
Add release steps to GitHub Actions workflow #1

Merged: XeroHero merged 3 commits into main from XeroHero-ci-test on Mar 31, 2026

Conversation

@XeroHero (Owner) commented Mar 31, 2026

Added steps to publish a GitHub release and use an NPM release action.

Summary by CodeRabbit

  • Chores
    • Added an automated CI workflow that runs on push and pull-request events targeting the main branch.
    • Added automated release/publish steps to streamline deployment and release processes.

Added steps to publish a GitHub release and use an NPM release action.
@coderabbitai coderabbitai bot commented Mar 31, 2026

Warning

Rate limit exceeded

@XeroHero has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 10 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 10 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8e0ba5d1-0119-479e-a9b3-97edd2bdd440

📥 Commits

Reviewing files that changed from the base of the PR and between 7945e6f and 8657f3f.

📒 Files selected for processing (1)
  • .github/workflows/CI.tml
📝 Walkthrough

A new GitHub Actions workflow .github/workflows/blank.yml was added to run on pushes and pull requests to main; it checks out the repo, runs tobua/release-npm-action@v3.0.2 with tokens, then invokes LogicOverSnacks/actions-publish@v3 targeting xerohero/srctree-linux.

Changes

  • Cohort: GitHub Actions Workflow
    File(s): .github/workflows/blank.yml
    Summary: Added new CI workflow that triggers on push and pull_request to main. Steps: actions/checkout@v4, tobua/release-npm-action@v3.0.2 (uses NPM_TOKEN and ${{ github.token }}), then LogicOverSnacks/actions-publish@v3 with repo: xerohero/srctree-linux.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub (workflow)
    participant Runner as Actions Runner
    participant Checkout as actions/checkout@v4
    participant Release as tobua/release-npm-action@v3.0.2
    participant Publish as LogicOverSnacks/actions-publish@v3
    participant NPM as NPM Registry
    participant Target as xerohero/srctree-linux

    GH->>Runner: trigger on push / pull_request to main
    Runner->>Checkout: checkout repository
    Runner->>Release: run release action (NPM_TOKEN, github.token)
    Release->>NPM: publish package (authenticate with NPM_TOKEN)
    Runner->>Publish: run publish action (repo: xerohero/srctree-linux)
    Publish->>Target: create publish/release in target repo

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped into CI, paws light on the key,
Checkout, release, publish — a carrot-stacked spree,
Tokens snug in my pouch, I cheer and I twitch,
One workflow to rule them, one carrot to stitch! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately reflects the main change: adding release steps (NPM release action and publish action) to the GitHub Actions workflow file.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/blank.yml (1)

28-28: Avoid hardcoded repository identifier.

Line 28 hardcodes xerohero/srctree-linux. Use ${{ github.repository }} to keep forks/reuse working without edits.

Suggested fix
-          repo:  xerohero/srctree-linux
+          repo: ${{ github.repository }}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml at line 28, The workflow hardcodes the
repository identifier in the repo field (currently "xerohero/srctree-linux");
replace that hardcoded string with the reusable expression ${{ github.repository
}} so forks and other repos automatically point to the current repository
instead of requiring manual edits—update the repo entry where it currently
contains xerohero/srctree-linux.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/blank.yml:
- Around line 17-28: The workflow is missing install/build steps so release
actions may publish incomplete artifacts; add steps that run npm ci and npm run
build (using the repository's scripts.build) before the release actions (i.e.,
before tobua/release-npm-action@v3.0.2 and LogicOverSnacks/actions-publish@v3)
and ensure dist/ (packaged artifacts) exists after the build, optionally adding
a cache step for node_modules to speed CI.
- Around line 6-11: The workflow currently triggers on both push and
pull_request but the release steps run for both; update the release-related
steps (the job/steps using release-npm-action and the "Publish Github Release"
step) to only execute on push events by adding an event guard such as an if:
condition that checks github.event_name == 'push' (or move the guard to the
entire release job) so those release actions do not run for pull_request runs.
- Around line 18-27: The workflow uses mutable action tags (actions/checkout@v4,
tobua/release-npm-action@v3.0.2, LogicOverSnacks/actions-publish@v3); replace
each mutable ref with the corresponding full 40-character commit SHA (keeping
the original tag as a comment, e.g., "# v4") to pin the exact commit for
supply-chain safety, so update the uses lines for actions/checkout,
tobua/release-npm-action, and LogicOverSnacks/actions-publish to their full
commit SHAs after verifying the correct commit in each upstream repo.

---

Nitpick comments:
In @.github/workflows/blank.yml:
- Line 28: The workflow hardcodes the repository identifier in the repo field
(currently "xerohero/srctree-linux"); replace that hardcoded string with the
reusable expression ${{ github.repository }} so forks and other repos
automatically point to the current repository instead of requiring manual
edits—update the repo entry where it currently contains xerohero/srctree-linux.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d47a8f5-70ad-4a12-84d5-ddfad2a18720

📥 Commits

Reviewing files that changed from the base of the PR and between 30b0cc5 and 8e0b3ac.

📒 Files selected for processing (1)
  • .github/workflows/blank.yml

Comment on lines +6 to +11
on:
# Triggers the workflow on push or pull request events but only for the "main" branch
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
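Review bot: with both push and pull_request targeting main, the release steps later in this file run twice for the same change, once in the pull_request run and again on the merge push, and a pull_request run from a fork receives a read-only GITHUB_TOKEN and no repository secrets, so its publish attempt can only fail. Gate the release steps with if: github.event_name == 'push', or keep validation in one job and put the release steps in a separate job that carries the guard.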

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find and examine the workflow file
fd -t f "blank.yml" --path ".github/workflows/"

Repository: XeroHero/srctree-linux

Length of output: 299


🏁 Script executed:

# Find the workflow file
fd -t f "blank.yml" .github/workflows/

Repository: XeroHero/srctree-linux

Length of output: 93


🏁 Script executed:

# Read the workflow file with line numbers
cat -n .github/workflows/blank.yml

Repository: XeroHero/srctree-linux

Length of output: 932


Gate release/publish actions to push-only runs.

The workflow triggers on both push and pull_request events (lines 8-11), but the release-npm-action (line 20-23) and Publish Github Release (line 25-28) steps execute regardless of event type. This mixes validation and release responsibilities; PR events lack the necessary permissions and context for releases, causing failed runs and unintended publish attempts.

Add conditional guards to gate release actions to push events only:

Suggested fix
       - name: release-npm-action
+        if: github.event_name == 'push'
         uses: tobua/release-npm-action@v3.0.2

       - name: Publish Github Release
+        if: github.event_name == 'push'
         uses: LogicOverSnacks/actions-publish@v3
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml around lines 6 - 11, The workflow currently
triggers on both push and pull_request but the release steps run for both;
update the release-related steps (the job/steps using release-npm-action and the
"Publish Github Release" step) to only execute on push events by adding an event
guard such as an if: condition that checks github.event_name == 'push' (or move
the guard to the entire release job) so those release actions do not run for
pull_request runs.

Comment on lines +17 to +28
steps:
- uses: actions/checkout@v4

- name: release-npm-action
uses: tobua/release-npm-action@v3.0.2
with:
GITHUB_TOKEN: ${{ github.token }}

- name: Publish Github Release
uses: LogicOverSnacks/actions-publish@v3
with:
repo: xerohero/srctree-linux
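Review bot: the steps shown pass only GITHUB_TOKEN to tobua/release-npm-action; when NPM_TOKEN is added to this with: block it must be referenced as ${{ secrets.NPM_TOKEN }}, never as a literal value, because anything written here stays in git history even after a later commit removes it. No permissions: block appears in these lines, so the job runs with the repository's default token permissions; declare only what the two release steps need (for example contents: write at the job level) so the checkout and any build steps stay read-only.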

⚠️ Potential issue | 🟠 Major

Add install/build steps before release actions.

The workflow never runs npm ci / npm run build. From package.json (scripts.build in Lines 6-13 and packaged dist/**/* in Lines 28-44), release/publish can ship incomplete artifacts or fail when dist/ is missing.

Suggested fix
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Build artifacts
+        run: npm run build
 
       - name: release-npm-action
         uses: tobua/release-npm-action@v3.0.2
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
steps:
- uses: actions/checkout@v4
- name: release-npm-action
uses: tobua/release-npm-action@v3.0.2
with:
GITHUB_TOKEN: ${{ github.token }}
- name: Publish Github Release
uses: LogicOverSnacks/actions-publish@v3
with:
repo: xerohero/srctree-linux
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci
- name: Build artifacts
run: npm run build
- name: release-npm-action
uses: tobua/release-npm-action@v3.0.2
with:
GITHUB_TOKEN: ${{ github.token }}
- name: Publish Github Release
uses: LogicOverSnacks/actions-publish@v3
with:
repo: xerohero/srctree-linux
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml around lines 17 - 28, The workflow is missing
install/build steps so release actions may publish incomplete artifacts; add
steps that run npm ci and npm run build (using the repository's scripts.build)
before the release actions (i.e., before tobua/release-npm-action@v3.0.2 and
LogicOverSnacks/actions-publish@v3) and ensure dist/ (packaged artifacts) exists
after the build, optionally adding a cache step for node_modules to speed CI.

Comment on lines +18 to +27
- uses: actions/checkout@v4

- name: release-npm-action
uses: tobua/release-npm-action@v3.0.2
with:
GITHUB_TOKEN: ${{ github.token }}

- name: Publish Github Release
uses: LogicOverSnacks/actions-publish@v3
with:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find .github -name "blank.yml" -o -name "*.yml" | head -20

Repository: XeroHero/srctree-linux

Length of output: 93


🏁 Script executed:

cat -n .github/workflows/blank.yml

Repository: XeroHero/srctree-linux

Length of output: 932


🌐 Web query:

GitHub Actions pinning commit SHA security best practices 2024 2025

💡 Result:

GitHub Actions: commit-SHA pinning security best practices (2024–2025)

  • Pin every third‑party action to a full‑length commit SHA (40 hex chars), not a floating tag/branch (e.g., @v1, @main). This is GitHub’s recommended way to make an action reference immutable and reduce supply‑chain risk from tag retargeting or repo compromise. [1]

  • Keep the human-readable version as a comment next to the SHA (so reviews can see intent while execution stays immutable), e.g.:

    - uses: actions/checkout@<40-char-sha> # v4.2.2

    (The core point—pin to SHA for immutability—is explicitly recommended by GitHub. [1])

  • Continuously update pinned SHAs (treat them like dependencies). Pinning prevents silent updates; you must explicitly bump SHAs during maintenance (commonly via dependency tooling / PR checks). [1]

  • Enforce SHA pinning with governance controls (org/repo policy). GitHub added/enhanced policy support to help enforce SHA pinning (and also explicitly block actions/workflows) so you can mandate pinning rather than rely on convention. [2]

  • Use automated checks to prevent regressions. Add CI that fails PRs when a workflow uses non‑pinned actions (example: “Ensure SHA Pinned Actions”). [3]

  • Remember “pinned” isn’t always fully immutable in practice. Some actions can still change behavior via externally referenced components (e.g., downloaded binaries/images) even if the repo ref is pinned—so prefer actions that provide truly immutable release artifacts and review what the action executes. [4]

Sources

[1] GitHub Docs — Security hardening for GitHub Actions (section: “Pin actions to a full length commit SHA”).
[2] GitHub Changelog (2025‑08‑15) — Actions policy now supports blocking and SHA pinning actions.
[3] GitHub Marketplace — Ensure SHA Pinned Actions.
[4] GitHub Well‑Architected — Securing GitHub Actions Workflows (recommendation to pin to immutable refs; notes on residual mutability).


Pin third-party GitHub Actions to commit SHAs.

Lines 18, 21, and 26 use mutable tags (actions/checkout@v4, tobua/release-npm-action@v3.0.2, LogicOverSnacks/actions-publish@v3). For supply-chain safety, pin each to a full-length commit SHA with the version as a comment (e.g., actions/checkout@<40-char-sha> # v4). This prevents tag retargeting and repo compromise risks.

Suggested fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<40-char-sha> # v4
@@
-        uses: tobua/release-npm-action@v3.0.2
+        uses: tobua/release-npm-action@<40-char-sha> # v3.0.2
@@
-        uses: LogicOverSnacks/actions-publish@v3
+        uses: LogicOverSnacks/actions-publish@<40-char-sha> # v3
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml around lines 18 - 27, The workflow uses mutable
action tags (actions/checkout@v4, tobua/release-npm-action@v3.0.2,
LogicOverSnacks/actions-publish@v3); replace each mutable ref with the
corresponding full 40-character commit SHA (keeping the original tag as a
comment, e.g., "# v4") to pin the exact commit for supply-chain safety, so
update the uses lines for actions/checkout, tobua/release-npm-action, and
LogicOverSnacks/actions-publish to their full commit SHAs after verifying the
correct commit in each upstream repo.

Added NPM_TOKEN to release-npm-action step.
@gitguardian gitguardian bot commented Mar 31, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
  • GitGuardian id: 29399951 | GitGuardian status: Triggered | Secret: npm Token | Commit: 7945e6f | Filename: .github/workflows/blank.yml
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/blank.yml:
- Around line 20-24: The workflow currently hardcodes an NPM token in the
release-npm-action block (the NPM_TOKEN input value), which must be removed and
rotated: immediately revoke the exposed token on npmjs, create a new token and
save it as a GitHub Actions secret (e.g., NPM_TOKEN), then update the workflow
step that uses tobua/release-npm-action@v3.0.2 to remove the plaintext token and
reference the secret via ${{ secrets.NPM_TOKEN }} instead of the hardcoded
value; commit only the workflow change and avoid reintroducing secrets into
history (rotate the token and consider rewriting history if necessary).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4ea43a80-5a04-4d08-b1ec-3c3aea9a4be1

📥 Commits

Reviewing files that changed from the base of the PR and between 8e0b3ac and 7945e6f.

📒 Files selected for processing (1)
  • .github/workflows/blank.yml
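The three review findings above (action refs pinned to mutable tags, an NPM_TOKEN given as a literal value, and release steps that also run on pull_request) can be checked mechanically before a workflow is merged. The checker below is an added example, not CodeRabbit's, GitGuardian's or the project's own code; it runs over a constructed workflow shaped like this PR's (the token value is a placeholder, not a real credential) and reports each problem with its line number.

```python
import re
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+?)@(\S+)")
TOKEN_INPUT = re.compile(r"^\s*(\w*TOKEN\w*):\s*(.+?)\s*$")
SAFE_TOKEN = re.compile(r"^\$\{\{\s*(secrets\.\w+|github\.token)\s*\}\}$")

# Constructed sample shaped like the PR's workflow; the token value is a placeholder.
WEAK_WORKFLOW = """\
on: { push: { branches: [main] }, pull_request: { branches: [main] } }
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: tobua/release-npm-action@v3.0.2
        with:
          NPM_TOKEN: npm_PLACEHOLDER_NOT_A_REAL_TOKEN
          GITHUB_TOKEN: ${{ github.token }}
      - uses: LogicOverSnacks/actions-publish@v3
        with:
          repo: xerohero/srctree-linux
"""

def split_steps(lines):
    """Yield (line_no, step_lines) for each '- ' item under the first 'steps:'."""
    start = next((i for i, l in enumerate(lines) if l.strip() == "steps:"), len(lines))
    indent, first, current = None, None, []
    for i, line in enumerate(lines[start + 1:], start + 2):
        if not line.strip():
            continue
        lead = len(line) - len(line.lstrip())
        indent = lead if indent is None else indent
        if lead < indent:          # dedented past the list: steps are over
            break
        if lead == indent and line.lstrip().startswith("- "):
            if current:
                yield first, current
            first, current = i, []
        current.append(line)
    if current:
        yield first, current

def check_workflow(text):
    """One finding per problem: unpinned ref, literal token, unguarded release step."""
    lines = text.splitlines()
    triggers_pr = "pull_request:" in text
    findings = []
    for first, step in split_steps(lines):
        uses, guarded = None, False
        for n, line in enumerate(step, first):
            if m := USES.match(line):
                uses, ref = m.groups()
                if not re.fullmatch(r"[0-9a-f]{40}", ref):
                    findings.append(f"line {n}: {uses}@{ref} is not pinned to a commit SHA")
            if (t := TOKEN_INPUT.match(line)) and not SAFE_TOKEN.match(t.group(2)):
                findings.append(f"line {n}: {t.group(1)} is a literal; use secrets.{t.group(1)}")
            if re.match(r"^\s*-?\s*if:.*github\.event_name\s*==\s*'push'", line):
                guarded = True
        if triggers_pr and uses and re.search(r"release|publish", uses, re.I) and not guarded:
            findings.append(f"line {first}: {uses} also runs on pull_request; guard with if:")
    return findings
```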

@XeroHero (Owner, Author) commented:

/merge

@XeroHero XeroHero self-assigned this Mar 31, 2026
@XeroHero XeroHero added the enhancement New feature or request label Mar 31, 2026
@XeroHero XeroHero added this to the CI/CD milestone Mar 31, 2026
@XeroHero XeroHero merged commit e908480 into main Mar 31, 2026
1 check passed
@XeroHero XeroHero deleted the XeroHero-ci-test branch March 31, 2026 18:24