actions/upload-artifact@v4 in ci.yml is not pinned to a full commit SHA, inconsistent with every other action in the workflow (checkout, setup-go, golangci-lint, cosign, sbom-action, goreleaser are all SHA-pinned). A mutable tag reference is a supply-chain risk.
CI test matrix runs only on ubuntu-latest, so this cross-platform TUI app, with significant platform-specific code (Windows Terminal theme detection, WSL bridge, Windows PTY via ConPTY, platform-specific launch modes), never runs its test suite on a native Windows or macOS runner in CI. Only compilation is checked for those platforms.
The cross-compile job in ci.yml has if: github.event_name == 'pull_request', so it is skipped on direct pushes to main (e.g., Dependabot auto-merges). A broken cross-platform build could land on main undetected.
Coverage is measured and reported in CI (via go test -coverprofile) but no minimum threshold is enforced, so coverage regressions are never caught. The CI step prints a summary line but never fails if coverage drops.
project review
Automated analysis - 4 finding(s)
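The four findings above, applied together to a workflow fragment as an added example (this is not the project's own ci.yml: its job names, steps and the coverage floor are assumptions, and every `<full-40-hex-commit-sha>` is a placeholder to be resolved against the action's release tag before use):

```yaml
# Added example, not the project's ci.yml: job names, steps and the coverage
# floor are assumptions; each <full-40-hex-commit-sha> is a placeholder SHA.
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    # Finding 2: run the suite natively on every target platform, not only
    # ubuntu-latest, so the platform-specific code is actually exercised.
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@<full-40-hex-commit-sha> # v4
      - uses: actions/setup-go@<full-40-hex-commit-sha> # v5
        with:
          go-version-file: go.mod
      - run: go test ./... -coverprofile=coverage.out
      # Finding 4: fail when total coverage drops below a floor instead of
      # only printing the summary line.
      - name: Coverage gate
        shell: bash
        run: |
          threshold=70   # assumed floor; set it to the project's current baseline
          total=$(go tool cover -func=coverage.out | awk '/^total:/ { sub("%", "", $3); print $3 }')
          echo "total coverage: ${total}% (minimum ${threshold}%)"
          awk -v t="$total" -v m="$threshold" 'BEGIN { exit ((t + 0 >= m + 0) ? 0 : 1) }'
      # Finding 1: pin to a full commit SHA like every other action; the tag in
      # the trailing comment lets Dependabot keep tracking releases.
      - uses: actions/upload-artifact@<full-40-hex-commit-sha> # v4
        with:
          name: coverage-${{ matrix.os }}
          path: coverage.out
  cross-compile:
    # Finding 3: no `if: github.event_name == 'pull_request'`, so direct pushes
    # to main (e.g. Dependabot auto-merges) are cross-compiled as well.
    runs-on: ubuntu-latest
    strategy:
      matrix:
        goos: [linux, windows, darwin]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@<full-40-hex-commit-sha> # v4
      - uses: actions/setup-go@<full-40-hex-commit-sha> # v5
        with:
          go-version-file: go.mod
      - run: GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build ./...
```

The coverage gate reads the `total:` line of `go tool cover -func` output, so the threshold applies to the whole module rather than to any one package.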