Staging -> Main

[gkorland]

Summary by CodeRabbit

• Chores
  • Updated CI/CD and workflow actions to newer versions across automation workflows.
  • Bumped a development dependency (tqdm) in project configuration.
• Tests
  • Increased several end-to-end test timeouts to reduce intermittent failures.

[overcut-ai]

Completed Working on "Code Review"

✅ Workflow completed successfully.

---

👉 View complete log

[railway-app]

🚅 Deployed to the QueryWeaver-pr-404 environment in queryweaver

Service	Status	Web	Updated (UTC)
QueryWeaver	🕛 Waiting for status checks (View Logs)	Web	Feb 24, 2026 at 12:55 pm

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 29 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/spellcheck.yml

Package	Version	License	Issue Type
actions/checkout	6.*.*	Null	Unknown License

.github/workflows/tests.yml

Package	Version	License	Issue Type
actions/checkout	6.*.*	Null	Unknown License
actions/setup-python	6.*.*	Null	Unknown License

Pipfile.lock

Package	Version	License	Issue Type
authlib	1.6.8	Null	Unknown License
cachetools	7.0.1	Null	Unknown License
cyclopts	4.5.4	Null	Unknown License
falkordb	1.6.0	Null	Unknown License
fastapi	0.131.0	Null	Unknown License
fastmcp	3.0.1	Null	Unknown License
filelock	3.24.3	Null	Unknown License
fsspec	2026.2.0	Null	Unknown License
grpcio	1.78.1	Null	Unknown License
jsonschema-path	0.4.1	Null	Unknown License
litellm	1.80.17	Null	Unknown License
neo4j	6.1.0	Null	Unknown License
openai	2.21.0	Null	Unknown License
packaging	26.0	Null	Unknown License
pathable	0.5.0	Null	Unknown License
platformdirs	4.9.2	Null	Unknown License
py-key-value-aio	0.4.4	Null	Unknown License
pycparser	3.0	Null	Unknown License
pydantic-settings	2.13.1	Null	Unknown License
redis	7.2.0	Null	Unknown License
regex	2026.2.19	Null	Unknown License
rich	14.3.3	Null	Unknown License
typer	0.24.1	Null	Unknown License
typer-slim	0.24.0	Null	Unknown License
websockets	16.0	Null	Unknown License
posthog	7.9.3	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	6.*.*	🟢 6.2	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/rojopolis/spellcheck-github-actions	0.58.0	🟢 4.7	Details Check Score Reason Code-Review ⚠️ 0 Found 0/10 approved changesets -- score normalized to 0 Maintained 🟢 10 29 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	6.*.*	🟢 6.2	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	6.*.*	🟢 5.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
pip/aiofile	3.9.0	🟢 3.1	Details Check Score Reason Code-Review 🟢 4 Found 6/14 approved changesets -- score normalized to 4 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/anyio	4.12.1	Unknown	Unknown
pip/astroid	4.0.4	Unknown	Unknown
pip/authlib	1.6.8	Unknown	Unknown
pip/cachetools	7.0.1	Unknown	Unknown
pip/caio	0.9.25	Unknown	Unknown
pip/certifi	2026.1.4	🟢 6.6	Details Check Score Reason Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 5 Found 1/2 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/certifi	2026.1.4	🟢 6.6	Details Check Score Reason Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 5 Found 1/2 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/cryptography	46.0.5	Unknown	Unknown
pip/cyclopts	4.5.4	Unknown	Unknown
pip/dill	0.4.1	🟢 4.5	Details Check Score Reason Token-Permissions ⚠️ -1 No tokens found Maintained 🟢 8 9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Code-Review ⚠️ 0 Found 1/25 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/docutils	0.22.4	Unknown	Unknown
pip/falkordb	1.6.0	Unknown	Unknown
pip/fastapi	0.131.0	Unknown	Unknown
pip/fastmcp	3.0.1	Unknown	Unknown
pip/filelock	3.24.3	Unknown	Unknown
pip/fsspec	2026.2.0	Unknown	Unknown
pip/greenlet	3.3.2	Unknown	Unknown
pip/grpcio	1.78.1	Unknown	Unknown
pip/huggingface-hub	1.4.1	🟢 5.7	Details Check Score Reason Code-Review 🟢 9 Found 28/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6
pip/importlib-metadata	8.7.1	Unknown	Unknown
pip/isort	8.0.0	Unknown	Unknown
pip/jaraco.context	6.1.0	Unknown	Unknown
pip/jaraco.functools	4.4.0	Unknown	Unknown
pip/jeepney	0.9.0	Unknown	Unknown
pip/jiter	0.13.0	Unknown	Unknown
pip/jsonref	1.1.0	Unknown	Unknown
pip/jsonschema-path	0.4.1	Unknown	Unknown
pip/litellm	1.80.17	Unknown	Unknown
pip/mcp	1.26.0	Unknown	Unknown
pip/multidict	6.7.1	🟢 7.1	Details Check Score Reason Maintained 🟢 10 17 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 6 Found 5/8 approved changesets -- score normalized to 6 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts.
pip/neo4j	6.1.0	Unknown	Unknown
pip/numpy	2.4.2	Unknown	Unknown
pip/openai	2.21.0	Unknown	Unknown
pip/packaging	26.0	Unknown	Unknown
pip/packaging	26.0	Unknown	Unknown
pip/pathable	0.5.0	Unknown	Unknown
pip/platformdirs	4.9.2	Unknown	Unknown
pip/platformdirs	4.9.2	Unknown	Unknown
pip/posthog	7.9.3	Unknown	Unknown
pip/py-key-value-aio	0.4.4	Unknown	Unknown
pip/pycparser	3.0	Unknown	Unknown
pip/pydantic-settings	2.13.1	Unknown	Unknown
pip/pyee	13.0.1	Unknown	Unknown
pip/pyjwt	2.11.0	Unknown	Unknown
pip/pylint	4.0.5	Unknown	Unknown
pip/python-multipart	0.0.22	Unknown	Unknown
pip/redis	7.2.0	Unknown	Unknown
pip/referencing	0.37.0	Unknown	Unknown
pip/regex	2026.2.19	Unknown	Unknown
pip/rich	14.3.3	Unknown	Unknown
pip/secretstorage	3.5.0	Unknown	Unknown
pip/sse-starlette	3.2.0	Unknown	Unknown
pip/starlette	0.52.1	Unknown	Unknown
pip/tenacity	9.1.4	🟢 6.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 9 Found 27/28 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/tokenizers	0.22.2	Unknown	Unknown
pip/tomlkit	0.14.0	Unknown	Unknown
pip/tqdm	4.67.3	Unknown	Unknown
pip/typer	0.24.1	Unknown	Unknown
pip/typer-slim	0.24.0	Unknown	Unknown
pip/urllib3	2.6.3	Unknown	Unknown
pip/watchfiles	1.1.1	🟢 3.4	Details Check Score Reason Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 8/25 approved changesets -- score normalized to 3 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/websockets	16.0	Unknown	Unknown
npm/lodash	4.17.23	🟢 6.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 7 17 out of 23 merged PRs checked by a CI test -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 7 Found 22/30 approved changesets -- score normalized to 7 Contributors 🟢 10 project has 90 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 8 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 8 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 81 existing vulnerabilities detected

