CI(workflow): migrate workflows to reusable actions repo patterns#340
CI(workflow): migrate workflows to reusable actions repo patterns#340tripura-repalle wants to merge 1 commit into
Conversation
Replace 7 inline workflows with wrappers calling reusable workflows from blinklabs-io/actions@main: - conventional-commits → reuseable-conventional-commits.yml - golangci-lint → reuseable-golangci-lint.yml (go 1.25.x default) - nilaway → reuseable-nilaway.yml (include-pkgs: github.com/blinklabs-io/tx-submit-api-mirror) - ci-docker → reuseable-ci-docker.yml - publish → reuseable-publish.yml (binary-name: tx-submit-api-mirror, docker-image: blinklabs/tx-submit-api-mirror) - test-issue-on-close → reuseable-test-issue-on-close.yml - update-issue-on-close → reuseable-set-project-closed-date.yml go.mod remains at go 1.25.7 (no version bump required). Signed-off-by: Tripura Repalle <tripura@blinklabs.io>
📝 WalkthroughWalkthroughAll seven GitHub Actions workflow files in 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main | ||
| with: | ||
| image-name: blinklabs-io/tx-submit-api-mirror |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3 | ||
| - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2 | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main |
| - name: golangci-lint | ||
| uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1 | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main |
| uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main | ||
| with: | ||
| include-pkgs: github.com/blinklabs-io/tx-submit-api-mirror |
| uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main | ||
| with: | ||
| issue_number: ${{ github.event.issue.number }} | ||
| issue_title: ${{ github.event.issue.title }} |
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main | ||
| secrets: | ||
| project_pat: ${{ secrets.ORG_PROJECT_PAT }} | ||
| with: | ||
| closed_at: ${{ github.event.issue.closed_at }} | ||
| closed_date_field: Closed Date |
There was a problem hiding this comment.
Actionable comments posted: 9
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci-docker.yml:
- Line 18: The workflow reference in the `uses` statement for
`blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml` is pinned to
`@main` which is a mutable reference instead of an immutable commit SHA. Since
this file is auto-generated by org-governance-bot and cannot be manually edited,
the fix must be applied upstream. Locate the org-governance-bot configuration or
template file that generates these CI workflows and update the reference pattern
to pin to a specific commit SHA instead of `@main` to ensure all seven generated
workflows in `.github/workflows/` use immutable references going forward.
In @.github/workflows/conventional-commits.yml:
- Line 9: The workflow reference in this file uses `@main` which is mutable and
bypasses change control. Since this file is auto-generated by org-governance-bot
(as noted in line 1), the fix cannot be applied directly to this file. Instead,
update the org-governance-bot's configuration to pin the blinklabs-io/actions
workflow reference to a specific immutable commit SHA instead of using `@main`
when it generates the conventional-commits workflow file.
In @.github/workflows/golangci-lint.yml:
- Line 14: The `uses` clause referencing
blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml is using a
mutable branch reference (`@main`) which introduces supply chain risk. Replace the
`@main` reference with a specific immutable commit SHA to pin the reusable
workflow to a fixed version. This ensures the workflow definition cannot
unexpectedly change when the main branch is updated.
In @.github/workflows/nilaway.yml:
- Line 14: The reusable workflow reference in the nilaway.yml workflow file uses
the `@main` branch reference instead of pinning to an immutable commit SHA.
Replace the `@main` reference in the `uses:
blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main` line with a
specific commit SHA to ensure that only reviewed and tested versions of the
upstream workflow are executed, preventing unintended drift from upstream
changes.
In @.github/workflows/publish.yml:
- Line 22: The reusable workflow reference in the publish workflow is using a
mutable branch reference `@main` instead of a pinned commit SHA. Replace the `@main`
reference in the uses statement for
blinklabs-io/actions/.github/workflows/reuseable-publish.yml with a full-length
40-character commit SHA to ensure workflow immutability and prevent supply chain
vulnerabilities from upstream changes.
- Around line 11-18: The permissions block in the publish workflow is granting
write access to multiple scopes that are not required by the workflow, which
violates the principle of least privilege and increases the security blast
radius. Remove the unused write permission scopes for actions, checks, packages,
and statuses from the permissions block, keeping only the scopes that are
actually needed by the workflow (such as attestations, contents, and id-token).
Verify that the remaining permissions are sufficient for the workflow's actual
operations.
