Enhance CI/CD with new workflows and reusable setup

[kzndotsh]

Summary by Sourcery

Standardize and extend the project’s CI/CD processes by introducing a reusable Python setup and adding comprehensive workflows for testing, Docker builds, security scanning, maintenance, releases, notifications, and deployments

New Features:

• Introduce a reusable Python environment setup workflow for consistent dependency management and caching across all CI workflows
• Add a dedicated Tests workflow executing unit, database, and integration tests across multiple Python versions with smart change detection
• Implement a Docker Build & Deploy workflow supporting multi-platform builds, security scanning, and registry cleanup
• Add a Security workflow with CodeQL analysis, dependency review, Safety advisories scanning, and Dependabot auto-merge for automated vulnerability management
• Introduce a Maintenance workflow to convert TODOs to GitHub issues, clean up Docker images, and perform repository health checks
• Add a Notifications workflow to automatically open GitHub issues on CI failures and close them on success
• Implement a Release workflow for automated version detection, changelog generation, and GitHub release creation
• Add a Deploy workflow for manual or release-triggered deployments to staging and production environments

Enhancements:

• Enhance the CI workflow with smart file-change detection, parallel execution, comprehensive static analysis, and multi-level caching
• Refactor CI jobs to use minimal permissions, conditional execution, and a centralized reusable Python setup

CI:

• Extract Python environment setup into a reusable workflow and integrate it across CI and testing workflows

Deployment:

• Automate Docker image builds, multi-platform deployments, and container registry maintenance

Tests:

• Integrate Codecov reporting in Tests and CI workflows for unit, database, and integration coverage

Summary by Sourcery

Overhaul CI/CD by introducing reusable setup actions and comprehensive GitHub Actions workflows for testing, building, security, maintenance, releases, and deployments.

New Features:

• Add reusable Python environment setup action for consistent dependency management and caching
• Introduce dedicated Tests workflow with multi-version unit, database, and integration tests and Codecov reporting
• Implement Docker Build & Deploy workflow with multi-platform builds, security scanning, and automated registry cleanup
• Add Security workflow featuring CodeQL analysis, dependency review, Safety scanning, and Dependabot auto-merge
• Introduce Maintenance workflow to convert TODOs to issues, clean up Docker images, and perform repository health checks
• Implement automated Release workflow for version detection, changelog generation, and GitHub release creation
• Add Deploy workflow for manual or release-triggered deployments to staging and production environments

Enhancements:

• Refactor CI workflow to use smart change detection, parallel execution, minimal permissions, and multi-level caching
• Centralize environment setup, dependency caching, and test-env creation via composite GitHub Actions
• Standardize version and metadata extraction logic across workflows
• Integrate Codecov reporting into CI and test workflows

Build:

• Add default commit messages for pre-commit autofix and autoupdate hooks

CI:

• Extract Python setup into a reusable workflow and integrate it across CI and Tests
• Enhance CI jobs with conditional execution, minimal permissions, and comprehensive static analysis

Deployment:

• Add Deploy workflow for staging and production environments with concurrency control and simulated deployment steps

Tests:

• Create a standalone Tests workflow with a matrix across Python versions, adaptive execution, and artifact preservation

[sourcery-ai]

Reviewer's Guide

This PR refactors and extends the project’s CI/CD by extracting a reusable Python setup action and introducing dedicated GitHub Actions workflows for testing, Docker builds/deployments, security scanning, maintenance, releases, and deployments—each enhanced with smart change detection, parallel execution, conditional steps, and multi-level caching.

