fix(release): cut v0.15.1 after Phase 0 DevOps stabilization

[tomymaritano]

Release v0.15.1 — Phase 0 DevOps stabilization

Brings the 7-PR DevOps cleanup chain to main and cuts a clean release. This is the verification gate for the whole Phase 0 effort — if anything breaks at tag, build, or publish, Phase 0 isn't done.

What landed since v0.15.0

PR	Phase	Summary
#290	A1	`fix(desktop)`: pin Electron to ^41.7.1 so better-sqlite3 prebuilts apply (closes the v0.15.0 V8 ABI failure on all 3 build platforms)
#291	A2	`fix(release)`: restore version bumping via `scripts/bump-version.mjs` + `@semantic-release/exec` (closes the "tag at 0.14.0" trap)
#292	B	`chore(ci)`: workflow surface cleanup — actions @v4→@v5 sweep, `windows-latest` → `windows-2025-vs2026` pin, drop `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24`, `if-no-files-found: error`, `permissions:` blocks, HUSKY: '0' removal
#293	A4	`chore(ci)`: `release.yml` pre-flight dry-run gate + post-flight version assertion (closes the "silent no-release" trap)
#294	C1	`ci`: PR-title commitlint as a standalone workflow → required check on develop + main
#295		`fix(lint)`: develop lint baseline (preserve-caught-error × 4 in encryptionService + mcp-server tsconfig split for ESLint projectService)
#296		`chore(ci)`: unblock CI on develop — ignore CHANGELOG.md in Prettier (semantic-release writes it), `pnpm install --ignore-scripts` in setup job (same shape as release.yml + deploy-api.yml)

C2 — branch protection updates (already applied via gh api)

Both `develop` and `main`:

• Required status checks: `lint`, `test`, `typecheck`, `CodeRabbit`, `commitlint`
• Force-pushes blocked
• `strict: true` (PRs must be up to date)

Release pipeline guardrails now in place

• Pre-merge: PR-title commitlint blocks `release:`-style non-conventional squash titles upstream.
• Mid-release: `release.yml` dry-run check fails loud if no release would be cut. `scripts/bump-version.mjs` mutates both `package.json` files. Post-flight assertion verifies both match the dry-run-announced version.
• Post-release: `build.yml` artifact upload uses `if-no-files-found: error` (silent zero-asset releases die at upload).
• Native deps: `apps/desktop` pinned to Electron 41.7.1 with prebuilt better-sqlite3. CI `setup` skips postinstall so workflow-side install never rebuilds native modules.

Expected behavior of the Release pipeline after merge

1. Merge this PR → main tip advances.
2. Manually dispatch the Release workflow.
3. `release.yml` runs:
   • `pnpm install --ignore-scripts` (no native rebuild needed for semantic-release).
   • Pre-flight dry-run → "next release version is 0.15.1" (single `fix(release):` commit since v0.15.0).
   • `npx semantic-release`:
     • `@semantic-release/exec` runs `node scripts/bump-version.mjs 0.15.1` → both package.json files updated.
     • `@semantic-release/git` commits + pushes tag `v0.15.1`.
     • `@semantic-release/github` creates draft Release.
   • Post-flight assertion → both package.jsons read `0.15.1`.
4. Tag push triggers `build.yml` on macOS-14, windows-2025-vs2026, ubuntu-latest.
5. All 3 platforms succeed → publish job un-drafts the GitHub Release.
6. Auto-sync PR opens to merge main → develop.

What still needs verification (post-release)

• Tag push actually triggers Build (needs GH_TOKEN with workflow scope — A3 deferred, may need PAT regen)
• Build completes on all 3 platforms with prebuilt better-sqlite3 (smoke-test desktop bundle after publish)
• Auto-sync PR back to develop is created

🤖 This is the Phase 0 verification gate. Mobile + Plugin Marketplace UI remain deferred.

Summary by CodeRabbit

• New Features

  • Added PR title validation workflow for automated commit message compliance checks.

• Bug Fixes

  • Enhanced error diagnostics in encryption operations.
  • Added pre-flight checks to release process to prevent failed deployments.
  • Stricter artifact validation in builds.