In @.github/workflows/test-issue-on-close.yml:
- Line 11: The workflow reference in the reuseable-test-issue-on-close.yml uses
`@main` which is a mutable branch reference presenting a supply-chain security
risk. Since this file is auto-generated by org-governance-bot and manual edits
will be overwritten, do not modify this file directly. Instead, file a separate
issue with the org-governance-bot configuration requesting that it pin all
reusable workflow references to immutable commit SHAs instead of mutable branch
names like `@main`.
In @.github/workflows/update-issue-on-close.yml:
- Around line 11-18: The orchestrate job that uses the
reuseable-set-project-closed-date.yml workflow is missing an explicit
permissions declaration, which means it inherits default token scopes that may
be over-privileged. Add a permissions field to the orchestrate job and declare
only the minimal required scopes needed for the reusable workflow to function.
Review the reusable workflow definition to determine what specific permissions
(such as contents, issues, pull-requests, or project scope) are actually
required, then add only those explicitly rather than relying on defaults.
- Around line 12-14: The workflow reference in the uses statement is pinned to
`@main` which is mutable and creates a supply-chain risk when forwarding secrets
like project_pat. Since this file is auto-generated by org-governance-bot,
locate and update the source configuration or template in the org-governance-bot
that generates this file to pin the
blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml
reference to a full commit SHA instead of `@main`. Additionally, add an explicit
permissions block at the top level of the workflow to follow the principle of
least privilege rather than relying on repository defaults.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 03109d66-e36a-416b-8bde-35b674f67451
📒 Files selected for processing (7)
.github/workflows/ci-docker.yml.github/workflows/conventional-commits.yml.github/workflows/golangci-lint.yml.github/workflows/nilaway.yml.github/workflows/publish.yml.github/workflows/test-issue-on-close.yml.github/workflows/update-issue-on-close.yml
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
git ls-files .github/workflows/ | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 428
🏁 Script executed:
cat -n .github/workflows/ci-docker.ymlRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 744
🏁 Script executed:
rg "uses:.*`@main`" .github/workflows/Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 1009
🏁 Script executed:
rg "uses:.*@" .github/workflows/ | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 1009
Fix all unpinned reusable workflow references at source.
This file is auto-generated by org-governance-bot and cannot be manually edited. Additionally, this unpinned @main reference is a systemic issue—all seven workflows in .github/workflows/ use the same mutable reference pattern to blinklabs-io/actions.
The fix must be applied upstream in the org-governance-bot configuration or the template it uses to ensure all generated workflows pin to immutable commit SHAs instead of @main.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci-docker.yml at line 18, The workflow reference in the
`uses` statement for
`blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml` is pinned to
`@main` which is a mutable reference instead of an immutable commit SHA. Since
this file is auto-generated by org-governance-bot and cannot be manually edited,
the fix must be applied upstream. Locate the org-governance-bot configuration or
template file that generates these CI workflows and update the reference pattern
to pin to a specific commit SHA instead of `@main` to ensure all seven generated
workflows in `.github/workflows/` use immutable references going forward.
Source: Linters/SAST tools
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3 | ||
| - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2 | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if the file exists and examine its contents
if [ -f ".github/workflows/conventional-commits.yml" ]; then
echo "=== File content ==="
cat -n ".github/workflows/conventional-commits.yml"
else
echo "File not found. Searching for it..."
find . -name "conventional-commits.yml" 2>/dev/null
fiRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 487
🏁 Script executed:
#!/bin/bash
# List all workflow files to understand the repository context
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" 2>/dev/null | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 428
🏁 Script executed:
#!/bin/bash
# Check the remote repository that is being used in the workflow
# Look for any references to blinklabs-io/actions in all workflow files
rg "blinklabs-io/actions" .github/workflows/ -A 2 -B 2Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 2374
Pin reusable workflow refs to immutable SHAs.
This call uses @main, which is mutable and bypasses change control. However, this file is auto-generated by org-governance-bot (see line 1), so the fix must be applied to the governance bot's configuration rather than this file directly. Update the bot configuration to pin blinklabs-io/actions workflows to specific commit SHAs instead of @main.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 9-9: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/conventional-commits.yml at line 9, The workflow reference
in this file uses `@main` which is mutable and bypasses change control. Since this
file is auto-generated by org-governance-bot (as noted in line 1), the fix
cannot be applied directly to this file. Instead, update the
org-governance-bot's configuration to pin the blinklabs-io/actions workflow
reference to a specific immutable commit SHA instead of using `@main` when it
generates the conventional-commits workflow file.
