
ci: fix workflow YAML syntax errors blocking CI on main#68

Open
KooshaPari wants to merge 1 commit into
mainfrom
fix/ci-green

Conversation

@KooshaPari KooshaPari commented Jun 24, 2026

Owner

User description

ci: fix workflow YAML syntax errors blocking CI on main

Root cause

Seven workflow files in .github/workflows/ contained invalid YAML that GitHub
Actions could not parse, so every push and pull_request failed before any
job could run. GitHub surfaces this as:

This run likely failed because of a workflow file issue.

Two distinct defects were present, often in the same file.

1. actions/checkout SHA pins were written without the @ separator

# before (broken)
- uses: actions/checkout11bd71901bbe5b1630ceea73d27597364c9af683 # v4

# after
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

The SHA itself (11bd71901bbe5b1630ceea73d27597364c9af683) is a valid
actions/checkout@v4 commit pin and was preserved verbatim; only the missing
@ was added.

2. Several files declared the on: key twice — once at the top in inline
or block form, and again later in the body. YAML's last-write-wins semantics
hides this from most parsers, but GitHub Actions rejects workflows with
duplicate top-level keys. The two declarations were merged into a single block
that preserves the union of triggers (workflow_dispatch, push to main,
pull_request, and any scheduled cron entries where present).

3. scorecard.yml additionally had a duplicate permissions: top-level key
(the second instance was an overbroad read-all scope, which would grant
all read scopes including packages, pages, discussions, etc.).
Replaced with the explicit least-privilege scopes the analysis job needs
(contents: read, actions: read, security-events: write,
id-token: write), matching the job-level permissions: block.

Files changed

File                                      | Change
.github/workflows/cargo-audit.yml         | duplicate on: merged
.github/workflows/cargo-machete.yml       | added @ to checkout pin
.github/workflows/cargo-semver-checks.yml | added @ to checkout pin
.github/workflows/doc-links.yml           | duplicate on: merged + @ added
.github/workflows/fr-coverage.yml         | duplicate on: merged + @ added
.github/workflows/quality-gate.yml        | duplicate on: merged + @ added
.github/workflows/scorecard.yml           | duplicate permissions: fixed + @ added

7 files changed, 18 insertions(+), 22 deletions(-) — net smaller.

Local checks (all green)

Check                                                    | Result
Strict YAML load (no duplicate top-level keys)           | 13/13 PASS
actions/checkout pins resolve to v4 SHA                  | PASS
cargo fmt --all -- --check                               | PASS (only pre-existing nightly-feature warnings)
cargo clippy --all-targets --all-features -- -D warnings | PASS (zero warnings)
cargo test --workspace                                   | PASS (44/44 tests, 0 failed)
cargo build --release                                    | PASS
cargo deny check                                         | PASS (advisories/bans/licenses/sources all OK)
cargo audit --no-fetch                                   | PASS (1138 advisories scanned, 0 vulnerabilities)

Scope

This PR is intentionally narrow: it does not delete any files, does not
reformat unrelated YAML, and does not touch Cargo.toml, application source,
or any pre-existing tag-pinned actions in release-attestation.yml /
trufflehog.yml (those don't run on push/pull_request to main).

The Journey Gate workflow failure on main is a separate, pre-existing issue
unrelated to this fix — it requires the external phenotype-journey tool
which is not available in the CI environment. That is out of scope here.


CodeAnt-AI Description

Fix workflow syntax so CI runs again on pushes and pull requests

What Changed

  • Fixed several workflow files so GitHub Actions can parse them and start jobs instead of failing before the run begins
  • Restored the intended triggers for key checks, including push, pull request, schedule, and manual runs where applicable
  • Corrected checkout steps so the pinned action version is recognized by GitHub Actions
  • Tightened Scorecard access to the specific read/write permissions it needs instead of broad read-all access

Impact

✅ CI runs on main and pull requests again
✅ Fewer workflow parse failures
✅ Cleaner security scan permissions


Root cause: 7 workflow files in .github/workflows/ contained invalid YAML
that GitHub Actions could not parse, causing every push and pull_request
to fail before any job could run. GitHub surfaces this as:

    This run likely failed because of a workflow file issue.

Two distinct defects were present, often in the same file:

1. actions/checkout SHA pins were written without the '@' separator,
   e.g. 'actions/checkout11bd71901bbe5b1630ceea73d27597364c9af683'
   instead of 'actions/checkout@<sha>'. The SHA itself (which is a valid
   v4 commit pin) was preserved verbatim; only the missing '@' was added.

2. Several files declared the 'on:' key twice (once at the top in inline
   or block form, and again later in the body). YAML's last-write-wins
   semantics hides this from most parsers, but GitHub Actions rejects
   workflows with duplicate top-level keys. The two declarations were
   merged into a single block that preserves the union of triggers.

scorecard.yml additionally had a duplicate 'permissions:' top-level
key (the second instance was an overbroad 'read-all'). This was
replaced with the explicit least-privilege scopes the analysis job
needs (contents: read, actions: read, security-events: write,
id-token: write), matching the job-level permissions block.

Files changed:
  .github/workflows/cargo-audit.yml         (duplicate 'on:' merged)
  .github/workflows/cargo-machete.yml       (added '@' to checkout)
  .github/workflows/cargo-semver-checks.yml (added '@' to checkout)
  .github/workflows/doc-links.yml           (duplicate 'on:' merged + '@')
  .github/workflows/fr-coverage.yml         (duplicate 'on:' merged + '@')
  .github/workflows/quality-gate.yml        (duplicate 'on:' merged + '@')
  .github/workflows/scorecard.yml           (duplicate 'permissions:' fixed + '@')

Verified locally with strict YAML loader (no duplicate top-level keys),
all actions/checkout pins resolve to v4, cargo fmt/clippy/test/build
all pass with zero warnings, cargo deny and cargo audit report no issues.
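The three defects the PR describes (a pin missing its '@', a duplicate top-level key that a normal YAML loader silently collapses, and an overbroad workflow-level 'permissions:') can all be caught before a push. The following is an added example written for this review, not code from the PR, the repository or any tool it uses: a stdlib-only Python lint that scans the workflow text line by line so duplicate top-level keys are reported instead of being merged last-write-wins. The two sample documents BROKEN and FIXED, the 'ossf/scorecard-action@v2' reference and the job name in them are constructed for illustration; FIXED puts the write scopes at job level, the form zizmor's excessive-permissions finding later in this thread asks for. The matching is a heuristic over block-style YAML with keys at column 0, not a YAML parser.

```python
"""Stdlib-only, line-oriented lint for the workflow defects in this PR.
A standard YAML loader collapses duplicate keys (last write wins), which is
what hid the duplicate 'on:'; heuristic only (block-style YAML, keys at column 0,
no quoted keys or multi-line flow mappings). Added example, not project code.
"""
from __future__ import annotations
import re

_TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")       # mapping key at column 0
_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # value of a 'uses:' step
_TAGGED = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]+)?@\S+$")          # owner/repo[/path]@ref
_PINNED = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]+)?@[0-9a-f]{40}$")  # ...@<full commit SHA>


def top_level_keys(text: str) -> list[str]:
    """Column-0 mapping keys in document order, repeats included."""
    return [m.group(1) for line in text.splitlines() if (m := _TOP_KEY.match(line))]


def duplicate_top_level_keys(text: str) -> list[str]:
    """Keys declared more than once at the top level; GitHub Actions rejects these."""
    keys = top_level_keys(text)
    return sorted({k for k in keys if keys.count(k) > 1}, key=keys.index)


def _uses_refs(text: str) -> list[str]:
    return [m.group(1) for line in text.splitlines() if (m := _USES.match(line))]


def malformed_uses(text: str) -> list[str]:
    """Remote action references with no '@ref' at all, e.g. actions/checkout<sha>."""
    return [r for r in _uses_refs(text)
            if not r.startswith(("./", "docker://")) and not _TAGGED.match(r)]


def unpinned_uses(text: str) -> list[str]:
    """Well-formed references whose ref is a mutable tag or branch, not a 40-hex SHA."""
    return [r for r in _uses_refs(text) if _TAGGED.match(r) and not _PINNED.match(r)]


def workflow_level_write_scopes(text: str) -> list[str]:
    """Write scopes (or read-all/write-all) in a top-level permissions: block.
    Job-level blocks are indented and deliberately ignored."""
    found, in_block = [], False
    for line in text.splitlines():
        if line.startswith("permissions:"):               # column 0: workflow level
            in_block = True
            shorthand = line.split(":", 1)[1].split("#", 1)[0].strip()
            if shorthand in ("read-all", "write-all"):
                found.append(shorthand)
        elif in_block and line and not line[0].isspace():
            in_block = False                               # next top-level key closes it
        elif in_block and (m := re.match(r"^\s+([\w-]+):\s*write\b", line)):
            found.append(m.group(1))
    return found


# Constructed sample: 'on:' and 'permissions:' each twice, a pin missing '@', trailing read-all.
BROKEN = """\
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - uses: ossf/scorecard-action@v2
on:
  pull_request:
permissions: read-all
"""

# Constructed corrected form: one 'on:' with the union of triggers, '@' restored, writes at job level.
FIXED = """\
on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write  # upload SARIF
      id-token: write         # OIDC for publishing results
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ossf/scorecard-action@v2
"""
```

Run the four checks over every file in .github/workflows/ in a pre-commit hook or a lightweight CI job; GitHub only reports "workflow file issue" after the push, and the lint catches the same parse failures plus the tag-pinned references a full-SHA policy would want fixed.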




coderabbitai Bot commented Jun 24, 2026


📝 Walkthrough

Summary

This PR fixes critical YAML syntax errors in seven GitHub Actions workflow files (.github/workflows/) that prevented CI from parsing and executing any workflows on push or pull_request events. All modified files now pass strict YAML validation with no duplicate top-level keys.

Changes Overview

Files Modified (7 total):

  • cargo-audit.yml — Merged duplicate on: keys
  • cargo-machete.yml — Added missing @ separator to actions/checkout pin
  • cargo-semver-checks.yml — Added missing @ separator to actions/checkout pin
  • doc-links.yml — Merged duplicate on: keys + added @ separator
  • fr-coverage.yml — Merged duplicate on: keys + added @ separator
  • quality-gate.yml — Merged duplicate on: keys + added @ separator
  • scorecard.yml — Replaced overbroad read-all permission with explicit least-privilege scopes (contents: read, actions: read, security-events: write, id-token: write) + added @ separator

Net Changes: +18 insertions, -22 deletions

Defects Fixed

  1. Missing @ separators in action pins: Actions/checkout references were malformed (e.g., actions/checkout11bd7190... instead of actions/checkout@11bd7190...). The SHA pins themselves (valid v4 commit hashes) were preserved; only the @ character was added.

  2. Duplicate on: top-level keys: Multiple files declared the on: trigger key twice. While most YAML parsers accept this (last-write-wins), GitHub Actions explicitly rejects duplicate top-level keys. Declarations were merged into single blocks preserving all triggers.

  3. Overbroad permissions in scorecard.yml: A second permissions: block with read-all was replaced with explicit scopes matching the job-level permissions, applying least-privilege principles.

Verification

✓ All 13 workflow files pass strict YAML validation
✓ No duplicate top-level keys present
✓ All actions/checkout pins resolve to v4
✓ Commit message confirms: cargo fmt/clippy/test/build all pass with zero warnings
✓ cargo deny and cargo audit report no issues

Assessment

This is a low-risk, high-impact fix addressing blocking CI failures. The changes are purely syntactic corrections with no functional logic modifications. No Rust code is affected.

Recommendation: Approve — This PR should merge without further changes.

Walkthrough

Six GitHub Actions workflow files receive two categories of fixes: malformed actions/checkout step references (missing the @ before the pinned SHA) are corrected, and trigger blocks are expanded from shorthand to explicit form with workflow_dispatch added. The scorecard.yml workflow additionally replaces broad read-all permissions with explicit per-capability grants.

Changes

CI Workflow Trigger and Action Reference Fixes

Layer / File(s) | Summary

Trigger and concurrency consolidation
  Files: .github/workflows/cargo-audit.yml, .github/workflows/doc-links.yml, .github/workflows/fr-coverage.yml, .github/workflows/quality-gate.yml
  Summary: Rewrites on: blocks from shorthand or fragmented forms to explicit mappings, adds workflow_dispatch to doc-links, fr-coverage, and quality-gate, and repositions concurrency settings in cargo-audit to follow the completed trigger block.

Checkout action reference fixes and scorecard permissions
  Files: .github/workflows/cargo-machete.yml, .github/workflows/cargo-semver-checks.yml, .github/workflows/doc-links.yml, .github/workflows/fr-coverage.yml, .github/workflows/quality-gate.yml, .github/workflows/scorecard.yml
  Summary: Corrects malformed actions/checkout references (missing @ before pinned SHA) across all affected workflows. Replaces scorecard.yml's broad read-all permission with explicit actions: read, security-events: write, and id-token: write.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ci: fix workflow YAML syntax errors blocking CI on main' directly and clearly describes the main change: fixing YAML syntax errors in workflow files that were preventing CI from running.
Description check ✅ Passed The description provides detailed explanation of the root causes, lists all affected files with specific changes, and includes verification of local checks, directly addressing the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@sonarqubecloud


❌ The last analysis has failed.

See analysis details on SonarQube Cloud

@codeant-ai codeant-ai Bot added the size:S This PR changes 10-29 lines, ignoring generated files label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/doc-links.yml:
- Line 17: In the `.github/workflows/doc-links.yml` file, replace the commit SHA
in the `actions/checkout` action with a proper version tag. Change the action
reference from `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` to
either `actions/checkout@v4` (for the major version tag) or
`actions/checkout@v4.2.2` (for the specific version tag). This improves
maintainability and makes it easier to track version updates, as GitHub
recommends using version tags instead of commit SHAs.

In @.github/workflows/scorecard.yml:
- Around line 14-16: The workflow-level permissions in the scorecard.yml file
currently include write permissions (security-events: write and id-token: write)
which should be restricted per security best practices. Remove these two write
permissions from the workflow-level permissions section and move them to the
job-level permissions block instead. Keep the workflow-level permissions
restricted to read-only access (contents: read and actions: read) following the
principle of least privilege, and grant the write permissions only where
specifically needed at the job level in the scorecard job definition.


📥 Commits

Reviewing files that changed from the base of the PR and between e12339a and 691ac81.

📒 Files selected for processing (7)
  • .github/workflows/cargo-audit.yml
  • .github/workflows/cargo-machete.yml
  • .github/workflows/cargo-semver-checks.yml
  • .github/workflows/doc-links.yml
  • .github/workflows/fr-coverage.yml
  • .github/workflows/quality-gate.yml
  • .github/workflows/scorecard.yml
📜 Review details
⏰ Context from checks skipped due to timeout. (4)
  • GitHub Check: Analyze Rust
  • GitHub Check: Cargo Audit
  • GitHub Check: Analyze (rust)
  • GitHub Check: semgrep-cloud-platform/scan
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/cargo-semver-checks.yml

[warning] 19-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

.github/workflows/cargo-machete.yml

[warning] 24-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

.github/workflows/doc-links.yml

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[info] 14-14: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

.github/workflows/fr-coverage.yml

[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[info] 13-13: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

.github/workflows/scorecard.yml

[warning] 15-15: overly broad permissions (excessive-permissions): security-events: write is overly broad at the workflow level

(excessive-permissions)


[error] 16-16: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)


[warning] 14-14: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

.github/workflows/quality-gate.yml

[warning] 18-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[info] 14-14: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🔇 Additional comments (9)
.github/workflows/cargo-audit.yml (1)

12-15: LGTM!

.github/workflows/doc-links.yml (1)

4-13: LGTM!

.github/workflows/fr-coverage.yml (2)

4-12: LGTM!


16-16: LGTM!

.github/workflows/quality-gate.yml (2)

4-12: LGTM!


18-18: LGTM!

.github/workflows/cargo-machete.yml (1)

24-24: LGTM!

.github/workflows/cargo-semver-checks.yml (1)

19-19: LGTM!

.github/workflows/scorecard.yml (1)

29-29: LGTM!

runs-on: ubuntu-latest
steps:
- uses: actions/checkout11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
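Review bot: the restored '@' on the second line is the right fix and the full 40-hex SHA should stay as it is; the inline comment further down that asks to swap it for 'actions/checkout@v4' or '@v4.2.2' would trade an immutable pin for a tag the upstream maintainers can move to different code, and the trailing '# v4' comment already tells a human which version the SHA corresponds to. While the line is being touched, the step still has no 'with: persist-credentials: false', which zizmor flags on this line as artipacked: the default keeps GITHUB_TOKEN in .git/config for the rest of the job, where later steps or an uploaded artifact can read it.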


🎯 Functional Correctness | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the checkout action SHA pin is valid for v4

gh api repos/actions/checkout/commits/11bd71901bbe5b1630ceea73d27597364c9af683 --jq '.sha, .commit.message' 2>/dev/null || echo "SHA verification requires network access"

# Check if this commit is on the v4 branch/tag
gh api repos/actions/checkout/commits/11bd71901bbe5b1630ceea73d27597364c9af683/branches-where-head --jq '.[].name' 2>/dev/null || echo "Branch check requires network access"

Repository: KooshaPari/rich-cli-kit



🌐 Web query:

actions/checkout v4 tag SHA 11bd71901bbe5b1630ceea73d27597364c9af683 github release

💡 Result:

The SHA 11bd71901bbe5b1630ceea73d27597364c9af683 corresponds to the release of version v4.2.2 of the actions/checkout GitHub action [1][2]. This commit, titled "Prepare 4.2.2 Release" (#1953), was merged on October 23, 2024 [1][2]. Key changes included in this version: - The url-helper.ts file was updated to leverage well-known environment variables [1][2]. - Unit test coverage for isGhes was expanded [1][2]. You can reference this specific release or commit in your workflow configuration if needed, although it is generally recommended to use the tagged version (e.g., actions/checkout@v4.2.2) or the major version tag (e.g., actions/checkout@v4) for stability and security [3][4].



Checkout action format is valid but consider using version tags instead of commit SHAs.

The @ separator is correct, making actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 syntactically valid. However, this SHA corresponds to v4.2.2, not the generic v4 tag. While pinning to a specific commit is secure, GitHub recommends using major version tags (v4) or specific version tags (v4.2.2) for better maintainability and easier tracking of updates.


Comment on lines +14 to +16
actions: read
security-events: write
id-token: write
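Review bot: 'security-events: write' and 'id-token: write' on lines 15-16 sit in the workflow-level permissions: block, so every job in this file that does not declare its own block inherits both write scopes; the PR description says this block mirrors the job-level permissions:, so the workflow level can drop to 'contents: read' (plus 'actions: read' if anything outside the job needs it) and the two write scopes can live only in the analysis job, which is what zizmor's excessive-permissions findings on these lines ask for. A short comment per scope would also clear the undocumented-permissions warning on line 14.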


🗄️ Data Integrity & Integration | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the complete workflow-level permissions block in scorecard.yml

echo "=== Workflow-level permissions block ==="
sed -n '/^permissions:/,/^[a-z]/p' .github/workflows/scorecard.yml | head -n -1

echo -e "\n=== Checking for contents: read ==="
rg -n "^\s+contents:\s+read" .github/workflows/scorecard.yml | head -5

Repository: KooshaPari/rich-cli-kit



Move security-events: write and id-token: write to job-level permissions instead of workflow level.

The workflow-level permissions currently include contents: read, actions: read, security-events: write, and id-token: write. Per GitHub Actions security best practices and the pattern demonstrated in crates/klipdot/.github/workflows/scorecard.yml, workflow-level permissions should be restricted to read-only (or use read-all). Grant specific write permissions only at the job level to follow the principle of least privilege.


Source: Linters/SAST tools
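Taken together, the zizmor findings in this review point at one shape of workflow. The following is an added example written for this review, not the repository's scorecard.yml: read-only permissions at workflow level with the two write scopes granted and commented at job level (excessive-permissions, undocumented-permissions), a name on the job and on the step (anonymous-definition), and persist-credentials: false on the checkout (artipacked). The workflow name, cron schedule, job and step names are assumptions; the checkout SHA is the one from the PR and the '# v4.2.2' comment follows the version the review above resolved it to. The Scorecard run and SARIF upload steps are not shown on this page, so they are not reproduced here.

```yaml
name: Scorecard supply-chain security   # assumed workflow name

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "30 1 * * 6"   # assumed; keep whatever cron the file already has
  workflow_dispatch:

# Workflow level: read-only. Any job without its own permissions: block
# inherits only this, so a compromised step elsewhere gets no write token.
permissions:
  contents: read

jobs:
  analysis:
    name: Scorecard analysis           # assumed; clears anonymous-definition
    runs-on: ubuntu-latest
    # Job level: exactly the scopes this job uses, each with its reason,
    # which is what zizmor's undocumented-permissions check looks for.
    permissions:
      contents: read          # clone the repository
      actions: read           # read workflow run metadata
      security-events: write  # upload SARIF to code scanning
      id-token: write         # OIDC token so results can be published
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Default is true, which leaves GITHUB_TOKEN in .git/config where
          # later steps or uploaded artifacts can read it (artipacked).
          persist-credentials: false
      # Scorecard run and SARIF upload steps follow here; they are not shown
      # on this page and are deliberately not reproduced in this example.
```

Because the job declares its own permissions: block, it does not inherit the workflow-level one at all, so contents: read has to be repeated at job level for the checkout to work; that repetition is the price of keeping the workflow level read-only.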



1 participant