Sequence diagram for Docker build and deploy workflow

sequenceDiagram
    participant GitHub as actor GitHub Event
    participant DockerWorkflow as Docker Build & Deploy Workflow
    participant Buildx as Docker Buildx
    participant Registry as Container Registry (ghcr.io)
    participant Trivy as Trivy Security Scan
    participant DeployWorkflow as Deploy Workflow
    GitHub->>DockerWorkflow: Trigger (push/tag/PR/schedule)
    DockerWorkflow->>Buildx: Set up builder
    DockerWorkflow->>Buildx: Build image (multi-platform if release)
    Buildx->>Registry: Push image (if not PR)
    DockerWorkflow->>Trivy: Scan built image (if not PR)
    DockerWorkflow->>DeployWorkflow: Trigger deploy on release
    DeployWorkflow->>Registry: Pull image for deployment
    DeployWorkflow->>Environment: Deploy to staging/production

Loading

Class diagram for reusable setup-python action

classDiagram
    class SetupPythonAction {
        +python-version: string = '3.13'
        +install-groups: string = 'dev,types'
        +cache-suffix: string = 'default'
        +generate-prisma: string = 'true'
        +Install Poetry()
        +Set up Python()
        +Cache Poetry dependencies()
        +Install dependencies()
        +Generate Prisma client()
    }

Loading

Class diagram for setup-nodejs-markdown reusable action

classDiagram
    class SetupNodejsMarkdownAction {
        +node-version: string = '20'
        +Setup Node.js()
        +Cache node modules()
        +Install markdownlint()
    }

Loading

Class diagram for upload-coverage reusable action

classDiagram
    class UploadCoverageAction {
        +coverage-file: string
        +junit-file: string = ''
        +flags: string
        +name: string
        +codecov-token: string
        +slug: string = 'allthingslinux/tux'
        +Upload coverage to Codecov()
        +Upload test results to Codecov()
    }

Loading

File-Level Changes

Change	Details	Files
Introduce composite Python setup action for consistent environment and integrate it across workflows	Added .github/actions/setup-python/action.yml to install Poetry, setup Python, cache dependencies, and optionally generate Prisma Replaced inline Python setup in CI, Tests, Security, Maintenance, and Release workflows with the composite action Parameterized Python version, install groups, cache suffix, and Prisma generation	.github/actions/setup-python/action.yml .github/workflows/ci.yml .github/workflows/tests.yml .github/workflows/security.yml .github/workflows/maintenance.yml .github/workflows/release.yml
Add comprehensive Tests workflow with multi-version matrix and smart execution	Created .github/workflows/tests.yml defining a matrix for Python 3.12/3.13 Implemented smart file-change detection to skip tests when irrelevant files haven’t changed Set up test environment via composite action and created .env dynamically Executed unit, database, and integration tests with separate coverage files and uploaded artifacts via composite upload-coverage action	.github/workflows/tests.yml
Enhance existing CI workflow with reusable setup, smart linting, and caching	Refactored .github/workflows/ci.yml to extract Python setup into the reusable action Introduced smart change detection and early termination for Python, Markdown, and infrastructure jobs Enabled parallel linting jobs, multi-level caching, and minimal permissions for each job	.github/workflows/ci.yml
Implement Docker Build & Deploy workflow with validation, multi-platform builds, and registry maintenance	Added validate, build, security scan, and cleanup jobs in .github/workflows/docker.yml Configured Docker Buildx for multi-platform builds and GitHub Actions caching Integrated Trivy security scanning with SARIF upload and automated registry cleanup	.github/workflows/docker.yml
Introduce security workflow with CodeQL, dependency review, safety checks, and dependabot auto-merge	Added .github/workflows/security.yml with CodeQL init/analyze jobs for Python and Actions Created dependency-review and security-advisories jobs using dependency-review-action and Safety CLI Implemented dependabot-auto-merge job with metadata checks and conservative auto-approval logic	.github/workflows/security.yml
Add maintenance workflow for automated TODO conversion, image cleanup, and health checks	Created .github/workflows/maintenance.yml with jobs to convert TODOs/FIXMEs into GitHub issues Implemented configurable Docker image cleanup and legacy buildcache removal Added repository health-check job for large file detection, outdated dependencies, and metrics	.github/workflows/maintenance.yml
Add automated Release workflow for version detection, changelog generation, and GitHub releases	Defined validate-release and wait-for-tests jobs to determine version and block until tests pass Generated changelog from git history and used action-gh-release to create releases Included notification step to confirm release creation	.github/workflows/release.yml
Add Deploy workflow for manual or release-triggered deployments to staging/production	Created .github/workflows/deploy.yml with inputs for environment selection Retrieved image tag based on release or manual dispatch and simulated deployment steps Reported deployment status and exposed environment URL via environment outputs	.github/workflows/deploy.yml
Introduce composite actions for coverage upload, test environment creation, and Node.js Markdown setup	Added upload-coverage composite action to wrap Codecov upload steps Added create-test-env to generate .env file with test configuration Added setup-nodejs-markdown to install Node.js, cache npm, and install markdownlint-cli	.github/actions/upload-coverage/action.yml .github/actions/create-test-env/action.yml .github/actions/setup-nodejs-markdown/action.yml
Update pre-commit configuration with CI and autoupdate commit messages	Extended .pre-commit-config.yaml to include custom messages for autofix and autoupdate hooks	.pre-commit-config.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/checkout	4.*.*	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/lewagon/wait-on-check-action	1.3.4	🟢 4.9	Details Check Score Reason Code-Review ⚠️ 2 Found 6/24 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 8 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/softprops/action-gh-release	2.*.*	🟢 5.3	Details Check Score Reason Maintained 🟢 10 26 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 3 Found 6/17 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	4.*.*	🟢 5.2	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/actions/upload-artifact	4.*.*	🟢 5.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/tj-actions/changed-files	45.0.8	🟢 6.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 10 all dependencies are pinned Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected

Scanned Files

• .github/workflows/ci.yml
• .github/workflows/deploy.yml
• .github/workflows/release.yml
• .github/workflows/security.yml
• .github/workflows/tests.yml

[kzndotsh]

@sourcery-ai title

[cloudflare-workers-and-pages]

Deploying tux with    Cloudflare Pages

Latest commit:	a015db3
Status:	✅  Deploy successful!
Preview URL:	https://1c8b410d.tux-afh.pages.dev
Branch Preview URL:	https://fix-gh-actions.tux-afh.pages.dev

View logs

[sourcery-ai]

Hey @kzndotsh - I've reviewed your changes and they look great!

Blocking issues:

• Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". (link)
• Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". (link)
• Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". (link)

Prompt for AI Agents

Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `.github/workflows/docker.yml:166` </location>
<code_context>
+    # Skips pull requests to prevent unnecessary deployments
+    # Waits for validation to complete before proceeding
     if: github.event_name != 'pull_request'
+    needs:             # Always wait for validation
+      - validate
     runs-on: ubuntu-latest
</code_context>

<issue_to_address>
The build job always waits for validation, but validation only runs on pull requests.

Consider making the 'build' job's dependency on 'validate' conditional or restructuring the workflow to prevent unnecessary waiting or confusion for non-pull request events.
</issue_to_address>

### Comment 2
<location> `.github/workflows/docker.yml:273` </location>
<code_context>
+          cache-to: type=gha,mode=max    # Update cache comprehensively
+          # CONDITIONAL MULTI-PLATFORM BUILDS
+          # ARM64 builds only for tagged releases to save resources
+          platforms: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'v')) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+          # SECURITY ATTESTATIONS
+          # SLSA provenance and SBOM only for releases
</code_context>

<issue_to_address>
The conditional for multi-platform builds may not match all intended release tags.

'contains(github.ref, 'v')' may be unnecessary or could exclude valid tags. Please review and clarify the tag matching logic to ensure all intended release tags are handled.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
          platforms: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'v')) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
=======
          platforms: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
>>>>>>> REPLACE

</suggested_fix>

### Comment 3
<location> `.github/workflows/maintenance.yml:165` </location>
<code_context>
+          package-type: container             # Container images only
+          # CONFIGURABLE RETENTION POLICY
+          # Default 10 images, override via manual trigger
           min-versions-to-keep: ${{ github.event.inputs.keep_amount || '10' }}
+          # UNTAGGED IMAGE HANDLING
+          # Configurable untagged image cleanup (typically safe to remove)
</code_context>

<issue_to_address>
Using a string default for min-versions-to-keep may cause type issues.