Source: Linters/SAST tools
| - name: golangci-lint | ||
| uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1 | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
# First, let's check if the file exists and view its contents
find . -name "golangci-lint.yml" -type f 2>/dev/null | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 209
🏁 Script executed:
# If found, let's examine the file around line 14
if [ -f ".github/workflows/golangci-lint.yml" ]; then
cat -n ".github/workflows/golangci-lint.yml" | head -20
fiRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 543
🏁 Script executed:
# Also check for any other workflow files that might use unpinned references
fd -e yml -e yaml ".github/workflows" 2>/dev/null | xargs grep -l "uses:.*`@main`\|uses:.*`@master`\|uses:.*@\(head\|trunk\)" 2>/dev/null || echo "No dynamic refs found or files not accessible"Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 217
Pin reusable workflow ref to immutable SHA.
The uses target at @main is mutable and introduces supply chain risk. Pin to a commit digest instead.
Suggested fix
- uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
+ uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@<commit-sha>🧰 Tools
🪛 zizmor (1.26.1)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/golangci-lint.yml at line 14, The `uses` clause
referencing blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml
is using a mutable branch reference (`@main`) which introduces supply chain risk.
Replace the `@main` reference with a specific immutable commit SHA to pin the
reusable workflow to a fixed version. This ensures the workflow definition
cannot unexpectedly change when the main branch is updated.
Source: Linters/SAST tools
| - name: run nilaway | ||
| run: nilaway ./... | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
# Check if the file exists and examine the workflow
cat -n .github/workflows/nilaway.ymlRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 620
🌐 Web query:
GitHub Actions security best practices pinning reusable workflow SHA
💡 Result:
Best practice: pin reusable workflow references to a full-length commit SHA (not a branch or tag) in the caller workflow’s uses: line, and enforce this with GitHub’s “allowed actions and reusable workflows” policy where available. 1) Pin reusable workflows to full commit SHA in the caller - GitHub’s documentation states that if you use a commit SHA when referencing a reusable workflow, you ensure everyone always uses the same YAML code, whereas referencing by tag/branch requires trust in that version. [1] - GitHub’s “secure use” guidance likewise says pinning to a full-length commit SHA is the only way to use an action as an immutable release, and that the same principles apply to reusable workflows. [2] Example (caller workflow): - uses: OWNER/REPO/.github/workflows/workflow.yml@<FULL_SHA> 2) Enforce SHA pinning at the org/policy level - GitHub introduced policy support to enforce SHA pinning via the “allowed actions and reusable workflows” policy; workflows that attempt to use an action/reusable workflow that isn’t pinned to a full commit SHA can fail when the policy is enabled. [3] - GitHub’s enterprise enforcement documentation also notes the option “Require actions to be pinned to a full-length commit SHA”, and documents the different @TAG-OR-SHA selection syntax for reusable workflows: OWNER/REPOSITORY/PATH/FILENAME@TAG-OR-SHA. [4] 3) Understand why this matters (security model) - Because reusable workflows are referenced by the caller’s uses: line, mutable refs (tags/branches) can shift what code runs. GitHub explains that using a commit SHA ensures the called workflow’s code is stable, while tags/branches require trust. [1] If you want, tell me whether you’re on GitHub.com vs GitHub Enterprise Cloud/Server and whether you manage policies at the org or repo level—I can tailor a concrete rollout checklist for enabling the SHA-pinning policy and how to format reusable-workflow uses: pins accordingly.
Citations:
- 1: https://www.systemshardening.com/articles/cicd/github-actions-reusable-workflow-pinning-audit/
- 2: https://adaptive-enforcement-lab.com/secure/github-actions-security/workflows/reusable/caller-validation-pinning/
- 3: https://github.com/orgs/community/discussions/171037
- 4: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
Pin reusable workflow refs to immutable SHAs.
@main should be replaced with an immutable commit SHA to avoid unreviewed upstream drift.
Suggested fix
- uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main
+ uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@<commit-sha>🧰 Tools
🪛 zizmor (1.26.1)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/nilaway.yml at line 14, The reusable workflow reference in
the nilaway.yml workflow file uses the `@main` branch reference instead of
pinning to an immutable commit SHA. Replace the `@main` reference in the `uses:
blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main` line with a
specific commit SHA to ensure that only reviewed and tested versions of the
upstream workflow are executed, preventing unintended drift from upstream
changes.
