chore: bump ubuntu version in docs.yml workflow

[KooshaPari]

User description

Automated from stash.

---

Note

Medium Risk
Changes affect merge-blocking CI and secret scanning paths, and several workflow edits look structurally broken, which could disable jobs until corrected.

Overview
This PR retools GitHub Actions across many workflows rather than only bumping the docs runner OS (jobs still use ubuntu-latest).

Concurrency is added on CI, journey-gate, policy/quality/self-merge gates, SAST, Scorecard, and Trufflehog so duplicate runs on the same ref are cancelled (cancel-in-progress: true).

A new lint.yml workflow runs golangci-lint on push/PR to main, master, and develop via floating @v4/@v5/@v6 action tags.

Docs build switches docs dependency install from npm install to npm ci. Trufflehog drops trufflehog/actions/setup@main in favor of Setup Go plus go install of TruffleHog v3.

Several files also reformat or reorder step keys (e.g. checkout vs step name). In the current tree, some of that looks like invalid YAML—notably ci.yml putting the models-catalog run on the checkout step, codeql.yml/ **docs.yml**/ sast-quick.yml steps where uses and name appear merged incorrectly, and policy-gate.yml/quality-gate.yml checkout lines glued to the next step. Those would prevent workflows from running until fixed.

^{Reviewed by Cursor Bugbot for commit 6733dc6. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Improve CI job handling and add repo lint checks

What Changed

• Duplicate runs of the same workflow now cancel older ones for CI, security scans, and gate checks
• A new lint workflow runs Go linting on pushes and pull requests to the main branches
• Docs builds now install dependencies with a locked install step, which keeps the build input more consistent
• Secret scanning now installs TruffleHog through Go before running the scan

Impact

✅ Fewer duplicate CI runs
✅ Faster feedback on active branches
✅ More consistent docs builds
✅ Clearer lint checks before merge

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Review limit reached

@KooshaPari, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 45 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e49d99e3-4008-4bfb-b2b4-7ec2c42ffb1c

📥 Commits

Reviewing files that changed from the base of the PR and between b4f95c7 and 6733dc6.

📒 Files selected for processing (11)

• .github/workflows/ci.yml
• .github/workflows/codeql.yml
• .github/workflows/docs.yml
• .github/workflows/journey-gate.yml
• .github/workflows/lint.yml
• .github/workflows/policy-gate.yml
• .github/workflows/quality-gate.yml
• .github/workflows/sast-quick.yml
• .github/workflows/scorecard.yml
• .github/workflows/self-merge-gate.yml
• .github/workflows/trufflehog.yml

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key: "pre_merge_checks"

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/ubuntu-24-docs-yml

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[codeant-ai]

🔴 Architect Review — CRITICAL

The first docs build step defines both checkout and Node setup in a single step with duplicate uses keys, so the actions/checkout invocation is overridden and the repository is never actually checked out before bun/npm commands run, causing the docs build to run against an empty workspace.

Suggestion: Split this into two separate sequential steps (one uses: actions/checkout@<pinned-sha>, then one uses: actions/setup-node@<pinned-sha> with the existing with: block) so the workspace is checked out before any bun/npm-based build steps execute.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/docs.yml
**Line:** 22:24
**Comment:**
	*CRITICAL: The first docs build step defines both checkout and Node setup in a single step with duplicate `uses` keys, so the `actions/checkout` invocation is overridden and the repository is never actually checked out before `bun`/`npm` commands run, causing the docs build to run against an empty workspace.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

🔴 Architect Review — CRITICAL

The Pages deploy job merges actions/configure-pages and actions/deploy-pages into a single step with duplicate uses keys, so configure-pages is never invoked and the job calls only deploy-pages, which can break the required GitHub Pages deployment contract on main.

Suggestion: Restore two explicit steps in order—a Configure Pages step that runs actions/configure-pages@<pinned-sha>, followed by a Deploy step running actions/deploy-pages@<pinned-sha> with the existing id and url wiring—so the Pages environment is configured before deployment.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/docs.yml
**Line:** 75:77
**Comment:**
	*CRITICAL: The Pages deploy job merges `actions/configure-pages` and `actions/deploy-pages` into a single step with duplicate `uses` keys, so `configure-pages` is never invoked and the job calls only `deploy-pages`, which can break the required GitHub Pages deployment contract on `main`.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

🟠 Architect Review — HIGH

Multiple workflows in this PR define "combined steps" that include both uses and run, or multiple uses keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically actions/checkout or actions/configure-pages) being ignored or steps failing validation so intended gates do not run correctly.