• Chores

  • Updated GitHub Actions to latest stable versions.
  • Improved code formatting configuration and build scripts.
  • Adjusted Electron dependency version.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
readide	Ready	Preview, Comment	Jun 9, 2026 2:02pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR performs a systematic upgrade of GitHub Actions to v5, introduces PR title validation, hardens release automation with verification checks, updates code quality tooling, and improves application configurations including error handling, dependency pinning, and build setup.

Changes

CI/CD Enhancement and Build Configuration Updates

Layer / File(s)	Summary
GitHub Actions v5 runtime upgrade across all workflows .github/workflows/build.yml, .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/deploy-api.yml, .github/workflows/docs.yml	All CI workflows updated from actions v4 to v5 for checkout, setup-node, cache, and upload-artifact actions. Build workflow pins Windows runner to windows-2025-vs2026 and switches artifact upload to fail on missing files. CI adds --ignore-scripts to pnpm install and removes duplicate PR-title commitlint check. Docs workflow adds selective pnpm filtering and explicit GITHUB_TOKEN passing.
Dedicated PR title validation workflow .github/workflows/pr-title.yml	New workflow runs commitlint against PR titles on open/edit/reopen/synchronize events with PR-scoped concurrency and dependency caching.
Release automation with pre-flight dry-run and post-flight verification .github/workflows/release.yml, release.config.js, scripts/bump-version.mjs	Pre-flight step runs semantic-release dry-run, validates release will be cut, and logs next version. Post-flight step extracts expected version and verifies both package.json and apps/desktop/package.json versions match. Semantic-release config adds @semantic-release/exec plugin. New ESM script synchronizes version field across target package.json files.
Code quality tooling: Prettier configuration and format scripts .prettierignore, package.json	Prettier ignore file created with patterns for build artifacts, framework caches, and lock files. Format and format:check scripts updated to respect both .gitignore and .prettierignore paths.
Application and build configuration updates apps/desktop/src/main/services/encryptionService.ts, apps/desktop/package.json, packages/mcp-server/package.json, packages/mcp-server/tsconfig.json, packages/mcp-server/tsconfig.build.json	Encryption service adds error cause propagation across four methods for improved diagnostics. Electron pinned to ^41.7.1. MCP server build split into separate tsconfig.build.json excluding test files, build script targets that config, and base tsconfig includes vitest/globals types.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• tomymaritano/readide#157: Adds the semantic-release @semantic-release/exec configuration and version-bump script logic that this PR reintroduces in release.config.js and scripts/bump-version.mjs.
• tomymaritano/readide#290: Pins Electron to the same version (^41.7.1) as this PR's apps/desktop/package.json update.
• tomymaritano/readide#238: Updates packages/mcp-server TypeScript and build configuration similarly to this PR's tsconfig and package.json adjustments for that workspace.

Suggested labels

ci, dependencies, app:desktop, size/M

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the release version (v0.15.1) and the primary context (Phase 0 DevOps stabilization), accurately summarizing the PR's core objective of preparing and cutting a release after DevOps infrastructure work.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 57895f0949

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Rebuild native deps before Electron E2E

This setup cache is restored by the e2e job, but the Electron app launched there imports @readied/storage-sqlite in apps/desktop/src/main/index.ts and initializes better-sqlite3 before the notes IPC tests run. With --ignore-scripts, neither better-sqlite3's install script (prebuild-install || node-gyp rebuild --release) nor apps/desktop's electron-builder install-app-deps runs on a fresh runner, so the restored node_modules will not contain an Electron-compatible native binding and the Playwright Electron coverage will fail (currently hidden by continue-on-error). Please run the native rebuild/install step in the e2e job or avoid sharing this no-script install with Electron runtime tests.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Line 37: Replace mutable action tags like actions/checkout@v5 with their
corresponding immutable commit SHAs and add persist-credentials: false to
checkout steps that run in workflows with write-scoped permissions; specifically
update the checkout usages (the actions/checkout invocation shown and the other
same-tag occurrences) to pinned SHAs and ensure the checkout step includes
persist-credentials: false to prevent credential persistence when contents:
write is granted.
- Around line 37-40: The checkout step currently uses actions/checkout@v5 and
runs with workflow-level permissions: contents: write, but does not disable
persisted credentials; update the checkout step (uses: actions/checkout@v5) to
add the input persist-credentials: false so the default token is not written
into git config during the "Checkout tag" step.