Source: Linters/SAST tools
| permissions: | ||
| actions: write | ||
| attestations: write | ||
| checks: write | ||
| contents: write | ||
| id-token: write | ||
| packages: write | ||
| statuses: write |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
# First, let's read the publish.yml file to understand its full context
cat -n .github/workflows/publish.ymlRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 981
🏁 Script executed:
# The workflow calls blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main
# Let's try to fetch this external workflow to understand what permissions it needs
curl -s https://raw.githubusercontent.com/blinklabs-io/actions/main/.github/workflows/reuseable-publish.ymlRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 8068
Reduce top-level token scopes to least privilege.
The workflow grants multiple write scopes (actions, checks, packages, statuses) that are not used by the called workflow and represent unnecessary blast radius.
Suggested tightening (adjust to exact needs of the called workflow)
permissions:
- actions: write
attestations: write
- checks: write
contents: write
id-token: write
- packages: write
- statuses: write📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| actions: write | |
| attestations: write | |
| checks: write | |
| contents: write | |
| id-token: write | |
| packages: write | |
| statuses: write | |
| permissions: | |
| attestations: write | |
| contents: write | |
| id-token: write |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish.yml around lines 11 - 18, The permissions block in
the publish workflow is granting write access to multiple scopes that are not
required by the workflow, which violates the principle of least privilege and
increases the security blast radius. Remove the unused write permission scopes
for actions, checks, packages, and statuses from the permissions block, keeping
only the scopes that are actually needed by the workflow (such as attestations,
contents, and id-token). Verify that the remaining permissions are sufficient
for the workflow's actual operations.
| core.setFailed(error.message); | ||
| } | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔴 Critical
🧩 Analysis chain
🏁 Script executed:
# Check if the file exists and read the relevant section
cat -n .github/workflows/publish.yml | head -30Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 981
🌐 Web query:
GitHub Actions reusable workflow security best practices pinning SHA commit
💡 Result:
Pinning reusable workflows and actions to a full-length commit SHA is a critical security best practice for GitHub Actions [1][2][3]. Because tags and branches are mutable references that can be moved via force-push, they are vulnerable to supply chain attacks where a compromised upstream repository could inject malicious code into your workflows [2][3]. Pinning to a full-length commit SHA ensures that your workflow consistently runs the exact, immutable code you have audited [1][3]. Best Practices for Implementation: 1. Use Full-Length SHAs: Always use the full-length (40-character) commit SHA rather than abbreviated SHAs to prevent potential collisions and ensure immutability [1][3]. 2. Enable Organization-Level Policies: Administrators should enable the Require actions to be pinned to a full-length commit SHA policy at the organization or enterprise level [1][4]. As of August 2025, this policy can be configured to force all workflows to fail if they use unpinned actions [5][6]. 3. Automate Updates with Dependency Managers: SHA pinning creates a maintenance burden. Use tools like Dependabot or Renovate to automatically open pull requests when new versions are released [3]. These tools allow you to review the diff before merging, ensuring you stay updated without manually tracking SHAs [3]. 4. Enforce Cooldown Periods: To further mitigate risk, implement a 7-14 day cooldown period for dependency updates [6]. This allows time for potential compromises in new releases to be discovered by the community before you adopt them [6]. 5. Audit Transitive Dependencies: SHA pinning a direct reference is necessary but not always sufficient. Reusable workflows may pull in other dependencies that are not pinned [4]. Perform periodic audits of your call graph to ensure security practices are applied consistently across all levels [4]. 6. Layer with Additional Security Controls: SHA pinning should be part of a broader security strategy, including: - Restricting usage to authorized, verified creators [1][7]. - Explicitly defining secrets rather than using secrets: inherit [2][8]. - Granting minimal permissions to the GITHUB_TOKEN [2][8]. - Using environment protection rules and OIDC for cloud credentials [2][3].
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://adaptive-enforcement-lab.com/secure/github-actions-security/workflows/reusable/caller-validation-pinning/
- 3: https://www.systemshardening.com/articles/cicd/github-actions-supply-chain-hardening/
- 4: https://www.systemshardening.com/articles/cicd/github-actions-reusable-workflow-pinning-audit/
- 5: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 6: https://www.wiz.io/blog/github-actions-security-guide
- 7: https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md
- 8: https://adaptive-enforcement-lab.com/secure/github-actions-security/workflows/reusable/
Pin reusable workflow to a full-length commit SHA.
