chore(refs): pin all @develop refs to v1.18.0 in workflows and v1.x.x in READMEs #160

Merged
bedatty merged 2 commits into develop from
chore/pin-refs-to-v1.18.0
Mar 20, 2026

@bedatty bedatty commented Mar 20, 2026

Lerian

GitHub Actions Shared Workflows


Description

Replaces all @develop references with pinned versions:

  • Reusable workflows (.github/workflows/): @develop → @v1.18.0
  • README usage examples (src/*/README.md): @develop → @v1.x.x (generic stable placeholder)
  • Exception: branch-cleanup and labels-sync READMEs that explicitly document @develop as a testing ref — left unchanged.

Type of Change

  • chore: Dependency bumps, config updates, maintenance

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Verified all existing inputs still work with default values
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: N/A — ref-only change, no behavioral difference.

Related Issues

Closes #

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions shared workflows to release tag v1.18.0 across automation pipelines for more stable, predictable runs.
    • Updated workflow examples and documentation to reference versioned release tags (v1.x.x) instead of the moving develop branch.

@bedatty bedatty requested a review from a team as a code owner March 20, 2026 18:14
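
A check for the kind of reference this PR changes, as an added example that is not part of the PR or the repository's own lint tooling: it scans workflow text for `uses:` references and reports any that are not an exact release tag or a full commit SHA. The repository name `example-org/shared-workflows`, the sample workflow and the function names are assumptions made for illustration.

```python
import re

# `uses:` values of the form owner/repo[/path]@ref; local ./paths carry no ref.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)")

def classify_ref(ref):
    """Classify the part after '@' in a uses: reference."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"          # full commit SHA: cannot be re-pointed
    if re.fullmatch(r"v\d+\.\d+\.\d+", ref):
        return "tag"          # exact release tag such as v1.18.0
    if re.fullmatch(r"v\d+\.x\.x", ref):
        return "placeholder"  # README stand-in, not a resolvable ref
    return "floating"         # branch (develop, main) or major tag (v4)

def audit(text, allow_placeholder=False):
    """Return (line_number, ref, kind) for every reference that is not pinned.

    allow_placeholder=True is for README snippets, where v1.x.x is accepted.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(2)
        kind = classify_ref(ref)
        if kind in ("sha", "tag") or (kind == "placeholder" and allow_placeholder):
            continue
        findings.append((lineno, ref, kind))
    return findings

# Constructed sample; example-org/shared-workflows is a hypothetical repository.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    uses: example-org/shared-workflows/.github/workflows/build.yml@develop
  release:
    uses: example-org/shared-workflows/.github/workflows/release.yml@v1.18.0
  notify:
    uses: example-org/shared-workflows/.github/workflows/release-notification.yml@v1.x.x
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/shared-workflows/src/security/trivy-fs-scan@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: @{ref} is a {kind} ref")
```
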

coderabbitai bot commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9f0d2880-3fc5-4349-b792-a67288b78d74

📥 Commits

Reviewing files that changed from the base of the PR and between b402a01 and 5e09efe.

📒 Files selected for processing (1)
  • .github/workflows/release-notification.yml

Walkthrough

Pinned shared GitHub Actions references from moving branches to fixed tags (mostly @v1.18.0 or @v1.x.x) across CI workflows and README examples; one workflow also fixed how it appends tag=$TAG to GITHUB_OUTPUT (added quoting).

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflows (version pins & minor fix): .github/workflows/branch-cleanup.yml, .github/workflows/build.yml, .github/workflows/gptchangelog.yml, .github/workflows/labels-sync.yml, .github/workflows/pr-security-scan.yml, .github/workflows/release-notification.yml, .github/workflows/release.yml, .github/workflows/typescript-build.yml, .github/workflows/typescript-release.yml | Replaced uses: references that pointed at @develop with pinned tags (@v1.18.0) for shared reusable workflows. In release-notification.yml additionally changed how tag=$TAG is appended to GITHUB_OUTPUT (quoted). No other step inputs/conditions/outputs altered. |
| Documentation examples: src/lint/composite-schema/README.md, src/lint/readme-check/README.md, src/lint/shellcheck/README.md, src/notify/discord-release/README.md, src/notify/pr-lint-reporter/README.md, src/notify/slack-notify/README.md, src/notify/slack-release/README.md, src/security/dockerfile-checks/README.md, src/security/pr-security-reporter/README.md, src/security/trivy-fs-scan/README.md, src/security/trivy-image-scan/README.md | Updated README workflow usage snippets to reference versioned tags (e.g., @v1.x.x) instead of @develop. Examples only; inputs and examples unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title clearly and specifically describes the main change: pinning all @develop references to v1.18.0 in workflows and v1.x.x in READMEs. |
| Description check | ✅ Passed | Description covers the key changes, type of change (chore), testing validation, and breaking changes status. Related Issues field is incomplete but other critical sections are present and substantive. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@github-actions github-actions bot added workflow Changes to one or more reusable workflow files typescript Changes to TypeScript or Frontend workflows security Changes to security workflows or vulnerability reporting policy labels Mar 20, 2026
@lerian-studio lerian-studio added the size/S PR changes 50–199 lines label Mar 20, 2026

lerian-studio commented Mar 20, 2026

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 9 file(s) | ✅ success |
| Action Lint | 9 file(s) | ✅ success |
| Pinned Actions | 9 file(s) | ✅ success |
| Markdown Link Check | 11 file(s) | ✅ success |
| Spelling Check | 20 file(s) | ✅ success |
| Shell Check | 9 file(s) | ✅ success |
| README Check | 9 file(s) | ✅ success |
| Composite Schema | no changes | ⏭️ skipped |


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release-notification.yml (1)

130-141: ⚠️ Potential issue | 🟠 Major

Quote $GITHUB_OUTPUT in redirection target at line 141.

The unquoted variable expansion triggers shellcheck SC2086 and blocks PR validation. Word-splitting can occur if the variable contains whitespace or special characters.

Fix
-          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
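
Review bot: On the `+` line, `$TAG` still goes into the output file unchecked: quoting `"$GITHUB_OUTPUT"` fixes SC2086 for the redirection target, but a `TAG` value containing a newline would append extra `name=value` lines to the step outputs. The hunk does not show how `TAG` is resolved, so if it can carry caller-supplied text, validate it against the expected tag format before this line and fail the step when it does not match.
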
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-notification.yml around lines 130 - 141, The
redirection target $GITHUB_OUTPUT should be quoted to avoid word-splitting
(ShellCheck SC2086); update the final echo that writes the output variable (the
line using echo "tag=$TAG" >> $GITHUB_OUTPUT) to quote the expansion (use ">>
\"$GITHUB_OUTPUT\"" or equivalent) so the redirection is safe when GITHUB_OUTPUT
contains spaces or special characters; ensure the change is applied in the block
that resolves TAG and writes the output.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7756a680-b250-4839-a48f-3b8bbb911e06

📥 Commits

Reviewing files that changed from the base of the PR and between de3055c and b402a01.

📒 Files selected for processing (20)
  • .github/workflows/branch-cleanup.yml
  • .github/workflows/build.yml
  • .github/workflows/gptchangelog.yml
  • .github/workflows/labels-sync.yml
  • .github/workflows/pr-security-scan.yml
  • .github/workflows/release-notification.yml
  • .github/workflows/release.yml
  • .github/workflows/typescript-build.yml
  • .github/workflows/typescript-release.yml
  • src/lint/composite-schema/README.md
  • src/lint/readme-check/README.md
  • src/lint/shellcheck/README.md
  • src/notify/discord-release/README.md
  • src/notify/pr-lint-reporter/README.md
  • src/notify/slack-notify/README.md
  • src/notify/slack-release/README.md
  • src/security/dockerfile-checks/README.md
  • src/security/pr-security-reporter/README.md
  • src/security/trivy-fs-scan/README.md
  • src/security/trivy-image-scan/README.md

@lerian-studio lerian-studio added size/S PR changes 50–199 lines and removed size/S PR changes 50–199 lines labels Mar 20, 2026
@bedatty bedatty self-assigned this Mar 20, 2026
@bedatty bedatty merged commit 557bc9a into develop Mar 20, 2026
22 checks passed
@github-actions github-actions bot deleted the chore/pin-refs-to-v1.18.0 branch March 20, 2026 18:32
bedatty added a commit that referenced this pull request Mar 20, 2026
* chore(deps): bump aws-actions/configure-aws-credentials in the aws group

Bumps the aws group with 1 update: [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials).


Updates `aws-actions/configure-aws-credentials` from 4 to 6
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](aws-actions/configure-aws-credentials@v4...v6)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: aws
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(refs): pin all @develop refs to v1.18.0 in workflows and v1.x.x in READMEs (#160)

* chore(refs): pin all @develop refs to v1.18.0 in workflows and v1.x.x in README examples

* fix(lint): quote GITHUB_OUTPUT in release-notification SC2086

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>