In @.github/workflows/ci.yml:
- Line 22: Replace all mutable GitHub Action tags in the workflow (any "uses:"
entries that reference a major tag like `@v5/`@v6/@v4) with commit-pinned
references (full SHA) — e.g., locate entries such as "uses: actions/checkout@v5"
and other "uses: ..." lines and replace the tag with the exact commit SHA from
the action repository, verifying the correct commit on the action's GitHub
releases/commits page; ensure every occurrence (all actions referenced by "`@vX`")
is updated to a commit-pinned ref and test the workflow to confirm no breakage.

In @.github/workflows/codeql.yml:
- Line 23: The workflow uses mutable action tags (actions/checkout@v5 and
github/codeql-action/{init,autobuild,analyze}`@v4`); update
.github/workflows/codeql.yml to pin each action to a specific commit SHA instead
of the major/minor tag. Locate the uses entries for actions/checkout and
github/codeql-action/init, github/codeql-action/autobuild,
github/codeql-action/analyze and replace the `@v5/`@v4 references with the
corresponding full commit SHAs (from the action repositories) so all CodeQL runs
are deterministic and policy-compliant.

In @.github/workflows/deploy-api.yml:
- Line 32: The workflow uses floating tags like actions/checkout@v5,
pnpm/action-setup@v5 and actions/setup-node@v5 in both the deploy and test jobs;
replace each of those "uses: ...@v5" entries with the corresponding immutable
commit SHAs (pin the actions to specific SHAs) so the workflow is
deterministic—update both occurrences for actions/checkout, pnpm/action-setup,
and actions/setup-node where they appear (search for the exact strings
"actions/checkout@v5", "pnpm/action-setup@v5", and "actions/setup-node@v5" and
replace with their verified commit SHAs).

In @.github/workflows/docs.yml:
- Line 19: Replace the mutable workflow action tags with pinned commit SHAs for
the three uses in the workflow: actions/checkout@v5, pnpm/action-setup@v5, and
actions/setup-node@v5. Locate the occurrences of those action references in the
workflow and replace each `@v5` tag with the corresponding action's exact commit
SHA (obtained from the action's repository releases/commits) so the workflow
uses immutable references; do this for every instance of the three action
identifiers to eliminate the unpinned-uses supply-chain risk.

In @.github/workflows/pr-title.yml:
- Line 34: Replace mutable action version tags with their immutable commit SHAs:
find the three uses entries actions/checkout@v5, pnpm/action-setup@v5, and
actions/setup-node@v5 in the workflow and change each to the corresponding full
commit SHA (e.g., actions/checkout@<sha>) by looking up the latest stable commit
for the v5 release on each action's GitHub repo and updating the `uses:` values
so the workflow is pinned to those SHAs.

In @.github/workflows/release.yml:
- Around line 95-98: The current check treats a missing $expected as a benign
condition and exits 0; change this to fail the workflow so format drift can't
bypass the version guard: in the block that tests if [ -z "$expected" ]; replace
the warning/exit 0 with an error message (e.g. echo "::error::Could not extract
expected version from dry-run log; aborting bump check.") and exit 1 so the job
fails when $expected is empty, preserving the post-flight assertion; update the
same conditional in the release.yml workflow to fail-fast rather than continue.
- Line 21: The workflow uses mutable action tags (actions/checkout@v5,
pnpm/action-setup@v5, actions/setup-node@v5) and a verification step ('Verify
version bump applied') that treats failed version extraction as success; fix by
replacing those three mutable refs with their corresponding full commit SHAs
(pin to immutable SHAs for actions/checkout, pnpm/action-setup, and
actions/setup-node) and update the 'Verify version bump applied' step so that
when it cannot extract the expected version it exits with non-zero (exit 1)
instead of 0, ensuring the job fails on extraction errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c1b87ac4-02a6-4618-a0aa-48a8a3fb497f

📥 Commits

Reviewing files that changed from the base of the PR and between 46755ca and 57895f0.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (16)

