Skip to content

CI(workflow): migrate workflows to reusable actions repo patterns#340

Open
tripura-repalle wants to merge 1 commit into
mainfrom
feat-call-reusable-actions-repo-workflows
Open

CI(workflow): migrate workflows to reusable actions repo patterns#340
tripura-repalle wants to merge 1 commit into
mainfrom
feat-call-reusable-actions-repo-workflows

Conversation

@tripura-repalle

@tripura-repalle tripura-repalle commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Closes: #341

Summary by cubic

Migrates all CI workflows to reusable workflows from blinklabs-io/actions to standardize CI and reduce maintenance. Behavior is unchanged; linting, Docker builds, and releases now run via shared templates.

  • Refactors
    • Replaced 7 inline workflows with reusable ones: conventional-commits, golangci-lint, nilaway, ci-docker, publish, test-issue-on-close, update-issue-on-close.
    • Notable inputs: nilaway.include-pkgs=github.com/blinklabs-io/tx-submit-api-mirror, ci-docker.image-name=blinklabs-io/tx-submit-api-mirror, publish uses binary-name=tx-submit-api-mirror, docker-image=blinklabs/tx-submit-api-mirror, passes secrets.DOCKER_PASSWORD; project close flow uses project 11 and field "Closed Date".
    • Standardized triggers/permissions and added generated headers; Go stays at 1.25.x.

Written for commit 7cb4956. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Chores
    • Refactored CI/CD workflows to use centralized reusable workflow configurations, consolidating redundant build and deployment logic across the pipeline.
    • Updated Docker publishing, linting, testing, and issue-tracking automation to delegate to shared workflow implementations.

Replace 7 inline workflows with wrappers calling reusable workflows
from blinklabs-io/actions@main:
- conventional-commits → reuseable-conventional-commits.yml
- golangci-lint → reuseable-golangci-lint.yml (go 1.25.x default)
- nilaway → reuseable-nilaway.yml (include-pkgs: github.com/blinklabs-io/tx-submit-api-mirror)
- ci-docker → reuseable-ci-docker.yml
- publish → reuseable-publish.yml (binary-name: tx-submit-api-mirror, docker-image: blinklabs/tx-submit-api-mirror)
- test-issue-on-close → reuseable-test-issue-on-close.yml
- update-issue-on-close → reuseable-set-project-closed-date.yml

go.mod remains at go 1.25.7 (no version bump required).

Signed-off-by: Tripura Repalle <tripura@blinklabs.io>
@tripura-repalle
tripura-repalle requested a review from a team as a code owner June 23, 2026 18:18
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

All seven GitHub Actions workflow files in .github/workflows/ are rewritten to delegate their CI logic to centralized reusable workflows hosted in blinklabs-io/actions. Each file replaces its inline job steps, permissions blocks, and environment declarations with a single orchestrate job using a uses: call. Affected workflows include Docker CI, conventional commits, golangci-lint, nilaway, publish, test-issue-on-close, and update-issue-on-close. The publish workflow additionally gains a new top-level permissions block with broad write scopes and removes its concurrency configuration.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title 'CI(workflow): migrate workflows to reusable actions repo patterns' directly and clearly summarizes the main change: migrating GitHub Actions workflows to use centralized reusable workflows from the blinklabs-io/actions repository.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat-call-reusable-actions-repo-workflows

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment on lines +18 to +20
uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main
with:
image-name: blinklabs-io/tx-submit-api-mirror
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3
- uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main
- name: golangci-lint
uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
Comment on lines +14 to +16
uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main
with:
include-pkgs: github.com/blinklabs-io/tx-submit-api-mirror
Comment on lines +11 to +14
uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main
with:
issue_number: ${{ github.event.issue.number }}
issue_title: ${{ github.event.issue.title }}
Comment on lines +12 to +18
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main
secrets:
project_pat: ${{ secrets.ORG_PROJECT_PAT }}
with:
closed_at: ${{ github.event.issue.closed_at }}
closed_date_field: Closed Date

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci-docker.yml:
- Line 18: The workflow reference in the `uses` statement for
`blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml` is pinned to
`@main` which is a mutable reference instead of an immutable commit SHA. Since
this file is auto-generated by org-governance-bot and cannot be manually edited,
the fix must be applied upstream. Locate the org-governance-bot configuration or
template file that generates these CI workflows and update the reference pattern
to pin to a specific commit SHA instead of `@main` to ensure all seven generated
workflows in `.github/workflows/` use immutable references going forward.