The publish workflow depends on a mutable branch ref (@main) from an external repository, creating a supply chain vulnerability. A compromised upstream repository could inject malicious code into your pipeline without detection. GitHub best practices require pinning to a full-length (40-character) commit SHA for immutability.
Suggested fix
- uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main
+ uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@<commit-sha>🧰 Tools
🪛 zizmor (1.26.1)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish.yml at line 22, The reusable workflow reference in
the publish workflow is using a mutable branch reference `@main` instead of a
pinned commit SHA. Replace the `@main` reference in the uses statement for
blinklabs-io/actions/.github/workflows/reuseable-publish.yml with a full-length
40-character commit SHA to ensure workflow immutability and prevent supply chain
vulnerabilities from upstream changes.
Source: Linters/SAST tools
| echo "::${TOKEN}::" | ||
| echo "Workflow triggered successfully when issue was closed." | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
# Verify the file exists and check the exact content at line 11
cat -n .github/workflows/test-issue-on-close.yml 2>/dev/null | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 638
🏁 Script executed:
# Also check if there are other workflow files with similar patterns
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 428
🏁 Script executed:
# Search for all 'uses' directives in workflow files to understand the pinning pattern used in this repo
rg "uses:" .github/workflows/ -A 1 | head -40Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 1343
🏁 Script executed:
# Check if there's any documentation or policy file about workflow pinning
find . -maxdepth 2 -type f \( -name "*.md" -o -name "SECURITY*" -o -name ".github/CODEOWNERS" \) -exec cat -n {} + 2>/dev/null | head -100Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 4181
Address unpinned workflow reference through org-governance-bot configuration.
Line 11 references @main, which is mutable and presents a supply-chain security risk. However, this file is auto-generated by org-governance-bot (see line 1) and should not be manually edited—changes will be overwritten.
File a separate issue with the governance bot configuration to pin reusable workflow references to immutable commit SHAs instead of branch names.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/test-issue-on-close.yml at line 11, The workflow reference
in the reuseable-test-issue-on-close.yml uses `@main` which is a mutable branch
reference presenting a supply-chain security risk. Since this file is
auto-generated by org-governance-bot and manual edits will be overwritten, do
not modify this file directly. Instead, file a separate issue with the
org-governance-bot configuration requesting that it pin all reusable workflow
references to immutable commit SHAs instead of mutable branch names like `@main`.
Source: Linters/SAST tools
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main | ||
| secrets: | ||
| project_pat: ${{ secrets.ORG_PROJECT_PAT }} | ||
| with: | ||
| closed_at: ${{ github.event.issue.closed_at }} | ||
| closed_date_field: Closed Date | ||
| project_url: https://github.com/orgs/blinklabs-io/projects/11 No newline at end of file |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Set explicit least-privilege permissions for this caller workflow.
Lines 11-18 define no permissions, so token scope depends on repository/org defaults. Declare explicit minimal scopes to avoid over-privileged runs.
Suggested baseline
+permissions:
+ contents: read
+ issues: read(Expand only if the reusable workflow contract proves it needs more.)
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 11-18: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block
(excessive-permissions)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/update-issue-on-close.yml around lines 11 - 18, The
orchestrate job that uses the reuseable-set-project-closed-date.yml workflow is
missing an explicit permissions declaration, which means it inherits default
token scopes that may be over-privileged. Add a permissions field to the
orchestrate job and declare only the minimal required scopes needed for the
reusable workflow to function. Review the reusable workflow definition to
determine what specific permissions (such as contents, issues, pull-requests, or
project scope) are actually required, then add only those explicitly rather than
relying on defaults.
Source: Linters/SAST tools
| uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main | ||
| secrets: | ||
| project_pat: ${{ secrets.ORG_PROJECT_PAT }} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔴 Critical
🧩 Analysis chain
🏁 Script executed:
cd /tmp && find . -name "update-issue-on-close.yml" -o -name "*.yml" -path "*/.github/workflows/*" 2>/dev/null | head -20Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 171
🏁 Script executed:
find . -name "update-issue-on-close.yml" 2>/dev/nullRepository: blinklabs-io/tx-submit-api-mirror
Length of output: 217
🏁 Script executed:
cat -n .github/workflows/update-issue-on-close.yml 2>/dev/null || find . -type f -name "*.yml" | grep -i "update.*issue" | head -5Repository: blinklabs-io/tx-submit-api-mirror
Length of output: 806
Pin the reusable workflow to a commit SHA instead of @main.