• .github/workflows/build.yml
• .github/workflows/ci.yml
• .github/workflows/codeql.yml
• .github/workflows/deploy-api.yml
• .github/workflows/docs.yml
• .github/workflows/pr-title.yml
• .github/workflows/release.yml
• .prettierignore
• apps/desktop/package.json
• apps/desktop/src/main/services/encryptionService.ts
• package.json
• packages/mcp-server/package.json
• packages/mcp-server/tsconfig.build.json
• packages/mcp-server/tsconfig.json
• release.config.js
• scripts/bump-version.mjs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE" >&2
  exit 1
fi
nl -ba "$FILE" | sed -n '1,200p'

Repository: tomymaritano/readide

Length of output: 107

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/build.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE" >&2
  exit 1
fi

awk 'NR>=1 && NR<=160 { printf "%4d:%s\n", NR, $0 }' "$FILE" | sed -n '1,160p'

Repository: tomymaritano/readide

Length of output: 5529

---

Pin GitHub Actions to immutable SHAs and disable checkout credential persistence in write-scoped workflows.

        uses: actions/checkout@v5

• The workflow uses mutable @v5 tags (lines 37, 46, 52, 59, 110). Pin these actions to immutable commit SHAs.
• The checkout step does not set persist-credentials: false, while workflow permissions grant contents: write, increasing blast radius if a step is compromised.

Also applies to: 46-46, 52-52, 59-59, 110-110

🧰 Tools

🪛 zizmor (1.25.2)

[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 37, Replace mutable action tags like
actions/checkout@v5 with their corresponding immutable commit SHAs and add
persist-credentials: false to checkout steps that run in workflows with
write-scoped permissions; specifically update the checkout usages (the
actions/checkout invocation shown and the other same-tag occurrences) to pinned
SHAs and ensure the checkout step includes persist-credentials: false to prevent
credential persistence when contents: write is granted.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the workflow header + around the referenced lines
echo "=== build.yml (lines 1-120) ==="
nl -ba .github/workflows/build.yml | sed -n '1,120p'

# Focus on around line 37-40
echo
echo "=== build.yml (lines 25-60) ==="
nl -ba .github/workflows/build.yml | sed -n '25,60p'

# Check for permissions and persist-credentials usage
echo
echo "=== Search: contents: write ==="
rg -n "contents:\s*write" .github/workflows/build.yml || true

echo
echo "=== Search: persist-credentials ==="
rg -n "persist-credentials" .github/workflows/build.yml || true

Repository: tomymaritano/readide

Length of output: 157

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Fallback line-numbering without nl
awk_print_range() {
  local file="$1"
  local start="$2"
  local end="$3"
  awk -v s="$start" -v e="$end" '{ if (NR>=s && NR<=e) printf "%5d\t%s\n", NR, $0 }' "$file"
}

echo "=== build.yml (lines 1-120) ==="
awk_print_range .github/workflows/build.yml 1 120

echo
echo "=== build.yml (lines 25-60) ==="
awk_print_range .github/workflows/build.yml 25 60

echo
echo "=== Search: permissions.contents write ==="
rg -n "contents:\s*write" .github/workflows/build.yml || true

echo
echo "=== Search: persist-credentials ==="
rg -n "persist-credentials" .github/workflows/build.yml || true

Repository: tomymaritano/readide

Length of output: 5757

---

Disable persisted checkout credentials in this write-scoped workflow.
The workflow sets permissions: contents: write, but the actions/checkout@v5 step (“Checkout tag”) does not set persist-credentials: false, so checkout will persist the default token credentials into the git config. Add persist-credentials: false to that checkout step.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 36-40: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 37 - 40, The checkout step
currently uses actions/checkout@v5 and runs with workflow-level permissions:
contents: write, but does not disable persisted credentials; update the checkout
step (uses: actions/checkout@v5) to add the input persist-credentials: false so
the default token is not written into git config during the "Checkout tag" step.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect workflow file and relevant lines
FILE=".github/workflows/ci.yml"
echo "=== File: $FILE ==="
ls -l "$FILE" || true
echo

if [ -f "$FILE" ]; then
  # Print with line numbers around the referenced lines
  for L in 22 28 47 60 62 67 90 92 97 113 126 128 133 159 161 166 189 200 202 207 228 230 235; do
    echo "---- $FILE:$L ----"
    sed -n "$((L-2)),$((L+2))p" "$FILE" | nl -ba -w2 -s':'
    echo
  done