In @.github/workflows/conventional-commits.yml:
- Line 9: The workflow reference in this file uses `@main` which is mutable and
bypasses change control. Since this file is auto-generated by org-governance-bot
(as noted in line 1), the fix cannot be applied directly to this file. Instead,
update the org-governance-bot's configuration to pin the blinklabs-io/actions
workflow reference to a specific immutable commit SHA instead of using `@main`
when it generates the conventional-commits workflow file.

In @.github/workflows/golangci-lint.yml:
- Line 14: The `uses` clause referencing
blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml is using a
mutable branch reference (`@main`) which introduces supply chain risk. Replace the
`@main` reference with a specific immutable commit SHA to pin the reusable
workflow to a fixed version. This ensures the workflow definition cannot
unexpectedly change when the main branch is updated.

In @.github/workflows/nilaway.yml:
- Line 14: The reusable workflow reference in the nilaway.yml workflow file uses
the `@main` branch reference instead of pinning to an immutable commit SHA.
Replace the `@main` reference in the `uses:
blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main` line with a
specific commit SHA to ensure that only reviewed and tested versions of the
upstream workflow are executed, preventing unintended drift from upstream
changes.

In @.github/workflows/publish.yml:
- Line 22: The reusable workflow reference in the publish workflow is using a
mutable branch reference `@main` instead of a pinned commit SHA. Replace the `@main`
reference in the uses statement for
blinklabs-io/actions/.github/workflows/reuseable-publish.yml with a full-length
40-character commit SHA to ensure workflow immutability and prevent supply chain
vulnerabilities from upstream changes.
- Around line 11-18: The permissions block in the publish workflow is granting
write access to multiple scopes that are not required by the workflow, which
violates the principle of least privilege and increases the security blast
radius. Remove the unused write permission scopes for actions, checks, packages,
and statuses from the permissions block, keeping only the scopes that are
actually needed by the workflow (such as attestations, contents, and id-token).
Verify that the remaining permissions are sufficient for the workflow's actual
operations.

In @.github/workflows/test-issue-on-close.yml:
- Line 11: The workflow reference in the reuseable-test-issue-on-close.yml uses
`@main` which is a mutable branch reference presenting a supply-chain security
risk. Since this file is auto-generated by org-governance-bot and manual edits
will be overwritten, do not modify this file directly. Instead, file a separate
issue with the org-governance-bot configuration requesting that it pin all
reusable workflow references to immutable commit SHAs instead of mutable branch
names like `@main`.

In @.github/workflows/update-issue-on-close.yml:
- Around line 11-18: The orchestrate job that uses the
reuseable-set-project-closed-date.yml workflow is missing an explicit
permissions declaration, which means it inherits default token scopes that may
be over-privileged. Add a permissions field to the orchestrate job and declare
only the minimal required scopes needed for the reusable workflow to function.
Review the reusable workflow definition to determine what specific permissions
(such as contents, issues, pull-requests, or project scope) are actually
required, then add only those explicitly rather than relying on defaults.
- Around line 12-14: The workflow reference in the uses statement is pinned to
`@main` which is mutable and creates a supply-chain risk when forwarding secrets
like project_pat. Since this file is auto-generated by org-governance-bot,
locate and update the source configuration or template in the org-governance-bot
that generates this file to pin the
blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml
reference to a full commit SHA instead of `@main`. Additionally, add an explicit
permissions block at the top level of the workflow to follow the principle of
least privilege rather than relying on repository defaults.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03109d66-e36a-416b-8bde-35b674f67451

📥 Commits

Reviewing files that changed from the base of the PR and between 144e601 and 7cb4956.

📒 Files selected for processing (7)
  • .github/workflows/ci-docker.yml
  • .github/workflows/conventional-commits.yml
  • .github/workflows/golangci-lint.yml
  • .github/workflows/nilaway.yml
  • .github/workflows/publish.yml
  • .github/workflows/test-issue-on-close.yml
  • .github/workflows/update-issue-on-close.yml

tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows/ | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 428


🏁 Script executed:

cat -n .github/workflows/ci-docker.yml

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 744


🏁 Script executed:

rg "uses:.*`@main`" .github/workflows/

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 1009


🏁 Script executed:

rg "uses:.*@" .github/workflows/ | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 1009


Fix all unpinned reusable workflow references at source.