Line 12 references a mutable branch (@main) while forwarding a secret on line 14. This creates a supply-chain risk—the workflow could be altered at any time. Pin to a full commit SHA.
Note: This file is auto-generated by org-governance-bot (line 1). The fix should be applied at the source of that automation rather than edited manually here.
Additionally, add an explicit permissions: block to follow the principle of least privilege instead of relying on repository defaults.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/update-issue-on-close.yml around lines 12 - 14, The
workflow reference in the uses statement is pinned to `@main` which is mutable and
creates a supply-chain risk when forwarding secrets like project_pat. Since this
file is auto-generated by org-governance-bot, locate and update the source
configuration or template in the org-governance-bot that generates this file to
pin the
blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml
reference to a full commit SHA instead of `@main`. Additionally, add an explicit
permissions block at the top level of the workflow to follow the principle of
least privilege rather than relying on repository defaults.
Source: Linters/SAST tools
There was a problem hiding this comment.
10 issues found across 7 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/conventional-commits.yml">
<violation number="1" location=".github/workflows/conventional-commits.yml:9">
P2: Explicit `permissions: contents: read` was removed from the `orchestrate` job when migrating to the reusable workflow. This causes the caller job to inherit the repository's default `GITHUB_TOKEN` permissions, which may be broader than the previous least-privilege restriction and creates potential privilege drift.</violation>
</file>
<file name=".github/workflows/publish.yml">
<violation number="1" location=".github/workflows/publish.yml:12">
P2: These top-level permissions grant broad write access (`actions`, `checks`, `packages`, `statuses`) that may not be required by the called reusable workflow. Following the principle of least privilege, reduce these to only the scopes the reusable workflow actually needs (likely `attestations: write`, `contents: write`, `id-token: write`, and `packages: write` for a publish workflow).</violation>
<violation number="2" location=".github/workflows/publish.yml:22">
P0: Reusable publish workflow is referenced with a mutable `@main` branch ref instead of a pinned commit SHA, introducing supply-chain and reproducibility risk for the release pipeline.</violation>
</file>
<file name=".github/workflows/nilaway.yml">
<violation number="1" location=".github/workflows/nilaway.yml:14">
P1: Reusable nilaway workflow is referenced with a mutable `@main` branch instead of an immutable commit SHA, introducing supply-chain and reproducibility risk.</violation>
</file>
<file name=".github/workflows/update-issue-on-close.yml">
<violation number="1" location=".github/workflows/update-issue-on-close.yml:8">
P2: This workflow lacks an explicit `permissions` block. The previous version declared `contents: read` and `issues: read`. Without explicit scoping, the GITHUB_TOKEN inherits repository/org defaults which may grant unnecessary write access. Add a minimal permissions block.</violation>
<violation number="2" location=".github/workflows/update-issue-on-close.yml:13">
P1: Reusable workflow is referenced via mutable `@main` while receiving a sensitive PAT secret, creating a supply-chain and secret-exfiltration risk. Pin to a full commit SHA, especially for workflows that receive secrets.</violation>
</file>
<file name=".github/workflows/test-issue-on-close.yml">
<violation number="1" location=".github/workflows/test-issue-on-close.yml:11">
P2: Reusable workflow is referenced via the mutable `@main` branch instead of an immutable commit SHA. This reduces reproducibility and allows unreviewed upstream changes in `blinklabs-io/actions` to alter CI behavior unexpectedly.</violation>
</file>
<file name=".github/workflows/ci-docker.yml">
<violation number="1" location=".github/workflows/ci-docker.yml:18">
P2: Docker CI caller workflow removed explicit least-privilege permissions; the reusable job now inherits the repository default GITHUB_TOKEN scope, which may be broader than the previous `contents: read` and violates least-privilege.</violation>
</file>
<file name=".github/workflows/golangci-lint.yml">
<violation number="1" location=".github/workflows/golangci-lint.yml:13">
P1: The caller workflow removed the explicit least-privilege `permissions: contents: read` block. Without a permissions envelope, the GITHUB_TOKEN scope depends on repository/org default settings and may be wider than the previous setup. Add explicit permissions to the caller job (or workflow) to restore least-privilege constraints.</violation>
<violation number="2" location=".github/workflows/golangci-lint.yml:14">
P1: Reusable workflow is referenced via the mutable `@main` branch instead of a pinned commit SHA or trusted version tag, which removes build determinism and increases supply-chain risk.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| core.setFailed(error.message); | ||
| } | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main |
There was a problem hiding this comment.
