fix(release): merge develop into main

[bedatty]

GitHub Actions Shared Workflows

---

Description

Type of Change

• feat: New workflow or new input/output/step in an existing workflow
• fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
• perf: Performance improvement (e.g. caching, parallelism, reduced steps)
• refactor: Internal restructuring with no behavior change
• docs: Documentation only (README, docs/, inline comments)
• ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
• chore: Dependency bumps, config updates, maintenance
• test: Adding or updating tests
• BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

• YAML syntax validated locally
• Triggered a real workflow run on a caller repository using @develop or the beta tag
• Verified all existing inputs still work with default values
• Confirmed no secrets or tokens are printed in logs
• Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #

Summary by CodeRabbit

Release Notes

• Chores
  • Pinned GitHub Actions to specific commit versions for enhanced security and stability
  • Consolidated automated routine workflow scheduling
  • Improved stale pull request detection reporting with better logging output
  • Added new label for categorizing GitHub Actions dependency updates

[coderabbitai]

Walkthrough

This PR introduces a new GitHub label for categorizing Actions ecosystem updates, pins multiple GitHub Actions to commit SHAs across security and release workflows, consolidates routine job scheduling from multiple cron expressions to a single weekly trigger, adjusts workflow trigger filters, and enhances logging and output handling in a stale action composite.

Changes

Cohort / File(s)	Summary
Label Configuration .github/labels.yml	Adds new github-actions label (color 2088FF) for categorizing Dependabot updates to Actions dependencies.
Workflow Action Pinning .github/workflows/go-release.yml, .github/workflows/go-security.yml	Pins GoReleaser and multiple security scanner Actions (checkout, setup-go, dependency-review-action, gosec, codeql-action, nancy, trivy, trufflehog, upload-artifact, sbom-action) from floating tags/branches to commit SHAs.
Workflow Trigger Management .github/workflows/self-release.yml, .github/workflows/self-routine.yml	Self-release workflow adds .github/workflows/self-*.yml to paths-ignore filter. Self-routine workflow consolidates multiple scheduled cron expressions to single weekly trigger (0 3 * * 1), updates job conditions to treat any schedule event as eligible, and adds operations_per_run parameter for stale-pr routine scaling by trigger type.
Composite Action Enhancement src/config/stale/action.yml	Replaces plain-text logging with collapsible group UI wrapping stale action output; adds step ID exposure; implements post-summary step emitting deduplicated notice/warning with computed stale/closed counts from action outputs, with conditional logic based on action success.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• #226: Modifies self-release.yml to add generate-changelog job, overlaps with PR's trigger filter changes.
• #220: Implements same SHA pinning pattern for GitHub Actions across workflow YAMLs.
• #269: Modifies self-routine.yml schedule consolidation and routine job trigger conditions.

Suggested labels

workflow, security, size/S

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	Title refers to a merge operation but actual changes are workflow updates, dependency pins, and configuration modifications unrelated to merging develop into main.	Update title to reflect actual changes, e.g., 'ci: pin external actions by SHA and update workflow configurations' or similar.
Description check	⚠️ Warning	Description template is mostly complete with type of change and testing checkboxes marked, but the Description section is entirely empty and provides no summary of what this PR actually does.	Fill the Description section with a summary of the actual changes: workflow pinning, stale action logging improvements, release path filtering, and dependency updates.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lerian-studio]

🛡️ CodeQL Analysis Results

Languages analyzed: actions

Found 1 issue(s): 1 Medium

Severity	Rule	File	Message
🟡 Medium	actions/untrusted-checkout/medium	.github/workflows/go-release.yml:127	Potential unsafe checkout of untrusted pull request on privileged workflow.