  # Show all uses: lines with their line numbers (avoid huge output by filtering)
  echo "=== All uses: entries (line-numbered) ==="
  rg -n '^\s*uses:\s*' "$FILE" || true

  # Collect any uses with `@v`* (mutable tags)
  echo
  echo "=== uses with `@v`* tags (line-numbered) ==="
  rg -n '^\s*uses:\s*[^#\n]+@v[0-9]+' "$FILE" || true

  # Collect uses with SHAs (pinned)
  echo
  echo "=== uses with commit SHA pinning (line-numbered) ==="
  rg -n '^\s*uses:\s*[^#\n]+@([0-9a-f]{7,40})\b' "$FILE" || true
fi

# Search repository for an existing guideline/policy about pinning actions
echo "=== Search for pinning policy mentions ==="
rg -n --hidden --glob '!.git/*' \
  -S 'pin(ned)? actions|unpinned uses|require.*pinned|github-actions.*pin|dependabot.*pin|supply chain.*actions' . \
  || true

Repository: tomymaritano/readide

Length of output: 278

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"
echo "=== File: $FILE ==="
ls -l "$FILE" || true
echo

if [ -f "$FILE" ]; then
  # Print with line numbers around specific lines
  for L in 22 28 47 60 62 67 90 92 97 113 126 128 133 159 161 166 189 200 202 207 228 230 235; do
    echo "---- $FILE:$L ----"
    start=$((L-2)); end=$((L+2))
    awk -v s="$start" -v e="$end" 'NR>=s && NR<=e {printf "%4d:%s\n", NR, $0}' "$FILE"
    echo
  done

  echo "=== All uses: entries (line-numbered) ==="
  awk '/^[[:space:]]*uses:[[:space:]]*/ {printf "%4d:%s\n", NR, $0}' "$FILE" || true

  echo
  echo "=== uses with `@v`* tags (line-numbered) ==="
  awk '/^[[:space:]]*uses:[[:space:]]*[^#]+@v[0-9]+/{printf "%4d:%s\n", NR, $0}' "$FILE" || true

  echo
  echo "=== uses with commit SHA pinning (line-numbered) ==="
  awk '/^[[:space:]]*uses:[[:space:]]*[^#]+@[0-9a-f]{7,40}\b/ {printf "%4d:%s\n", NR, $0}' "$FILE" || true
fi

echo
echo "=== Search for pinning policy mentions ==="
rg -n --hidden --glob '!.git/*' \
  -S 'pin(ned)? actions|unpinned uses|require.*pinned|github-actions.*pin|dependabot.*pin|supply chain.*actions' . \
  || true

Repository: tomymaritano/readide

Length of output: 6024

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"

echo "=== All uses: entries including '- uses:' (line-numbered) ==="
awk '/^[[:space:]]*-[[:space:]]*uses:[[:space:]]/ || /^[[:space:]]*uses:[[:space:]]/ {printf "%4d:%s\n", NR, $0}' "$FILE" || true

echo
echo "=== uses with `@v`* tags (line-numbered) ==="
awk '/^[[:space:]]*-[[:space:]]*uses:[[:space:]]/ || /^[[:space:]]*uses:[[:space:]]/ {
  if ($0 ~ /@v[0-9]+/) {printf "%4d:%s\n", NR, $0}
}' "$FILE" || true

echo
echo "=== Search for pinning policy mentions ==="
rg -n --hidden --glob '!.git/*' \
  -S 'pin(ned)? actions|unpinned uses|require.*pinned|github-actions.*pin|dependabot.*pin|supply chain.*actions' . \
  || true

Repository: tomymaritano/readide

Length of output: 2764

---

Replace mutable GitHub Action tags with commit-pinned uses: references in .github/workflows/ci.yml.