P0: Reusable publish workflow is referenced with a mutable @main branch ref instead of a pinned commit SHA, introducing supply-chain and reproducibility risk for the release pipeline.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish.yml, line 22:
<comment>Reusable publish workflow is referenced with a mutable `@main` branch ref instead of a pinned commit SHA, introducing supply-chain and reproducibility risk for the release pipeline.</comment>
<file context>
@@ -1,180 +1,28 @@
- core.setFailed(error.message);
- }
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main
+ secrets:
+ docker-password: ${{ secrets.DOCKER_PASSWORD }}
</file context>
| - name: run nilaway | ||
| run: nilaway ./... | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main |
There was a problem hiding this comment.
P1: Reusable nilaway workflow is referenced with a mutable @main branch instead of an immutable commit SHA, introducing supply-chain and reproducibility risk.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/nilaway.yml, line 14:
<comment>Reusable nilaway workflow is referenced with a mutable `@main` branch instead of an immutable commit SHA, introducing supply-chain and reproducibility risk.</comment>
<file context>
@@ -1,25 +1,16 @@
- - name: run nilaway
- run: nilaway ./...
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main
+ with:
+ include-pkgs: github.com/blinklabs-io/tx-submit-api-mirror
</file context>
| field-value: ${{ steps.when.outputs.date }} No newline at end of file | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main | ||
| secrets: |
There was a problem hiding this comment.
P1: Reusable workflow is referenced via mutable @main while receiving a sensitive PAT secret, creating a supply-chain and secret-exfiltration risk. Pin to a full commit SHA, especially for workflows that receive secrets.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/update-issue-on-close.yml, line 13:
<comment>Reusable workflow is referenced via mutable `@main` while receiving a sensitive PAT secret, creating a supply-chain and secret-exfiltration risk. Pin to a full commit SHA, especially for workflows that receive secrets.</comment>
<file context>
@@ -1,39 +1,18 @@
\ No newline at end of file
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main
+ secrets:
+ project_pat: ${{ secrets.ORG_PROJECT_PAT }}
+ with:
</file context>
| - name: golangci-lint | ||
| uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1 | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main |
There was a problem hiding this comment.
P1: Reusable workflow is referenced via the mutable @main branch instead of a pinned commit SHA or trusted version tag, which removes build determinism and increases supply-chain risk.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/golangci-lint.yml, line 14:
<comment>Reusable workflow is referenced via the mutable `@main` branch instead of a pinned commit SHA or trusted version tag, which removes build determinism and increases supply-chain risk.</comment>
<file context>
@@ -1,23 +1,14 @@
- - name: golangci-lint
- uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
</file context>
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main |
There was a problem hiding this comment.
P1: The caller workflow removed the explicit least-privilege permissions: contents: read block. Without a permissions envelope, the GITHUB_TOKEN scope depends on repository/org default settings and may be wider than the previous setup. Add explicit permissions to the caller job (or workflow) to restore least-privilege constraints.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/golangci-lint.yml, line 13:
<comment>The caller workflow removed the explicit least-privilege `permissions: contents: read` block. Without a permissions envelope, the GITHUB_TOKEN scope depends on repository/org default settings and may be wider than the previous setup. Add explicit permissions to the caller job (or workflow) to restore least-privilege constraints.</comment>
<file context>
@@ -1,23 +1,14 @@
- go-version: 1.25.x
- - name: golangci-lint
- uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
</file context>
| orchestrate: | |
| uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main | |
| orchestrate: | |
| permissions: | |
| contents: read | |
| uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3 | ||
| - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2 | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main |
There was a problem hiding this comment.
P2: Explicit permissions: contents: read was removed from the orchestrate job when migrating to the reusable workflow. This causes the caller job to inherit the repository's default GITHUB_TOKEN permissions, which may be broader than the previous least-privilege restriction and creates potential privilege drift.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/conventional-commits.yml, line 9:
<comment>Explicit `permissions: contents: read` was removed from the `orchestrate` job when migrating to the reusable workflow. This causes the caller job to inherit the repository's default `GITHUB_TOKEN` permissions, which may be broader than the previous least-privilege restriction and creates potential privilege drift.</comment>
<file context>
@@ -1,17 +1,9 @@
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3
- - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main
</file context>
| echo "::${TOKEN}::" | ||
| echo "Workflow triggered successfully when issue was closed." | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main |
There was a problem hiding this comment.
