation filename must exactly match the workflow filename;
rename docs/changed-paths-workflow.md to docs/changed-paths.md so it
deterministically maps to the changed-paths.yml workflow, and update any
internal links or references that point to the old
docs/changed-paths-workflow.md to the new docs/changed-paths.md to satisfy the
"Workflow documentation. Filename must exactly match the workflow file"
guideline.

In `@docs/frontend-pr-analysis-workflow.md`:
- Line 1: The document filename docs/frontend-pr-analysis-workflow.md must be
renamed to docs/frontend-pr-analysis.md to exactly match the workflow name;
update any references or links that point to
docs/frontend-pr-analysis-workflow.md (search for that filename in the repo) and
ensure the workflow file is named frontend-pr-analysis.yml so the mapping
docs/frontend-pr-analysis.md ↔ frontend-pr-analysis.yml is exact; commit the
rename and verify CI/docs index pages (if any) reference the new
docs/frontend-pr-analysis.md.

In `@docs/go-ci-workflow.md`:
- Line 1: The docs filename is non-compliant: rename docs/go-ci-workflow.md to
docs/go-ci.md so it matches the workflow file go-ci.yml; update any internal
references or links that point to docs/go-ci-workflow.md to the new
docs/go-ci.md and confirm the document title/header still reads "Go CI Workflow"
if desired.

In `@docs/go-release-workflow.md`:
- Line 1: The documentation filename doesn't follow the naming convention:
rename docs/go-release-workflow.md to docs/go-release.md to exactly match the
workflow file go-release.yml; update any references (links, README index, or CI
docs) that point to the old filename so they reference docs/go-release.md and
ensure the one-to-one mapping between the workflow (go-release.yml) and its doc
file.

In `@docs/go-security-workflow.md`:
- Line 1: Rename the documentation file so its filename exactly matches the
workflow file: change docs/go-security-workflow.md to docs/go-security.md to
align with go-security.yml and satisfy the workflow↔doc mapping rule; update any
links or references that point to the old docs/go-security-workflow.md if
present.

In `@docs/slack-notify-workflow.md`:
- Line 1: The documentation filename doesn't match the workflow name: rename the
current docs/slack-notify-workflow.md to docs/slack-notify.md so it exactly
matches the workflow file slack-notify.yml; update any internal references if
present to point to docs/slack-notify.md to satisfy the docs/*.md workflow
naming rule.

In `@docs/typescript-release-workflow.md`:
- Line 1: The docs filename doesn't match the workflow name; rename
docs/typescript-release-workflow.md to docs/typescript-release.md so it exactly
matches the workflow file typescript-release.yml, and update any references if
present (e.g., in mkdocs or TOC) to reflect the new filename.

---

Duplicate comments:
In @.claude/commands/gha.md:
- Line 456: Remove the line that advises pinning internal actions to `@main`
(the text "Never add `LerianStudio/*` actions to dependabot — pinned to `@main`
intentionally.") because it endorses mutable references; instead either delete
that sentence or replace it with guidance to use immutable versioned refs
(tags/commit SHAs) for `LerianStudio/*` actions so the document consistently
enforces immutable-reference security practices.

In @.cursor/rules/composite-actions.mdc:
- Line 31: The document currently contradicts itself: the rule text "Pin to a
specific tag or SHA — never `@main` or `@master`" forbids mutable refs but a
later entry allows `@main` for `LerianStudio/*`; resolve by making the policy
consistent — either remove the `LerianStudio/*` exception or replace its `@main`
usages with explicit pinned tags/SHAs. Locate the offending texts (the rule line
containing "Pin to a specific tag or SHA — never `@main` or `@master`" and the
exception entry referencing `LerianStudio/*` and `@main`) and update the latter
to use a specific tag or SHA or add a clearly documented, auditable exception
clause that requires justification and periodic re-pinning.

In `@CONTRIBUTING.md`:
- Line 341: Update the merge-strategy summary sentence that currently reads
"**Always** use the correct merge strategy — squash for feature PRs, merge
commit for releases and backmerges" to match the table and include hotfix (and
other squash categories) listed earlier (Lines 55-58); replace or reword that
sentence so it explicitly states that squash is used for feature, hotfix, and
analogous small-change PRs while merge commits are used for releases and
backmerges, making the phrasing consistent with the table entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1bf39852-933f-4404-ba67-ff4e91bc272b

📥 Commits

Reviewing files that changed from the base of the PR and between 311d5d1 and 1e0d85b.

📒 Files selected for processing (25)
  • .claude/commands/gha.md
  • .claude/commands/workflow.md
  • .coderabbit.yml
  • .cursor/rules/composite-actions.mdc
  • .cursor/rules/reusable-workflows.mdc
  • AGENTS.md
  • CONTRIBUTING.md
  • README.md
  • docs/api-dog-e2e-tests-workflow.md
  • docs/build-workflow.md
  • docs/changed-paths-workflow.md
  • docs/frontend-pr-analysis-workflow.md
  • docs/gitops-update-workflow.md
  • docs/go-ci-workflow.md
  • docs/go-pr-analysis-workflow.md
  • docs/go-release-workflow.md
  • docs/go-security-workflow.md
  • docs/gptchangelog-workflow.md
  • docs/pr-security-scan-workflow.md
  • docs/pr-validation-workflow.md
  • docs/release-workflow.md
  • docs/slack-notify-workflow.md
  • docs/typescript-release-workflow.md
  • src/config/branch-cleanup/README.md
  • src/config/labels-sync/README.md

@bedatty bedatty merged commit 3a637cf into develop Mar 6, 2026
1 check passed
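The two supply-chain findings the review keeps returning to (an internal action pinned to the mutable `@main`, and a local reusable-workflow path written with an `@ref`, which GitHub does not accept) are easy to enforce mechanically. The scanner below is an added example, not code from this repository or from the LerianStudio workflows: it extracts every `uses:` value from workflow text and classifies the ref the way the review's own guidance does (commit SHA or exact tag accepted, major-version alias warned, branch ref or `@ref`-on-local-path rejected). The embedded caller workflow, the `example-org` names and the 40-hex placeholder SHA are constructed for illustration.

```python
"""Scan GitHub Actions workflow text for mutable `uses:` references.

Added example, not code from the LerianStudio repository. The sample
workflow, the org name `example-org` and the placeholder SHA are constructed.
"""
import re
from dataclasses import dataclass

# Captures the value of a `uses:` key, quoted or not, at any indentation.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")     # v1.0.0, 1.2.3-rc1
MAJOR_ALIAS_RE = re.compile(r"^v?\d+(\.\d+)?$")    # v1, v1.2 (re-pointed by publishers)

# Only a SHA is truly immutable; an exact tag relies on the publisher never
# moving it, which is the trade-off the review accepts ("tag or SHA").
SEVERITY = {
    "invalid-local-ref": "error",
    "missing-ref": "error",
    "mutable-branch": "error",
    "floating-major": "warn",
}


@dataclass
class Finding:
    line: int
    ref: str
    kind: str
    severity: str
    message: str


def classify(uses: str) -> tuple[str, str]:
    """Return (kind, message) for a single `uses:` value."""
    if uses.startswith("docker://"):
        return "docker", "container image; pin by digest where possible"
    if uses.startswith(("./", "../")):
        if "@" in uses:
            # GitHub rejects this form: same-repo workflows always run at
            # the caller's commit, so an @ref on a local path is meaningless.
            return "invalid-local-ref", "local path must not carry an @ref"
        return "local", "same-repo path, runs at the caller's commit"
    if "@" not in uses:
        return "missing-ref", "no @ref; resolves to the default branch"
    ref = uses.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "sha-pinned", "immutable commit SHA"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag", "exact release tag (immutable only if never moved)"
    if MAJOR_ALIAS_RE.match(ref):
        return "floating-major", "major-version alias is re-pointed on every release"
    return "mutable-branch", f"branch ref '{ref}' changes without review"


def lint_workflow(text: str) -> list[Finding]:
    """Return the `uses:` references in `text` that violate the pinning policy."""
    findings = []
    for match in USES_RE.finditer(text):
        kind, message = classify(match.group(1))
        if kind in SEVERITY:
            line = text.count("\n", 0, match.start()) + 1
            findings.append(Finding(line, match.group(1), kind, SEVERITY[kind], message))
    return findings


# Constructed caller workflow mixing acceptable and unacceptable references.
SAMPLE_WORKFLOW = """\
name: caller
on: [pull_request]
jobs:
  ci:
    uses: example-org/shared-workflows/.github/workflows/go-ci.yml@v1.0.0
  e2e:
    uses: ./.github/workflows/api-dog-e2e-tests.yml@v1.0.0
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/internal-action@main
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-composite
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.severity}] {f.kind}: {f.ref} ({f.message})")
```

Run against the sample, it reports line 7 (local path with `@v1.0.0`), line 12 (`@main` on the internal action) and line 13 (`@v5` alias) and stays silent on the SHA pin, the exact tag, the plain local path and the docker image. Wired into the repo's self-CI over `.github/workflows/*.yml` and `docs/*.md` code fences, it would also have caught the self-referential "use `@v1.0.0` instead of `@v1.0.0`" tips before review. Treat the exact-tag case as a conscious trade-off: a tag can be force-moved by whoever controls the upstream repo, so a SHA plus a Dependabot group for `github-actions` is the stronger form of the policy the review asks for.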