chore(cliproxyapi-plusplus): workflow hygiene — ubuntu-24.04, permissions #1012
base: main
Changes from all commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| blank_issues_enabled: true | ||
| contact_links: | ||
| - name: Phenotype org | ||
| url: https://github.com/KooshaPari | ||
| about: Other Phenotype-ecosystem repos and discussions |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,16 +1,19 @@ | ||
| name: Alert sync issues | ||
| on: | ||
| push: | ||
| branches: [main, master, develop] | ||
| pull_request: | ||
| branches: [main, master, develop] | ||
| schedule: | ||
| - cron: '17 * * * *' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| issues: write | ||
|
|
||
| jobs: | ||
| sync: | ||
| uses: KooshaPari/phenoShared/.github/workflows/alert-sync-issues.yml@main | ||
| uses: KooshaPari/phenoShared/.github/workflows/alert-sync-issues.yml@4b820a6d1eca7884e692e4ec4edf2b59732809cd | ||
| with: | ||
| auto-label: auto-alert-sync | ||
| min_severity: high |
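Review bot: the `uses:` line now points at a full commit SHA instead of `@main`, which is the right supply-chain fix for a reusable workflow that runs hourly with `issues: write`, but unlike the action pins elsewhere in this PR (`# v4`, `# v3`) it carries no trailing comment recording which tag or date `4b820a6d1eca7884e692e4ec4edf2b59732809cd` resolves to, so the pin cannot be audited or bumped without digging through the phenoShared history; add `# <tag or date>` after the SHA. The new `permissions` block (`contents: read`, `issues: write`) is the ceiling for the called workflow, since a called workflow can only lower the caller's token permissions, never raise them, so keep it this tight.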
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,11 @@ | ||
| name: codeql | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, master, develop] | ||
| pull_request: | ||
| branches: [main, master, develop] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| actions: read | ||
| contents: read | ||
|
|
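Review bot: the `permissions` block visible in this hunk grants only `actions: read` and `contents: read`; the CodeQL analyze step uploads SARIF results, which requires `security-events: write` on the job or workflow token. If that line sits below the hunk's cut-off, fine; if not, the analyze step in the next hunk will fail at upload even though the scan itself runs, and a failing required check is easy to mistake for a finding. Worth confirming before merge.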
@@ -12,19 +15,22 @@ jobs: | |
| analyze: | ||
| name: Analyze (Go) | ||
| if: ${{ !startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-24.04 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: [go] | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL | ||
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with: | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| name: Initialize CodeQL | ||
| uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 | ||
| with: | ||
Cursor Bugbot (High Severity): Checkout and CodeQL init merged into one step. The Checkout step and Initialize CodeQL step have been collapsed into a single YAML mapping with duplicate
Reviewed by Cursor Bugbot for commit 5f17af3.

CRITICAL:
| languages: ${{ matrix.language }} | ||
| config-file: .github/codeql/codeql-config.yml | ||
| - name: Set up Go | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with: | ||
| uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 | ||
| with: | ||
| go-version-file: go.mod | ||
| cache: true | ||
| - name: Build | ||
|
|
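Review bot: on the side of this hunk that splits the steps apart, `name: Initialize CodeQL` has no leading `- `, so YAML reads it as a second `name` key inside the Checkout step rather than as a new step, and the `uses:` and `with:` that follow collide with the Checkout step's own keys; this is the duplicate-key collapse the bot comments describe. The fix is `- name: Initialize CodeQL`, indented exactly like `- name: Checkout` above it. The other side's `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL` (two SHAs joined by `@`, next step swallowed into the comment) is not a valid action reference either, so neither version of this step runs as written; running `actionlint` on the file before merge would catch both.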
@@ -33,7 +39,7 @@ jobs: | |
| uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix: | ||
|
Comment on lines 24 to 39 (.github/workflows/codeql.yml):

🔴 Architect Review — CRITICAL: The CodeQL job now has checkout and init collapsed into a single step with duplicate `name`/`uses` keys, and the `analyze` step is merged with the next job definition, so the intended checkout/init/analyze sequence is not executed and the branch-specific skip job has been collapsed into the same job, breaking the CodeQL analysis flow.

Suggestion: Restore separate steps for checkout, CodeQL init, and analyze, and split the
||
| name: Analyze (Go) | ||
| if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }} | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Skip CodeQL build for migrated router compatibility branch | ||
| run: echo "Skipping CodeQL build for migrated router compatibility branch." | ||
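Review bot: `uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix:` fuses the analyze step's trailing comment with the key of the next job, so `analyze-skip-for-migrated-router-fix` is no longer a job and the `name`, `if`, `runs-on` and `steps` that follow become stray keys; the `# v4` comment and the job key need a line break between them. Separately, both jobs carry `name: Analyze (Go)`: the skip job fires only for branches starting with `ci/fix-migrated-router-20260225060000-feature_ampcode-alias` and just echoes a message, so if `Analyze (Go)` is a required status check on this repository, any branch with that prefix satisfies the check without CodeQL ever running. That is a code-scanning bypass keyed on a branch name; confirm it is intended and remove the skip job once that branch is merged.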
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,11 @@ | ||
| name: coderabbit-rate-limit-retry | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, master, develop] | ||
| pull_request: | ||
| branches: [main, master, develop] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| checks: write | ||
| contents: read | ||
|
|
@@ -12,10 +15,11 @@ permissions: | |
| jobs: | ||
| retrigger: | ||
| name: retrigger-coderabbit-on-rate-limit | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Re-request CodeRabbit when backlog is high and check is stale | ||
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7with: | ||
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 | ||
| with: | ||
| script: | | ||
| const owner = context.repo.owner; | ||
| const repo = context.repo.repo; | ||
|
|
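Review bot: the `retrigger` job runs on `pull_request` and creates check runs through `actions/github-script` under `checks: write`, but for pull requests opened from forks the `GITHUB_TOKEN` given to the job is read-only by default regardless of the `permissions` block, so the check-run calls in `script:` will fail with 403 on fork PRs. Gate the step with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or document that fork PRs are expected to fail here.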
@@ -166,7 +170,7 @@ jobs: | |
| status: "completed", | ||
| conclusion: pass ? "success" : "failure", | ||
| output: { | ||
| title: pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked", | ||
| title: "pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked"," | ||
Cursor Bugbot (High Severity): JavaScript ternary expression corrupted into string literal. The JavaScript ternary expression
Reviewed by Cursor Bugbot for commit 5f17af3.
| summary, | ||
| }, | ||
| }); | ||
|
|
||
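Review bot: `title: "pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked","` wraps the ternary in double quotes that themselves contain double quotes, so it is not even a string literal but a JavaScript syntax error; because it sits inside the `script: |` block of `actions/github-script`, the whole step fails at parse time and no check run is created or updated, which silently disables the rate-limit retrigger. Keep the other side, `title: pass ? "CodeRabbit gate passed" : "CodeRabbit gate blocked",`. A `node --check` over the extracted script in CI would have flagged this.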
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,11 @@ | ||
| name: docker-image | ||
|
|
||
| on: | ||
| push: | ||
| branches: [main, master, develop] | ||
| pull_request: | ||
| branches: [main, master, develop] | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| APP_NAME: CLIProxyAPI | ||
| DOCKERHUB_REPO: ${{ secrets.DOCKERHUB_USERNAME }}/cli-proxy-api-plus | ||
|
|
@@ -12,16 +15,19 @@ permissions: | |
|
|
||
| jobs: | ||
| docker_amd64: | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| - name: Refresh models catalog | ||
| run: | | ||
| git fetch --depth 1 https://github.com/router-for-me/models.git main | ||
| git show FETCH_HEAD:models.json > internal/registry/models/models.json | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | ||
| - name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| - name: Generate Build Metadata | ||
|
|
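Review bot: the `Refresh models catalog` step fetches the `main` branch of `https://github.com/router-for-me/models.git` at build time and overwrites `internal/registry/models/models.json` with whatever `FETCH_HEAD` holds, so the image depends on an external mutable ref even though every action in this PR is pinned to a SHA. A changed or compromised upstream `main` flows straight into the published image with no record of which revision was baked in. Pin the fetch to a commit (`git fetch --depth 1 <url> <sha>`) or at least write `git rev-parse FETCH_HEAD` into the build metadata so the catalog revision is traceable from the image labels. The checkout line with two `@` SHAs is the same merge damage seen in the codeql workflow and must not be the surviving side.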
@@ -30,7 +36,8 @@ jobs: | |
| echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV | ||
| echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV | ||
| - name: Build and push (amd64) | ||
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: | ||
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64 | ||
| push: true | ||
|
|
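Review bot: `push: true` is unconditional while the workflow triggers on `pull_request` to `main`, `master` and `develop` as well as on `push`, so every pull request from a branch inside this repository logs in to Docker Hub with `DOCKERHUB_TOKEN` and pushes an image tagged from `VERSION`/`COMMIT` before review (fork PRs will instead fail at the login step, since secrets are not exposed to them). Use `push: ${{ github.event_name != 'pull_request' }}` here and gate the `Login to DockerHub` step the same way so PR builds only build.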
@@ -46,13 +53,16 @@ jobs: | |
| runs-on: ubuntu-24.04-arm | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| - name: Refresh models catalog | ||
| run: | | ||
| git fetch --depth 1 https://github.com/router-for-me/models.git main | ||
| git show FETCH_HEAD:models.json > internal/registry/models/models.json | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | ||
| - name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| - name: Generate Build Metadata | ||
|
|
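Review bot: the arm64 job repeats the unpinned `git fetch --depth 1 https://github.com/router-for-me/models.git main` of the models catalog and the same doubled-SHA checkout line as the amd64 job, so the catalog revision needs pinning here too and the cleaned single-SHA checkout must be the surviving side. Since the two jobs differ only in `runs-on` and `platforms`, a matrix over the two runners (or a composite action for the shared steps) would leave one copy of the fetch to pin and review instead of two.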
@@ -61,7 +71,8 @@ jobs: | |
| echo COMMIT=`git rev-parse --short HEAD` >> $GITHUB_ENV | ||
| echo BUILD_DATE=`date -u +%Y-%m-%dT%H:%M:%SZ` >> $GITHUB_ENV | ||
| - name: Build and push (arm64) | ||
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6with: | ||
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | ||
| with: | ||
| context: . | ||
| platforms: linux/arm64 | ||
| push: true | ||
|
|
@@ -74,15 +85,18 @@ jobs: | |
| ${{ env.DOCKERHUB_REPO }}:${{ env.VERSION }}-arm64 | ||
|
|
||
| docker_manifest: | ||
| runs-on: ubuntu-latest | ||
| runs-on: ubuntu-24.04 | ||
| needs: | ||
| - docker_amd64 | ||
| - docker_arm64 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3- name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3with: | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | ||
| - name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| - name: Generate Build Metadata | ||
|
|
@@ -102,7 +116,7 @@ jobs: | |
| "${DOCKERHUB_REPO}:${VERSION}-arm64" | ||
| - name: Cleanup temporary tags | ||
| continue-on-error: true | ||
| env: | ||
| - env: | ||
Cursor Bugbot (Medium Severity): Docker cleanup step split creates invalid workflow step. The "Cleanup temporary tags" step has been split into a step with only
Reviewed by Cursor Bugbot for commit 5f17af3.
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | ||
| run: | | ||
|
|
||
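Review bot: `- env:` starts a new list item, so after this hunk the `Cleanup temporary tags` step consists of just `name` and `continue-on-error: true` with nothing to run, and the `env`/`run` pair that follows becomes an anonymous second step; a step with neither `uses` nor `run` is rejected at workflow validation, which takes the whole `docker_manifest` job down. Drop the `- ` so `env:` stays under the named step. Note also that `continue-on-error: true` on the step that holds `DOCKERHUB_TOKEN` means a failed cleanup (including an auth failure from a revoked token) never fails the job, so that step's log, not the job status, is where such failures show up.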


Cursor Bugbot (High Severity): Reusable workflow job cannot have `runs-on`. The `phenotype-validate` job specifies both `runs-on: ubuntu-24.04` and `uses:` (a reusable workflow call). GitHub Actions does not allow `runs-on` on jobs that call reusable workflows — the called workflow defines its own runner. This will cause a workflow validation error, potentially blocking the entire CI workflow.
Reviewed by Cursor Bugbot for commit 0864037.