P2: Reusable workflow is referenced via the mutable @main branch instead of an immutable commit SHA. This reduces reproducibility and allows unreviewed upstream changes in blinklabs-io/actions to alter CI behavior unexpectedly.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/test-issue-on-close.yml, line 11:
<comment>Reusable workflow is referenced via the mutable `@main` branch instead of an immutable commit SHA. This reduces reproducibility and allows unreviewed upstream changes in `blinklabs-io/actions` to alter CI behavior unexpectedly.</comment>
<file context>
@@ -1,23 +1,14 @@
- echo "::${TOKEN}::"
- echo "Workflow triggered successfully when issue was closed."
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main
+ with:
+ issue_number: ${{ github.event.issue.number }}
</file context>
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| orchestrate: | ||
| uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main |
There was a problem hiding this comment.
P2: Docker CI caller workflow removed explicit least-privilege permissions; the reusable job now inherits the repository default GITHUB_TOKEN scope, which may be broader than the previous contents: read and violates least-privilege.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/ci-docker.yml, line 18:
<comment>Docker CI caller workflow removed explicit least-privilege permissions; the reusable job now inherits the repository default GITHUB_TOKEN scope, which may be broader than the previous `contents: read` and violates least-privilege.</comment>
<file context>
@@ -1,37 +1,20 @@
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
+ orchestrate:
+ uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main
+ with:
+ image-name: blinklabs-io/tx-submit-api-mirror
</file context>
| uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main | |
| + permissions: | |
| + contents: read | |
| + uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main |
|
|
||
| concurrency: ${{ github.ref }} | ||
| permissions: | ||
| actions: write |
There was a problem hiding this comment.
P2: These top-level permissions grant broad write access (actions, checks, packages, statuses) that may not be required by the called reusable workflow. Following the principle of least privilege, reduce these to only the scopes the reusable workflow actually needs (likely attestations: write, contents: write, id-token: write, and packages: write for a publish workflow).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish.yml, line 12:
<comment>These top-level permissions grant broad write access (`actions`, `checks`, `packages`, `statuses`) that may not be required by the called reusable workflow. Following the principle of least privilege, reduce these to only the scopes the reusable workflow actually needs (likely `attestations: write`, `contents: write`, `id-token: write`, and `packages: write` for a publish workflow).</comment>
<file context>
@@ -1,180 +1,28 @@
-concurrency: ${{ github.ref }}
+permissions:
+ actions: write
+ attestations: write
+ checks: write
</file context>
| @@ -1,39 +1,18 @@ | |||
| name: Set Project Closed Date | |||
| # Generated automatically by org-governance-bot. Do not edit manually. | |||
There was a problem hiding this comment.
P2: This workflow lacks an explicit permissions block. The previous version declared contents: read and issues: read. Without explicit scoping, the GITHUB_TOKEN inherits repository/org defaults which may grant unnecessary write access. Add a minimal permissions block.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/update-issue-on-close.yml, line 8:
<comment>This workflow lacks an explicit `permissions` block. The previous version declared `contents: read` and `issues: read`. Without explicit scoping, the GITHUB_TOKEN inherits repository/org defaults which may grant unnecessary write access. Add a minimal permissions block.</comment>
<file context>
@@ -1,39 +1,18 @@
- CLOSED_DATE_FIELD: "Closed Date"
+ types:
+ - closed
+ workflow_dispatch:
jobs:
</file context>
Closes: #341
Summary by cubic
Migrates all CI workflows to reusable workflows from
blinklabs-io/actionsto standardize CI and reduce maintenance. Behavior is unchanged; linting, Docker builds, and releases now run via shared templates.conventional-commits,golangci-lint,nilaway,ci-docker,publish,test-issue-on-close,update-issue-on-close.nilaway.include-pkgs=github.com/blinklabs-io/tx-submit-api-mirror,ci-docker.image-name=blinklabs-io/tx-submit-api-mirror,publishusesbinary-name=tx-submit-api-mirror,docker-image=blinklabs/tx-submit-api-mirror, passessecrets.DOCKER_PASSWORD; project close flow uses project 11 and field "Closed Date".1.25.x.Written for commit 7cb4956. Summary will update on new commits.
Summary by CodeRabbit