This file is auto-generated by org-governance-bot and cannot be manually edited. Additionally, this unpinned @main reference is a systemic issue—all seven workflows in .github/workflows/ use the same mutable reference pattern to blinklabs-io/actions.

The fix must be applied upstream in the org-governance-bot configuration or the template it uses to ensure all generated workflows pin to immutable commit SHAs instead of @main.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-docker.yml at line 18, The workflow reference in the
`uses` statement for
`blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml` is pinned to
`@main` which is a mutable reference instead of an immutable commit SHA. Since
this file is auto-generated by org-governance-bot and cannot be manually edited,
the fix must be applied upstream. Locate the org-governance-bot configuration or
template file that generates these CI workflows and update the reference pattern
to pin to a specific commit SHA instead of `@main` to ensure all seven generated
workflows in `.github/workflows/` use immutable references going forward.

Source: Linters/SAST tools

- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3
- uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the file exists and examine its contents
if [ -f ".github/workflows/conventional-commits.yml" ]; then
  echo "=== File content ==="
  cat -n ".github/workflows/conventional-commits.yml"
else
  echo "File not found. Searching for it..."
  find . -name "conventional-commits.yml" 2>/dev/null
fi

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 487


🏁 Script executed:

#!/bin/bash
# List all workflow files to understand the repository context
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" 2>/dev/null | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 428


🏁 Script executed:

#!/bin/bash
# Check the remote repository that is being used in the workflow
# Look for any references to blinklabs-io/actions in all workflow files
rg "blinklabs-io/actions" .github/workflows/ -A 2 -B 2

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 2374


Pin reusable workflow refs to immutable SHAs.

This call uses @main, which is mutable and bypasses change control. However, this file is auto-generated by org-governance-bot (see line 1), so the fix must be applied to the governance bot's configuration rather than this file directly. Update the bot configuration to pin blinklabs-io/actions workflows to specific commit SHAs instead of @main.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 9-9: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conventional-commits.yml at line 9, The workflow reference
in this file uses `@main` which is mutable and bypasses change control. Since this
file is auto-generated by org-governance-bot (as noted in line 1), the fix
cannot be applied directly to this file. Instead, update the
org-governance-bot's configuration to pin the blinklabs-io/actions workflow
reference to a specific immutable commit SHA instead of using `@main` when it
generates the conventional-commits workflow file.

Source: Linters/SAST tools

- name: golangci-lint
uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check if the file exists and view its contents
find . -name "golangci-lint.yml" -type f 2>/dev/null | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 209


🏁 Script executed:

# If found, let's examine the file around line 14
if [ -f ".github/workflows/golangci-lint.yml" ]; then
  cat -n ".github/workflows/golangci-lint.yml" | head -20
fi

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 543


🏁 Script executed:

# Also check for any other workflow files that might use unpinned references
fd -e yml -e yaml ".github/workflows" 2>/dev/null | xargs grep -l "uses:.*`@main`\|uses:.*`@master`\|uses:.*@\(head\|trunk\)" 2>/dev/null || echo "No dynamic refs found or files not accessible"

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 217


Pin reusable workflow ref to immutable SHA.

The uses target at @main is mutable and introduces supply chain risk. Pin to a commit digest instead.

Suggested fix
-    uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
+    uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@<commit-sha>
🧰 Tools
🪛 zizmor (1.26.1)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/golangci-lint.yml at line 14, The `uses` clause
referencing blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml
is using a mutable branch reference (`@main`) which introduces supply chain risk.
Replace the `@main` reference with a specific immutable commit SHA to pin the
reusable workflow to a fixed version. This ensures the workflow definition
cannot unexpectedly change when the main branch is updated.

Source: Linters/SAST tools

- name: run nilaway
run: nilaway ./...
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and examine the workflow
cat -n .github/workflows/nilaway.yml

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 620


🌐 Web query:

GitHub Actions security best practices pinning reusable workflow SHA

💡 Result:

Best practice: pin reusable workflow references to a full-length commit SHA (not a branch or tag) in the caller workflow’s uses: line, and enforce this with GitHub’s “allowed actions and reusable workflows” policy where available. 1) Pin reusable workflows to full commit SHA in the caller - GitHub’s documentation states that if you use a commit SHA when referencing a reusable workflow, you ensure everyone always uses the same YAML code, whereas referencing by tag/branch requires trust in that version. [1] - GitHub’s “secure use” guidance likewise says pinning to a full-length commit SHA is the only way to use an action as an immutable release, and that the same principles apply to reusable workflows. [2] Example (caller workflow): - uses: OWNER/REPO/.github/workflows/workflow.yml@<FULL_SHA> 2) Enforce SHA pinning at the org/policy level - GitHub introduced policy support to enforce SHA pinning via the “allowed actions and reusable workflows” policy; workflows that attempt to use an action/reusable workflow that isn’t pinned to a full commit SHA can fail when the policy is enabled. [3] - GitHub’s enterprise enforcement documentation also notes the option “Require actions to be pinned to a full-length commit SHA”, and documents the different @TAG-OR-SHA selection syntax for reusable workflows: OWNER/REPOSITORY/PATH/FILENAME@TAG-OR-SHA. [4] 3) Understand why this matters (security model) - Because reusable workflows are referenced by the caller’s uses: line, mutable refs (tags/branches) can shift what code runs. GitHub explains that using a commit SHA ensures the called workflow’s code is stable, while tags/branches require trust. [1] If you want, tell me whether you’re on GitHub.com vs GitHub Enterprise Cloud/Server and whether you manage policies at the org or repo level—I can tailor a concrete rollout checklist for enabling the SHA-pinning policy and how to format reusable-workflow uses: pins accordingly.

Citations:


Pin reusable workflow refs to immutable SHAs.

@main should be replaced with an immutable commit SHA to avoid unreviewed upstream drift.

Suggested fix
-    uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main
+    uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@<commit-sha>
🧰 Tools
🪛 zizmor (1.26.1)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/nilaway.yml at line 14, The reusable workflow reference in
the nilaway.yml workflow file uses the `@main` branch reference instead of
pinning to an immutable commit SHA. Replace the `@main` reference in the `uses:
blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main` line with a
specific commit SHA to ensure that only reviewed and tested versions of the
upstream workflow are executed, preventing unintended drift from upstream
changes.

Source: Linters/SAST tools

Comment on lines +11 to +18
permissions:
actions: write
attestations: write
checks: write
contents: write
id-token: write
packages: write
statuses: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's read the publish.yml file to understand its full context
cat -n .github/workflows/publish.yml

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 981


🏁 Script executed:

# The workflow calls blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main
# Let's try to fetch this external workflow to understand what permissions it needs
curl -s https://raw.githubusercontent.com/blinklabs-io/actions/main/.github/workflows/reuseable-publish.yml

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 8068


Reduce top-level token scopes to least privilege.

The workflow grants multiple write scopes (actions, checks, packages, statuses) that are not used by the called workflow and represent unnecessary blast radius.

Suggested tightening (adjust to exact needs of the called workflow)
 permissions:
-  actions: write
   attestations: write
-  checks: write
   contents: write
   id-token: write
-  packages: write
-  statuses: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
actions: write
attestations: write
checks: write
contents: write
id-token: write
packages: write
statuses: write
permissions:
attestations: write
contents: write
id-token: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 11 - 18, The permissions block in
the publish workflow is granting write access to multiple scopes that are not
required by the workflow, which violates the principle of least privilege and
increases the security blast radius. Remove the unused write permission scopes
for actions, checks, packages, and statuses from the permissions block, keeping
only the scopes that are actually needed by the workflow (such as attestations,
contents, and id-token). Verify that the remaining permissions are sufficient
for the workflow's actual operations.

core.setFailed(error.message);
}
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read the relevant section
cat -n .github/workflows/publish.yml | head -30

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 981


🌐 Web query:

GitHub Actions reusable workflow security best practices pinning SHA commit

💡 Result:

Pinning reusable workflows and actions to a full-length commit SHA is a critical security best practice for GitHub Actions [1][2][3]. Because tags and branches are mutable references that can be moved via force-push, they are vulnerable to supply chain attacks where a compromised upstream repository could inject malicious code into your workflows [2][3]. Pinning to a full-length commit SHA ensures that your workflow consistently runs the exact, immutable code you have audited [1][3]. Best Practices for Implementation: 1. Use Full-Length SHAs: Always use the full-length (40-character) commit SHA rather than abbreviated SHAs to prevent potential collisions and ensure immutability [1][3]. 2. Enable Organization-Level Policies: Administrators should enable the Require actions to be pinned to a full-length commit SHA policy at the organization or enterprise level [1][4]. As of August 2025, this policy can be configured to force all workflows to fail if they use unpinned actions [5][6]. 3. Automate Updates with Dependency Managers: SHA pinning creates a maintenance burden. Use tools like Dependabot or Renovate to automatically open pull requests when new versions are released [3]. These tools allow you to review the diff before merging, ensuring you stay updated without manually tracking SHAs [3]. 4. Enforce Cooldown Periods: To further mitigate risk, implement a 7-14 day cooldown period for dependency updates [6]. This allows time for potential compromises in new releases to be discovered by the community before you adopt them [6]. 5. Audit Transitive Dependencies: SHA pinning a direct reference is necessary but not always sufficient. Reusable workflows may pull in other dependencies that are not pinned [4]. Perform periodic audits of your call graph to ensure security practices are applied consistently across all levels [4]. 6. Layer with Additional Security Controls: SHA pinning should be part of a broader security strategy, including: - Restricting usage to authorized, verified creators [1][7]. - Explicitly defining secrets rather than using secrets: inherit [2][8]. - Granting minimal permissions to the GITHUB_TOKEN [2][8]. - Using environment protection rules and OIDC for cloud credentials [2][3].

Citations:


Pin reusable workflow to a full-length commit SHA.

The publish workflow depends on a mutable branch ref (@main) from an external repository, creating a supply chain vulnerability. A compromised upstream repository could inject malicious code into your pipeline without detection. GitHub best practices require pinning to a full-length (40-character) commit SHA for immutability.

Suggested fix
-    uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main
+    uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@<commit-sha>
🧰 Tools
🪛 zizmor (1.26.1)

[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 22, The reusable workflow reference in
the publish workflow is using a mutable branch reference `@main` instead of a
pinned commit SHA. Replace the `@main` reference in the uses statement for
blinklabs-io/actions/.github/workflows/reuseable-publish.yml with a full-length
40-character commit SHA to ensure workflow immutability and prevent supply chain
vulnerabilities from upstream changes.

Source: Linters/SAST tools

echo "::${TOKEN}::"
echo "Workflow triggered successfully when issue was closed."
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Verify the file exists and check the exact content at line 11
cat -n .github/workflows/test-issue-on-close.yml 2>/dev/null | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 638


🏁 Script executed:

# Also check if there are other workflow files with similar patterns
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 428


🏁 Script executed:

# Search for all 'uses' directives in workflow files to understand the pinning pattern used in this repo
rg "uses:" .github/workflows/ -A 1 | head -40

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 1343


🏁 Script executed:

# Check if there's any documentation or policy file about workflow pinning
find . -maxdepth 2 -type f \( -name "*.md" -o -name "SECURITY*" -o -name ".github/CODEOWNERS" \) -exec cat -n {} + 2>/dev/null | head -100

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 4181


Address unpinned workflow reference through org-governance-bot configuration.

Line 11 references @main, which is mutable and presents a supply-chain security risk. However, this file is auto-generated by org-governance-bot (see line 1) and should not be manually edited—changes will be overwritten.

File a separate issue with the governance bot configuration to pin reusable workflow references to immutable commit SHAs instead of branch names.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 11-11: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-issue-on-close.yml at line 11, The workflow reference
in the reuseable-test-issue-on-close.yml uses `@main` which is a mutable branch
reference presenting a supply-chain security risk. Since this file is
auto-generated by org-governance-bot and manual edits will be overwritten, do
not modify this file directly. Instead, file a separate issue with the
org-governance-bot configuration requesting that it pin all reusable workflow
references to immutable commit SHAs instead of mutable branch names like `@main`.

Source: Linters/SAST tools

Comment on lines +11 to +18
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main
secrets:
project_pat: ${{ secrets.ORG_PROJECT_PAT }}
with:
closed_at: ${{ github.event.issue.closed_at }}
closed_date_field: Closed Date
project_url: https://github.com/orgs/blinklabs-io/projects/11 No newline at end of file

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set explicit least-privilege permissions for this caller workflow.

Lines 11-18 define no permissions, so token scope depends on repository/org defaults. Declare explicit minimal scopes to avoid over-privileged runs.

Suggested baseline
+permissions:
+  contents: read
+  issues: read

(Expand only if the reusable workflow contract proves it needs more.)

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 11-18: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-issue-on-close.yml around lines 11 - 18, The
orchestrate job that uses the reuseable-set-project-closed-date.yml workflow is
missing an explicit permissions declaration, which means it inherits default
token scopes that may be over-privileged. Add a permissions field to the
orchestrate job and declare only the minimal required scopes needed for the
reusable workflow to function. Review the reusable workflow definition to
determine what specific permissions (such as contents, issues, pull-requests, or
project scope) are actually required, then add only those explicitly rather than
relying on defaults.