Unpinned uses: refs (@v5/@v6) are present at lines: 22, 25, 28, 47, 60, 61, 62, 67, 90, 91, 92, 97, 113, 126, 127, 128, 133, 159, 160, 161, 166, 189, 200, 201, 202, 207, 228, 229, 230, 235, 268.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 21-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 22, Replace all mutable GitHub Action tags
in the workflow (any "uses:" entries that reference a major tag like
`@v5/`@v6/@v4) with commit-pinned references (full SHA) — e.g., locate entries
such as "uses: actions/checkout@v5" and other "uses: ..." lines and replace the
tag with the exact commit SHA from the action repository, verifying the correct
commit on the action's GitHub releases/commits page; ensure every occurrence
(all actions referenced by "`@vX`") is updated to a commit-pinned ref and test the
workflow to confirm no breakage.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Pin all GitHub Actions in .github/workflows/codeql.yml to commit SHAs (avoid mutable major tags).

actions/checkout@v5 and github/codeql-action/{init,autobuild,analyze}@v4`` are referenced via mutable tags; pin them to specific commit SHAs to keep CodeQL runs deterministic and policy-compliant.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 23, The workflow uses mutable action
tags (actions/checkout@v5 and github/codeql-action/{init,autobuild,analyze}`@v4`);
update .github/workflows/codeql.yml to pin each action to a specific commit SHA
instead of the major/minor tag. Locate the uses entries for actions/checkout and
github/codeql-action/init, github/codeql-action/autobuild,
github/codeql-action/analyze and replace the `@v5/`@v4 references with the
corresponding full commit SHAs (from the action repositories) so all CodeQL runs
are deterministic and policy-compliant.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/deploy-api.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,120p'
echo "== Search for unpinned uses =="
rg -n "uses:\s*[^@]+@v" "$FILE" || true
echo "== Search for any uses not pinned to a SHA =="
# Rough heuristic: flags uses with tags like v5/v4/main/master, but allows full SHAs (40 hex) and includes
rg -n "uses:\s*[^@]+@(?![0-9a-f]{40,})(v[0-9]+|main|master|master|latest|head|refs)" "$FILE" || true

Repository: tomymaritano/readide

Length of output: 171

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/deploy-api.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi

echo "== File: $FILE =="
awk '{printf "%5d  %s\n", NR, $0}' "$FILE" | sed -n '1,160p'

echo "== Search for uses refs like actions/*`@v5` (non-SHA tags) =="
rg -n "uses:\s*actions/[^@]+@v[0-9]+" "$FILE" || true

echo "== Search for any uses not pinned to a full 40-hex SHA =="
# Allow full SHAs only; flag other ref forms (v*, main, master, latest, heads, etc.)
rg -n "uses:\s*[^@]+@(?![0-9a-f]{40}$)[^ \t]+" "$FILE" || true

Repository: tomymaritano/readide

Length of output: 3663

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/deploy-api.yml"

echo "== All uses: lines =="
rg -n "^\s*-\s+uses:" "$FILE" || true

echo "== uses not pinned to a 40-hex SHA (PCRE2) =="
rg --pcre2 -n "^\s*-\s+uses:\s*[^@]+@(?!(?:[0-9a-f]{40})$)[^\s]+" "$FILE" || true

echo "== uses pinned to 40-hex SHA (sanity check) =="
rg --pcre2 -n "^\s*-\s+uses:\s*[^@]+@[0-9a-f]{40}$" "$FILE" || true

Repository: tomymaritano/readide

Length of output: 635

---

Pin GitHub Actions in deploy-api workflow to immutable SHAs
Unpinned uses: ...@v5 references appear in both test and deploy jobs: actions/checkout@v5 (32, 59), pnpm/action-setup@v5 (34, 61), and actions/setup-node@v5 (36, 63). Replace each with the corresponding commit SHA.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 32-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-api.yml at line 32, The workflow uses floating tags
like actions/checkout@v5, pnpm/action-setup@v5 and actions/setup-node@v5 in both
the deploy and test jobs; replace each of those "uses: ...@v5" entries with the
corresponding immutable commit SHAs (pin the actions to specific SHAs) so the
workflow is deterministic—update both occurrences for actions/checkout,
pnpm/action-setup, and actions/setup-node where they appear (search for the
exact strings "actions/checkout@v5", "pnpm/action-setup@v5", and
"actions/setup-node@v5" and replace with their verified commit SHAs).