---

_{🔍 View full scan logs | 🛡️ Security tab}

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	6 file(s)	✅ success
Action Lint	4 file(s)	✅ success
Pinned Actions	5 file(s)	✅ success
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	6 file(s)	✅ success
Shell Check	5 file(s)	✅ success
README Check	5 file(s)	✅ success
Composite Schema	1 file(s)	✅ success
Deployment Matrix	no changes	⏭️ skipped

---

_{🔍 View full scan logs}

[coderabbitai]

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/go-release.yml (1)

99-111: ⚠️ Potential issue | 🔴 Critical

Do not execute inputs.test_cmd directly.

inputs.test_cmd is caller-controlled shell in a reusable workflow, so external callers can run arbitrary commands with this job's permissions. Keep the test command fixed, or move it behind a trusted composite action with structured inputs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-release.yml around lines 99 - 111, The "Run tests" step
currently executes a caller-controlled shell via inputs.test_cmd which is a
security risk; change the step so it does not run inputs.test_cmd
directly—either replace run: ${{ inputs.test_cmd }} with a fixed test command
(e.g., a vetted `go test ./...` invocation) or invoke a trusted composite action
that accepts structured inputs and validates/limits allowed commands; update the
step named "Run tests" and any usages of inputs.test_cmd in this workflow to use
the fixed command or the composite action instead of executing arbitrary
caller-provided shell.

.github/workflows/go-security.yml (1)

152-180: ⚠️ Potential issue | 🟠 Major

Nancy scanner findings are masked by two issues.

nancy has continue-on-error: true at line 156, preventing step failure. More critically, the nancy job result is not checked in the security-summary job (lines 282–291), so even if continue-on-error is removed, nancy failures won't block the workflow when fail_on_security_issues is true.

Trivy is correctly configured and will exit non-zero on findings (no continue-on-error).

Fix both:

1. Remove continue-on-error: true from nancy step
2. Add ${{ needs.nancy.result }} to the failure gate in security-summary (lines 283–287)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-security.yml around lines 152 - 180, Remove the masking
of Nancy findings by deleting the continue-on-error: true from the "Nancy
vulnerability scan" step so the step fails on vulnerabilities, and update the
conditional used in the "security-summary" job's failure gate to include the
Nancy job result (add ${ { needs.nancy.result } } into the existing failure
check) so security-summary considers Nancy failures when fail_on_security_issues
is true.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/go-security.yml:
- Around line 101-108: Remove the '-no-fail' flag from the "Run Gosec Security
Scanner" step so gosec exits with a non‑zero code when vulnerabilities are
found; locate the step named "Run Gosec Security Scanner" (uses:
securego/gosec...) and update its with.args (remove '-no-fail' from '-no-fail
-fmt sarif -out gosec-results.sarif ./...') so the workflow can fail and the
security-summary gating (fail_on_security_issues) will detect gosec findings;
ensure the SARIF output and the "Upload Gosec SARIF" step remain unchanged.

---

Outside diff comments:
In @.github/workflows/go-release.yml:
- Around line 99-111: The "Run tests" step currently executes a
caller-controlled shell via inputs.test_cmd which is a security risk; change the
step so it does not run inputs.test_cmd directly—either replace run: ${{
inputs.test_cmd }} with a fixed test command (e.g., a vetted `go test ./...`
invocation) or invoke a trusted composite action that accepts structured inputs
and validates/limits allowed commands; update the step named "Run tests" and any
usages of inputs.test_cmd in this workflow to use the fixed command or the
composite action instead of executing arbitrary caller-provided shell.

In @.github/workflows/go-security.yml:
- Around line 152-180: Remove the masking of Nancy findings by deleting the
continue-on-error: true from the "Nancy vulnerability scan" step so the step
fails on vulnerabilities, and update the conditional used in the
"security-summary" job's failure gate to include the Nancy job result (add ${ {
needs.nancy.result } } into the existing failure check) so security-summary
considers Nancy failures when fail_on_security_issues is true.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c6dfe0c9-0819-4d30-b80f-a1cb23d49ee1

📥 Commits

Reviewing files that changed from the base of the PR and between 1adfdca and 0687665.

📒 Files selected for processing (6)

• .github/labels.yml
• .github/workflows/go-release.yml
• .github/workflows/go-security.yml
• .github/workflows/self-release.yml
• .github/workflows/self-routine.yml
• src/config/stale/action.yml