7 changes: 6 additions & 1 deletion .github/workflows/ci.yml
@@ -1,4 +1,8 @@
name: CI
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


on:
push:
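Review bot: `cancel-in-progress: true` on a group keyed by `${{ github.ref }}` also applies to `push` events on `main`, so a second push cancels the CI run of the earlier commit and that commit is left with a cancelled status rather than a result; `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` limits cancellation to superseded PR runs. The hunk also leaves two consecutive blank lines before `on:`; one is enough.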
@@ -18,7 +22,8 @@ jobs:
go-version: ['1.21', '1.22']

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Refresh models catalog
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Refresh models catalog
run: |
Comment on lines +25 to 27

🟠 Architect Review — HIGH

Multiple workflows in this PR define "combined steps" that include both uses and run, or multiple uses keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically actions/checkout or actions/configure-pages) being ignored or steps failing validation so intended gates do not run correctly.

Suggestion: Normalize all seven affected locations so each step has exactly one uses or one run and each logical operation (checkout, setup, analysis, gate script, etc.) is its own list item, ensuring that required checkouts and setup actions execute before dependent scripts across CI, docs, CodeQL, SAST, quality-gate, and policy-gate workflows.

git fetch --depth 1 https://github.com/router-for-me/models.git main
mkdir -p pkg/llmproxy/registry/models
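Review bot: the new lines still merge the checkout and the catalog refresh into one list item: `name: Refresh models catalog` and `run: |` are placed at the same level as `- uses: actions/checkout@…`, so one step carries both `uses` and `run`, which a workflow step cannot; make `- name: Refresh models catalog` / `run: |` its own item. The checkout ref `actions/checkout@34e11487…@11bd7190…` joins two SHAs with `@` and cannot resolve; keep the single SHA that matches the `# v4` comment. Separately, `git fetch --depth 1 https://github.com/router-for-me/models.git main` pulls the models catalog from a moving branch at build time; pinning a commit or tag keeps a change in that repository from silently altering what CI ships.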
3 changes: 2 additions & 1 deletion .github/workflows/codeql.yml
@@ -19,7 +19,8 @@ jobs:
language: [go]
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Initialize CodeQL
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
languages: ${{ matrix.language }}
config-file: .github/codeql/codeql-config.yml
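Review bot: `name: Initialize CodeQL` and the `github/codeql-action/init@…` line are added as keys of the Checkout step instead of starting a new `- ` item, leaving one mapping with two `uses` keys; whichever value the parser keeps, checkout and init do not both run, so split them into two items. The unchanged context line `# v4with:` shows `with:` still fused onto the version comment, which leaves `languages:` and `config-file:` without a parent key unless this is a rendering artefact of the diff view; the raw file is worth checking. The checkout ref again carries two `@`-joined SHAs.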
8 changes: 5 additions & 3 deletions .github/workflows/docs.yml
@@ -19,7 +19,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Setup Node
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Setup Node

Steps merged into one due to missing list indicators

High Severity

The commit splits step names that were previously embedded in YAML comments (e.g., # v4- name: Setup Node) into separate lines, but adds them as properties of the same step instead of creating new list items with - . This produces duplicate name: and uses: keys in single steps. YAML's last-wins behavior silently drops the first action (typically actions/checkout), so the repository is never checked out before subsequent steps run.

Additional Locations (2)

Reviewed by Cursor Bugbot for commit 6733dc6.

uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
Comment on lines +22 to 24

🔴 Architect Review — CRITICAL

The first docs build step defines both checkout and Node setup in a single step with duplicate uses keys, so the actions/checkout invocation is overridden and the repository is never actually checked out before bun/npm commands run, causing the docs build to run against an empty workspace.

Suggestion: Split this into two separate sequential steps (one uses: actions/checkout@<pinned-sha>, then one uses: actions/setup-node@<pinned-sha> with the existing with: block) so the workspace is checked out before any bun/npm-based build steps execute.

node-version: "20"
cache: "npm"
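Review bot: the Bugbot and Architect comments above already cover the duplicate `uses` keys; two further defects sit in the same lines. Both refs contain two `@`-joined SHAs (`actions/checkout@34e11487…@11bd7190…` and `actions/setup-node@49933ea5…@8f152de4…`), so neither resolves even after the step is split, and the context line `# v4with:` shows `with:` still inside the version comment, which leaves `node-version` and `cache` orphaned. Restore one SHA per ref and put `with:` on its own line when splitting the item.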
@@ -40,7 +41,7 @@ jobs:

- name: Install dependencies
working-directory: docs
run: npm install --frozen-lockfile
run: npm ci --frozen-lockfile

- name: Build docs
working-directory: docs
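Review bot: `--frozen-lockfile` is a pnpm/yarn option that npm does not implement; `npm ci` already refuses to proceed when `package-lock.json` disagrees with `package.json`, so the flag adds nothing and the line should read `run: npm ci`. `npm ci` also requires the lockfile to be committed under `docs/`, which is what the `cache: "npm"` setting on the setup-node step keys on as well.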
@@ -71,6 +72,7 @@ jobs:
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Configure Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5- name: Deploy
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
name: Deploy

YAML indentation error breaks entire docs workflow

High Severity

The name: Deploy line has 9 spaces of indentation while all sibling properties (uses:, id:) in the same step mapping have 8 spaces. YAML block mappings require all keys at the same level to share identical indentation. This mismatch will cause a YAML parse error, preventing the entire docs.yml workflow file from loading — breaking both the build and deploy jobs.


Reviewed by Cursor Bugbot for commit 6733dc6.

id: deployment
Comment on lines +75 to 77

🔴 Architect Review — CRITICAL

The Pages deploy job merges actions/configure-pages and actions/deploy-pages into a single step with duplicate uses keys, so configure-pages is never invoked and the job calls only deploy-pages, which can break the required GitHub Pages deployment contract on main.

Suggestion: Restore two explicit steps in order—a Configure Pages step that runs actions/configure-pages@<pinned-sha>, followed by a Deploy step running actions/deploy-pages@<pinned-sha> with the existing id and url wiring—so the Pages environment is configured before deployment.

uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
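Review bot: beyond the indentation and duplicate `uses` problems noted above, `id: deployment` now sits in the merged mapping while `url: ${{ steps.deployment.outputs.page_url }}` in the job's `environment` block depends on it; when the mapping is split back into a Configure Pages step and a Deploy step, `id: deployment` must stay on the `actions/deploy-pages` step, otherwise `page_url` resolves to an empty string and the environment URL is lost.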
4 changes: 4 additions & 0 deletions .github/workflows/journey-gate.yml
@@ -19,6 +19,10 @@
# =============================================================================

name: Journey Gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


on:
push:
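Review bot: same concurrency pattern as ci.yml, and Journey Gate also triggers on `push`, so a newer push cancels the gate run for the previous commit on the same branch; if this gate is a required status for branch protection, restrict `cancel-in-progress` to pull requests so every commit on `main` still gets a verdict. The doubled blank line before `on:` can be reduced to one.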
18 changes: 18 additions & 0 deletions .github/workflows/lint.yml
@@ -0,0 +1,18 @@
name: lint
on:
push:
branches: [main, master, develop]
pull_request:
branches: [main, master, develop]
jobs:
golangci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: stable
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
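Review bot: this new workflow pins `actions/checkout@v4`, `actions/setup-go@v5` and `golangci/golangci-lint-action@v6` by mutable tag and runs the linter at `version: latest`, while every other workflow in this PR pins actions to a commit SHA; pin these the same way and give the linter a fixed version so a new release cannot change lint results or the code that runs with the job token. The file also has no `permissions:` block (CodeQL flags this below); a top-level `permissions: contents: read` is all this job needs. `go-version: stable` may drift from the 1.21/1.22 matrix that ci.yml tests; `go-version-file: go.mod` keeps the two aligned.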

Check warning (Code scanning / CodeQL), on lines +9 to +18:

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
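The review comments above describe three recurring defects in this PR: step keys (`name`, `uses`, `run`) merged into one mapping so YAML keeps only the last `uses`, action refs carrying two `@`-joined SHAs, and dependencies pinned to tags or `@latest`. The lint below is an added example, not code from this repository or from any of the review bots; it flags those patterns line by line without a YAML library. `SAMPLE` is a constructed fragment modelled on the hunks in this PR, and the lint assumes the two-space-per-level indentation these workflows use.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
KEY_RE = re.compile(r"([A-Za-z_-]+):\s*(.*)")

# Constructed sample modelled on the merged steps and unpinned refs in this PR.
SAMPLE = """\
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        name: Setup Node
        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
      - uses: actions/setup-go@v5
        run: go install github.com/trufflehog/trufflehog/v3@latest
"""


def lint_steps(text):
    """Line-based lint of workflow steps; returns (line_no, message) pairs.
    Assumes the two-space-per-level layout this repository's workflows use."""
    findings, step = [], None  # step: keys seen so far in the open '- ' list item
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent, is_item = len(raw) - len(raw.lstrip()), body.startswith("- ")
        if is_item:  # keys of a list item sit two columns past the dash
            body, indent = body[2:], indent + 2
        m = KEY_RE.match(body)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if is_item:
            step = {"keys": [], "line": n, "indent": indent}
        elif step is None or indent != step["indent"]:
            if step is not None and indent < step["indent"]:
                step = None  # dedented out of the steps list
            continue
        if key in step["keys"]:
            findings.append((n, f"duplicate '{key}' in step at line {step['line']}; YAML keeps only the last"))
        step["keys"].append(key)
        if key in ("uses", "run") and {"uses", "run"} <= set(step["keys"]):
            findings.append((n, "step has both 'uses' and 'run'; split it into two steps"))
        if key == "uses":
            ref = value.partition("#")[0].strip()
            if ref.count("@") != 1 or not SHA_RE.match(ref.rsplit("@", 1)[1]):
                findings.append((n, f"'{ref}' is malformed or not pinned to a full commit SHA"))
        if key == "run" and "@latest" in value:
            findings.append((n, "'@latest' installs a moving target; pin a version"))
    return findings
```

Running `lint_steps(SAMPLE)` reports the doubled checkout SHA, the duplicate `name` and `uses` keys, the tag-pinned setup-go, the step mixing `uses` with `run`, and the `@latest` install.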
4 changes: 4 additions & 0 deletions .github/workflows/policy-gate.yml
@@ -1,4 +1,8 @@
name: policy-gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on: [workflow_dispatch]
permissions:
contents: read
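Review bot: with `on: [workflow_dispatch]` the group `${{ github.workflow }}-${{ github.ref }}` means a second manual dispatch on the same ref cancels a gate run that is still in progress, and the cancelled run reports no verdict; that is acceptable only if the later run fully supersedes the earlier one. The same applies to the identical blocks added to quality-gate.yml and self-merge-gate.yml below.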
4 changes: 4 additions & 0 deletions .github/workflows/quality-gate.yml
@@ -1,4 +1,8 @@
name: quality-gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on: [workflow_dispatch]
permissions:
contents: read
7 changes: 6 additions & 1 deletion .github/workflows/sast-quick.yml
@@ -1,4 +1,8 @@
name: SAST Quick Check
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


on:
pull_request:
@@ -41,7 +45,8 @@ jobs:
# Tier 3: Advisory - security enrichment only
continue-on-error: true
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4- name: Analyze licenses
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
name: Analyze licenses
uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true # Allow findings but don't fail
- name: Check for non-reusable licenses
run: |
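Review bot: same merged-step problem as in the other workflows: `name: Analyze licenses` and `uses: fsfe/reuse-action@…` are appended to the checkout item rather than starting a new `- ` item, so the step ends up with two `uses` keys and the checkout is lost. The context line `# v4continue-on-error: true # Allow findings but don't fail` shows the step-level `continue-on-error` swallowed by the version comment; the job-level `continue-on-error: true` above still applies, but the step-level intent is gone. Split the item, put `continue-on-error: true` on its own line, and fix the doubled `@` in the checkout ref.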
4 changes: 4 additions & 0 deletions .github/workflows/scorecard.yml
@@ -1,4 +1,8 @@
name: OpenSSF Scorecard
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
branch_protection_rule:
schedule:
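Review bot: Scorecard also triggers on `schedule` and `branch_protection_rule`, and for those events `github.ref` is the default branch, so a scheduled scan and a push to `main` share one concurrency group and `cancel-in-progress: true` can cancel a scheduled Scorecard run part-way through. Scorecard runs do not supersede one another, so `cancel-in-progress: false` (or a group that includes `github.event_name`) fits this workflow better.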
4 changes: 4 additions & 0 deletions .github/workflows/self-merge-gate.yml
@@ -1,4 +1,8 @@
name: self-merge-gate
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on: [workflow_dispatch]
permissions:
contents: read
9 changes: 8 additions & 1 deletion .github/workflows/trufflehog.yml
@@ -1,4 +1,8 @@
name: Trufflehog Secrets Scan
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
push:
branches: [main]
@@ -11,7 +15,10 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
fetch-depth: 0
- uses: trufflehog/actions/setup@main
- uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1
with:
go-version: 'stable'
- run: go install github.com/trufflehog/trufflehog/v3@latest
- run: trufflehog github --only-verified --no-update
env:
GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
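Review bot: replacing `trufflehog/actions/setup@main` with `go install github.com/trufflehog/trufflehog/v3@latest` swaps one moving target for another; pin a release (`@v3.x.y`) so the scanner binary is reproducible and a new upstream release cannot change what runs with the job token. The `actions/setup-go` pin `0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1` is the only SHA in this PR without a `# vN` comment, so confirm it is a real commit of that repository before merging. In the env block, the backslash in `GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}` is neither a YAML escape nor an expression escape, so the variable either carries a literal backslash in front of the token or is not expanded at all; write `${{ secrets.GITHUB_TOKEN }}`.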