Source: Linters/SAST tools

Comment on lines +12 to +14
uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main
secrets:
project_pat: ${{ secrets.ORG_PROJECT_PAT }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "update-issue-on-close.yml" -o -name "*.yml" -path "*/.github/workflows/*" 2>/dev/null | head -20

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 171


🏁 Script executed:

find . -name "update-issue-on-close.yml" 2>/dev/null

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 217


🏁 Script executed:

cat -n .github/workflows/update-issue-on-close.yml 2>/dev/null || find . -type f -name "*.yml" | grep -i "update.*issue" | head -5

Repository: blinklabs-io/tx-submit-api-mirror

Length of output: 806


Pin the reusable workflow to a commit SHA instead of @main.

Line 12 references a mutable branch (@main) while forwarding a secret on line 14. This creates a supply-chain risk—the workflow could be altered at any time. Pin to a full commit SHA.

Note: This file is auto-generated by org-governance-bot (line 1). The fix should be applied at the source of that automation rather than edited manually here.

Additionally, add an explicit permissions: block to follow the principle of least privilege instead of relying on repository defaults.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-issue-on-close.yml around lines 12 - 14, The
workflow reference in the uses statement is pinned to `@main` which is mutable and
creates a supply-chain risk when forwarding secrets like project_pat. Since this
file is auto-generated by org-governance-bot, locate and update the source
configuration or template in the org-governance-bot that generates this file to
pin the
blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml
reference to a full commit SHA instead of `@main`. Additionally, add an explicit
permissions block at the top level of the workflow to follow the principle of
least privilege rather than relying on repository defaults.

Source: Linters/SAST tools

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

10 issues found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/conventional-commits.yml">

<violation number="1" location=".github/workflows/conventional-commits.yml:9">
P2: Explicit `permissions: contents: read` was removed from the `orchestrate` job when migrating to the reusable workflow. This causes the caller job to inherit the repository's default `GITHUB_TOKEN` permissions, which may be broader than the previous least-privilege restriction and creates potential privilege drift.</violation>
</file>

<file name=".github/workflows/publish.yml">

<violation number="1" location=".github/workflows/publish.yml:12">
P2: These top-level permissions grant broad write access (`actions`, `checks`, `packages`, `statuses`) that may not be required by the called reusable workflow. Following the principle of least privilege, reduce these to only the scopes the reusable workflow actually needs (likely `attestations: write`, `contents: write`, `id-token: write`, and `packages: write` for a publish workflow).</violation>

<violation number="2" location=".github/workflows/publish.yml:22">
P0: Reusable publish workflow is referenced with a mutable `@main` branch ref instead of a pinned commit SHA, introducing supply-chain and reproducibility risk for the release pipeline.</violation>
</file>

<file name=".github/workflows/nilaway.yml">

<violation number="1" location=".github/workflows/nilaway.yml:14">
P1: Reusable nilaway workflow is referenced with a mutable `@main` branch instead of an immutable commit SHA, introducing supply-chain and reproducibility risk.</violation>
</file>

<file name=".github/workflows/update-issue-on-close.yml">

<violation number="1" location=".github/workflows/update-issue-on-close.yml:8">
P2: This workflow lacks an explicit `permissions` block. The previous version declared `contents: read` and `issues: read`. Without explicit scoping, the GITHUB_TOKEN inherits repository/org defaults which may grant unnecessary write access. Add a minimal permissions block.</violation>

<violation number="2" location=".github/workflows/update-issue-on-close.yml:13">
P1: Reusable workflow is referenced via mutable `@main` while receiving a sensitive PAT secret, creating a supply-chain and secret-exfiltration risk. Pin to a full commit SHA, especially for workflows that receive secrets.</violation>
</file>

<file name=".github/workflows/test-issue-on-close.yml">

<violation number="1" location=".github/workflows/test-issue-on-close.yml:11">
P2: Reusable workflow is referenced via the mutable `@main` branch instead of an immutable commit SHA. This reduces reproducibility and allows unreviewed upstream changes in `blinklabs-io/actions` to alter CI behavior unexpectedly.</violation>
</file>