Suggestion: Normalize all seven affected locations so each step has exactly one uses or one run and each logical operation (checkout, setup, analysis, gate script, etc.) is its own list item, ensuring that required checkouts and setup actions execute before dependent scripts across CI, docs, CodeQL, SAST, quality-gate, and policy-gate workflows.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/ci.yml
**Line:** 25:27
**Comment:**
	*HIGH: Multiple workflows in this PR define "combined steps" that include both `uses` and `run`, or multiple `uses` keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically `actions/checkout` or `actions/configure-pages`) being ignored or steps failing validation so intended gates do not run correctly.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix prepared fixes for both issues found in the latest run.

• ✅ Fixed: YAML indentation error breaks entire docs workflow
  • Corrected indentation and added missing list indicator to separate Configure Pages and Deploy steps.
• ✅ Fixed: Steps merged into one due to missing list indicators
  • Added missing list indicators to separate workflow steps in docs.yml, codeql.yml, and sast-quick.yml.

Or push these changes by commenting:

@cursor push 90d565a23e

Preview (90d565a23e)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,18 +20,21 @@
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
           languages: ${{ matrix.language }}
           config-file: .github/codeql/codeql-config.yml
       - name: Set up Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with:
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
           go-version-file: go.mod
           cache: true
       - name: Build
         run: go build ./...
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix:
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+  analyze-skip-for-migrated-router-fix:
     name: Analyze (Go)
     if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }}
     runs-on: ubuntu-latest

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,14 +20,16 @@
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+        with:
           node-version: "20"
           cache: "npm"
           cache-dependency-path: docs/package.json
 
       - name: Setup Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with:
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        with:
           bun-version: latest
 
       - name: Install OXC dependencies
@@ -51,7 +53,8 @@
         run: test -f docs/.vitepress/dist/index.html
 
       - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with:
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+        with:
           path: docs/.vitepress/dist/
 
   build-skip-branch-ci-unblock:
@@ -73,6 +76,6 @@
     steps:
       - name: Configure Pages
         uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
-         name: Deploy
+      - name: Deploy
         id: deployment
         uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
\ No newline at end of file

diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml
--- a/.github/workflows/sast-quick.yml
+++ b/.github/workflows/sast-quick.yml
@@ -21,9 +21,11 @@
     # Tier 3: Advisory - security enrichment only
     continue-on-error: true
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with:
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
           python-version: "3.12"
       - name: Install Semgrep
         run: python -m pip install --disable-pip-version-check semgrep==1.157.0
@@ -33,7 +35,8 @@
         run: |
           semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: semgrep.sarif
 
@@ -46,14 +49,16 @@
     continue-on-error: true
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Analyze licenses
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true  # Allow findings but don't fail
+      - name: Analyze licenses
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true  # Allow findings but don't fail
       - name: Check for non-reusable licenses
         run: |
           # Check for problematic licenses
           grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true
       - name: Check license compliance
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true
 
   # Secret Scanning - Tier 2: Important (runs in parallel)
   secrets:
@@ -61,10 +66,12 @@
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
       - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env:
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: --verbose --redact
@@ -77,6 +84,7 @@
           output: trivy-results.sarif
         continue-on-error: true
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: 'trivy-results.sarif'

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit 6733dc6. Configure here.}

[cursor]

YAML indentation error breaks entire docs workflow

High Severity

The name: Deploy line has 9 spaces of indentation while all sibling properties (uses:, id:) in the same step mapping have 8 spaces. YAML block mappings require all keys at the same level to share identical indentation. This mismatch will cause a YAML parse error, preventing the entire docs.yml workflow file from loading — breaking both the build and deploy jobs.

 

^{Reviewed by Cursor Bugbot for commit 6733dc6. Configure here.}

[cursor]

Steps merged into one due to missing list indicators

High Severity

The commit splits step names that were previously embedded in YAML comments (e.g., # v4- name: Setup Node) into separate lines, but adds them as properties of the same step instead of creating new list items with - . This produces duplicate name: and uses: keys in single steps. YAML's last-wins behavior silently drops the first action (typically actions/checkout), so the repository is never checked out before subsequent steps run.

Additional Locations (2)

• .github/workflows/codeql.yml#L21-L24
• .github/workflows/sast-quick.yml#L47-L50

 

^{Reviewed by Cursor Bugbot for commit 6733dc6. Configure here.}