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/docs.yml"
echo "== File: $FILE =="
[ -f "$FILE" ] || { echo "Missing $FILE"; exit 1; }

echo "== Total lines =="
wc -l < "$FILE"

echo "== Lines 1-60 (with numbers) =="
nl -ba "$FILE" | sed -n '1,60p'

echo "== Lines 15-30 (with numbers) =="
nl -ba "$FILE" | sed -n '15,30p'

echo "== All uses: lines (with line numbers) =="
nl -ba "$FILE" | rg -n "^\s*[-]?\s*uses:\s*"
echo "== uses: refs only (no line numbers) =="
rg -n "uses:\s*" "$FILE"

Repository: tomymaritano/readide

Length of output: 218

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/docs.yml"
[ -f "$FILE" ] || { echo "Missing $FILE"; exit 1; }

echo "== Total lines =="
wc -l < "$FILE"

echo "== Lines 1-40 (cat -n) =="
cat -n "$FILE" | sed -n '1,40p'

echo "== Lines 16-28 (cat -n) =="
cat -n "$FILE" | sed -n '16,28p'

echo "== All uses: with line numbers =="
rg -n '^\s*uses:\s*' "$FILE" || true

echo "== Extract uses refs =="
rg '^\s*uses:\s*' "$FILE" | sed -E 's/^\s*uses:\s*//'

Repository: tomymaritano/readide

Length of output: 1945

---

Pin GitHub Actions to commit SHAs in .github/workflows/docs.yml (avoid mutable @v5 tags).
Lines 19, 21, and 23 still use actions/checkout@v5, pnpm/action-setup@v5, and actions/setup-node@v5; replace each with an exact SHA to address the unpinned-uses supply-chain risk.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 19-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml at line 19, Replace the mutable workflow action
tags with pinned commit SHAs for the three uses in the workflow:
actions/checkout@v5, pnpm/action-setup@v5, and actions/setup-node@v5. Locate the
occurrences of those action references in the workflow and replace each `@v5` tag
with the corresponding action's exact commit SHA (obtained from the action's
repository releases/commits) so the workflow uses immutable references; do this
for every instance of the three action identifiers to eliminate the
unpinned-uses supply-chain risk.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and print the relevant workflow with line numbers
FILE=".github/workflows/pr-title.yml"
if [ -f "$FILE" ]; then
  echo "=== $FILE (lines 1-120) ==="
  nl -ba "$FILE" | sed -n '1,120p'
else
  echo "File not found: $FILE" >&2
  exit 1
fi

echo "=== uses: entries in $FILE ==="
rg -n --fixed-string "uses:" "$FILE" || true

echo "=== Search repo for unpinned-uses policy text (if any) ==="
rg -n -S "unpinned-uses|pinned.*SHA|pin.*uses|actions/checkout@v" .github || true
rg -n -S "unpinned-uses|pinned.*SHA|pin.*uses" . || true

Repository: tomymaritano/readide

Length of output: 178

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/pr-title.yml"

echo "=== File existence ==="
ls -la "$FILE" || true

echo "=== pr-title.yml (lines 1-120) with line numbers ==="
if [ -f "$FILE" ]; then
  awk '{printf "%4d\t%s\n", NR, $0}' "$FILE" | sed -n '1,120p'
fi

echo "=== Exact 'uses:' lines in pr-title.yml (with line numbers) ==="
if [ -f "$FILE" ]; then
  rg -n "uses:" "$FILE" || true
fi

echo "=== Show context around lines 30-45 ==="
if [ -f "$FILE" ]; then
  awk 'NR>=25 && NR<=50 {printf "%4d\t%s\n", NR, $0}' "$FILE"
fi

echo "=== Repo search for existing unpinned/pin policy text ==="
rg -n -S "unpinned-uses|pin(ned)? uses|pinned.*SHA|actions/checkout@v[0-9]+|dependabot|security-hardening|SAST|policy.*uses" . || true

