30 changes: 30 additions & 0 deletions .github/workflows/CI.tml
@@ -0,0 +1,30 @@
# This is a basic workflow to help you get started with Actions

name: CI

# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the "main" branch
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
Comment on lines +6 to +11
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find and examine the workflow file
fd -t f "blank.yml" --path ".github/workflows/"

Repository: XeroHero/srctree-linux

Length of output: 299


🏁 Script executed:

# Find the workflow file
fd -t f "blank.yml" .github/workflows/

Repository: XeroHero/srctree-linux

Length of output: 93


🏁 Script executed:

# Read the workflow file with line numbers
cat -n .github/workflows/blank.yml

Repository: XeroHero/srctree-linux

Length of output: 932


Gate release/publish actions to push-only runs.

The workflow triggers on both push and pull_request events (lines 8-11), but the release-npm-action (lines 20-23) and Publish Github Release (lines 25-28) steps execute regardless of event type. This mixes validation and release responsibilities; PR events lack the necessary permissions and context for releases, causing failed runs and unintended publish attempts.

Add conditional guards to gate release actions to push events only:

Suggested fix
       - name: release-npm-action
+        if: github.event_name == 'push'
         uses: tobua/release-npm-action@v3.0.2

       - name: Publish Github Release
+        if: github.event_name == 'push'
         uses: LogicOverSnacks/actions-publish@v3
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml around lines 6 - 11, The workflow currently
triggers on both push and pull_request but the release steps run for both;
update the release-related steps (the job/steps using release-npm-action and the
"Publish Github Release" step) to only execute on push events by adding an event
guard such as an if: condition that checks github.event_name == 'push' (or move
the guard to the entire release job) so those release actions do not run for
pull_request runs.


jobs:
build:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: release-npm-action
uses: tobua/release-npm-action@v3.0.2
with:
NPM_TOKEN: ${{secrets.NPM_TOKEN}}
GITHUB_TOKEN: ${{ github.token }}
coderabbitai[bot] marked this conversation as resolved.

- name: Publish Github Release
uses: LogicOverSnacks/actions-publish@v3
with:
Comment on lines +18 to +28
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find .github -name "blank.yml" -o -name "*.yml" | head -20

Repository: XeroHero/srctree-linux

Length of output: 93


🏁 Script executed:

cat -n .github/workflows/blank.yml

Repository: XeroHero/srctree-linux

Length of output: 932


🌐 Web query:

GitHub Actions pinning commit SHA security best practices 2024 2025

💡 Result:

GitHub Actions: commit-SHA pinning security best practices (2024–2025)

  • Pin every third‑party action to a full‑length commit SHA (40 hex chars), not a floating tag/branch (e.g., @v1, @main). This is GitHub’s recommended way to make an action reference immutable and reduce supply‑chain risk from tag retargeting or repo compromise. [1]

  • Keep the human-readable version as a comment next to the SHA (so reviews can see intent while execution stays immutable), e.g.:

    - uses: actions/checkout@<40-char-sha> # v4.2.2

    (The core point—pin to SHA for immutability—is explicitly recommended by GitHub. [1])

  • Continuously update pinned SHAs (treat them like dependencies). Pinning prevents silent updates; you must explicitly bump SHAs during maintenance (commonly via dependency tooling / PR checks). [1]

  • Enforce SHA pinning with governance controls (org/repo policy). GitHub added/enhanced policy support to help enforce SHA pinning (and also explicitly block actions/workflows) so you can mandate pinning rather than rely on convention. [2]

  • Use automated checks to prevent regressions. Add CI that fails PRs when a workflow uses non‑pinned actions (example: “Ensure SHA Pinned Actions”). [3]

  • Remember “pinned” isn’t always fully immutable in practice. Some actions can still change behavior via externally referenced components (e.g., downloaded binaries/images) even if the repo ref is pinned—so prefer actions that provide truly immutable release artifacts and review what the action executes. [4]

Sources

[1] GitHub Docs — Security hardening for GitHub Actions (section: “Pin actions to a full length commit SHA”).
[2] GitHub Changelog (2025‑08‑15) — Actions policy now supports blocking and SHA pinning actions.
[3] GitHub Marketplace — Ensure SHA Pinned Actions.
[4] GitHub Well‑Architected — Securing GitHub Actions Workflows (recommendation to pin to immutable refs; notes on residual mutability).


Pin third-party GitHub Actions to commit SHAs.

Lines 18, 21, and 26 use mutable tags (actions/checkout@v4, tobua/release-npm-action@v3.0.2, LogicOverSnacks/actions-publish@v3). For supply-chain safety, pin each to a full-length commit SHA with the version as a comment (e.g., actions/checkout@<40-char-sha> # v4). This prevents tag retargeting and repo compromise risks.

Suggested fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<40-char-sha> # v4
@@
-        uses: tobua/release-npm-action@v3.0.2
+        uses: tobua/release-npm-action@<40-char-sha> # v3.0.2
@@
-        uses: LogicOverSnacks/actions-publish@v3
+        uses: LogicOverSnacks/actions-publish@<40-char-sha> # v3
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml around lines 18 - 27, The workflow uses mutable
action tags (actions/checkout@v4, tobua/release-npm-action@v3.0.2,
LogicOverSnacks/actions-publish@v3); replace each mutable ref with the
corresponding full 40-character commit SHA (keeping the original tag as a
comment, e.g., "# v4") to pin the exact commit for supply-chain safety, so
update the uses lines for actions/checkout, tobua/release-npm-action, and
LogicOverSnacks/actions-publish to their full commit SHAs after verifying the
correct commit in each upstream repo.

repo: xerohero/srctree-linux
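Review bot: the file header shows this workflow landing as `.github/workflows/CI.tml`, but GitHub Actions only loads workflow files with a `.yml` or `.yaml` extension, so with that name the workflow would never be scheduled at all; confirm the intended filename (the analysis above inspects `blank.yml`). The job also declares no `permissions:` block, so `release-npm-action` and `actions-publish` run with whatever default `GITHUB_TOKEN` scope the repository settings grant rather than an explicit least-privilege grant; add a job-level block scoped to what the two release actions need, for example
    permissions:
      contents: write
and keep in mind that `${{secrets.NPM_TOKEN}}` is passed to every run, including `pull_request` runs, which is one more reason to gate the two release steps on `push` as suggested above.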
Comment on lines +17 to +29
⚠️ Potential issue | 🟠 Major

Add install/build steps before release actions.

The workflow never runs npm ci / npm run build. From package.json (scripts.build in Lines 6-13 and packaged dist/**/* in Lines 28-44), release/publish can ship incomplete artifacts or fail when dist/ is missing.

Suggested fix
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Build artifacts
+        run: npm run build
 
       - name: release-npm-action
         uses: tobua/release-npm-action@v3.0.2
Suggested change (the same suggestion as GitHub renders it, before and after):

Before:
    steps:
      - uses: actions/checkout@v4
      - name: release-npm-action
        uses: tobua/release-npm-action@v3.0.2
        with:
          GITHUB_TOKEN: ${{ github.token }}
      - name: Publish Github Release
        uses: LogicOverSnacks/actions-publish@v3
        with:
          repo: xerohero/srctree-linux

After:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build artifacts
        run: npm run build
      - name: release-npm-action
        uses: tobua/release-npm-action@v3.0.2
        with:
          GITHUB_TOKEN: ${{ github.token }}
      - name: Publish Github Release
        uses: LogicOverSnacks/actions-publish@v3
        with:
          repo: xerohero/srctree-linux
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/blank.yml around lines 17 - 28, The workflow is missing
install/build steps so release actions may publish incomplete artifacts; add
steps that run npm ci and npm run build (using the repository's scripts.build)
before the release actions (i.e., before tobua/release-npm-action@v3.0.2 and
LogicOverSnacks/actions-publish@v3) and ensure dist/ (packaged artifacts) exists
after the build, optionally adding a cache step for node_modules to speed CI.
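The SHA-pinning finding above recommends a CI check that fails when a workflow references an action by a mutable tag. Below is an added example of such a check, not code from this repository or from the bot; it uses a constructed copy of the workflow under review as sample input and a plain regex so it runs without PyYAML.

```python
import re
import sys

# Constructed sample mirroring the workflow under review (not the repository's file).
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: release-npm-action
        uses: tobua/release-npm-action@v3.0.2
      - name: Publish Github Release
        uses: LogicOverSnacks/actions-publish@v3
"""

# Capture the `uses:` value up to whitespace or a trailing "# v4" style comment.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for each action ref that is not a full 40-hex commit SHA.
    Local (./path) and docker:// refs are skipped; a ref with no '@' is reported because
    it resolves to the action's default branch."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1).strip("'\"")
        line_no = workflow_text.count("\n", 0, match.start()) + 1
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings

if __name__ == "__main__":
    # Report every unpinned ref and exit non-zero so the check fails the PR.
    hits = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line_no, ref in find_unpinned(fh.read()):
                print(f"{path}:{line_no}: unpinned action ref {ref}")
                hits += 1
    sys.exit(1 if hits else 0)
```

Run it as `python check_pins.py .github/workflows/*.yml` from a CI step; on the sample above it reports all three `uses:` lines.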