chore(deps): Update GitHub Actions #78

Open

williaby wants to merge 1 commit into main from renovate/github-actions

Conversation

williaby (Contributor) commented Jun 6, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                               Change                Type     Update
ByronWilliamsCPA/.github (changelog)  74c633a → 1502ecd     action   digest
actions/checkout                      v6.0.2 → v6.0.3       action   patch
actions/setup-python                  v6.2.0 → v6.3.0       action   minor
astral-sh/setup-uv                    v8.1.0 → v8.2.0       action   minor
github/codeql-action                  v4.36.0 → v4.36.2     action   patch
redis                                 0916059 → 9d31717     service  digest

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

actions/setup-python (actions/setup-python)

v6.3.0

Compare Source

What's Changed
Enhancement
Dependency update
Documentation
New Contributors

Full Changelog: actions/setup-python@v6...v6.3.0

astral-sh/setup-uv (astral-sh/setup-uv)

v8.2.0: 🌈 New inputs quiet and download-from-astral-mirror

Compare Source

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Let's talk about the new inputs first.

quiet

Pretty simple. It turns off all info logging. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise".

Note: Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default), we now stop sending the GitHub token in the header. The mirror never looked at it, but we shouldn't be handing out that data even if it is just a short-lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all root causes yet, but added more logging for error cases to track them down.

🐛 Bug fixes
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
github/codeql-action (github/codeql-action)

v4.36.2

Compare Source

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

v4.36.1

Compare Source

No user facing changes.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings June 6, 2026 02:14
coderabbitai Bot commented Jun 6, 2026

Walkthrough

Pinned SHA references updated across 21 GitHub Actions workflow files: actions/checkout bumped from v6.0.2 to v6.0.3, astral-sh/setup-uv from v8.1.0 to v8.2.0, github/codeql-action from v4.36.0 to v4.36.2, a Redis image digest refreshed, and all org-level reusable workflow references re-pinned to the ef10bbe7 commit SHA.

Changes

CI Dependency Pin Updates

Layer / File(s) Summary
Direct action version bumps
.github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/fips-compatibility.yml, .github/workflows/performance-regression.yml, .github/workflows/postman-api-tests.yml, .github/workflows/pr-validation.yml, .github/workflows/release-sign.yml, .github/workflows/reuse.yml
actions/checkout bumped to v6.0.3, astral-sh/setup-uv bumped to v8.2.0, github/codeql-action (init/analyze) bumped to v4.36.2, and the redis:8-alpine service image digest refreshed. All step logic and configuration remain unchanged.
Org reusable workflow SHA re-pins
.github/workflows/ci.yml, .github/workflows/codecov.yml, .github/workflows/container-security.yml, .github/workflows/coverage.yml, .github/workflows/docs.yml, .github/workflows/mutation-testing.yml, .github/workflows/performance-regression.yml, .github/workflows/pr-validation.yml, .github/workflows/publish-pypi.yml, .github/workflows/python-compatibility.yml, .github/workflows/qlty.yml, .github/workflows/release.yml, .github/workflows/sbom.yml, .github/workflows/scorecard.yml, .github/workflows/security-analysis.yml, .github/workflows/sonarcloud.yml
All uses: references to org-level reusable workflows (python-ci.yml, python-codecov.yml, python-container-security.yml, python-qlty-coverage.yml, python-docs.yml, python-mutation.yml, python-performance-regression.yml, python-publish-pypi.yml, python-compatibility.yml, python-release.yml, python-sbom.yml, python-scorecard.yml, python-security-analysis.yml, python-sonarcloud.yml) re-pinned to commit ef10bbe7. Job wiring, inputs, and secrets remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • fix(ci): pin org reusable workflow references to SHA instead of @main audio-processor#9: PR implements the same pattern of pinning org reusable workflow uses: references to specific commit SHAs with # main annotations.
  • ByronWilliamsCPA/taxdome#7: PR addresses the same Renovate-tracked dependency updates (actions/checkout v6.0.2→v6.0.3) across the same workflow files (reuse.yml, scorecard.yml).
  • Dependency Dashboard gleif#23: PR implements the same set of GitHub Actions bumps (actions/checkout, astral-sh/setup-uv, github/codeql-action) and reusable workflow re-pins listed in that Renovate dashboard.
  • ByronWilliamsCPA/maester-tests#14: PR implements the exact dependency updates (actions/checkout v6.0.2→v6.0.3, astral-sh/setup-uv v8.1.0→v8.2.0) tracked across the identical set of workflow files.
  • Dependency Dashboard reference-library#10: PR matches the "Update GitHub Actions to ef10bbe" and "Update ByronWilliamsCPA/.github digest to ef10bbe" updates tracked in that Renovate dashboard.
  • ByronWilliamsCPA/cookiecutter-template-sample#3: PR implements the same GitHub Actions and reusable workflow version updates tracked by Renovate across .github/workflows/ files.
  • Dependency Dashboard pp-security-master#50: PR applies the identical set of workflow pin updates (actions/checkout v6.0.3, astral-sh/setup-uv v8.2.0, org-workflow SHAs) tracked in that Renovate dependency dashboard.

Possibly related PRs

  • ByronWilliamsCPA/rag-processor#19: Same pattern of bumping actions/checkout, astral-sh/setup-uv, and CodeQL action pins across the same overlapping workflow files without altering job logic.
  • ByronWilliamsCPA/rag-processor#42: Both PRs update .github/workflows/postman-api-tests.yml with a refreshed redis:8-alpine image digest and bumped actions/checkout/astral-sh/setup-uv pins.
  • ByronWilliamsCPA/rag-processor#57: Both PRs update the python-ci.yml reusable workflow SHA in ci.yml and bump related CI coverage workflow references.

Suggested labels

ci, security

🐇 Hops through the YAML with glee,
Bumping SHAs so pipelines stay free.
checkout leaps to v6.0.3,
setup-uv skips to v8.2!
No logic changed — just pins, you see.
Safe and snug as a rabbit should be! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main change: updating GitHub Actions versions/dependencies across the entire CI/CD workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

github-actions Bot commented Jun 6, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 5 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/coverage.yml
  Package: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml
  Version: 1502ecdde74ba30e2db1c91778f98b550bcf100e
  License: Null
  Issue Type: Unknown License

.github/workflows/performance-regression.yml
  Package: ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml
  Version: 1502ecdde74ba30e2db1c91778f98b550bcf100e
  License: Null
  Issue Type: Unknown License

.github/workflows/qlty.yml
  Package: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml
  Version: 1502ecdde74ba30e2db1c91778f98b550bcf100e
  License: Null
  Issue Type: Unknown License

.github/workflows/scorecard.yml
  Package: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml
  Version: 1502ecdde74ba30e2db1c91778f98b550bcf100e
  License: Null
  Issue Type: Unknown License

.github/workflows/sonarcloud.yml
  Package: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml
  Version: 1502ecdde74ba30e2db1c91778f98b550bcf100e
  License: Null
  Issue Type: Unknown License

Denied Licenses: GPL-2.0, GPL-3.0

OpenSSF Scorecard

Package | Version | Score
actions/ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml | 1502ecdde74ba30e2db1c91778f98b550bcf100e | Unknown
actions/ByronWilliamsCPA/.github/.github/workflows/python-performance-regression.yml | 1502ecdde74ba30e2db1c91778f98b550bcf100e | Unknown
actions/actions/checkout | df4cb1c069e1874edd31b4311f1884172cec0e10 | 🟢 6.9

Details for actions/checkout:
  Check | Score | Reason
  Code-Review | 🟢 10 | all changesets reviewed
  Maintained | 🟢 10 | 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
  Binary-Artifacts | 🟢 10 | no binaries found in the repo
  Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
  CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
  Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
  Fuzzing | ⚠️ 0 | project is not fuzzed
  License | 🟢 10 | license file detected
  Packaging | ⚠️ -1 | packaging workflow not detected
  Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3
  Signed-Releases | ⚠️ -1 | no releases found
  Security-Policy | 🟢 9 | security policy file detected
  Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
  SAST | 🟢 10 | SAST tool is run on all commits

actions/ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml | 1502ecdde74ba30e2db1c91778f98b550bcf100e | Unknown
actions/ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml | 1502ecdde74ba30e2db1c91778f98b550bcf100e | Unknown
actions/ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml | 1502ecdde74ba30e2db1c91778f98b550bcf100e | Unknown

Scanned Files

  • .github/workflows/coverage.yml
  • .github/workflows/performance-regression.yml
  • .github/workflows/qlty.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/sonarcloud.yml

github-actions Bot commented Jun 6, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.29 2.27 -1.1%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.92 1.92 📈 0.2%
p95_ms 2.29 2.27 📉 -1.1%
p99_ms 2.37 2.37 📈 0.0%
mean_ms 1.37 1.37 ➡️ 0.0%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.38 2.38 ➡️ 0.0%
throughput_ops 730.33 730.25 📉 -0.0%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.92 0.91 📉 -1.0%
avg_throughput_all_benchmarks_ops 1094200.51 1156904.35 📈 5.7%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

Copilot AI left a comment

Pull request overview

Updates GitHub Actions and org-level reusable workflow pins across this repository’s CI/security/docs pipelines to pick up patch-level fixes and security updates while preserving existing workflow behavior.

Changes:

  • Bump actions/checkout from v6.0.2 to v6.0.3 (SHA-pinned) wherever it’s used directly.
  • Bump github/codeql-action from v4.36.0 to v4.36.1 (SHA-pinned) in the CodeQL workflow.
  • Update callers of ByronWilliamsCPA/.github reusable workflows to the latest pinned digest.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.

Summary per file (File: Description)
.github/workflows/sonarcloud.yml Updates org reusable SonarCloud workflow digest pin.
.github/workflows/security-analysis.yml Updates org reusable security-analysis workflow digest pin.
.github/workflows/scorecard.yml Updates org reusable scorecard workflow digest pin.
.github/workflows/sbom.yml Updates org reusable SBOM workflow digest pin.
.github/workflows/reuse.yml Bumps actions/checkout to v6.0.3 (SHA-pinned) for REUSE checks.
.github/workflows/release.yml Updates org reusable release workflow digest pin.
.github/workflows/release-sign.yml Bumps actions/checkout to v6.0.3 (SHA-pinned) for signing workflow.
.github/workflows/qlty.yml Updates org reusable Qlty coverage workflow digest pin.
.github/workflows/python-compatibility.yml Updates org reusable compatibility workflow digest pin.
.github/workflows/publish-pypi.yml Updates org reusable PyPI publish workflow digest pin.
.github/workflows/pr-validation.yml Updates org reusable CI workflow digest pin; bumps actions/checkout to v6.0.3 (SHA-pinned) in additional jobs.
.github/workflows/postman-api-tests.yml Bumps actions/checkout to v6.0.3 (SHA-pinned).
.github/workflows/performance-regression.yml Bumps actions/checkout to v6.0.3 (SHA-pinned) and updates org reusable perf workflow digest pin.
.github/workflows/mutation-testing.yml Updates org reusable mutation testing workflow digest pin.
.github/workflows/fips-compatibility.yml Bumps actions/checkout to v6.0.3 (SHA-pinned) in FIPS jobs.
.github/workflows/docs.yml Updates org reusable docs workflow digest pin.
.github/workflows/dependency-review.yml Bumps actions/checkout to v6.0.3 (SHA-pinned).
.github/workflows/coverage.yml Updates org reusable Qlty coverage workflow digest pin.
.github/workflows/container-security.yml Updates org reusable container security workflow digest pin.
.github/workflows/codeql.yml Bumps actions/checkout to v6.0.3 and github/codeql-action to v4.36.1 (both SHA-pinned).
.github/workflows/codecov.yml Updates org reusable Codecov workflow digest pin.
.github/workflows/ci.yml Updates org reusable CI workflow digest pin; bumps actions/checkout to v6.0.3 (SHA-pinned).

@williaby williaby force-pushed the renovate/github-actions branch from 2370c17 to b2b7ac8 Compare June 6, 2026 05:16
github-actions Bot commented Jun 6, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.26 2.32 +3.0%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.90 1.92 📈 0.9%
p95_ms 2.26 2.32 📈 3.0%
p99_ms 2.36 2.42 📈 2.6%
mean_ms 1.36 1.37 📈 0.9%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.37 2.58 📈 8.7%
throughput_ops 734.05 727.63 📉 -0.9%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.91 0.93 📈 1.3%
avg_throughput_all_benchmarks_ops 1146691.85 1065940.17 📉 -7.0%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from b2b7ac8 to cc8a6cc Compare June 6, 2026 11:15
github-actions Bot commented Jun 6, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.25 2.24 -0.3%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.82 1.82 📉 -0.3%
p95_ms 2.25 2.24 📉 -0.3%
p99_ms 3.39 2.26 📉 -33.5%
mean_ms 1.37 1.32 📉 -3.3%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 3.82 2.73 📉 -28.5%
throughput_ops 731.13 756.00 📈 3.4%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.89 0.88 📉 -1.2%
avg_throughput_all_benchmarks_ops 991346.06 996106.35 📈 0.5%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from cc8a6cc to 566de1e Compare June 6, 2026 14:15
github-actions Bot commented Jun 6, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.30 2.27 -1.3%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.92 1.92 📈 0.3%
p95_ms 2.30 2.27 📉 -1.3%
p99_ms 2.37 2.37 📈 0.1%
mean_ms 1.37 1.37 📉 -0.5%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.40 2.38 📉 -0.6%
throughput_ops 728.09 731.89 📈 0.5%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.92 0.93 📈 0.1%
avg_throughput_all_benchmarks_ops 1113407.38 844495.53 📉 -24.2%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 566de1e to 3733bba Compare June 7, 2026 17:37
socket-security Bot commented Jun 7, 2026

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

github-actions Bot commented Jun 7, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.26 2.24 -1.2%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.83 1.83 📉 -0.1%
p95_ms 2.26 2.24 📉 -1.2%
p99_ms 2.28 2.29 📈 0.4%
mean_ms 1.32 1.32 📈 0.1%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.28 2.29 📈 0.3%
throughput_ops 757.63 757.20 📉 -0.1%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.90 0.89 📉 -2.0%
avg_throughput_all_benchmarks_ops 1013181.98 1047942.38 📈 3.4%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 3733bba to f206cc8 Compare June 7, 2026 20:20
github-actions Bot commented Jun 7, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.28 2.33 +2.1%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.90 1.90 📈 0.2%
p95_ms 2.28 2.33 📈 2.1%
p99_ms 2.37 2.37 📉 -0.1%
mean_ms 1.36 1.37 📈 0.4%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.38 2.38 📉 -0.4%
throughput_ops 733.41 731.25 📉 -0.3%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.92 0.92 📉 -0.2%
avg_throughput_all_benchmarks_ops 1113867.72 1149892.09 📈 3.2%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from f206cc8 to a911d9d Compare June 9, 2026 17:36
github-actions Bot commented Jun 9, 2026

🎉 Performance Regression Check

Status: PERFORMANCE IMPROVED

Metric Baseline (main) PR Branch Change
p95_ms 2.79 2.60 -6.5%

Threshold: +/-10% allowed regression

Great work!: Performance has improved.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.99 1.90 📉 -4.2%
p95_ms 2.79 2.60 📉 -6.5%
p99_ms 3.01 2.74 📉 -8.9%
mean_ms 1.54 1.46 📉 -5.4%
min_ms 0.06 0.06 📉 -5.2%
max_ms 3.19 2.84 📉 -10.9%
throughput_ops 647.10 684.26 📈 5.7%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 1.38 1.04 📉 -25.0%
avg_throughput_all_benchmarks_ops 907955.45 919811.61 📈 1.3%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from a911d9d to 19f938e Compare June 10, 2026 20:12
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.44 2.45 +0.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.88 1.87 📉 -0.4%
p95_ms 2.44 2.45 📈 0.4%
p99_ms 2.52 2.53 📈 0.4%
mean_ms 1.42 1.41 📉 -0.6%
min_ms 0.06 0.06 📉 -1.8%
max_ms 2.57 2.53 📉 -1.2%
throughput_ops 705.00 709.22 📈 0.6%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.99 0.98 📉 -0.7%
avg_throughput_all_benchmarks_ops 1004433.48 1057014.96 📈 5.2%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 19f938e to 900c818 Compare June 11, 2026 05:18
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.17 2.21 +1.8%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.83 1.83 📉 -0.3%
p95_ms 2.17 2.21 📈 1.8%
p99_ms 2.27 2.29 📈 0.6%
mean_ms 1.32 1.32 ➡️ 0.0%
min_ms 0.05 0.05 📈 3.9%
max_ms 2.28 2.31 📈 1.2%
throughput_ops 757.47 757.45 📉 -0.0%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.88 0.89 📈 2.1%
avg_throughput_all_benchmarks_ops 997439.06 976792.27 📉 -2.1%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 900c818 to 425aa68 Compare June 12, 2026 05:15
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.23 2.29 +2.7%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.91 1.91 📈 0.1%
p95_ms 2.23 2.29 📈 2.7%
p99_ms 2.42 2.39 📉 -1.6%
mean_ms 1.36 1.37 📈 0.1%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.43 2.46 📈 1.2%
throughput_ops 733.18 732.24 📉 -0.1%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.91 0.91 📈 0.4%
avg_throughput_all_benchmarks_ops 1109774.64 1051732.89 📉 -5.2%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from c2b1ec7 to 19c063e Compare June 23, 2026 05:16
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.26 2.25 -0.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.87 1.85 📉 -0.6%
p95_ms 2.26 2.25 📉 -0.4%
p99_ms 2.38 2.33 📉 -2.1%
mean_ms 1.35 1.34 📉 -0.8%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.44 2.35 📉 -3.6%
throughput_ops 737.90 744.14 📈 0.8%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.92 0.91 📉 -0.8%
avg_throughput_all_benchmarks_ops 932540.30 1011063.25 📈 8.4%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 19c063e to eea33c4 Compare June 23, 2026 17:13
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.22 2.30 +3.3%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.85 1.85 📈 0.1%
p95_ms 2.22 2.30 📈 3.3%
p99_ms 2.36 2.36 📉 -0.1%
mean_ms 1.34 1.35 📈 0.6%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.37 2.38 📈 0.7%
throughput_ops 746.33 741.90 📉 -0.6%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.98 0.92 📉 -6.5%
avg_throughput_all_benchmarks_ops 911593.66 898726.79 📉 -1.4%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

coderabbitai Bot left a comment

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 63: The actions/checkout step at line 63 in the CI workflow is using the
default behavior which persists git credentials in the runner's config, creating
a security risk by leaving the runner authenticated longer than necessary. Add
the `persist-credentials: false` parameter to the
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 step to disable
credential persistence and match the security hardening requirement.

In @.github/workflows/dependency-review.yml:
- Line 36: The checkout action at the line using
`actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` is missing the
security hardening configuration. Add the `persist-credentials: false` parameter
to the checkout step configuration to prevent credentials from being persisted
on the runner. This ensures that runner sessions do not have access to
repository credentials, following security best practices for workflow jobs.

In @.github/workflows/fips-compatibility.yml:
- Line 64: Both `actions/checkout` calls in the workflow (at lines 64 and 201)
are missing the `persist-credentials: false` credential hardening setting for
security best practices. Add the `persist-credentials: false` parameter to each
`actions/checkout` action step to ensure Git credentials are not persisted in
the workflow environment.

In @.github/workflows/performance-regression.yml:
- Line 62: The actions/checkout action on line 62 does not disable credential
persistence for security reasons. Add a `with` section to the checkout step that
includes `persist-credentials: false` to prevent unnecessary credential storage,
following the security best practice for modified checkout steps in workflow
PRs.

In @.github/workflows/postman-api-tests.yml:
- Line 66: The checkout action using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 does not explicitly
disable credential persistence. Add `persist-credentials: false` as a
configuration parameter to the checkout step to disable the default credential
persistence behavior and follow the repository's security learnings for workflow
steps.

In @.github/workflows/pr-validation.yml:
- Line 59: All three instances of the actions/checkout action on lines 59, 102,
and 136 in the workflow file need security hardening. Add the parameter
`persist-credentials: false` to each of these checkout steps to prevent Git
credentials from being persisted in the runner environment. This should be added
as a separate line in the `with:` section of each `uses: actions/checkout`
action to follow security best practices.

In @.github/workflows/release-sign.yml:
- Around line 25-26: The checkout step using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 has credential
persistence enabled by default, which is a security risk as it retains
token-backed git auth on the runner. Add the `persist-credentials: false`
parameter to the checkout action step to explicitly disable credential
persistence and harden the workflow security posture.

In @.github/workflows/reuse.yml:
- Around line 30-31: The checkout steps in the GitHub Actions workflow use
default credential persistence settings, which leaves unnecessary token-backed
git configuration on the runner. Add the input parameter persist-credentials:
false to both instances of the actions/checkout step (the one currently at line
31 and the other one at line 62) to prevent credential persistence and harden
the workflow security posture.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 22303863-9418-43d8-afb9-1b98cc3455e2

📥 Commits

Reviewing files that changed from the base of the PR and between a06abe3 and eea33c4.

📒 Files selected for processing (22)
  • .github/workflows/ci.yml
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/container-security.yml
  • .github/workflows/coverage.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/docs.yml
  • .github/workflows/fips-compatibility.yml
  • .github/workflows/mutation-testing.yml
  • .github/workflows/performance-regression.yml
  • .github/workflows/postman-api-tests.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/publish-pypi.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/release-sign.yml
  • .github/workflows/release.yml
  • .github/workflows/reuse.yml
  • .github/workflows/sbom.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml
  • .github/workflows/sonarcloud.yml

Comment thread .github/workflows/ci.yml
egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
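Review bot: The unchanged context line `egress-policy: audit # TODO: switch to block after 2026-06-30 (compliance audit deferral)` carries a deferral date that the later force-pushes on this PR (June 30 and July 1, 2026) have already passed, so the runner is still in audit-only egress mode past its own deadline. That is outside the scope of a Renovate digest bump, but it should not keep aging silently: either flip it to `egress-policy: block` in a follow-up or record a new deferral date in the comment. The checkout bump itself is in the right shape, keeping the full-SHA pin and updating the `# v6.0.3` trailer together; the missing `persist-credentials: false` is the separate point raised on this thread.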

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add persist-credentials: false to checkout.

Line 63 updates actions/checkout, but the step still persists credentials by default; this leaves the runner git config authenticated longer than needed.

Suggested patch
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “if the PR does touch a workflow that has an actions/checkout step, add persist-credentials: false there to match intended security hardening.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 62-63: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 63, The actions/checkout step at line 63 in
the CI workflow is using the default behavior which persists git credentials in
the runner's config, creating a security risk by leaving the runner
authenticated longer than necessary. Add the `persist-credentials: false`
parameter to the actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 step
to disable credential persistence and match the security hardening requirement.

Sources: Learnings, Linters/SAST tools


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden checkout credentials handling.

Line 36 updates checkout but omits persist-credentials: false; keep credentials non-persistent on runner jobs.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “if the PR modifies a workflow checkout step, add persist-credentials: false.”

📝 Committable suggestion

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 35-36: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 36, The checkout action at
the line using `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10` is
missing the security hardening configuration. Add the `persist-credentials:
false` parameter to the checkout step configuration to prevent credentials from
being persisted on the runner. This ensures that runner sessions do not have
access to repository credentials, following security best practices for workflow
jobs.

Sources: Learnings, Linters/SAST tools


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Apply checkout credential hardening in both jobs.

Lines 64 and 201 update actions/checkout but both steps still omit persist-credentials: false.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: every modified checkout in .github/workflows should explicitly set persist-credentials: false.

Also applies to: 201-201

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 63-64: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/fips-compatibility.yml at line 64, Both `actions/checkout`
calls in the workflow (at lines 64 and 201) are missing the
`persist-credentials: false` credential hardening setting for security best
practices. Add the `persist-credentials: false` parameter to each
`actions/checkout` action step to ensure Git credentials are not persisted in
the workflow environment.

Source: Learnings


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set non-persistent credentials on checkout.

Line 62 updates checkout but does not disable credential persistence.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: modified checkout steps in workflow PRs should include persist-credentials: false.

📝 Committable suggestion

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 61-62: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/performance-regression.yml at line 62, The
actions/checkout action on line 62 does not disable credential persistence for
security reasons. Add a `with` section to the checkout step that includes
`persist-credentials: false` to prevent unnecessary credential storage,
following the security best practice for modified checkout steps in workflow
PRs.

Sources: Learnings, Linters/SAST tools


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add persist-credentials: false for checkout.

Line 66 updates checkout pin but keeps default credential persistence.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: modified checkout steps should explicitly disable credential persistence in this repo’s workflows.

📝 Committable suggestion

Suggested change
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 65-66: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/postman-api-tests.yml at line 66, The checkout action
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 does not
explicitly disable credential persistence. Add `persist-credentials: false` as a
configuration parameter to the checkout step to disable the default credential
persistence behavior and follow the repository's security learnings for workflow
steps.

Source: Learnings


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden all modified checkout steps in this workflow.

Lines 59, 102, and 136 all bump actions/checkout without persist-credentials: false.

Suggested patch
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: checkout hardening must be applied when these workflow files are modified.

Also applies to: 102-102, 136-136

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 58-59: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-validation.yml at line 59, All three instances of the
actions/checkout action on lines 59, 102, and 136 in the workflow file need
security hardening. Add the parameter `persist-credentials: false` to each of
these checkout steps to prevent Git credentials from being persisted in the
runner environment. This should be added as a separate line in the `with:`
section of each `uses: actions/checkout` action to follow security best
practices.

Sources: Learnings, Linters/SAST tools

Comment on lines 25 to +26
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on checkout.

Line 26 updates the checkout pin but still leaves credential persistence enabled, which can retain token-backed git auth on the runner. Add explicit hardening on this step.

Suggested fix
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “ensure every actions/checkout step includes persist-credentials: false,” and as per path instructions: “Review GitHub Actions workflows for security best practices.”

📝 Committable suggestion

Suggested change
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-sign.yml around lines 25 - 26, The checkout step
using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 has credential
persistence enabled by default, which is a security risk as it retains
token-backed git auth on the runner. Add the `persist-credentials: false`
parameter to the checkout action step to explicitly disable credential
persistence and harden the workflow security posture.

Sources: Path instructions, Learnings, Linters/SAST tools

Comment on lines 30 to +31
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Harden both checkout steps with persist-credentials: false.

Both updated checkout steps (Line 31 and Line 62) still use default credential persistence. This leaves unnecessary token-backed git config on the runner.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
@@
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

Based on learnings: “every actions/checkout step should set persist-credentials: false,” and as per path instructions: “Review GitHub Actions workflows for security best practices.”

Also applies to: 61-62

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 30-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reuse.yml around lines 30 - 31, The checkout steps in the
GitHub Actions workflow use default credential persistence settings, which
leaves unnecessary token-backed git configuration on the runner. Add the input
parameter persist-credentials: false to both instances of the actions/checkout
step (the one currently at line 31 and the other one at line 62) to prevent
credential persistence and harden the workflow security posture.

Sources: Path instructions, Learnings, Linters/SAST tools
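Every checkout thread above makes the same point, so one check covers all of them. The following is an added example, not CodeRabbit's, zizmor's or this repository's code: a standard-library Python lint that walks a workflow file line by line, finds each `uses: actions/checkout@...` step, and reports whether that step sets `persist-credentials: false` (the input defaults to true when absent, which is what the artipacked warnings above flag) and whether the ref is a full 40-character SHA pin. The function names `audit_checkout_steps` and `unhardened_checkouts`, and the embedded sample workflow, are constructed for this example; the digest inside the sample is the v6.0.3 SHA from this PR, and the final step deliberately uses a bare tag to exercise the pin check.

```python
# Added example (not CodeRabbit's, zizmor's or the repo's code): a standard-library
# lint for actions/checkout steps that keep default credential persistence.
import re
import sys
from pathlib import Path

CHECKOUT_RE = re.compile(r"^(\s*)(- )?uses:\s*actions/checkout@(\S+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(\S+)")
NAME_RE = re.compile(r"^\s*(?:- )?name:\s*(.+?)\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _skippable(line):
    return not line.strip() or line.lstrip().startswith("#")

def _step_bounds(lines, idx, opener, raw_indent):
    """[start, end) of the YAML list item (the step) that contains line idx."""
    if opener:
        start, item_indent = idx, raw_indent
    else:
        # "uses:" is a key inside the item: the "- " opener is the nearest
        # line above it with smaller indentation.
        start = idx
        while start > 0 and (_skippable(lines[start]) or _indent(lines[start]) >= raw_indent):
            start -= 1
        item_indent = _indent(lines[start])
    # The item ends at the next non-blank line indented at or below its opener.
    end = idx + 1
    while end < len(lines) and (_skippable(lines[end]) or _indent(lines[end]) > item_indent):
        end += 1
    return start, end

def audit_checkout_steps(workflow_text):
    """One record per actions/checkout step: line, name, ref, pin and hardening state."""
    lines = workflow_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        raw_indent, opener, ref = len(m.group(1)), m.group(2) is not None, m.group(3)
        step = lines[slice(*_step_bounds(lines, idx, opener, raw_indent))]
        name = next((NAME_RE.match(s).group(1) for s in step if NAME_RE.match(s)), "<unnamed>")
        persist = next((PERSIST_RE.match(s).group(1).strip("'\"").lower()
                        for s in step if PERSIST_RE.match(s)), None)
        findings.append({
            "line": idx + 1,
            "name": name,
            "ref": ref,
            "sha_pinned": bool(FULL_SHA_RE.match(ref)),
            "persist_credentials": persist,  # None: input absent, so the default (true) applies
            "hardened": persist == "false",
        })
    return findings

def unhardened_checkouts(workflow_text):
    """Checkout steps that would trigger the persist-credentials finding."""
    return [f for f in audit_checkout_steps(workflow_text) if not f["hardened"]]

# Constructed sample workflow: the digest is the v6.0.3 SHA from this PR; the
# last step uses a tag to show the pin check.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Hardened checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: true
  test:
    runs-on: ubuntu-latest
    steps:
      - with:
          persist-credentials: false
        uses: actions/checkout@v6
"""

if __name__ == "__main__":
    sources = [(p, Path(p).read_text(encoding="utf-8")) for p in sys.argv[1:]]
    for path, text in sources or [("<sample>", SAMPLE_WORKFLOW)]:
        for f in unhardened_checkouts(text):
            print(f"{path}:{f['line']}: step '{f['name']}' ({f['ref']}) "
                  f"persist-credentials={f['persist_credentials'] or 'unset, defaults to true'}")
```

Run it with workflow paths as arguments (for example the 22 files listed in this review) to list every checkout step that would still trip the finding; with no arguments it audits the embedded sample and reports lines 8 and 18. Step boundaries come from the indentation of the `- name:` / `- uses:` line that opens each list item, which is exactly the shape shown in the hunks above, and a step written with `with:` before `uses:` is handled by walking back to that opener. It is a lint for this one finding, not a replacement for zizmor's broader audits.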

@williaby williaby force-pushed the renovate/github-actions branch from eea33c4 to 087092b Compare June 24, 2026 05:19
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.50              2.44        -2.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.87         1.88         📈 0.2%
p95_ms                             2.50         2.44         📉 -2.4%
p99_ms                             2.55         2.56         📈 0.4%
mean_ms                            1.43         1.43         📉 -0.1%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.56         2.58         📈 0.9%
throughput_ops                     699.77       700.59       📈 0.1%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.00         0.99         📉 -0.7%
avg_throughput_all_benchmarks_ops  1094897.70   1000695.27   📉 -8.6%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 087092b to 7959092 Compare June 26, 2026 20:19
@github-actions

❌ Performance Regression Check

Status: REGRESSION DETECTED

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.29              3.00        +31.4%

Threshold: +/-10% allowed regression

⚠️ Action Required: Performance regression detected.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.91         1.96         📈 2.8%
p95_ms                             2.29         3.00         📈 31.4%
p99_ms                             2.39         3.29         📈 37.8%
mean_ms                            1.37         1.49         📈 8.6%
min_ms                             0.05         0.05         ➡️ 0.0%
max_ms                             2.40         3.31         📈 38.0%
throughput_ops                     731.58       673.60       📉 -7.9%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          0.92         1.05         📈 15.2%
avg_throughput_all_benchmarks_ops  1086320.78   1088299.78   📈 0.2%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 7959092 to 2d346e2 Compare June 27, 2026 17:39
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.56              2.57        +0.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.87         1.87         📉 -0.3%
p95_ms                             2.56         2.57         📈 0.4%
p99_ms                             2.66         2.59         📉 -2.6%
mean_ms                            1.45         1.45         ➡️ 0.0%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.71         2.65         📉 -2.0%
throughput_ops                     690.86       691.28       📈 0.1%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.02         1.02         📉 -0.4%
avg_throughput_all_benchmarks_ops  1088075.99   1083991.81   📉 -0.4%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 2d346e2 to 5659a25 Compare June 27, 2026 20:27
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.59              2.52        -2.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.87         1.87         📉 -0.1%
p95_ms                             2.59         2.52         📉 -2.4%
p99_ms                             2.72         2.59         📉 -4.6%
mean_ms                            1.45         1.44         📉 -1.1%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.83         2.61         📉 -7.6%
throughput_ops                     688.06       695.85       📈 1.1%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.02         1.00         📉 -2.1%
avg_throughput_all_benchmarks_ops  1087748.67   936913.96    📉 -13.9%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 5659a25 to 80a6865 Compare June 27, 2026 23:28
@github-actions

🎉 Performance Regression Check

Status: PERFORMANCE IMPROVED

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.65              2.50        -5.8%

Threshold: +/-10% allowed regression

Great work! Performance has improved.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.88         1.88         📉 -0.2%
p95_ms                             2.65         2.50         📉 -5.8%
p99_ms                             3.31         2.67         📉 -19.2%
mean_ms                            1.49         1.44         📉 -3.3%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             3.95         2.69         📉 -32.1%
throughput_ops                     670.74       693.42       📈 3.4%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.04         1.00         📉 -3.5%
avg_throughput_all_benchmarks_ops  980705.84    1034324.70   📈 5.5%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 80a6865 to 2fe8eb4 Compare June 28, 2026 02:28
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.54              2.46        -3.1%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             2.00         2.03         📈 1.5%
p95_ms                             2.54         2.46         📉 -3.1%
p99_ms                             2.58         2.54         📉 -1.6%
mean_ms                            1.48         1.49         📈 0.3%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.62         2.55         📉 -2.6%
throughput_ops                     675.09       673.41       📉 -0.2%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.01         0.99         📉 -2.5%
avg_throughput_all_benchmarks_ops  1074365.95   1062259.83   📉 -1.1%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 2fe8eb4 to acc6334 Compare June 29, 2026 02:18
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.58              2.65        +2.9%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.89         1.88         📉 -0.2%
p95_ms                             2.58         2.65         📈 2.9%
p99_ms                             2.67         2.69         📈 0.7%
mean_ms                            1.46         1.47         📈 1.1%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.79         2.69         📉 -3.4%
throughput_ops                     686.14       678.90       📉 -1.1%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.04         1.06         📈 1.6%
avg_throughput_all_benchmarks_ops  1029102.13   1047137.73   📈 1.8%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from acc6334 to 8d805e7 Compare June 29, 2026 20:17
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.58              2.55        -1.1%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.87         1.87         ➡️ 0.0%
p95_ms                             2.58         2.55         📉 -1.1%
p99_ms                             2.70         2.63         📉 -2.6%
mean_ms                            1.46         1.45         📉 -0.4%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.71         2.63         📉 -2.7%
throughput_ops                     686.73       689.70       📈 0.4%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.04         1.02         📉 -2.1%
avg_throughput_all_benchmarks_ops  1015613.17   1060221.14   📈 4.4%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from 8d805e7 to fc572b3 Compare June 30, 2026 20:16
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.61              2.48        -4.9%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.88         1.90         📈 1.1%
p95_ms                             2.61         2.48         📉 -4.9%
p99_ms                             2.72         2.60         📉 -4.4%
mean_ms                            1.47         1.45         📉 -1.2%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.83         2.65         📉 -6.3%
throughput_ops                     680.46       688.62       📈 1.2%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          1.03         1.01         📉 -1.7%
avg_throughput_all_benchmarks_ops  950839.75    1033983.92   📈 8.7%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from fc572b3 to 02edd6e Compare July 1, 2026 02:16
@github-actions

github-actions Bot commented Jul 1, 2026

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric   Baseline (main)   PR Branch   Change
p95_ms   2.42              2.48        +2.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric                             Baseline     PR           Change
p50_ms                             1.88         1.87         📉 -0.3%
p95_ms                             2.42         2.48         📈 2.4%
p99_ms                             2.60         2.59         📉 -0.1%
mean_ms                            1.43         1.43         📈 0.3%
min_ms                             0.06         0.06         ➡️ 0.0%
max_ms                             2.65         2.62         📉 -1.0%
throughput_ops                     700.03       697.71       📉 -0.3%
total_iterations                   500.00       500.00       ➡️ 0.0%
avg_p95_all_benchmarks_ms          0.98         1.00         📈 1.8%
avg_throughput_all_benchmarks_ops  1103878.59   1087039.30   📉 -1.5%

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@sonarqubecloud

sonarqubecloud Bot commented Jul 1, 2026
