
fix: upgrade upload-pages-artifact to v4 and add zizmor workflow linting #299

Merged: Aureliolo merged 3 commits into main from fix/pages-sha-pinning-and-zizmor on Mar 11, 2026

Conversation

@Aureliolo (Owner)

Summary

  • Upgrade actions/upload-pages-artifact v3 → v4 — v4.0.0 (PR #127) SHA-pins its internal actions/upload-artifact dependency, fixing the sha_pinning_required conflict where the composite action's tag reference (@v4) was rejected by the repo's Actions permissions policy
  • Add zizmor workflow security analysis — runs on workflow file changes (push to main + PRs), catches unpinned actions, script injection, excessive permissions, and uploads SARIF to the Security tab
  • Add explicit failure on release retry exhaustion — retry loop now sets a FOUND flag so exhaustion surfaces a clear ::error:: instead of falling through to a confusing gh release edit failure (Greptile finding on PR #298, docs: set up documentation site, release CI, and sandbox hardening)

Context

After merging #298, the Pages workflow failed on main because upload-pages-artifact v3 internally called actions/upload-artifact@v4 (tag, not SHA), violating the repo's sha_pinning_required: true setting. This is a known limitation with composite actions — GitHub enforces SHA pinning transitively but composite action authors don't always pin their internal deps. v4.0.0 fixed this upstream.

The zizmor workflow provides CI-level enforcement of SHA pinning and other workflow security checks, complementing the repo-level sha_pinning_required setting.

Test plan

  • Pages workflow succeeds on main after merge (v4 upload-pages-artifact)
  • zizmor workflow runs and uploads SARIF on this PR's workflow changes
  • Verify no breaking change from v4 dotfile exclusion (MkDocs/Astro output has no dotfiles)
  • Release retry loop fails clearly after exhaustion (manual verification of logic)

- Upgrade actions/upload-pages-artifact from v3 to v4 (SHA 7b1f4a764d45) — v4 SHA-pins its internal actions/upload-artifact dependency, fixing the sha_pinning_required conflict where composite action internals used tag references (actions/upload-artifact@v4)
- Add zizmor workflow security analysis on workflow file changes — catches unpinned actions, script injection, excessive permissions, and other GitHub Actions security issues via SARIF upload

Closes #299

- Add FOUND flag to update-release retry loop so exhaustion surfaces a clear error instead of falling through to a confusing gh release edit failure (Greptile PR #298 finding).
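The retry-exhaustion change described in the summary above (a FOUND flag, a ::error:: annotation when the attempts run out, and no fall-through to gh release edit), written out as an added example in POSIX shell. This is not the repository's docker.yml step: it assumes the probe command is passed in as a parameter so the loop can be run offline, and the constructed probes fake_probe and never_probe stand in for gh release view.

```shell
#!/bin/sh
# Bounded poll for a GitHub Release with an explicit failure on exhaustion.
# Added example, not the repository's docker.yml step: the real step probes
# with `gh release view` and then runs `gh release edit`. Here the probe
# command is a parameter so the exhaustion path can be exercised offline.

# wait_for_release TAG ATTEMPTS DELAY_SECONDS [PROBE]
#   PROBE is any command that exits 0 once the release exists (default:
#   `gh release view`). Returns 0 as soon as a probe succeeds; after ATTEMPTS
#   failures it prints a ::error:: annotation (rendered by GitHub Actions as
#   a job error) and returns 1, so the caller never reaches `gh release edit`
#   for a release that does not exist.
wait_for_release() {
  tag=$1
  attempts=$2
  delay=$3
  probe=${4:-"gh release view"}
  found=0
  i=1
  while [ "$i" -le "$attempts" ]; do
    if $probe "$tag" >/dev/null 2>&1; then
      found=1
      break
    fi
    echo "release $tag not visible yet (attempt $i/$attempts)"
    i=$((i + 1))
    if [ "$i" -le "$attempts" ]; then
      sleep "$delay"
    fi
  done
  if [ "$found" -ne 1 ]; then
    echo "::error::release $tag not found after $attempts attempts; refusing to run 'gh release edit'"
    return 1
  fi
  echo "release $tag found on attempt $i"
  return 0
}

# Constructed probes for an offline run (not gh). fake_probe succeeds on its
# third call, as if the release became visible after two polls; never_probe
# models a release that never appears.
PROBE_CALLS=0
fake_probe() {
  PROBE_CALLS=$((PROBE_CALLS + 1))
  [ "$PROBE_CALLS" -ge 3 ]
}
never_probe() {
  return 1
}

wait_for_release v0.1.1 6 0 fake_probe
wait_for_release v0.1.1 3 0 never_probe || echo "exhausted: exit status $?"
```

In a workflow step the function's non-zero return is what fails the job; without the FOUND flag the loop would end quietly and the next command would fail with an error about the edit rather than about the missing release.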
Copilot AI review requested due to automatic review settings March 11, 2026 15:01
@github-actions (Contributor)

github-actions bot commented Mar 11, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score
actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd | 🟢 5.9
  Check | Score | Reason
  Maintained | ⚠️ 2 | 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
  Code-Review | 🟢 10 | all changesets reviewed
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Packaging | ⚠️ -1 | packaging workflow not detected
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Signed-Releases | ⚠️ -1 | no releases found
  Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3
  Security-Policy | 🟢 9 | security policy file detected
  Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
  SAST | 🟢 8 | SAST tool detected but not run on all commits
zizmorcore/zizmor-action | 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 | Unknown (no Scorecard details available)

Scanned Files

  • .github/workflows/zizmor.yml

@coderabbitai

coderabbitai bot commented Mar 11, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Enhanced release process reliability with improved verification checks.
    • Updated GitHub Pages deployment to the latest action version for better compatibility.
    • Added automated security scanning for workflow configurations.

Walkthrough

Three GitHub Actions workflow files are modified: Docker workflow now includes bounded retry verification (6 attempts) for GitHub release existence with explicit error handling, Pages workflow upgraded to use newer upload-pages-artifact action version, and a new Zizmor workflow added for workflow security scanning.

Changes

Cohort / File(s): Summary
  Release Retry Verification (.github/workflows/docker.yml): Added bounded retry logic (6 attempts) with FOUND flag to verify GitHub release existence before updating release notes, with explicit error exit on failure.
  Artifact Action Upgrade (.github/workflows/pages.yml): Updated actions/upload-pages-artifact from v3 to v4 (commit SHA updated).
  Workflow Security Scanning (.github/workflows/zizmor.yml): New workflow added to run security checks on workflow file changes via zizmor-action with pinned versions and specific digest, triggered on pushes and pull requests to main branch.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: 3 passed
  Title check: ✅ Passed. The title accurately summarizes the main changes: upgrading upload-pages-artifact to v4 and adding zizmor workflow linting, which are the primary modifications across the three workflow files.
  Description check: ✅ Passed. The description is comprehensive and directly related to the changeset, explaining the motivation, context, and changes for all three workflow modifications.
  Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@greptile-apps

greptile-apps bot commented Mar 11, 2026

Greptile Summary

This PR addresses a post-merge Pages deployment breakage caused by upload-pages-artifact v3 internally using an unpinned actions/upload-artifact@v4 tag reference, which violated the repo's sha_pinning_required policy; it upgrades to v4 which pins its internal dependency. Two additional improvements are included: a new zizmor.yml CI workflow that provides static security analysis of GitHub Actions workflow files, and an explicit failure path for the Docker release retry loop.

  • pages.yml: SHA bumped from 56afc609... (v3) to 7b1f4a76... (v4) for actions/upload-pages-artifact, resolving the transitive unpinned dependency violation.
  • zizmor.yml: New workflow running zizmorcore/zizmor-action on workflow file changes. Uses permissions: {} at the top level with scoped job-level permissions (security-events: write, contents: read, actions: read). SARIF upload is correctly gated to push and workflow_dispatch events via advanced-security: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}, preventing failures on fork PRs that lack security-events: write.
  • docker.yml: Adds a FOUND=0 flag before the release poll loop and a post-loop exit 1 with a clear ::error:: annotation if all 6 attempts are exhausted, replacing the prior silent fall-through.

Confidence Score: 5/5

  • This PR is safe to merge — all changes are targeted, well-reasoned, and follow existing security conventions.
  • All three workflow changes are minimal and correct: the upload-pages-artifact upgrade fixes a concrete deployment failure with a SHA-pinned reference, the zizmor workflow correctly handles fork PR permission limits and follows least-privilege patterns consistent with other workflows in the repo, and the retry exhaustion fix is a straightforward shell logic improvement. No application code is changed.
  • No files require special attention.

Important Files Changed

  .github/workflows/zizmor.yml: New workflow adding zizmor static analysis for GitHub Actions security; correctly SHA-pinned, uses minimal permissions, and conditionally enables SARIF upload only for push/workflow_dispatch to handle fork PR permission limits.
  .github/workflows/pages.yml: Upgrades upload-pages-artifact v3 → v4 (SHA-pinned); fixes the sha_pinning_required conflict caused by v3's internal unpinned actions/upload-artifact@v4 dependency.
  .github/workflows/docker.yml: Adds FOUND flag and explicit error/exit after retry exhaustion, replacing silent fall-through that would produce a confusing gh release edit failure.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Events
    participant ZW as zizmor.yml Workflow
    participant ZA as zizmorcore/zizmor-action
    participant ST as Security Tab (SARIF)
    participant PR as PR Annotations

    GH->>ZW: push to main (workflow files changed)
    ZW->>ZA: checkout + run zizmor (advanced-security=true)
    ZA->>ST: upload SARIF results

    GH->>ZW: pull_request to main (workflow files changed)
    ZW->>ZA: checkout + run zizmor (advanced-security=false)
    ZA->>PR: annotate PR with findings (no SARIF upload)

    GH->>ZW: workflow_dispatch (manual)
    ZW->>ZA: checkout + run zizmor (advanced-security=true)
    ZA->>ST: upload SARIF results

Last reviewed commit: 5bf6876
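A minimal SHA-pinning linter for the check that the zizmor workflow discussed in this thread enforces, given here as an added example; it is neither zizmor nor the project's own code. It assumes only POSIX sh and awk, the sample workflow it scans is constructed for the demo (reusing the two commit SHAs that appear in this PR), and it reads just the one file, so the transitive case this PR hit (a tag reference inside a composite action's own steps) is outside its view.

```shell
#!/bin/sh
# Report `uses:` references that are not pinned to a full 40-hex commit SHA.
# Added example; not the project's code and not zizmor itself, but it
# implements the unpinned-uses class of finding the zizmor workflow in this
# PR is meant to catch. It only reads the file it is given: a `uses:` inside
# a composite action that the file references (the upload-pages-artifact v3
# problem above) is out of view, which is why GitHub's repo-level
# sha_pinning_required check is still needed alongside a linter like this.

# unpinned_uses FILE
#   Prints "LINE: REF" for every action reference that is not SHA-pinned and
#   returns 1 if any were found, 0 if the file is clean. Local actions
#   (./path) are skipped; docker:// images count as pinned only with an
#   @sha256: digest.
unpinned_uses() {
  awk -v sq="'" '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
      sub(/[[:space:]]+#.*$/, "", ref)        # drop trailing "# v0.5.2" comments
      gsub(/"/, "", ref)                      # drop surrounding quotes
      gsub(sq, "", ref)
      if (ref ~ /^\.\//) next                 # local action: nothing to pin
      n = split(ref, parts, "@")
      pin = (n > 1) ? parts[n] : ""
      if (ref ~ /^docker:\/\//) {
        if (pin ~ /^sha256:/) next
      } else if (length(pin) == 40 && pin ~ /^[0-9a-f]+$/) {
        next
      }
      print NR ": " ref
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample workflow: two SHA-pinned steps (SHAs taken from this PR),
# two tag-pinned steps, one local action and one untagged docker image.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
name: sample
on: push
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag comment is ignored
      - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
      - uses: actions/upload-artifact@v4
      - uses: "actions/upload-pages-artifact@v3"
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
EOF

if unpinned_uses "$SAMPLE"; then
  echo "all action references are SHA-pinned"
else
  echo "unpinned references found; pin these before enabling sha_pinning_required"
fi
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI step and the job fails on the first tag-style reference, which is the same moment zizmor's unpinned-uses audit would; the trailing `# vX.Y.Z` comment convention used in this repository is preserved because the linter strips it before inspecting the ref.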


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 0dec9da and 43cc6ff.

📒 Files selected for processing (3)
  • .github/workflows/docker.yml
  • .github/workflows/pages.yml
  • .github/workflows/zizmor.yml
🧰 Additional context used
📓 Path-based instructions (3), from the CodeRabbit inference engine (CLAUDE.md):
  .github/workflows/*.yml: CI pipeline: lint (ruff) + type-check (mypy src/ tests/) + test (pytest + coverage) run in parallel → ci-pass gate. Coverage enforced at 80% minimum. Applies to pages.yml, zizmor.yml, docker.yml.
  .github/workflows/pages.yml: Pages workflow builds Astro landing + MkDocs docs, merges, deploys to GitHub Pages on push to main.
  .github/workflows/docker.yml: Docker workflow builds backend + web images, pushes to GHCR, signs with cosign. Scans: Trivy (CRITICAL = hard fail, HIGH = warn-only) + Grype (critical cutoff). CVE triage via .github/.trivyignore.yaml and .github/.grype.yaml. Images only pushed after scans pass. Triggers on push to main and version tags (v*). Docker CI tags images with version from pyproject.toml ([tool.commitizen].version), semver, and SHA.
🧠 Learnings (learnt from CR, repo Aureliolo/synthorg, CLAUDE.md, 2026-03-11T14:50:09.256Z), beyond the path-based instructions above:
  .github/workflows/release.yml: Release workflow uses Release Please (Google) to auto-create a release PR on every push to main. Merging the release PR creates a git tag (vX.Y.Z) + GitHub Release with changelog. Tag push triggers Docker workflow for version-tagged images. Uses RELEASE_PLEASE_TOKEN secret (PAT/GitHub App token). Config in .github/release-please-config.json and .github/.release-please-manifest.json. Applied to zizmor.yml and docker.yml.
  .github/dependabot.yml: Dependabot auto-updates uv + github-actions + docker dependencies daily with grouped minor/patch updates, no auto-merge.
🔇 Additional comments (3)
.github/workflows/docker.yml (1)

299-311: LGTM — explicit failure on retry exhaustion.

The FOUND flag correctly surfaces a clear error when the release is unavailable after 6 attempts, preventing the previous confusing fallthrough to gh release edit with empty content. The logic properly initializes FOUND=0, sets it to 1 only on success, and exits with an actionable error message if exhausted.

.github/workflows/zizmor.yml (1)

1-14: LGTM — well-structured security workflow.

Good security posture with empty top-level permissions and appropriately scoped job-level permissions. Triggering on workflow file changes ensures CI-level enforcement of security checks.

.github/workflows/pages.yml (1)

75-75: LGTM — SHA pin verified for v4.

The upgrade to actions/upload-pages-artifact@v4 with SHA 7b1f4a764d45c48632c6b24a0339c27f5614fb0b is correct. This change resolves the sha_pinning_required conflict and aligns with GitHub Actions best practices. The workflow correctly builds and merges Astro landing pages with MkDocs documentation before deployment.

Comment on lines +28 to +29
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify SHA 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is tagged as v0.5.2
gh api repos/zizmorcore/zizmor-action/git/ref/tags/v0.5.2 --jq '.object.sha'


🏁 Script executed:

cat -n .github/workflows/zizmor.yml

🌐 Web query:

zizmor-action v0.5.2 release SHA 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8

💡 Result:

71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is the commit that the zizmorcore/zizmor-action v0.5.2 release/tag points to (short SHA 71321a2). [1]

That commit is titled “Sync zizmor versions (#96)” and updates the action’s bundled/“latest” zizmor version to 1.23.1. [1][2]


SHA is correctly pinned to v0.5.2; consider adding workflow_dispatch for manual security scans.

The SHA-pinned action reference correctly follows repository conventions. Adding workflow_dispatch trigger would enable manual runs when needed (e.g., after zizmor rule updates), since the workflow currently only runs on workflow file changes.

💡 Optional: Add workflow_dispatch trigger
 on:
   push:
     branches: [main]
     paths:
       - ".github/workflows/**"
   pull_request:
     branches: [main]
     paths:
       - ".github/workflows/**"
+  workflow_dispatch:
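Review bot: the added `+  workflow_dispatch:` line gives the manual trigger, but the `paths` filters on the `push` and `pull_request` events above do not apply to it, so a dispatched run audits every workflow in the repository regardless of what changed; that is the behaviour wanted after a zizmor rule update, as the comment notes, and is worth a one-line comment next to the trigger. Two things belong with this change: the event gating discussed elsewhere in this thread (`advanced-security: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}`) must list `workflow_dispatch` as an upload-capable event, since a manual run has the repository's own GITHUB_TOKEN and can write security-events, and the dispatch should normally be run against `main`, because SARIF results are recorded against the ref they were produced from and the default code scanning view only shows the default branch.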

Copilot AI left a comment


Pull request overview

This PR updates the repository’s GitHub Actions workflows to comply with strict SHA pinning policies and to improve workflow security validation in CI.

Changes:

  • Upgrades actions/upload-pages-artifact from v3 to v4 (pinned by SHA) in the Pages deployment workflow.
  • Adds a new zizmor workflow to lint GitHub Actions workflows for security issues.
  • Improves the Docker release workflow’s retry loop to fail with a clear error when the GitHub Release never becomes available.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File: Description
  .github/workflows/zizmor.yml: Adds a workflow-security job intended to run zizmor and (per PR description) upload SARIF results.
  .github/workflows/pages.yml: Updates Pages artifact upload action to v4 (SHA-pinned) to resolve transitive pinning policy conflicts.
  .github/workflows/docker.yml: Adds a FOUND flag and explicit failure to make release retry exhaustion clearer.


Comment on lines +8 to +22
  pull_request:
    branches: [main]
    paths:
      - ".github/workflows/**"

permissions: {}

jobs:
  zizmor:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
      actions: read

Copilot AI Mar 11, 2026


pull_request workflows triggered from forks will receive a read-only GITHUB_TOKEN, so security-events: write (and SARIF upload) will fail in that context. Consider limiting SARIF upload to push on main (or gating the upload step on github.event_name == 'push') while still running the analysis on PRs, so external PRs don't fail spuriously.

Comment on lines +28 to +29
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

Copilot AI Mar 11, 2026


The PR description mentions uploading SARIF to the Security tab, but this workflow doesn't show any explicit SARIF upload step or inputs enabling upload; it relies on zizmorcore/zizmor-action defaults. To avoid silent drift if the action defaults change, consider making the SARIF upload behavior explicit (via documented with: options and/or a dedicated upload step).

…pilot

- Document zizmor workflow in CLAUDE.md CI section
- Add zizmor.yml to DESIGN_SPEC.md file tree
- Add workflow_dispatch trigger for manual security scans (CodeRabbit)
- Make SARIF upload explicit and conditional on push/dispatch events
  to prevent fork PR failures from read-only GITHUB_TOKEN (Copilot)
@Aureliolo Aureliolo merged commit 2eac571 into main Mar 11, 2026
5 checks passed
@Aureliolo Aureliolo deleted the fix/pages-sha-pinning-and-zizmor branch March 11, 2026 15:08
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the reliability and security of the CI/CD pipeline. It resolves a critical dependency pinning issue in GitHub Actions by upgrading a core component, and introduces a new static analysis workflow to proactively identify and mitigate security vulnerabilities within GitHub Actions workflows. Additionally, it improves the robustness of the release process by providing clearer failure indications.

Highlights

  • GitHub Actions Upgrade: Upgraded actions/upload-pages-artifact from v3 to v4 to resolve sha_pinning_required conflicts caused by transitive dependencies in composite actions, ensuring compliance with repository policies.
  • Workflow Security Analysis: Introduced a zizmor workflow for static analysis of GitHub Actions workflows, checking for unpinned actions, script injection, and excessive permissions, with SARIF upload to the Security tab.
  • Release Process Robustness: Enhanced the release retry mechanism to explicitly fail with a clear error message upon exhaustion, preventing confusing gh release edit failures and improving debugging.
Changelog
  • CLAUDE.md
    • Added a new entry detailing the implementation of zizmor.yml for workflow security analysis.
    • Updated the description of the release workflow to reflect the improved retry mechanism.
  • DESIGN_SPEC.md
    • Included zizmor.yml in the .github/workflows directory structure, noting its purpose for workflow security analysis.
Ignored Files
  • Ignored by pattern: .github/workflows/** (3)
    • .github/workflows/docker.yml
    • .github/workflows/pages.yml
    • .github/workflows/zizmor.yml

Aureliolo added a commit that referenced this pull request Mar 11, 2026
🤖 I have created a release *beep* *boop*
---


## [0.1.1](v0.1.0...v0.1.1) (2026-03-11)

### Features

* add PR preview deployments via Cloudflare Pages ([#302](#302)) ([b73c45a](b73c45a))

### Bug Fixes

* correct deploy-pages SHA and improve preview cleanup reliability ([#304](#304)) ([584d64a](584d64a))
* harden API key hashing with HMAC-SHA256 and clean up legacy changelog ([#292](#292)) ([5e85353](5e85353))
* upgrade upload-pages-artifact to v4 and add zizmor workflow linting ([#299](#299)) ([2eac571](2eac571))
* use Cloudflare Pages API default per_page for pagination ([#305](#305)) ([9fec245](9fec245))

### Documentation

* remove milestone references and rebrand to SynthOrg ([#289](#289)) ([57a03e0](57a03e0))
* set up documentation site, release CI, and sandbox hardening ([#298](#298)) ([0dec9da](0dec9da))
* split DESIGN_SPEC.md into 7 focused design pages ([#308](#308)) ([9ea0788](9ea0788))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Signed-off-by: Aurelio <19254254+Aureliolo@users.noreply.github.com>