Validate or cast the input to an integer to prevent unexpected behavior if a string is provided.
</issue_to_address>

### Comment 4
<location> `.github/workflows/release.yml:75` </location>
<code_context>
+      - name: Determine version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
</code_context>

<issue_to_address>
Manual release version input is not validated for semantic versioning.

Add a validation step to ensure manual version inputs follow semantic versioning (e.g., v1.2.3) to prevent inconsistent tags.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            VERSION="${{ github.event.inputs.version }}"
          else
            VERSION="${GITHUB_REF#refs/tags/}"
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
=======
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            VERSION="${{ github.event.inputs.version }}"
            # Validate semantic versioning: vMAJOR.MINOR.PATCH (e.g., v1.2.3)
            if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "Error: Manual version input '$VERSION' does not match semantic versioning (vMAJOR.MINOR.PATCH, e.g., v1.2.3)."
              exit 1
            fi
          else
            VERSION="${GITHUB_REF#refs/tags/}"
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
>>>>>>> REPLACE

</suggested_fix>

## Security Issues

### Issue 1
<location> `.github/workflows/deploy.yml:48` </location>

<issue_to_address>
**security (opengrep-rules.yaml.github-actions.security.run-shell-injection):** Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

*Source: opengrep*
</issue_to_address>

### Issue 2
<location> `.github/workflows/deploy.yml:71` </location>

<issue_to_address>
**security (opengrep-rules.yaml.github-actions.security.run-shell-injection):** Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

*Source: opengrep*
</issue_to_address>

### Issue 3
<location> `.github/workflows/release.yml:74` </location>

<issue_to_address>
**security (opengrep-rules.yaml.github-actions.security.run-shell-injection):** Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: The build job always waits for validation, but validation only runs on pull requests.

Consider making the 'build' job's dependency on 'validate' conditional or restructuring the workflow to prevent unnecessary waiting or confusion for non-pull request events.

[sourcery-ai]

suggestion: The conditional for multi-platform builds may not match all intended release tags.

'contains(github.ref, 'v')' may be unnecessary or could exclude valid tags. Please review and clarify the tag matching logic to ensure all intended release tags are handled.

Suggested change

	platforms: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'v')) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
	platforms: ${{ (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}

[sourcery-ai]

issue (bug_risk): Using a string default for min-versions-to-keep may cause type issues.

Validate or cast the input to an integer to prevent unexpected behavior if a string is provided.

[sourcery-ai]

suggestion (bug_risk): Manual release version input is not validated for semantic versioning.

Add a validation step to ensure manual version inputs follow semantic versioning (e.g., v1.2.3) to prevent inconsistent tags.

Suggested change

	if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
	VERSION="${{ github.event.inputs.version }}"
	else
	VERSION="${GITHUB_REF#refs/tags/}"
	fi
	echo "version=$VERSION" >> "$GITHUB_OUTPUT"
	if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
	VERSION="${{ github.event.inputs.version }}"
	# Validate semantic versioning: vMAJOR.MINOR.PATCH (e.g., v1.2.3)
	if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	echo "Error: Manual version input '$VERSION' does not match semantic versioning (vMAJOR.MINOR.PATCH, e.g., v1.2.3)."
	exit 1
	fi
	else
	VERSION="${GITHUB_REF#refs/tags/}"
	fi
	echo "version=$VERSION" >> "$GITHUB_OUTPUT"

[sourcery-ai]

security (opengrep-rules.yaml.github-actions.security.run-shell-injection): Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

Source: opengrep

[sourcery-ai]

security (opengrep-rules.yaml.github-actions.security.run-shell-injection): Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

Source: opengrep

[sourcery-ai]

security (opengrep-rules.yaml.github-actions.security.run-shell-injection): Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

Source: opengrep