<file name=".github/workflows/ci-docker.yml">

<violation number="1" location=".github/workflows/ci-docker.yml:18">
P2: Docker CI caller workflow removed explicit least-privilege permissions; the reusable job now inherits the repository default GITHUB_TOKEN scope, which may be broader than the previous `contents: read` and violates least-privilege.</violation>
</file>

<file name=".github/workflows/golangci-lint.yml">

<violation number="1" location=".github/workflows/golangci-lint.yml:13">
P1: The caller workflow removed the explicit least-privilege `permissions: contents: read` block. Without a permissions envelope, the GITHUB_TOKEN scope depends on repository/org default settings and may be wider than the previous setup. Add explicit permissions to the caller job (or workflow) to restore least-privilege constraints.</violation>

<violation number="2" location=".github/workflows/golangci-lint.yml:14">
P1: Reusable workflow is referenced via the mutable `@main` branch instead of a pinned commit SHA or trusted version tag, which removes build determinism and increases supply-chain risk.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

core.setFailed(error.message);
}
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P0: Reusable publish workflow is referenced with a mutable @main branch ref instead of a pinned commit SHA, introducing supply-chain and reproducibility risk for the release pipeline.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish.yml, line 22:

<comment>Reusable publish workflow is referenced with a mutable `@main` branch ref instead of a pinned commit SHA, introducing supply-chain and reproducibility risk for the release pipeline.</comment>

<file context>
@@ -1,180 +1,28 @@
-              core.setFailed(error.message);
-            }
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-publish.yml@main
+    secrets:
+      docker-password: ${{ secrets.DOCKER_PASSWORD }}
</file context>

- name: run nilaway
run: nilaway ./...
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Reusable nilaway workflow is referenced with a mutable @main branch instead of an immutable commit SHA, introducing supply-chain and reproducibility risk.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/nilaway.yml, line 14:

<comment>Reusable nilaway workflow is referenced with a mutable `@main` branch instead of an immutable commit SHA, introducing supply-chain and reproducibility risk.</comment>

<file context>
@@ -1,25 +1,16 @@
-      - name: run nilaway
-        run: nilaway ./...
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-nilaway.yml@main
+    with:
+      include-pkgs: github.com/blinklabs-io/tx-submit-api-mirror
</file context>

field-value: ${{ steps.when.outputs.date }} No newline at end of file
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main
secrets:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Reusable workflow is referenced via mutable @main while receiving a sensitive PAT secret, creating a supply-chain and secret-exfiltration risk. Pin to a full commit SHA, especially for workflows that receive secrets.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/update-issue-on-close.yml, line 13:

<comment>Reusable workflow is referenced via mutable `@main` while receiving a sensitive PAT secret, creating a supply-chain and secret-exfiltration risk. Pin to a full commit SHA, especially for workflows that receive secrets.</comment>

<file context>
@@ -1,39 +1,18 @@
\ No newline at end of file
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-set-project-closed-date.yml@main
+    secrets:
+      project_pat: ${{ secrets.ORG_PROJECT_PAT }}
+    with:
</file context>

- name: golangci-lint
uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Reusable workflow is referenced via the mutable @main branch instead of a pinned commit SHA or trusted version tag, which removes build determinism and increases supply-chain risk.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/golangci-lint.yml, line 14:

<comment>Reusable workflow is referenced via the mutable `@main` branch instead of a pinned commit SHA or trusted version tag, which removes build determinism and increases supply-chain risk.</comment>

<file context>
@@ -1,23 +1,14 @@
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
</file context>

Comment on lines +13 to +14
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: The caller workflow removed the explicit least-privilege permissions: contents: read block. Without a permissions envelope, the GITHUB_TOKEN scope depends on repository/org default settings and may be wider than the previous setup. Add explicit permissions to the caller job (or workflow) to restore least-privilege constraints.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/golangci-lint.yml, line 13:

<comment>The caller workflow removed the explicit least-privilege `permissions: contents: read` block. Without a permissions envelope, the GITHUB_TOKEN scope depends on repository/org default settings and may be wider than the previous setup. Add explicit permissions to the caller job (or workflow) to restore least-privilege constraints.</comment>

<file context>
@@ -1,23 +1,14 @@
-          go-version: 1.25.x
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1 https://github.com/golangci/golangci-lint-action/releases/tag/v9.2.1
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
</file context>
Suggested change
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main
orchestrate:
permissions:
contents: read
uses: blinklabs-io/actions/.github/workflows/reuseable-golangci-lint.yml@main

- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3
- uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Explicit permissions: contents: read was removed from the orchestrate job when migrating to the reusable workflow. This causes the caller job to inherit the repository's default GITHUB_TOKEN permissions, which may be broader than the previous least-privilege restriction and creates potential privilege drift.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/conventional-commits.yml, line 9:

<comment>Explicit `permissions: contents: read` was removed from the `orchestrate` job when migrating to the reusable workflow. This causes the caller job to inherit the repository's default `GITHUB_TOKEN` permissions, which may be broader than the previous least-privilege restriction and creates potential privilege drift.</comment>

<file context>
@@ -1,17 +1,9 @@
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 https://github.com/actions/checkout/releases/tag/v6.0.3
-      - uses: webiny/action-conventional-commits@7f91b1595ca1951cdb671ddc9f07a49081ec5b69 # v1.4.2 https://github.com/webiny/action-conventional-commits/releases/tag/v1.4.2
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-conventional-commits.yml@main
</file context>

echo "::${TOKEN}::"
echo "Workflow triggered successfully when issue was closed."
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Reusable workflow is referenced via the mutable @main branch instead of an immutable commit SHA. This reduces reproducibility and allows unreviewed upstream changes in blinklabs-io/actions to alter CI behavior unexpectedly.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/test-issue-on-close.yml, line 11:

<comment>Reusable workflow is referenced via the mutable `@main` branch instead of an immutable commit SHA. This reduces reproducibility and allows unreviewed upstream changes in `blinklabs-io/actions` to alter CI behavior unexpectedly.</comment>

<file context>
@@ -1,23 +1,14 @@
-          echo "::${TOKEN}::"
-          echo "Workflow triggered successfully when issue was closed."
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-test-issue-on-close.yml@main
+    with:
+      issue_number: ${{ github.event.issue.number }}
</file context>

tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
orchestrate:
uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Docker CI caller workflow removed explicit least-privilege permissions; the reusable job now inherits the repository default GITHUB_TOKEN scope, which may be broader than the previous contents: read and violates least-privilege.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/ci-docker.yml, line 18:

<comment>Docker CI caller workflow removed explicit least-privilege permissions; the reusable job now inherits the repository default GITHUB_TOKEN scope, which may be broader than the previous `contents: read` and violates least-privilege.</comment>

<file context>
@@ -1,37 +1,20 @@
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+  orchestrate:
+    uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main
+    with:
+      image-name: blinklabs-io/tx-submit-api-mirror
</file context>
Suggested change
uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main
+ permissions:
+ contents: read
+ uses: blinklabs-io/actions/.github/workflows/reuseable-ci-docker.yml@main


concurrency: ${{ github.ref }}
permissions:
actions: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: These top-level permissions grant broad write access (actions, checks, packages, statuses) that may not be required by the called reusable workflow. Following the principle of least privilege, reduce these to only the scopes the reusable workflow actually needs (likely attestations: write, contents: write, id-token: write, and packages: write for a publish workflow).

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish.yml, line 12:

<comment>These top-level permissions grant broad write access (`actions`, `checks`, `packages`, `statuses`) that may not be required by the called reusable workflow. Following the principle of least privilege, reduce these to only the scopes the reusable workflow actually needs (likely `attestations: write`, `contents: write`, `id-token: write`, and `packages: write` for a publish workflow).</comment>

<file context>
@@ -1,180 +1,28 @@
 
-concurrency: ${{ github.ref }}
+permissions:
+  actions: write
+  attestations: write
+  checks: write
</file context>

@@ -1,39 +1,18 @@
name: Set Project Closed Date
# Generated automatically by org-governance-bot. Do not edit manually.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: This workflow lacks an explicit permissions block. The previous version declared contents: read and issues: read. Without explicit scoping, the GITHUB_TOKEN inherits repository/org defaults which may grant unnecessary write access. Add a minimal permissions block.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/update-issue-on-close.yml, line 8:

<comment>This workflow lacks an explicit `permissions` block. The previous version declared `contents: read` and `issues: read`. Without explicit scoping, the GITHUB_TOKEN inherits repository/org defaults which may grant unnecessary write access. Add a minimal permissions block.</comment>

<file context>
@@ -1,39 +1,18 @@
-  CLOSED_DATE_FIELD: "Closed Date"
+    types:
+      - closed
+  workflow_dispatch:
 
 jobs:
</file context>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

test reusable workflows from actions repo

2 participants