
chore: pin all GitHub Actions to commit SHAs #420

Closed
KooshaPari wants to merge 21 commits into main from chore/pin-github-actions-20260430

Conversation

KooshaPari (Owner) commented May 1, 2026

User description

Pins all GitHub Actions to immutable commit SHAs.


Note

Low Risk
Primarily CI configuration and documentation updates; main risk is inadvertently skipping or breaking workflows due to action pinning/path filters and the Pulumi conditional change.

Overview
Hardens CI by pinning nearly all GitHub Actions uses: references to immutable commit SHAs and updating related cache, upload/download-artifact, and dependency review actions accordingly.

Scopes several workflows (ci.yml, contracts.yml, test-validation.yml) to run only when relevant paths change, and updates Dependabot to avoid scanning ARCHIVE/** via directories exclusions.

Adjusts CI behavior in a few spots: fixes test-validation.yml reporting to use needs.*.result, tweaks Pulumi dev deployment gating to be based on PULUMI_ACCESS_TOKEN env, and adds a few minimal placeholder workflows (doc-links.yml, fr-coverage.yml, quality-gate.yml).

Repo hygiene/docs updates include adding an MIT LICENSE, updating README/doc links, simplifying claude.md, and marking vulnerability worklog items as “Pending remediation”.

Reviewed by Cursor Bugbot for commit 8a22fc7.


CodeAnt-AI Description

Add CLI command stubs, update docs, and stabilize CI checks

What Changed

  • Added basic Tracera CLI commands for history, state, ingest, export, watch, search, TUI, chaos, migrate, and progress so the commands now exist and return simple feedback.
  • Fixed workflow issues that were preventing CI from parsing or running cleanly, and limited several broad workflows so docs-only changes do not trigger unrelated checks.
  • Updated README and docs links to point to the new local documentation structure, added the MIT license, and added worklog/session pages.
  • Pinned GitHub Actions to commit SHAs across workflows for consistent build and release behavior.

Impact

✅ Fewer broken CI runs on docs-only changes
✅ Clearer CLI command availability
✅ More reliable build and release checks

Summary by CodeRabbit

  • Chores

    • Pinned GitHub Actions dependencies across all workflows to specific commit SHAs for enhanced security and reproducibility
    • Updated Dependabot configuration to exclude archived directories from scanning
    • Archived obsolete test documentation files to maintain repository cleanliness
  • Documentation

    • Added MIT LICENSE file to repository
    • Updated README with new badge and simplified license section
    • Reorganized documentation navigation links for improved user experience
    • Updated project configuration guide with current technology stack and development commands
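The problems reviewed further down this thread (tag- or branch-based `uses:` refs, a SHA pin with no `# vX.Y.Z` trailer, and a step that declares `with:` twice) can all be caught before a push. The checker below is an added example and is not code from this PR or from the Tracera project. It uses only the standard library, scans the raw workflow text instead of loading YAML (a lenient loader keeps only the last duplicate key, so the problem would vanish), and runs over a constructed workflow that reproduces the shapes discussed on this page; the SHAs in the sample are the ones quoted in the review comments.

```python
"""Added example: stdlib-only checker for the workflow problems reviewed in this PR.
Finds (1) `uses:` refs that are tags/branches rather than 40-hex commit SHAs,
(2) SHA pins with no trailing `# vX.Y.Z` comment, and (3) a step that declares
`with:` twice. It scans raw text rather than loading YAML because a lenient
loader keeps only the last duplicate key and the problem disappears."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STEP_RE = re.compile(r"^(\s*)-\s")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
WITH_RE = re.compile(r"^(\s*)with:\s*$")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # "unpinned" | "no-version-comment" | "duplicate-with"
    detail: str


def check_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file's text, in line order."""
    findings: list[Finding] = []
    step_indent = None   # column of the "- " that opened the current step
    with_seen = False    # whether the current step already has a with: block
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = STEP_RE.match(raw)
        if m:                       # new list item: reset per-step state
            step_indent = len(m.group(1))
            with_seen = False
        m = USES_RE.match(raw)
        if m:
            ref, version_comment = m.group(1).strip("'\""), m.group(2)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue            # local action or container image: no SHA to pin
            action, sep, rev = ref.rpartition("@")
            if not sep:
                findings.append(Finding(lineno, "unpinned", f"{ref}: no @ref"))
            elif not SHA_RE.match(rev):
                findings.append(Finding(lineno, "unpinned",
                                        f"{action} uses mutable ref {rev!r}"))
            elif not version_comment:
                findings.append(Finding(lineno, "no-version-comment",
                                        f"{action}@{rev[:7]} lacks a '# vX.Y.Z' trailer"))
            continue
        m = WITH_RE.match(raw)
        if m and step_indent is not None and len(m.group(1)) > step_indent:
            if with_seen:
                findings.append(Finding(lineno, "duplicate-with",
                                        "second with: in one step; GitHub rejects the file"))
            with_seen = True
    return findings


# Constructed sample: the shapes flagged in this PR's review comments.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Set up Python
        uses: actions/setup-python@0057852bfaa89a56745cba8c7296529d2fc39830
        with:
          cache: 'pip'
        with:
          python-version: "3.12"
      - name: Setup k6
        uses: grafana/setup-k6-action@v1
      - name: Scan
        uses: trufflesecurity/trufflehog@main
      - uses: ./.github/actions/local-check
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run it over every file in `.github/workflows` from a pre-commit hook or a CI step; it reports the setup-python pin as lacking a version trailer, the second `with:` as a duplicate, and the k6 and trufflehog refs as mutable, while the SHA-pinned checkout with its `# v4.1.1` comment and the local action pass.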

Forge and others added 20 commits April 23, 2026 22:44
Remove duplicate with blocks, fix invalid job status expressions, normalize the frontend coverage heredoc, and move the Pulumi secret check to step-level env so workflow parsing succeeds.

Co-authored-by: Codex <noreply@openai.com>
Add path filters so the legacy comprehensive validation, contracts, and broad CI workflows do not execute for workflow-only syntax fixes while preserving their source-code triggers.

Co-authored-by: Codex <noreply@openai.com>
- Create tracertm.cli.commands module with stubs for history, state, watch, search, tui
- Add remaining command stubs: progress, ingest, chaos, export, migrate
- Each command has a Typer app with basic command structure
- history and state include ConfigManager/LocalStorageManager stubs for test patching
- All 21 pytest tests in test_gap_coverage_cli_commands.py now pass (100%)
- Unblocks pytest collection and enables test-first development for CLI

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Adds documentation block + `directories:` negation patterns so future
Dependabot runs do not re-open advisories on /ARCHIVE/** paths. Mirrors
the batch-dismissal performed in commit f243df4 (2026-04).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Per dead-code audit 2026-04-26 (commit ba32168). Pure-docs directory
with no live code references; raw-all.md links are auto-generated index
entries pointing to the archive itself. ~616K reclaimed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…e refs)

Per dead-code audit 2026-04-26 (commit ba32168). Genesis-commit data
dump with zero live references. ~28K reclaimed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Use the repo-local worklog and docs navigation paths.

Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Copilot AI review requested due to automatic review settings May 1, 2026 06:08
codeant-ai Bot commented May 1, 2026

CodeAnt AI is reviewing your PR.

Copilot AI left a comment

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

coderabbitai Bot commented May 1, 2026

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'pre_merge_checks', 'pr_validation'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
Walkthrough

This PR systematically pins GitHub Actions dependencies across 40+ workflows to specific commit SHAs for reproducibility and security, while updating CI configuration with path-based triggers, refactoring Pulumi secret handling in ci.yml, and consolidating documentation by archiving test reports and updating links.

Changes

Cohort / File(s) / Summary

GitHub Actions Pinning - Checkout & Artifact Handling
Files: .github/workflows/alert-sync-issues.yml, architecture.yml, benchmarks.yml, canary-deploy.yml, chaos-tests.yml, codeql.yml, deployment-rollback.yml, docs-deploy.yml, docs-performance.yml, go-tests.yml, naming-guard.yml, policy-gate.yml, qa-governance.yml, quality.yml, release.yml, secret-scanning.yml, security-guard-hook-audit.yml, security-guard.yml, vitepress-pages.yml
Summary: Pins actions/checkout to specific v4.1.1 commit SHA across multiple workflows. Some workflows also pin actions/upload-artifact and actions/download-artifact to fixed revisions replacing @v4/@v5 tags.

GitHub Actions Pinning - Setup Tools & Cache
Files: architecture.yml, benchmarks.yml, chaos-tests.yml, chromatic.yml, ci-cd.yml, contracts.yml, dependabot-auto-merge.yml, go-tests.yml, performance-regression.yml, pre-commit.yml, quality.yml, schema-validation.yml, test-pyramid.yml, test.yml, tests.yml
Summary: Pins setup actions (setup-python, setup-go, setup-node) and cache action to specific commit SHAs, replacing @v4/@v5/@v3 tags to ensure deterministic tool provisioning.

GitHub Actions Pinning - Scripting & Other Actions
Files: alert-sync-issues.yml, architecture.yml, chromatic.yml, ci-cd.yml, contract-tests.yml, deployment-rollback.yml, docs-deploy.yml, docs-performance.yml, load-test.yml, openapi-docs.yml, performance-regression.yml, test-pyramid.yml
Summary: Pins actions/github-script (replacing @v7) and other specialized actions (actions/configure-pages, actions/deploy-pages, actions/dependency-review-action) to pinned commit SHAs.

Workflow Path Filtering & CI Logic
Files: ci.yml, contracts.yml, test-validation.yml
Summary: Adds paths filters to push/pull_request triggers limiting runs to backend/frontend/src/contract/infra changes and dependency files. In ci.yml: moves Pulumi secret gating from job-level if to step-level env check, refactors frontend coverage extraction inline script to use single fs instance. In test-validation.yml: updates job status references from job.<job>.status to needs.<job>.result, removes duplicate setup-node with: keys.

New Placeholder Workflows
Files: doc-links.yml, fr-coverage.yml, quality-gate.yml
Summary: Introduces three new workflows with pinned checkout actions and placeholder commands for phenotype-tooling integration (doc link checks, frontend coverage, quality gate).

Dependabot Configuration
Files: .github/dependabot.yml
Summary: Excludes /ARCHIVE/** directories from Dependabot scanning by replacing root-level directory: "/" with directories: ["/", "!/ARCHIVE/**"] for pip and GitHub Actions ecosystems, with clarifying comments.

Documentation Consolidation & Links
Files: README.md, claude.md, docs/01-getting-started/README.md, docs/05-research/rtm-deep-dives/README.md, docs/05-research/trace-research/README.md, docs/07-reports/archive/README.md, docs/07-reports/archive/STATUS_DASHBOARD.md
Summary: Updates navigation links to point to new markdown structure (e.g., INDEX.md → README.md, relative path fixes for archived docs). claude.md replaces long process guide with shorter Tracera project overview; STATUS_DASHBOARD.md archived as historical snapshot; README.md adds badge and simplifies license section.

Archived Test Documentation Removal
Files: docs/archive/test-docs/*.md (41 files including CLI_ITEM_TESTS_SUMMARY.md, COMPREHENSIVE_TEST_COVERAGE_PLAN.md, FINAL_TEST_COVERAGE_REPORT_2025.md, INDEX.md, PHASE_*_*.md, PYTHON_TEST_COVERAGE_*.md, TESTING_*.md, TEST_*.md, etc.)
Summary: Deletes extensive archived test documentation suite (40+ files, ~8000+ lines removed total) covering test plans, coverage reports, phased implementation summaries, infrastructure completion, and test failure analyses from prior development phases.

Administrative Files
Files: LICENSE, DEPENDABOT_VULNERABILITY_WORKLOG.md
Summary: Adds MIT License file (21 lines). Updates vulnerability worklog statuses from TODO to Pending remediation across 14 entries (cryptography, virtualenv, golang.org/x/crypto, storybook, etc.).

Estimated code review effort: 4 (Complex), ~45 minutes

Suggested labels: layered-pr-exception, size:L
Poem

🐰 Workflows locked to solid ground,
With pinned SHAs all around,
Archive dusted, links made bright,
MIT license shining light,
Chaos tamed, the repo's right! 🔒

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

Description check: Warning. The description is comprehensive but does not follow the provided template structure. It provides context about the changes, risk assessment, and impact, but lacks the formal template sections (Summary, Changes, Testing, Checklist, Related Issues). Resolution: reformat the description to match the template: add a Summary section, organize changes as bullet points, include Testing checklist items, and add the Checklist section with relevant items for this type of change.

Passed checks (4 passed)

Title check: Passed. The title clearly and specifically describes the main objective of the PR: pinning GitHub Actions to commit SHAs, which aligns with the primary changes across all workflow files in the changeset.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


codeant-ai Bot added the label size:XL (This PR changes 500-999 lines, ignoring generated files) May 1, 2026
Comment on lines +33 to +37 of src/tracertm/cli/commands/history.py

    config = ConfigManager()
    project = config.get("project")
    if not project:
        typer.echo("Error: no project configured", err=True)
        raise typer.Exit(code=1)
Suggestion: Replace this ad hoc configuration lookup with a typed pydantic-settings configuration model and read the project value from that model instead of calling a generic getter. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The code performs an ad hoc configuration lookup with ConfigManager().get("project") and manually checks for a missing value.
This matches the described rule violation because it is not using a typed pydantic-settings model for configuration access.


Comment on lines +40 to +45 of src/tracertm/cli/commands/history.py

    if at:
        try:
            datetime.fromisoformat(at)
        except (ValueError, TypeError):
            typer.echo(f"Error: invalid date format '{at}'")
            return
Suggestion: Move this manual date parsing/exception flow to Pydantic-based validation by using a typed input field so invalid values are rejected by model validation instead of custom if/try logic. [custom_rule]

Severity Level: Minor ⚠️

Why it matters? 🤔

The code manually parses and validates the at value with datetime.fromisoformat() inside a try/except block.
That is the exact kind of custom validation the suggestion says should be replaced by Pydantic-based validation, so the violation is real.


cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit fab1068.

- name: Set up Python
uses: actions/setup-python@v4
uses: actions/setup-python@0057852bfaa89a56745cba8c7296529d2fc39830
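Review bot: the new `uses: actions/setup-python@0057852bfaa89a56745cba8c7296529d2fc39830` line carries no `# vX.Y.Z` trailer, unlike `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` elsewhere in this PR; that trailer is what lets a reviewer notice that the SHA was taken from another action's history rather than from a setup-python release. Replace it with the SHA the rest of the repository already uses for setup-python (ea165f8d65b6e75b540449e92b4886f43607fa02, per the finding below), add the release tag as a trailing comment, and fix all four affected locations in one pass so no workflow is left failing at the Python setup step.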
Wrong SHA pins setup-python to github-script action

High Severity

The SHA 0057852bfaa89a56745cba8c7296529d2fc39830 is the commit hash for actions/github-script, but it's being used to pin actions/setup-python in four locations. Every other setup-python reference in the repo correctly uses ea165f8d65b6e75b540449e92b4886f43607fa02. This will cause the affected CI jobs (test, lint, build, deploy in ci-cd.yml, backend Python tests in test-validation.yml, CLI tests in test.yml) to fail at the Python setup step.

Additional Locations (2)

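The Bugbot finding above is a SHA copied from the wrong repository, and the tag-based refs flagged further down need a SHA that belongs to the right one. The helper below is an added example, not code from this PR or the Tracera project: it parses `git ls-remote --tags` output, prefers the peeled `^{}` entry of an annotated tag (the tag object's own SHA is not a commit and cannot be pinned), builds the `uses:` value with the version trailer, and checks whether a given SHA is the commit behind any tag of that repository. The listing it runs on is constructed, with made-up SHAs and a hypothetical action name `example/some-action`; `fetch_ls_remote` shells out to git for real use and is not called here.

```python
"""Added example: resolve a release tag to the commit SHA that belongs after `@`.
`git ls-remote --tags <url>` prints one line per ref. For an annotated tag the
`refs/tags/vX` line carries the tag object's SHA and a second `refs/tags/vX^{}`
line carries the commit it points to; only the commit is a valid pin. The helper
also checks that a SHA is a tagged release commit of the repository it is used
with, which is what a reviewer needs to catch a SHA copied from another action.
The ls-remote listing below is constructed, with made-up SHAs and repo name."""
import re
import subprocess

LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\t(refs/tags/\S+)$")


def fetch_ls_remote(repo_url: str) -> str:
    """Run `git ls-remote --tags` for real use (needs network; not called here)."""
    return subprocess.run(["git", "ls-remote", "--tags", repo_url],
                          check=True, capture_output=True, text=True).stdout


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA, using the peeled (^{}) entry when present."""
    tags: dict[str, str] = {}
    peeled: dict[str, str] = {}
    for line in output.splitlines():
        m = LS_REMOTE_LINE.match(line)
        if not m:
            continue
        sha, ref = m.groups()
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha        # annotated tag: the commit it points to
        else:
            tags[name] = sha               # lightweight tag, or the tag object itself
    return {name: peeled.get(name, sha) for name, sha in tags.items()}


def pinned_uses(action: str, tag: str, ls_remote_output: str) -> str:
    """Build the `uses:` value `owner/repo@<commit-sha> # <tag>` for a release tag."""
    resolved = parse_ls_remote(ls_remote_output)
    if tag not in resolved:
        raise KeyError(f"{action}: tag {tag!r} not in ls-remote output")
    return f"{action}@{resolved[tag]} # {tag}"


def is_release_commit(sha: str, ls_remote_output: str) -> bool:
    """True if `sha` is the commit behind some tag of this repository.
    A tag object's SHA or a SHA from a different repository returns False."""
    return sha in set(parse_ls_remote(ls_remote_output).values())


# Constructed listing for the hypothetical action `example/some-action`:
# v1 and v1.1.0 are annotated tags (two lines each); v1.0.0 is lightweight.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v1
4444444444444444444444444444444444444444\trefs/tags/v1^{}
2222222222222222222222222222222222222222\trefs/tags/v1.0.0
3333333333333333333333333333333333333333\trefs/tags/v1.1.0
4444444444444444444444444444444444444444\trefs/tags/v1.1.0^{}
"""

if __name__ == "__main__":
    print(pinned_uses("example/some-action", "v1.1.0", SAMPLE_LS_REMOTE))
    # A SHA quoted in the review above, checked against this unrelated listing:
    print(is_release_commit("0057852bfaa89a56745cba8c7296529d2fc39830", SAMPLE_LS_REMOTE))
```

Pin the specific release tag (`v1.1.0`) rather than the floating major tag (`v1`): both resolve to the same commit today, but the trailing comment is what reviewers and Dependabot use to tell which release a SHA stands for, and `# v1` says nothing about that.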
codeant-ai Bot commented May 1, 2026

CodeAnt AI finished reviewing your PR.

Comment on lines +5 to +8 (doc-links.yml)

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: echo "Doc link check (phenotype-tooling integration)"

Comment on lines +5 to +8 (fr-coverage.yml)

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: echo "FR coverage check (phenotype-tooling integration)"

Comment on lines +5 to +9 (quality-gate.yml)

    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: echo "Quality gate check (phenotype-tooling integration)"
…pt, actual stack is Python/FastAPI + React 19

Corrected:
- name, purpose, language, stack table
- project structure (Python src/tracertm/, frontend/, backend/, tests/)
- development commands (uv/ruff/pytest instead of npm)
- quality gates aligned to Python-first project

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
coderabbitai Bot left a comment

Actionable comments posted: 20

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (10)
.github/workflows/release.yml (1)

23-28: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Merge the two with: mappings.

The Python setup step still has duplicate with: keys, so this workflow remains invalid YAML and will fail validation before release jobs start.

Suggested fix
       - name: Set up Python
         uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           cache: 'pip'
-        with:
-          python-version: "3.12"
+          python-version: "3.12"
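Review bot: the merged `with:` mapping in this hunk is right, but it fixes only this one step; the same duplicated `with:` is reported on this page for test-pyramid.yml, chaos-tests.yml and architecture.yml, so apply it to every setup step in one commit and run a duplicate-key check across .github/workflows before pushing (`yamllint` flags `key-duplicates` by default), because a loader that keeps the last key would silently hide the dropped `cache: 'pip'` rather than fail.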
.github/workflows/test-pyramid.yml (1)

28-40: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Merge the two with: mappings.

actions/setup-node and actions/setup-python each declare with: twice, which makes this workflow invalid YAML and prevents GitHub Actions from parsing it.

Suggested fix
       - name: Set up Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           cache: 'npm'
-        with:
           node-version: "20"

       - name: Set up Python
         uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           cache: 'pip'
-        with:
           python-version: "3.12"
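Review bot: once the two `with:` blocks are merged, `cache: 'npm'` and `cache: 'pip'` both take effect, and each makes its setup action hash a dependency file (a package lock file for setup-node, requirements files for setup-python) and fail the step when none is found; the hunk shows neither a lockfile nor a `cache-dependency-path`, so confirm those files exist where the actions look for them in this repository or set `cache-dependency-path` explicitly on both steps.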
.github/workflows/load-test.yml (1)

24-26: ⚠️ Potential issue | 🟠 Major

Pin the remaining third-party action.

grafana/setup-k6-action@v1 is still tag-based, so this workflow has a mutable dependency even though the other Actions are pinned to commit SHAs. Replace it with a commit SHA (check https://github.com/grafana/setup-k6-action/releases for the latest v1.x release SHA).

Suggested fix
      - name: Setup k6
-       uses: grafana/setup-k6-action@v1
+       uses: grafana/setup-k6-action@<commit-sha>
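Review bot: `<commit-sha>` in the `+` line is a placeholder that will fail to resolve if it is committed as written; take the SHA from the release tag's commit (the peeled `^{}` entry in `git ls-remote --tags https://github.com/grafana/setup-k6-action`, not the tag object's SHA), and append `# v1.x.y` as a trailing comment so the pin stays auditable, matching the `# v4.1.1` style used for actions/checkout in this PR.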
.github/workflows/secret-scanning.yml (1)

19-26: ⚠️ Potential issue | 🟠 Major

Pin trufflehog to a commit SHA.

trufflesecurity/trufflehog@main is mutable and this security-scanning workflow can change behavior without review. Pin it to an immutable commit like actions/checkout on line 15.

.github/workflows/dependabot-auto-merge.yml (1)

27-31: ⚠️ Potential issue | 🟠 Major

Pin dependabot/fetch-metadata to a commit SHA.

This workflow pins other GitHub Actions to commit SHAs (e.g., actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11, actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020), but dependabot/fetch-metadata@v2 uses a mutable major version tag at lines 29, 117, and 143. Convert all three references to commit SHAs for consistency and security.

.github/workflows/pre-commit.yml (1)

22-26: ⚠️ Potential issue | 🟠 Major

Pin pre-commit/action to a commit SHA.

actions/checkout, actions/setup-python, and actions/upload-artifact are pinned to commit SHAs, but pre-commit/action@v3.0.1 uses a tag reference. For consistency and to prevent supply chain attacks, pin it to the commit SHA: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/security-guard.yml (1)

22-25: ⚠️ Potential issue | 🟠 Major

Pin pre-commit/action to a SHA.

The actions/checkout action is pinned to a commit hash while pre-commit/action@v3.0.1 uses a tag-based reference. For a security-focused workflow, this inconsistency leaves a mutable third-party action reference that could be reassigned or compromised. Pin it to a specific commit hash to match the immutability standard.

.github/workflows/chaos-tests.yml (1)

82-87: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Merge the duplicated with blocks.

The second with: replaces the first one here, so cache: 'pip' is lost. That removes pip caching and needlessly slows this job down.

♻️ Proposed fix
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
-          cache: 'pip'
-        with:
           python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
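Review bot: the merged mapping is correct, but the premise conflicts with the release.yml comment above, which describes the identical duplicate `with:` shape as invalid YAML that fails before the job starts; both cannot be true for the same parser, so treat every occurrence as a parse error rather than a lost cache, and confirm with actionlint or `yamllint` (its default `key-duplicates` rule) instead of reading the outcome off a job log.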
.github/workflows/architecture.yml (1)

20-25: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Merge the duplicated with blocks.

The second with: replaces the first one here, so cache: 'pip' is never applied. That drops pip caching and slows this workflow down unnecessarily.

♻️ Proposed fix
       - name: Set up Python
         uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
-          cache: 'pip'
-        with:
           python-version: "3.12"
+          cache: 'pip'
.github/workflows/docs-deploy.yml (1)

48-66: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't gate manual dispatch on the last commit diff.

A workflow_dispatch run can still hit run=false here, which skips generate-openapi and prevents both deploy jobs from running when the last commit didn't touch backend/ or frontend/apps/docs/.

Suggested fix
       - name: Check docs app scope
         id: scope
         shell: bash
         run: |
           set -euo pipefail
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "run=true" >> "$GITHUB_OUTPUT"
+            echo "generated=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
             base="${{ github.event.pull_request.base.sha }}"
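Review bot: the added `if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]` branch is safe because `github.event_name` is a fixed GitHub-chosen string, but this step expands expressions directly inside a bash script (see `base="${{ github.event.pull_request.base.sha }}"` in the context line); keep that limited to values GitHub controls, such as event names and SHAs, and pass anything derived from PR titles, branch names or bodies through `env:` so it is never expanded into the script text.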
@@
       - name: Check if spec changed
         id: check-spec
-        if: steps.scope.outputs.run == 'true'
+        if: steps.scope.outputs.run == 'true' && github.event_name != 'workflow_dispatch'
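Review bot: skipping `check-spec` on `workflow_dispatch` means every later `steps.check-spec.outputs.*` reference in this job evaluates to an empty string; the hunk does not show those consumers, and the comment notes the same logic repeats at lines 106-114, so verify that the deploy condition treats an empty output as "deploy" rather than "skip", or set the same outputs from the short-circuit branch instead of skipping the step.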

Also applies to: 106-114

♻️ Duplicate comments (2)
.github/workflows/fr-coverage.yml (1)

1-8: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a minimal permissions block.

GitHub recommends constraining GITHUB_TOKEN with explicit permissions; contents: read is enough for this checkout-and-echo workflow. (docs.github.com)

Suggested fix
 name: FR Coverage
+permissions:
+  contents: read
 on: [pull_request]
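Review bot: a top-level `permissions:` block applies `contents: read` to every job in the workflow, which is what is wanted here; if a job later needs to comment on the PR or write a check, grant `pull-requests: write` (or similar) on that job only rather than widening this top-level block. For a checkout-and-echo workflow the read-only token also limits what a compromised third-party action running in it could do with `GITHUB_TOKEN`.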
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/fr-coverage.yml around lines 1 - 8, The workflow "FR
Coverage" (job name "coverage") is missing an explicit permissions block for
GITHUB_TOKEN; add a top-level permissions: contents: read entry under the
workflow to restrict token scope (e.g., add a permissions section with contents:
read so the checkout step has minimal necessary access).
.github/workflows/doc-links.yml (1)

1-8: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a minimal permissions block.

GitHub recommends constraining GITHUB_TOKEN with explicit permissions; contents: read is enough for this checkout-and-echo workflow. (docs.github.com)

Suggested fix
 name: Doc Links
+permissions:
+  contents: read
 on: [push, pull_request]
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/doc-links.yml around lines 1 - 8, Add a minimal
permissions block to the workflow to constrain GITHUB_TOKEN access: update the
workflow (the "Doc Links" workflow and the "links" job) to include a top-level
permissions section with contents: read so the checkout step only needs read
access; ensure the permissions stanza is added at the same level as name/on/jobs
so GitHub will apply it to the job.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 99-101: Replace the unsupported negated directories entry (e.g.,
"- \"/\"; - \"!/ARCHIVE/**\"") in the pip and github-actions dependabot blocks
with the documented keys: set directory: "/" and add exclude-paths:
["ARCHIVE/**"]; locate the pip block and the github-actions block in the
Dependabot config (search for the pip package-ecosystem and github-actions
package-ecosystem blocks) and remove the negated directories list, then add
directory: "/" plus exclude-paths: ["ARCHIVE/**"] so Dependabot uses the
supported exclusion mechanism.

In @.github/workflows/benchmarks.yml:
- Around line 17-18: The workflow pins incorrect commit SHAs to the wrong action
repos; update the pinned refs so each action uses a SHA that belongs to its
repository (or replace the SHA with the official stable tag). Specifically, for
the actions/setup-go step (currently using SHA 330a01c...) replace that ref with
the correct actions/setup-go commit SHA for the desired version or use the
official tag (e.g., actions/setup-go@v4), and for the actions/upload-artifact
step (currently using SHA 6f8efc2...) replace that ref with the correct
actions/upload-artifact commit SHA or use its official tag (e.g.,
actions/upload-artifact@v5); ensure the refs you choose match the repository
names (actions/setup-go, actions/upload-artifact) so GitHub can fetch the
correct commits.

In @.github/workflows/ci.yml:
- Around line 6-20: The workflow's path filters omit the repository root
Dockerfile so changes to that file won't trigger CI for the docker-build job;
update the .github/workflows/ci.yml configuration to add "Dockerfile" to both
push.paths and pull_request.paths (the same change should be applied to the
other identical block referenced at lines 24-37) so the docker-build job (named
docker-build) runs when the root Dockerfile is modified.
- Line 22: Update the branches entry in the GitHub Actions workflow to remove
the extra spaces inside the bracketed list: replace the current value "[ main,
develop ]" under the branches key with "[main, develop]" so it conforms to
YAMLlint/style rules and clears the lint failure.
- Around line 96-97: Several workflow steps pin
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02 and
actions/setup-go@330a01c490aca151604b8cf639adc76d48f6c5d4 to incorrect SHAs
(they point to upload-artifact commits); locate every occurrence of the action
identifiers actions/setup-python@... and actions/setup-go@... (e.g., the uses
entries shown) and replace those pinned SHAs with the correct commit SHAs for
actions/setup-python and actions/setup-go respectively (update all instances
mentioned: around lines 96–97, 155–156, 287–288, 333–334, 409–410, 916–917,
926–927, 934–935 and any other matches) so the workflow references the proper
action commits. Ensure the format remains uses:
actions/setup-python@<correct-sha> and uses: actions/setup-go@<correct-sha>.

In @.github/workflows/contracts.yml:
- Around line 6-18: The workflow's paths filter omits proto sources so contract
checks can be skipped; update the two trigger blocks' paths arrays in
contracts.yml by adding the missing pattern 'proto/**' alongside existing
entries (e.g., the current 'paths:' lists that include 'backend/**',
'frontend/**', 'contracts/**', etc.) so Buf/OpenAPI generation runs when proto
files change; ensure you add 'proto/**' to both trigger blocks referenced in the
file.
- Around line 43-44: The workflow is using invalid/mismatched commit SHAs for
actions: replace the incorrect SHA on the uses line referencing actions/setup-go
(currently "actions/setup-go@330a01c490...") with a valid tag or commit SHA from
the actions/setup-go repository (e.g., a released tag like "v0.4.0" or the
correct commit), and likewise correct the uses entry that mistakenly applies the
actions/upload-artifact SHA to actions/setup-python (replace
"actions/setup-python@ea165f8d..." with a valid actions/setup-python tag or SHA
such as "v4" or a correct commit); ensure each uses value points to the matching
repository (actions/setup-go, actions/setup-python, actions/upload-artifact) and
use official version tags where possible to avoid future breakage.

In @.github/workflows/deployment-rollback.yml:
- Line 69: The workflow references an invalid pinned commit for the action
string "uses: actions/github-script@0057852bfaa89a56745cba8c7296529d2fc39830"
(appears in three places); replace each occurrence with a valid ref from the
actions/github-script repository (e.g., a released tag like
"actions/github-script@v6" or a real commit SHA from that repo) so the action
resolves correctly during workflow runs. Ensure all three instances of the exact
bad ref are updated to the same valid ref.

In @.github/workflows/docs-deploy.yml:
- Around line 223-225: The workflow step "Comment PR with Preview URL" uses an
invalid commit SHA for actions/github-script (uses:
actions/github-script@0057852bf...), causing runtime failure; update the uses
reference in that step to a valid ref from the actions/github-script repository
(for example a maintained tag like v6 or a real commit SHA from that repo) so
the action resolves correctly—locate the uses line in the "Comment PR with
Preview URL" step and replace the bad SHA with a valid tag or commit.

In @.github/workflows/go-tests.yml:
- Around line 36-37: Multiple job steps pin incorrect SHAs to the wrong actions
(e.g., uses: actions/setup-go@330a01c490... and uses:
actions/upload-artifact@6f8efc29...), causing runtime resolution failures;
update every mismatched "uses: actions/setup-go@...", "uses:
actions/upload-artifact@...", and "uses: actions/cache@..." occurrence to their
correct, corresponding commit SHAs (fetch the canonical SHA from each action's
GitHub repo/tags) so each action reference matches its own repo; ensure you
replace all listed occurrences of those action strings in the workflow.

In @.github/workflows/openapi-docs.yml:
- Around line 33-34: The workflow pins three GitHub Actions to incorrect
repository SHAs causing wrong actions to run; update the action references so
each uses the correct repo and tag/commit: replace
actions/setup-go@330a01c490... with the correct setup-go release (e.g.,
actions/setup-go@v4 or the proper setup-go commit SHA), replace both
actions/upload-artifact@6f8efc29... occurrences with the correct upload-artifact
release (e.g., actions/upload-artifact@v3 or its correct commit SHA), and
replace actions/github-script@0057852b... with the correct github-script release
(e.g., actions/github-script@v6 or its correct commit SHA); ensure you verify
each SHA belongs to the matching repository before committing.

In @.github/workflows/performance-regression.yml:
- Around line 119-124: The GitHub Actions steps named "Set up Python" use the
actions/setup-python action but have duplicated consecutive "with:" mappings
(e.g., the block containing uses:
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02 and the "Set up
Python" step name); merge each duplicated "with" into a single "with:" mapping
that contains both keys (cache and python-version) for all three occurrences
referenced (the ones around the uses: actions/setup-python entries), ensuring
valid YAML by removing the repeated "with" lines and combining their inner keys
into one mapping.

In @.github/workflows/quality.yml:
- Around line 24-29: The workflow step named "Set up Python" declares two
separate with: mappings which makes the YAML invalid; merge them into a single
with: mapping for the "Set up Python" step (the uses:
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02 block) so that
cache: 'pip' and python-version: ${{ matrix.python-version }} live under the
same with: key, removing the duplicate with: entry and keeping both options
together.
- Around line 19-22: Update the "Install UV" step to pin the action to a
specific commit SHA instead of the tag astral-sh/setup-uv@v2 (replace that ref
with a full commit SHA) and remove the duplicate YAML key in the "Set up Python"
step by merging both sets of inputs under a single with: block so there is only
one with: for the "Set up Python" step; target the "Install UV" step identifier
and the "Set up Python" step in the workflow when making these changes.

In @.github/workflows/release.yml:
- Around line 18-21: The "Set up Python" step has duplicate with: blocks so the
cache: 'pip' value is lost—merge them into a single with: mapping that includes
both python-version and cache: 'pip' (locate the step titled "Set up Python" and
update its with: to contain both keys); also pin third-party actions currently
referenced as astral-sh/setup-uv@v2 (step "Install UV") and
softprops/action-gh-release@v1 to their immutable commit SHAs (replace the tag
refs with the corresponding commit SHA strings for those actions).

In @.github/workflows/tests.yml:
- Around line 57-63: The "Set up Python" step contains duplicate with mappings
causing invalid YAML; merge the two with blocks into a single with block for the
step named "Set up Python" (the step that uses
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02) so the with block
includes both cache: 'pip' and python-version: ${{ matrix.python-version }};
apply the same single-with-block fix to the equivalent "Set up Python" step in
the test-parallel job so both jobs use one consolidated with mapping.

In `@claude.md`:
- Around line 28-46: The markdown fenced block in claude.md (the directory tree
block beginning at the fenced code block around Line 28) is missing a language
tag (MD040); update that fenced code block to include the language identifier
"text" (i.e., change the opening ``` to ```text) so the directory tree is
properly tagged, then save the file and run your markdown linter to verify MD040
is resolved.
- Around line 50-71: The Markdown headings "Python setup", "Frontend", and
"Quality gates" and their adjacent fenced code blocks are missing required blank
lines (MD022/MD031); fix by adding a blank line before each subheading and a
blank line both before and after each ```bash fenced block around the commands
so the headings and fences are separated correctly (look for the "Python setup",
"Frontend", "Quality gates" headings and the ```bash code fences to apply the
spacing).
- Around line 83-84: The two hardcoded paths in the "Parent governance" and
"Global governance" lines leak a local username and are non-portable; update
those entries (the lines containing "Parent governance" and "Global governance")
to use portable references such as a repo-relative path for parent governance
(e.g., "./CLAUDE.md" or "docs/CLAUDE.md") and a generic home-relative path for
global governance (e.g., "~/.claude/CLAUDE.md"), replacing the absolute
"/Users/kooshapari/..." strings so no local user identifier is exposed.

In `@LICENSE`:
- Line 3: Replace the single-person copyright line ("Copyright (c) 2026 Koosha
Pari") with a contributor-entity and year-range statement to avoid ambiguity;
update the LICENSE file's copyright header to a format like "Copyright (c)
2021-2026 The Project Contributors" or "Copyright (c) 2021-2026
<Organization/Entity Name> and contributors" so it covers multiple contributors
and the appropriate year range, and ensure the chosen entity name matches your
project's CONTRIBUTING or AUTHORS guidance.

---

Outside diff comments:
In @.github/workflows/architecture.yml:
- Around line 20-25: The "Set up Python" step uses two separate with: blocks so
the second one overrides the first and cache: 'pip' is lost; merge the
duplicated with blocks for the actions/setup-python@... step by keeping both
keys (cache: 'pip' and python-version: "3.12") in a single with: mapping for
that step (refer to the step name "Set up Python" and the uses action
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02) so pip caching is
applied and python-version remains set.

In @.github/workflows/chaos-tests.yml:
- Around line 82-87: The actions/setup-python step has two duplicated with:
blocks so the second one overwrites the first and drops cache: 'pip'; fix the
step (named "Set up Python ${{ env.PYTHON_VERSION }}") by merging the two with:
blocks into a single with: containing both cache: 'pip' and python-version: ${{
env.PYTHON_VERSION }} so pip caching is preserved.

In @.github/workflows/dependabot-auto-merge.yml:
- Around line 27-31: The workflow uses the mutable tag
dependabot/fetch-metadata@v2 in multiple places; replace every usage of
dependabot/fetch-metadata@v2 with a fixed commit SHA (the full 40-character
commit from the dependabot/fetch-metadata repo) so the action is pinned; update
all three occurrences where dependabot/fetch-metadata@v2 appears (ensure you
replace each occurrence consistently) and commit the changed workflow file.

In @.github/workflows/docs-deploy.yml:
- Around line 48-66: The "Check docs app scope" step currently sets run=false
when the last commit doesn't touch backend/ or frontend/apps/docs/, which
incorrectly blocks workflow_dispatch runs; update the shell logic in that step
(and the duplicate step around lines 106-114) to detect if github.event_name ==
"workflow_dispatch" and in that case force echo "run=true" (and leave generated
as appropriate) so manual dispatches always proceed to generate-openapi and the
deploy jobs even if the last commit diff doesn't include those paths; adjust the
conditional branch that computes base/changed to short-circuit for
workflow_dispatch and set the GITHUB_OUTPUT run flag accordingly.

In @.github/workflows/load-test.yml:
- Around line 24-26: The workflow uses a tag-based Action "uses:
grafana/setup-k6-action@v1" which is mutable; replace that with the
corresponding commit SHA for the v1.x release (e.g., "uses:
grafana/setup-k6-action@<COMMIT_SHA>") so the workflow is pinned; locate the
line containing uses: grafana/setup-k6-action@v1 in
.github/workflows/load-test.yml and update it to the stable commit SHA from the
grafana/setup-k6-action releases page.

In @.github/workflows/pre-commit.yml:
- Around line 22-26: Replace the tagged reference for the pre-commit action with
the pinned commit SHA: in the workflow step that currently uses
"pre-commit/action@v3.0.1" (the "Run pre-commit" step), change the uses value to
"pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd" so the action is
pinned to the specified commit SHA while keeping the existing with: extra_args:
--all-files configuration.

In @.github/workflows/release.yml:
- Around line 23-28: The "Set up Python" GitHub Actions step named "Set up
Python" contains duplicate with: mappings which makes the workflow invalid; open
the step (look for the step name "Set up Python") and merge the two with: blocks
into a single with: mapping that includes both cache: 'pip' and python-version:
"3.12" so the step has one with: section containing both keys.

In @.github/workflows/secret-scanning.yml:
- Around line 19-26: The workflow step "Run secret scanning" currently uses the
mutable ref trufflesecurity/trufflehog@main; replace that with an immutable
pinned commit SHA (e.g., trufflesecurity/trufflehog@<commit-sha>) so the
action's behavior is locked to a known commit, updating the uses field for the
trufflesecurity/trufflehog action accordingly; copy the stable commit SHA from
the trufflehog repo release or a verified commit and use that SHA instead of
"main".

In @.github/workflows/security-guard.yml:
- Around line 22-25: The workflow uses the mutable tag pre-commit/action@v3.0.1;
replace that tag with a fixed commit SHA for pre-commit/action (e.g.,
pre-commit/action@<commit-sha>) to ensure immutability. Locate the step using
the action name "pre-commit/action@v3.0.1" in the workflow and update the uses
field to the specific commit hash from the pre-commit/action GitHub repo (you
can obtain the exact SHA from the repo's commit history or the action release
commit) so the workflow pins the action to a known immutable revision.

In @.github/workflows/test-pyramid.yml:
- Around line 28-40: The workflow has duplicate with: mappings for the setup
actions which makes the YAML invalid; for both the actions/setup-node and
actions/setup-python steps (look for the step names "Set up Node.js" and "Set up
Python"), merge the two with: blocks into a single with: mapping that includes
both keys (e.g., cache and node-version for setup-node, cache and python-version
for setup-python) so each action has one with: mapping containing all required
fields.

---

Duplicate comments:
In @.github/workflows/doc-links.yml:
- Around line 1-8: Add a minimal permissions block to the workflow to constrain
GITHUB_TOKEN access: update the workflow (the "Doc Links" workflow and the
"links" job) to include a top-level permissions section with contents: read so
the checkout step only needs read access; ensure the permissions stanza is added
at the same level as name/on/jobs so GitHub will apply it to the job.

In @.github/workflows/fr-coverage.yml:
- Around line 1-8: The workflow "FR Coverage" (job name "coverage") is missing
an explicit permissions block for GITHUB_TOKEN; add a top-level permissions:
contents: read entry under the workflow to restrict token scope (e.g., add a
permissions section with contents: read so the checkout step has minimal
necessary access).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: af924aec-3d1e-4512-9646-f8ec4b61a895

📥 Commits

Reviewing files that changed from the base of the PR and between 3386b6d and 8a22fc7.

⛔ Files ignored due to path filters (19)
  • data/backup/tracertm_backup_20260119_184645.json.gz is excluded by !**/*.gz
  • data/backup/tracertm_backup_20260119_184655.json.gz is excluded by !**/*.gz
  • data/backup/tracertm_backup_20260122_192757.json.gz is excluded by !**/*.gz
  • data/backup/tracertm_backup_20260122_192758.json.gz is excluded by !**/*.gz
  • data/backup/tracertm_backup_20260122_192820.json.gz is excluded by !**/*.gz
  • data/backup/tracertm_backup_20260127_010623.json.gz is excluded by !**/*.gz
  • data/backup/tracertm_backup_20260127_010711.json.gz is excluded by !**/*.gz
  • src/tracertm/cli/__pycache__/__init__.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/__init__.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/chaos.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/export.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/history.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/ingest.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/migrate.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/progress.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/search.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/state.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/tui.cpython-313.pyc is excluded by !**/*.pyc
  • src/tracertm/cli/commands/__pycache__/watch.cpython-313.pyc is excluded by !**/*.pyc
📒 Files selected for processing (120)
  • .github/dependabot.yml
  • .github/workflows/alert-sync-issues.yml
  • .github/workflows/architecture.yml
  • .github/workflows/benchmarks.yml
  • .github/workflows/canary-deploy.yml
  • .github/workflows/chaos-tests.yml
  • .github/workflows/chromatic.yml
  • .github/workflows/ci-cd.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/contract-tests.yml
  • .github/workflows/contracts.yml
  • .github/workflows/dependabot-auto-merge.yml
  • .github/workflows/deployment-rollback.yml
  • .github/workflows/doc-links.yml
  • .github/workflows/docs-deploy.yml
  • .github/workflows/docs-performance.yml
  • .github/workflows/fr-coverage.yml
  • .github/workflows/go-tests.yml
  • .github/workflows/load-test.yml
  • .github/workflows/naming-guard.yml
  • .github/workflows/openapi-docs.yml
  • .github/workflows/performance-regression.yml
  • .github/workflows/policy-gate.yml
  • .github/workflows/pre-commit.yml
  • .github/workflows/qa-governance.yml
  • .github/workflows/quality-gate.yml
  • .github/workflows/quality.yml
  • .github/workflows/release.yml
  • .github/workflows/schema-validation.yml
  • .github/workflows/secret-scanning.yml
  • .github/workflows/security-guard-hook-audit.yml
  • .github/workflows/security-guard.yml
  • .github/workflows/security-scans.yml
  • .github/workflows/test-pyramid.yml
  • .github/workflows/test-validation.yml
  • .github/workflows/test.yml
  • .github/workflows/tests.yml
  • .github/workflows/vitepress-pages.yml
  • DEPENDABOT_VULNERABILITY_WORKLOG.md
  • LICENSE
  • README.md
  • claude.md
  • docs/01-getting-started/README.md
  • docs/05-research/rtm-deep-dives/README.md
  • docs/05-research/trace-research/README.md
  • docs/07-reports/archive/README.md
  • docs/07-reports/archive/STATUS_DASHBOARD.md
  • docs/archive/test-docs/CLI_ITEM_TESTS_SUMMARY.md
  • docs/archive/test-docs/COMPREHENSIVE_TEST_COVERAGE_PLAN.md
  • docs/archive/test-docs/COMPREHENSIVE_TEST_PLAN.md
  • docs/archive/test-docs/FINAL_TEST_COVERAGE_REPORT_2025.md
  • docs/archive/test-docs/IMPORT_CMD_TEST_COMPLETION.md
  • docs/archive/test-docs/INDEX.md
  • docs/archive/test-docs/LINK_CLI_TEST_COVERAGE_REPORT.md
  • docs/archive/test-docs/MASTER_TEST_EXECUTION_CHECKLIST.md
  • docs/archive/test-docs/PHASE_2A_STORAGE_TESTS_COMPLETION.md
  • docs/archive/test-docs/PHASE_2B_API_TESTS_COMPLETION.md
  • docs/archive/test-docs/PHASE_2_TEST_IMPLEMENTATION_REPORT.md
  • docs/archive/test-docs/PHASE_3B_HOOKS_UTILITIES_TESTS_SUMMARY.md
  • docs/archive/test-docs/PHASE_3C_PAGE_TESTS_REPORT.md
  • docs/archive/test-docs/PHASE_3_TEST_FILES_INDEX.md
  • docs/archive/test-docs/PROJECT_CLI_TEST_SUITE_SUMMARY.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_DELIVERABLES.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_EXECUTIVE_SUMMARY.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_INITIATIVE_COMPLETE.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_INITIATIVE_FINAL_REPORT.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_INITIATIVE_FINAL_SUMMARY.md
  • docs/archive/test-docs/README_TEST_COVERAGE_INITIATIVE.md
  • docs/archive/test-docs/SECURITY_TESTING_SUMMARY.md
  • docs/archive/test-docs/SYNC_COMMAND_TEST_SUITE_SUMMARY.md
  • docs/archive/test-docs/TESTING_IMPLEMENTATION_PLAN.md
  • docs/archive/test-docs/TESTING_REPORT.md
  • docs/archive/test-docs/TESTING_STRATEGY_2025.md
  • docs/archive/test-docs/TESTING_SUMMARY.md
  • docs/archive/test-docs/TEST_CLI_IMPLEMENTATION_SUMMARY.md
  • docs/archive/test-docs/TEST_COVERAGE_ANALYSIS.md
  • docs/archive/test-docs/TEST_COVERAGE_AUDIT_2025.md
  • docs/archive/test-docs/TEST_COVERAGE_IMPROVEMENTS_2025.md
  • docs/archive/test-docs/TEST_FAILURE_ANALYSIS.md
  • docs/archive/test-docs/TEST_FIXES_SUMMARY.md
  • docs/archive/test-docs/TEST_IMPORT_COMPREHENSIVE_SUMMARY.md
  • docs/archive/test-docs/TEST_IMPORT_STRUCTURE.md
  • docs/archive/test-docs/TEST_INFRASTRUCTURE_COMPLETION.md
  • docs/archive/test-docs/TUI_COMPREHENSIVE_TEST_SUITE_SUMMARY.md
  • docs/archive/test-docs/TUI_TESTING_QUICK_REFERENCE.md
  • docs/archive/test-docs/UNIFIED_COMPLETE_PLAN_WITH_TESTING.md
  • docs/archive/test-docs/UNIFIED_TEST_CLI_COMPLETE_SUMMARY.md
  • docs/archive/test-docs/UNIFIED_TEST_CLI_PLAN.md
  • docs/archive/test-docs/UNIFIED_TEST_CLI_PLAN_COMPLETE.md
  • docs/sessions/20260429-tracera-sladge-badge/00_SESSION_OVERVIEW.md
  • docs/sessions/20260429-tracera-sladge-badge/01_RESEARCH.md
  • docs/sessions/20260429-tracera-sladge-badge/02_SPECIFICATIONS.md
  • docs/sessions/20260429-tracera-sladge-badge/03_DAG_WBS.md
  • docs/sessions/20260429-tracera-sladge-badge/04_IMPLEMENTATION_STRATEGY.md
  • docs/sessions/20260429-tracera-sladge-badge/05_KNOWN_ISSUES.md
  • docs/sessions/20260429-tracera-sladge-badge/06_TESTING_STRATEGY.md
  • docs/worklogs/ARCHITECTURE.md
  • docs/worklogs/GOVERNANCE.md
  • docs/worklogs/README.md
  • docs/worklogs/RESEARCH.md
  • frontend/apps/docs/README.md
  • src/tracertm/cli/__init__.py
  • src/tracertm/cli/commands/__init__.py
  • src/tracertm/cli/commands/chaos.py
  • src/tracertm/cli/commands/export.py
  • src/tracertm/cli/commands/history.py
  • src/tracertm/cli/commands/ingest.py
  • src/tracertm/cli/commands/migrate.py
  • src/tracertm/cli/commands/progress.py
  • src/tracertm/cli/commands/search.py
  • src/tracertm/cli/commands/state.py
  • src/tracertm/cli/commands/tui.py
  • src/tracertm/cli/commands/watch.py
  • tests/test_smoke.py
  • worklog.md
  • worklogs/ARCHITECTURE.md
  • worklogs/GOVERNANCE.md
  • worklogs/README.md
  • worklogs/RESEARCH.md
💤 Files with no reviewable changes (40)
  • docs/archive/test-docs/PHASE_3_TEST_FILES_INDEX.md
  • docs/archive/test-docs/TESTING_REPORT.md
  • docs/archive/test-docs/TEST_FAILURE_ANALYSIS.md
  • docs/archive/test-docs/LINK_CLI_TEST_COVERAGE_REPORT.md
  • docs/archive/test-docs/CLI_ITEM_TESTS_SUMMARY.md
  • docs/archive/test-docs/README_TEST_COVERAGE_INITIATIVE.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_INITIATIVE_FINAL_SUMMARY.md
  • docs/archive/test-docs/TUI_COMPREHENSIVE_TEST_SUITE_SUMMARY.md
  • docs/archive/test-docs/SECURITY_TESTING_SUMMARY.md
  • docs/archive/test-docs/PHASE_2A_STORAGE_TESTS_COMPLETION.md
  • docs/archive/test-docs/TESTING_SUMMARY.md
  • docs/archive/test-docs/UNIFIED_TEST_CLI_COMPLETE_SUMMARY.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_EXECUTIVE_SUMMARY.md
  • docs/archive/test-docs/INDEX.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_INITIATIVE_FINAL_REPORT.md
  • docs/archive/test-docs/IMPORT_CMD_TEST_COMPLETION.md
  • docs/archive/test-docs/TEST_COVERAGE_ANALYSIS.md
  • docs/archive/test-docs/MASTER_TEST_EXECUTION_CHECKLIST.md
  • docs/archive/test-docs/COMPREHENSIVE_TEST_COVERAGE_PLAN.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_INITIATIVE_COMPLETE.md
  • docs/archive/test-docs/TESTING_STRATEGY_2025.md
  • docs/archive/test-docs/PHASE_2B_API_TESTS_COMPLETION.md
  • docs/archive/test-docs/TEST_FIXES_SUMMARY.md
  • docs/archive/test-docs/TEST_INFRASTRUCTURE_COMPLETION.md
  • docs/archive/test-docs/PROJECT_CLI_TEST_SUITE_SUMMARY.md
  • docs/archive/test-docs/TUI_TESTING_QUICK_REFERENCE.md
  • docs/archive/test-docs/SYNC_COMMAND_TEST_SUITE_SUMMARY.md
  • docs/archive/test-docs/TEST_COVERAGE_IMPROVEMENTS_2025.md
  • docs/archive/test-docs/PYTHON_TEST_COVERAGE_DELIVERABLES.md
  • docs/archive/test-docs/TEST_IMPORT_STRUCTURE.md
  • docs/archive/test-docs/COMPREHENSIVE_TEST_PLAN.md
  • docs/archive/test-docs/UNIFIED_COMPLETE_PLAN_WITH_TESTING.md
  • docs/archive/test-docs/PHASE_3B_HOOKS_UTILITIES_TESTS_SUMMARY.md
  • docs/archive/test-docs/TEST_CLI_IMPLEMENTATION_SUMMARY.md
  • docs/archive/test-docs/FINAL_TEST_COVERAGE_REPORT_2025.md
  • docs/archive/test-docs/TEST_IMPORT_COMPREHENSIVE_SUMMARY.md
  • docs/archive/test-docs/PHASE_3C_PAGE_TESTS_REPORT.md
  • docs/archive/test-docs/TEST_COVERAGE_AUDIT_2025.md
  • docs/archive/test-docs/TESTING_IMPLEMENTATION_PLAN.md
  • docs/archive/test-docs/PHASE_2_TEST_IMPLEMENTATION_REPORT.md

Comment thread .github/dependabot.yml
Comment on lines +99 to +101
directories:
- "/"
- "!/ARCHIVE/**"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/dependabot.yml

Repository: KooshaPari/Tracera

Length of output: 9397


🌐 Web query:

Dependabot directories exclude-paths configuration options github yml

💡 Result:

The exclude-paths option in Dependabot's dependabot.yml configuration allows you to specify directories and files to ignore when scanning for manifests and dependencies. It uses glob patterns relative to the directory specified in the update configuration. Key details:

- Purpose: Prevents Dependabot from creating update PRs for dependencies in test assets, vendored code, examples, or other non-production locations.
- Location: Under each package-ecosystem entry in the updates section.
- Default behavior: Scans all files in the specified directory unless excluded.
- Syntax: List of glob patterns, e.g.:

    version: 2
    updates:
      - package-ecosystem: "npm"
        directory: "/"
        schedule:
          interval: "daily"
        exclude-paths:
          - "src/test/assets"
          - "vendor/"
          - "src/**/*.js"
          - "src/test/helper.js"

- Supported glob patterns: `**` (recursive), `*` (single segment), e.g., `test/**`, `**/*.md`, `*.lock`.
- Scope: Applies per ecosystem; patterns relative to directory. Does not affect security updates (as of 2026).
- Related: Use with directory or directories (which supports globs). Complements ignore for dependency names/versions.

This feature reached general availability in August 2025.



Replace the negated directories entries with exclude-paths.

The negated directory syntax !/ARCHIVE/** is not supported in Dependabot's documented schema. The proper mechanism for excluding paths is exclude-paths with positive glob patterns. Update both the pip (lines 99-101) and github-actions (lines 249-251) blocks to use directory: "/" with exclude-paths: ["ARCHIVE/**"].

♻️ Proposed fix
-  - package-ecosystem: "pip"
-    directories:
-      - "/"
-      - "!/ARCHIVE/**"
+  - package-ecosystem: "pip"
+    directory: "/"
+    exclude-paths:
+      - "ARCHIVE/**"
-  - package-ecosystem: "github-actions"
-    directories:
-      - "/"
-      - "!/ARCHIVE/**"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    exclude-paths:
+      - "ARCHIVE/**"
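Review bot: this hunk only changes how version updates are scoped; per the web-query result quoted above, exclude-paths does not affect Dependabot security updates, so manifests under ARCHIVE/** can still receive security-update PRs after this fix, and anyone relying on the exclusion to silence the archive entirely should know that. Also note the hunk swaps the plural `directories:` for the singular `directory:`; both keys are accepted (the quoted result says exclude-paths is used "with directory or directories"), so blocks elsewhere in the file that keep `directories:` remain valid, but the two forms should not be mixed within one block.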
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 99 - 101, Replace the unsupported
negated directories entry (e.g., "- \"/\"; - \"!/ARCHIVE/**\"") in the pip and
github-actions dependabot blocks with the documented keys: set directory: "/"
and add exclude-paths: ["ARCHIVE/**"]; locate the pip block and the
github-actions block in the Dependabot config (search for the pip
package-ecosystem and github-actions package-ecosystem blocks) and remove the
negated directories list, then add directory: "/" plus exclude-paths:
["ARCHIVE/**"] so Dependabot uses the supported exclusion mechanism.

Comment on lines +17 to 18
- uses: actions/setup-go@330a01c490aca151604b8cf639adc76d48f6c5d4
with:

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/benchmarks.yml

🌐 Web query:

setup-go 330a01c490aca151604b8cf639adc76d48f6c5d4 GitHub

💡 Result:

The GitHub repo for setup-go is actions/setup-go (GitHub Actions action “actions/setup-go”, used to set up a Go toolchain in CI). Your specific identifier “330a01c490aca151604b8cf639adc76d48f6c5d4” does not resolve to a commit in the canonical actions/setup-go repository in the public web results I found. The hash may instead refer to some other repo/fork, or to a truncated/non-matching value used in another system log. Authoritative references for the action itself (usage + behavior): - https://github.com/actions/setup-go - https://github.com/actions/setup-go/blob/main/action.yml If you want, paste the exact URL where you saw that 330a… hash (or the file/log snippet around it), and I can trace it to the exact commit/repo or explain what it refers to.

🌐 Web query:

upload-artifact 6f8efc29b200d32929f49075959781ed54ec270c GitHub

💡 Result:

The string "6f8efc29b200d32929f49075959781ed54ec270c" is the Git commit SHA (short or full ref) for version v3.5.0 of the GitHub Actions "actions/cache" action. It is used in GitHub Actions workflows pinned to a specific commit for reproducibility and security, e.g., uses: actions/cache@6f8efc2. This version is deprecated and runs on Node.js 20, which is scheduled for deprecation (warnings appear in workflows using it as of 2026). Users are advised to upgrade to v5.0.4 or later, which supports Node.js 24. The query mentions "upload-artifact" but matches this cache action ref, commonly used alongside upload-artifact in workflows.

🌐 Web query:

actions/setup-go latest SHA commit v5

💡 Result:

The latest actions/setup-go v5 is v5.5.0 (released 2025-05-08). However, the sources found in this research do not explicitly provide the full 40-character commit SHA that corresponds to the v5.5.0 tag. What you can use instead: - Use the tag itself in workflows: uses: actions/setup-go@v5 (or @v5.5.0 for a fixed version). - To get the exact SHA for the v5.5.0 tag at runtime, you can resolve the tag in GitHub/Git locally (example): git ls-remote https://github.com/actions/setup-go.git refs/tags/v5.5.0 Evidence: the GitHub release page shows v5.5.0 as a v5 release, and the repository indicates the latest release is v6.4.0 (2026-03-30); but tag-to-SHA mapping was not surfaced in the captured snippets.

🌐 Web query:

actions/upload-artifact latest SHA v4

💡 Result:

The latest SHA for actions/upload-artifact@v4 (the v4 branch) is not explicitly stated in search results, but the v4 branch exists and points to the latest commit on that maintenance branch for v4.x releases. The most recent v4.x release mentioned is v4.6.0 from January 2025 (https://github.com/actions/upload-artifact/releases/tag/v4.6.0). When using actions/upload-artifact@v4 in GitHub Actions workflows, GitHub resolves it to the latest commit SHA on the v4 branch. A specific pinned SHA example from a related action is ea165f8d65b6e75b540449e92b4886f43607fa02 (from September 2025), likely corresponding to a v4.x version at that time. The repository's main branch latest release is v7.0.1 (April 2026), but v4 remains available for compatibility.

🌐 Web query:

330a01c490aca151604b8cf639adc76d48f6c5d4 GitHub commit

💡 Result:

The GitHub commit 330a01c490aca151604b8cf639adc76d48f6c5d4 is the merge commit for pull request #734 in the actions/upload-artifact repository. It merges the branch danwkennedy/prepare-5.0.0, which prepares the upload-artifact action for version v5.0.0. Key changes include bumping the package version from 4.6.2 to 5.0.0 and updating the @actions/artifact dependency from ^2.3.2 to ^4.0.0. The commit was made on 2025-10-24 by GitHub (automated), authored by danwkennedy. It affects 6 files with 6076 additions and 10951 deletions, primarily updating package.json, package-lock.json, and dist files. This commit tags v5.0.0 and is widely referenced in workflows pinning to actions/upload-artifact@330a01c for immutability (e.g., # v5.0.0). Official GitHub page: actions/upload-artifact@330a01c

SHAs in the benchmark workflow are assigned to the wrong action repositories and will cause workflow failures.

Line 17 pins actions/setup-go@330a01c490aca151604b8cf639adc76d48f6c5d4, but that SHA is actually from actions/upload-artifact v5.0.0.

Line 27 pins actions/upload-artifact@6f8efc29b200d32929f49075959781ed54ec270c, but that SHA is actually from actions/cache v3.5.0.

These misassignments will cause the workflow to fail immediately when GitHub attempts to fetch the commits from the incorrect repositories.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/benchmarks.yml around lines 17 - 18, The workflow pins
incorrect commit SHAs to the wrong action repos; update the pinned refs so each
action uses a SHA that belongs to its repository (or replace the SHA with the
official stable tag). Specifically, for the actions/setup-go step (currently
using SHA 330a01c...) replace that ref with the correct actions/setup-go commit
SHA for the desired version or use the official tag (e.g., actions/setup-go@v4),
and for the actions/upload-artifact step (currently using SHA 6f8efc2...)
replace that ref with the correct actions/upload-artifact commit SHA or use its
official tag (e.g., actions/upload-artifact@v5); ensure the refs you choose
match the repository names (actions/setup-go, actions/upload-artifact) so GitHub
can fetch the correct commits.

Comment thread .github/workflows/ci.yml
Comment on lines +6 to +20
paths:
- 'backend/**'
- 'frontend/**'
- 'src/**'
- 'tests/**'
- 'infra/**'
- 'scripts/**'
- 'docker/**'
- 'docker-compose*.yml'
- 'pyproject.toml'
- 'uv.lock'
- 'go.mod'
- 'go.sum'
- 'package.json'
- 'bun.lock'

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Path filters exclude root Dockerfile, so docker build changes may skip CI.

The docker-build job builds ./Dockerfile, but the trigger paths do not include Dockerfile. Add it to both push.paths and pull_request.paths.

Also applies to: 24-37

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 6 - 20, The workflow's path filters
omit the repository root Dockerfile so changes to that file won't trigger CI for
the docker-build job; update the .github/workflows/ci.yml configuration to add
"Dockerfile" to both push.paths and pull_request.paths (the same change should
be applied to the other identical block referenced at lines 24-37) so the
docker-build job (named docker-build) runs when the root Dockerfile is modified.

Comment thread .github/workflows/ci.yml
- 'package.json'
- 'bun.lock'
pull_request:
branches: [ main, develop ]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix YAMLlint bracket spacing error on branch list.

Static analysis flagged this line ([ main, develop ]) as invalid style. Use [main, develop] to clear lint failures.

🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 22-22: too many spaces inside brackets

(brackets)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 22, Update the branches entry in the GitHub
Actions workflow to remove the extra spaces inside the bracketed list: replace
the current value "[ main, develop ]" under the branches key with "[main,
develop]" so it conforms to YAMLlint/style rules and clears the lint failure.

Comment thread .github/workflows/ci.yml
Comment on lines +96 to 97
uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
with:

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and its size
wc -l .github/workflows/ci.yml

🏁 Script executed:

# Read the specific line ranges to verify the action pins
sed -n '96,97p; 155,156p; 277,278p; 287,288p; 333,334p; 409,410p; 452,453p; 637,638p; 667,668p; 676,677p; 738,739p; 796,797p; 908,909p; 916,917p; 926,927p; 934,935p; 1009,1010p; 1047,1048p; 1085,1086p; 1127,1128p' .github/workflows/ci.yml | cat -n

🏁 Script executed:

# Get context around the action pins at specific lines
sed -n '94,99p; 153,158p; 275,280p; 285,290p' .github/workflows/ci.yml

🏁 Script executed:

# Let's also search for all action pins in the file to see the pattern
rg 'uses: actions/' .github/workflows/ci.yml -A 1 -B 1 | head -60

🌐 Web query:

actions/setup-python ea165f8d65b6e75b540449e92b4886f43607fa02 SHA commit hash

💡 Result:

The commit hash you provided (ea165f8d65b6e75b540449e92b4886f43607fa02) is used as a pinned SHA for the GitHub Action actions/upload-artifact@v4, not for actions/setup-python. Evidence: a workflow change explicitly updates the digest to ea165f8d65b6e75b540449e92b4886f43607fa02 in actions/upload-artifact@... steps, and the referenced OpenUSD GitHub Actions run also contains that SHA in actions/upload-artifact@.... If you meant actions/setup-python, please confirm the intended action (setup-python vs upload-artifact) and whether you have the correct 40-hex commit SHA for setup-python.

🌐 Web query:

actions/upload-artifact 6f8efc29b200d32929f49075959781ed54ec270c version

💡 Result:

I could not determine an “actions/upload-artifact” action version for commit/sha 6f8efc29b200d32929f49075959781ed54ec270c from authoritative sources in the searches I ran. What I can say from GitHub’s official documentation is that actions/upload-artifact is published in version tags (e.g., v4, v6, v7), and actions/upload-artifact@v7 is current; but mapping an arbitrary commit SHA to a specific published tag requires finding that exact SHA in the repo’s commit/tag history (not found in the results I received). If you share the full context where you saw that SHA (for example: the workflow log line, or the repository URL/owner that contains the tag/commit), I can re-run a targeted search to map that SHA to the corresponding release tag/version.

🌐 Web query:

actions/setup-go 330a01c490aca151604b8cf639adc76d48f6c5d4 commit

💡 Result:

The SHA 330a01c490aca151604b8cf639adc76d48f6c5d4 corresponds to the GitHub Actions action "actions/upload-artifact" at version v5.0.0. This is the commit used for pinning the action in workflows for reproducibility and security. It is referenced in multiple GitHub Actions logs as the SHA for actions/upload-artifact@v5.0.0, which was released on 2025-10-24 with Node.js 24 support and updates to @actions/artifact v4.0.0. The query mentions "actions/setup-go" likely due to context in workflows using both actions, but the SHA matches upload-artifact. Repository: https://github.com/actions/upload-artifact/tree/330a01c490aca151604b8cf639adc76d48f6c5d4

🌐 Web query:

6f8efc29b200d32929f49075959781ed54ec270c upload-artifact version tag

💡 Result:

You asked to “research” the query string: 6f8efc29b200d32929f49075959781ed54ec270c upload-artifact version tag. Findings (from authoritative GitHub sources): 1) The GitHub Action commonly referred to as “upload-artifact” is actions/upload-artifact. 2) Its versioning is expressed as Git tags like v4, v5, v6, v7 (used in workflow syntax like uses: actions/upload-artifact@v4). 3) I could not reliably associate the specific hex string 6f8efc29b200d32929f49075959781ed54ec270c with any particular “upload-artifact” release tag or commit in the official actions/upload-artifact repository using the evidence found. What the official docs show about version tags for upload-artifact: - Workflows reference it by tag, for example actions/upload-artifact@v4 in GitHub’s artifact documentation. - The upstream action repository has many tagged releases (latest shown as v7.0.1 in the repo page at the time of indexing), and the action readme documents compatibility notes (e.g., GHES limitations for v4+).

🌐 Web query:

actions/upload-artifact v4 release commit SHA ea165f8d65b6e75b540449e92b4886f43607fa02

💡 Result:

The Git commit SHA ea165f8d65b6e75b540449e92b4886f43607fa02 corresponds to a merge commit in the actions/upload-artifact repository: "Merge pull request #685 from salmanmkc/salmanmkc/3-new-upload-artifacts-release". This commit is part of the v4 branch or a release related to actions/upload-artifact@v4. It appears in comparisons like v4.4.3...v4.6.0 and is referenced as the specific ref pinned for actions/upload-artifact@v4 in composite actions like actions/upload-pages-artifact@v4, where workflows must allow this SHA due to security restrictions on allowed actions. This SHA predates later releases like v4.6.0 (2025-01-09) and v7.0.1 (2026-04-10), positioning it around March 2025 based on nearby commits (e.g., 0839620 on 2025-03-19). No official release tag directly points to this exact SHA, but it represents a stable commit used for the v4 version in GitHub Actions workflows.

🌐 Web query:

actions/setup-python latest version commit SHA 2024 2025

💡 Result:

The latest version of the actions/setup-python GitHub Action is v6.2.0, released on 2026-01-22. The commit SHA for this release tag is a309ff8b426b58ec0e2a45f0f869d46889d02405. There have been subsequent commits on the main branch, including one on 2026-03-09 (Bump minimatch from 3.1.2 to 3.1.5 #1281, SHA 28f2168) and the repository's last push was on 2026-03-30. In 2024, v5.1.0 was released on 2024-03-26. In 2025, v6.0.0 was released on 2025-09-04, followed by v6.1.0 on 2025-11-25.

🏁 Script executed:

# Get exact setup-python and setup-go pins from the workflow
rg 'setup-python|setup-go' .github/workflows/ci.yml -A 1 -B 1

Fix incorrect action SHAs: setup-python and setup-go are pinned to upload-artifact commits.

The workflow pins actions/setup-python to SHA ea165f8d65b6e75b540449e92b4886f43607fa02 and actions/setup-go to SHA 330a01c490aca151604b8cf639adc76d48f6c5d4, both of which are commits from the actions/upload-artifact repository. Using incorrect action SHAs causes GitHub Actions to execute the wrong action code, resulting in CI failures before tests run.

Update these pins to the correct commit SHAs for their respective actions at lines 96–97, 155–156, 287–288, 333–334, 409–410, 916–917, 926–927, 934–935, and other occurrences in the workflow.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 96 - 97, Several workflow steps pin
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02 and
actions/setup-go@330a01c490aca151604b8cf639adc76d48f6c5d4 to incorrect SHAs
(they point to upload-artifact commits); locate every occurrence of the action
identifiers actions/setup-python@... and actions/setup-go@... (e.g., the uses
entries shown) and replace those pinned SHAs with the correct commit SHAs for
actions/setup-python and actions/setup-go respectively (update all instances
mentioned: around lines 96–97, 155–156, 287–288, 333–334, 409–410, 916–917,
926–927, 934–935 and any other matches) so the workflow references the proper
action commits. Ensure the format remains uses:
actions/setup-python@<correct-sha> and uses: actions/setup-go@<correct-sha>.
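The defect both the benchmarks.yml and the ci.yml findings above describe is the same one: a full 40-hex SHA pinned under an action name when the commit actually lives in a different action's repository. The check below is an added example, not code from this PR or from CodeRabbit. It parses `uses:` lines, reports any ref that is still a mutable tag or branch, and looks every SHA up in a per-repository map of ref tips, flagging a SHA that matches a tip of some other repository as `wrong-repo`. `ls_remote_refs` builds that map live with `git ls-remote`; `FIXTURE_REFS`, the repeated-digit SHAs in it and `SAMPLE_WORKFLOW` are constructed stand-ins so the check runs offline and are not real commits.

```python
"""Verify `uses:` pins in GitHub Actions workflows: full-SHA pins only, and each
SHA must belong to the action repository named before the '@'.  Added example,
not code from this PR.  FIXTURE_REFS / SAMPLE_WORKFLOW are constructed fixtures."""
import re
import subprocess
from dataclasses import dataclass

# `uses: owner/repo@ref` or `uses: owner/repo/subdir@ref`, optionally quoted.
# Local (`./x`) and `docker://` actions carry no `@ref` and do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Pin:
    action: str  # owner/repo
    ref: str     # text after '@'
    status: str  # "ok" | "mutable" | "wrong-repo" | "unverified"
    detail: str  # tag for ok, "repo tag" for wrong-repo, advice otherwise


def parse_uses(workflow_text: str) -> list[tuple[str, str]]:
    """Return (action, ref) for every remote action reference in the YAML text."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(workflow_text)]


def ls_remote_refs(repo: str) -> dict[str, str]:
    """Live resolver (needs network): ref name -> commit SHA from `git ls-remote`.
    The peeled `refs/tags/vX^{}` line carries the commit behind an annotated tag
    and overwrites the tag-object SHA listed just before it."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", "--heads", f"https://github.com/{repo}"],
        check=True, capture_output=True, text=True,
    ).stdout
    refs: dict[str, str] = {}
    for line in out.splitlines():
        sha, _, name = line.partition("\t")
        refs[name.removesuffix("^{}")] = sha
    return refs


def _tag_name(ref_name: str) -> str:
    return ref_name.removeprefix("refs/tags/")


def check_pins(pairs: list[tuple[str, str]], refs_by_repo: dict[str, dict[str, str]]) -> list[Pin]:
    """Classify every pin against the ref tips in refs_by_repo
    (build it with ls_remote_refs() live, or pass a fixture offline)."""
    findings = []
    for action, ref in pairs:
        if not FULL_SHA_RE.match(ref):
            findings.append(Pin(action, ref, "mutable", "tag or branch; pin a 40-hex commit SHA"))
            continue
        own = [n for n, s in refs_by_repo.get(action, {}).items() if s == ref]
        if own:
            # Most specific matching tag (v4.2.2 over v4) for the trailing '# vX.Y.Z' comment.
            findings.append(Pin(action, ref, "ok", _tag_name(max(own, key=len))))
            continue
        elsewhere = [(repo, n) for repo, refs in refs_by_repo.items() if repo != action
                     for n, s in refs.items() if s == ref]
        if elsewhere:
            repo, name = elsewhere[0]
            findings.append(Pin(action, ref, "wrong-repo", f"{repo} {_tag_name(name)}"))
        else:
            findings.append(Pin(action, ref, "unverified",
                                "not a tag/branch tip here; confirm with git fetch or the commits API"))
    return findings


def report(findings: list[Pin]) -> str:
    return "\n".join(f"{f.status:11} {f.action}@{f.ref[:12]}  {f.detail}" for f in findings)


# --- constructed fixtures: fake SHAs (repeated hex digits), not real commits ---
SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40
FIXTURE_REFS = {
    "actions/checkout": {"refs/tags/v4": SHA_A, "refs/tags/v4.2.2": SHA_A},
    "actions/setup-go": {"refs/tags/v5": SHA_B},
    "actions/upload-artifact": {"refs/tags/v5.0.0": SHA_C, "refs/heads/main": SHA_C},
}
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@{SHA_A}  # v4.2.2
  - uses: actions/setup-go@{SHA_C}          # upload-artifact's SHA under setup-go
    with:
      go-version: '1.22'
  - uses: "actions/upload-artifact@v4"       # mutable tag
  - uses: ./.github/actions/local-step       # local action, skipped
"""

if __name__ == "__main__":
    print(report(check_pins(parse_uses(SAMPLE_WORKFLOW), FIXTURE_REFS)))
```

For a live run, read the real workflow file and build the map with `{repo: ls_remote_refs(repo) for repo in {a for a, _ in pairs}}` before calling `check_pins`. Two caveats a practitioner will hit: `git ls-remote` lists only ref tips, so a legitimate pin to an older, non-tip commit comes back `unverified` and needs `git fetch` (or the commits API) against that action's repository to settle; and the `ok` tag the checker prints is worth keeping as a `# vX.Y.Z` comment next to the SHA, since that is the convention Dependabot's github-actions ecosystem reads when it bumps SHA pins.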

Comment on lines 57 to 63
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
with:
cache: 'pip'
with:
python-version: ${{ matrix.python-version }}


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
actionlint .github/workflows/tests.yml

Merge the duplicated with mapping.

Both Set up Python steps declare with twice, which makes this workflow invalid YAML and prevents GitHub from parsing it. The actionlint validation confirms duplicate-key errors at lines 59/61 and 182/184.

Suggested fix
       - name: Set up Python
         uses: actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
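Review bot: merging the two `with:` maps makes the file parse, but the pin this fix keeps, `actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02`, is the same SHA the ci.yml review above identifies as an actions/upload-artifact commit, so the step will still fail to fetch as soon as the YAML is valid. Resolve a genuine setup-python commit for the tag the file used before the pinning (`v5`, the line this hunk drops) and apply it here and in the test-parallel step in the same edit, rather than fixing the duplicate key in isolation.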

Apply the same edit to the test-parallel job (around lines 180–185).

🧰 Tools
🪛 actionlint (1.7.12)

[error] 61-61: key "with" is duplicated in element of "steps" section. previously defined at line:59,col:9

(syntax-check)

🪛 YAMLlint (1.38.0)

[error] 61-61: duplication of key "with" in mapping

(key-duplicates)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 57 - 63, The "Set up Python" step
contains duplicate with mappings causing invalid YAML; merge the two with blocks
into a single with block for the step named "Set up Python" (the step that uses
actions/setup-python@ea165f8d65b6e75b540449e92b4886f43607fa02) so the with block
includes both cache: 'pip' and python-version: ${{ matrix.python-version }};
apply the same single-with-block fix to the equivalent "Set up Python" step in
the test-parallel job so both jobs use one consolidated with mapping.

Comment thread claude.md
Comment on lines 28 to 46
```
docs/
├── guides/ # Implementation guides and how-tos
│ └── quick-start/ # Quick start guides
├── reports/ # Completion reports, summaries, status reports
├── research/ # Research summaries, indexes, analysis
├── reference/ # Quick references, API references
└── checklists/ # Implementation checklists, verification lists
src/tracertm/ # Python package (main source)
├── api/ # FastAPI routes
├── services/ # Business logic
├── repositories/ # Data access
├── storage/ # File/markdown handling
├── mcp/ # MCP server tools
├── agent/ # Agent coordination
├── tui/ # Textual TUI
├── grpc/ # gRPC service
├── workflows/ # Temporal workflows
└── observability/ # Tracing/metrics

frontend/ # React monorepo (turbo)
backend/ # Go API stub
tests/ # pytest suite (unit/integration/e2e)
alembic/ # DB migrations
scripts/ # Dev & seed scripts
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language tag to the fenced block.

The fenced block starting at Line 28 has no language identifier (MD040). Use text for the directory tree block.

Suggested patch
-```
+```text
 src/tracertm/       # Python package (main source)
 ...
 scripts/             # Dev & seed scripts
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 28-28: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @claude.md around lines 28 - 46, The markdown fenced block in claude.md (the
directory tree block beginning at the fenced code block around Line 28) is
missing a language tag (MD040); update that fenced code block to include the
language identifier "text" (i.e., change the opening ``` to ```text) so the
directory tree is properly tagged, then save the file and run your markdown
linter to verify MD040 is resolved.

Comment thread claude.md
Comment on lines +50 to +71
### Python setup
```bash
uv sync
pytest # run tests
pytest -m unit # unit only
pytest -m integration # integration only
ruff check . && ruff format .
ty check src/
```
docs/
├── guides/ # Implementation guides and how-tos
│ └── quick-start/ # Quick start guides
├── reports/ # Completion reports, summaries, status reports
├── research/ # Research summaries, indexes, analysis
├── reference/ # Quick references, API references
└── checklists/ # Implementation checklists, verification lists
```

### File Organization Rules

**When creating or moving documentation:**

1. **Quick Starts** → `docs/guides/quick-start/`
- Files matching `*QUICK_START*.md` or `*QUICKSTART*.md`

2. **Quick References** → `docs/reference/`
- Files matching `*QUICK_REFERENCE*.md` or `*QUICK_REF*.md`

3. **Implementation Guides** → `docs/guides/`
- Files matching `*IMPLEMENTATION_GUIDE*.md` or `*GUIDE*.md`
- General implementation documentation

4. **Completion Reports** → `docs/reports/`
- Files matching `*COMPLETE*.md`, `*COMPLETION*.md`, `*SUMMARY*.md`, `*REPORT*.md`
- Phase completion files (`PHASE_*.md`)
- Test-related reports (`*TEST*.md`)

5. **Research Files** → `docs/research/`
- Files matching `*RESEARCH*.md` or `*INDEX*.md`

6. **Checklists** → `docs/checklists/`
- Files matching `*CHECKLIST*.md`

### AI Agent Instructions

**When working as Claude:**

- **NEVER** create `.md` files in the project root (except the allowed files above)
- **ALWAYS** place new documentation in the appropriate `docs/` subdirectory
- **VERIFY** file location before creating documentation
- **MOVE** misplaced files to correct subdirectories if found
- **REFERENCE** this structure when users ask about documentation organization

### Maintenance

- Use the `organize_docs.sh` script to reorganize misplaced files
- Keep root directory clean and organized
- Reference this structure in all documentation creation workflows


## Development Philosophy

### Extend, Never Duplicate

- NEVER create a v2 file. Refactor the original.
- NEVER create a new class if an existing one can be made generic.
- NEVER create custom implementations when an OSS library exists.
- Before writing ANY new code: search the codebase for existing patterns.

### Primitives First

- Build generic building blocks before application logic.
- A provider interface + registry is better than N isolated classes.
- Template strings > hardcoded messages. Config-driven > code-driven.

### Research Before Implementing

- Check project deps (`pyproject.toml`) for existing libraries.
- Search PyPI before writing custom code.
- For non-trivial algorithms: check GitHub for 80%+ implementations to fork/adapt.

---

## Library Preferences (DO NOT REINVENT)

| Need | Use | NOT |
|------|-----|-----|
| Retry/resilience | tenacity | Custom retry loops |
| HTTP client | httpx | Custom wrappers |
| Logging | loguru + structlog | print() or logging.getLogger |
| Config | pydantic-settings | Manual env parsing |
| CLI | typer | argparse |
| Validation | pydantic | Manual if/else |
| Rate limiting | tenacity + asyncio.Semaphore | Custom rate limiter class |
| Serialization | msgspec / msgpack | manual json or unsafe alternatives |
| Database ORM | SQLAlchemy (async) | Raw SQL strings |
| API framework | FastAPI + uvicorn | Flask / custom ASGI |
| MCP tools | fastmcp | Custom MCP protocol handling |
| Workflow orchestration | temporalio | Custom job queues |
### Frontend
```bash
bun install
bun run dev
```

---
### Quality gates
```bash
poe quality # full: ruff + ty + tach + bandit + pip-audit + pytest
poe test # pytest
poe lint # ruff check --fix
```

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix heading/fence spacing to satisfy markdownlint.

Around Lines 50-71, headings and fenced blocks are missing required blank-line separation (MD022/MD031). Add blank lines before/after each subheading and code fence.

Suggested patch
 ## Development
 
 ### Python setup
+
 ```bash
 uv sync
 pytest                    # run tests
 pytest -m unit            # unit only
 pytest -m integration     # integration only
 ruff check . && ruff format .
 ty check src/
 ```
+
 ### Frontend
+
 ```bash
 bun install
 bun run dev
 ```
+
 ### Quality gates
+
 ```bash
 poe quality   # full: ruff + ty + tach + bandit + pip-audit + pytest
 poe test      # pytest
 poe lint      # ruff check --fix
 ```

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 50-50: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)


[warning] 51-51: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)


[warning] 60-60: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)


[warning] 61-61: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)


[warning] 66-66: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)


[warning] 67-67: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@claude.md` around lines 50 - 71, The Markdown headings "Python setup",
"Frontend", and "Quality gates" and their adjacent fenced code blocks are
missing required blank lines (MD022/MD031); fix by adding a blank line before
each subheading and a blank line both before and after each ```bash fenced block
around the commands so the headings and fences are separated correctly (look for
the "Python setup", "Frontend", "Quality gates" headings and the ```bash code
fences to apply the spacing).

Comment thread claude.md
Comment on lines +83 to +84
- **Parent governance**: `/Users/kooshapari/CodeProjects/Phenotype/repos/CLAUDE.md`
- **Global governance**: `/Users/kooshapari/.claude/CLAUDE.md`

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace machine-local governance paths with portable references.

Line 83 and Line 84 hardcode /Users/kooshapari/..., which is non-portable and leaks a local user identifier. Use repo-relative paths (or non-identifying generic paths) instead.

Suggested patch
-- **Parent governance**: `/Users/kooshapari/CodeProjects/Phenotype/repos/CLAUDE.md`
-- **Global governance**: `/Users/kooshapari/.claude/CLAUDE.md`
+- **Parent governance**: `../CLAUDE.md` (repository-relative)
+- **Global governance**: `~/.claude/CLAUDE.md` (user-local reference)
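Review bot: the replacement `../CLAUDE.md` is labelled "repository-relative", but it resolves to the parent of the checkout, which is outside the repository; the link only works on a machine that mirrors the directory layout of the absolute path it replaces, so the portability problem is moved rather than fixed. Either vendor the parent governance file into the repo and link that in-repo path, or describe where the file lives in words. `~/.claude/CLAUDE.md` as a user-local reference is fine.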
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@claude.md` around lines 83 - 84, The two hardcoded paths in the "Parent
governance" and "Global governance" lines leak a local username and are
non-portable; update those entries (the lines containing "Parent governance" and
"Global governance") to use portable references such as a repo-relative path for
parent governance (e.g., "./CLAUDE.md" or "docs/CLAUDE.md") and a generic
home-relative path for global governance (e.g., "~/.claude/CLAUDE.md"),
replacing the absolute "/Users/kooshapari/..." strings so no local user
identifier is exposed.

Comment thread LICENSE
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2026 Koosha Pari

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify copyright ownership to avoid licensing ambiguity.

Line 3 currently names a single individual, which can conflict with a multi-contributor repository and weaken downstream compliance confidence. Use a contributor-entity/year-range statement that reflects actual ownership.

Proposed fix
-Copyright (c) 2026 Koosha Pari
+Copyright (c) 2024-2026 TracerTM Contributors
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@LICENSE` at line 3, Replace the single-person copyright line ("Copyright (c)
2026 Koosha Pari") with a contributor-entity and year-range statement to avoid
ambiguity; update the LICENSE file's copyright header to a format like
"Copyright (c) 2021-2026 The Project Contributors" or "Copyright (c) 2021-2026
<Organization/Entity Name> and contributors" so it covers multiple contributors
and the appropriate year range, and ensure the chosen entity name matches your
project's CONTRIBUTING or AUTHORS guidance.

@KooshaPari KooshaPari closed this May 1, 2026
@KooshaPari KooshaPari deleted the chore/pin-github-actions-20260430 branch May 1, 2026 14:54
Labels

size:XL This PR changes 500-999 lines, ignoring generated files

3 participants