Repository: tomymaritano/readide

Length of output: 4238

---

Pin GitHub Actions in .github/workflows/pr-title.yml to immutable SHAs
This workflow uses mutable @v5 tags on lines 34, 38, and 40 (actions/checkout@v5, pnpm/action-setup@v5, actions/setup-node@v5). Pin each uses: to a full commit SHA (e.g., @<sha>) to avoid supply-chain changes.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 34-36: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-title.yml at line 34, Replace mutable action version
tags with their immutable commit SHAs: find the three uses entries
actions/checkout@v5, pnpm/action-setup@v5, and actions/setup-node@v5 in the
workflow and change each to the corresponding full commit SHA (e.g.,
actions/checkout@<sha>) by looking up the latest stable commit for the v5
release on each action's GitHub repo and updating the `uses:` values so the
workflow is pinned to those SHAs.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the workflow file with line numbers (small enough to inspect targeted ranges)
FILE=".github/workflows/release.yml"
echo "== $FILE =="
nl -ba "$FILE" | sed -n '1,140p'
echo

# Extract all action 'uses:' lines (for quick confirmation of tags/SHAs)
echo "== uses: lines =="
rg -n '^\s*uses:\s*actions\/' "$FILE" || true
echo

# Specifically show around line ~21 and ~30 (per original comment)
echo "== Context around uses near lines 15-40 =="
nl -ba "$FILE" | sed -n '10,50p'
echo

# Specifically show around the post-flight verification logic near lines 90-110
echo "== Context around verification near lines 85-110 =="
nl -ba "$FILE" | sed -n '80,115p'

Repository: tomymaritano/readide

Length of output: 161

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/release.yml"
echo "== $FILE =="
awk '{print NR "\t" $0}' "$FILE" | sed -n '1,160p'
echo

echo "== uses: actions/* lines =="
rg -n '^\s*uses:\s*actions\/' "$FILE" || true
echo

echo "== Context around lines 15-50 =="
awk '{print NR "\t" $0}' "$FILE" | sed -n '10,60p'
echo

echo "== Context around lines 85-120 =="
awk '{print NR "\t" $0}' "$FILE" | sed -n '75,130p'

Repository: tomymaritano/readide

Length of output: 9403

---

Pin GitHub Actions to immutable commit SHAs (and avoid fail-open version checks)

• .github/workflows/release.yml: actions/checkout@v5 (line 21), pnpm/action-setup@v5 (line 27), and actions/setup-node@v5 (line 30) are mutable tags—pin each to a full commit SHA.
• Verify version bump applied exits with 0 when it can’t extract the expected version (lines 95-98), allowing a potentially unverified release through—treat extraction failure as a hard error (exit 1).

Suggested hardening

-        uses: actions/checkout@v5
+        uses: actions/checkout@<full_commit_sha>
...
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@<full_commit_sha>

🧰 Tools

🪛 zizmor (1.25.2)

[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 21, The workflow uses mutable action
tags (actions/checkout@v5, pnpm/action-setup@v5, actions/setup-node@v5) and a
verification step ('Verify version bump applied') that treats failed version
extraction as success; fix by replacing those three mutable refs with their
corresponding full commit SHAs (pin to immutable SHAs for actions/checkout,
pnpm/action-setup, and actions/setup-node) and update the 'Verify version bump
applied' step so that when it cannot extract the expected version it exits with
non-zero (exit 1) instead of 0, ensuring the job fails on extraction errors.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Do not skip the version assertion when parsing fails.

This branch is fail-open (exit 0), so a log format drift can silently bypass the post-flight version guard.

Suggested fix

-          if [ -z "$expected" ]; then
-            echo "::warning::Could not extract expected version from dry-run log; skipping bump check."
-            exit 0
-          fi
+          if [ -z "$expected" ]; then
+            echo "::error::Could not extract expected version from dry-run log."
+            echo "::error::Failing closed to avoid shipping an unverified version bump."
+            exit 1
+          fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [ -z "$expected" ]; then
	echo "::warning::Could not extract expected version from dry-run log; skipping bump check."
	exit 0
	fi
	if [ -z "$expected" ]; then
	echo "::error::Could not extract expected version from dry-run log."
	echo "::error::Failing closed to avoid shipping an unverified version bump."
	exit 1
	fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 95 - 98, The current check treats
a missing $expected as a benign condition and exits 0; change this to fail the
workflow so format drift can't bypass the version guard: in the block that tests
if [ -z "$expected" ]; replace the warning/exit 0 with an error message (e.g.
echo "::error::Could not extract expected version from dry-run log; aborting
bump check.") and exit 1 so the job fails when $expected is empty, preserving
the post-flight assertion; update the same conditional in the release.yml
workflow to fail-fast rather than continue.