Scanned Files

• .github/workflows/spellcheck.yml
• .github/workflows/tests.yml
• Pipfile.lock
• app/package-lock.json

[coderabbitai]

Warning

Rate limit exceeded

@gkorland has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 59 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 480a225 and d5c70a2.

⛔ Files ignored due to path filters (2)

• Pipfile.lock is excluded by !**/*.lock
• app/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• .github/dependabot.yml
• .github/workflows/dependency-review.yml
• .github/workflows/playwright.yml
• .github/workflows/publish-docker.yml
• .github/workflows/pylint.yml
• .github/workflows/spellcheck.yml
• .github/workflows/tests.yml
• Pipfile

📝 Walkthrough

Walkthrough

Bumped versions across multiple GitHub Actions (setup-python, setup-node, upload-artifact, docker/build-push-action, spellcheck) and increased a Playwright e2e test timeout from 20000ms to 30000ms. Also updated tqdm version in Pipfile. No other behavioral changes.

Changes

Cohort / File(s)	Summary
Playwright & Python Workflows ​.github/workflows/playwright.yml, ​.github/workflows/pylint.yml, ​.github/workflows/tests.yml	Bumped actions/setup-python v5 → v6 in all; playwright.yml also updates actions/setup-node v4 → v6 and actions/upload-artifact v4 → v6 (two occurrences).
Docker Build Workflow ​.github/workflows/publish-docker.yml	Bumped docker/build-push-action v5 → v6.
Spellcheck Workflow ​.github/workflows/spellcheck.yml	Upgraded spellcheck/typos action v0.51.0 → v0.58.0.
E2E Tests e2e/tests/chat.spec.ts	Increased waitForConfirmationMessage timeout from 20000ms → 30000ms in three places.
Python Dependencies Pipfile	Bumped tqdm from ~=4.67.1 → ~=4.67.3.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through CI with a cheerful tune,
nudged versions upward, under the moon.
Tests pause a beat — thirty now, not twenty,
tiny bumps and a carrot aplenty,
pipelines hum, and I munch on a prune.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Staging -> Main' is vague and generic, describing only the source and target branches rather than the actual changes (dependency updates and timeout adjustments).	Replace with a descriptive title summarizing the main changes, such as 'Update GitHub Actions and dependencies' or 'Bump action versions and test timeouts'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch staging

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/publish-docker.yml (1)

30-30: Version bump looks good. Consider pinning to a commit SHA for supply-chain hardening.

The upgrade to docker/build-push-action@v6 is valid. CodeQL flags this as an unpinned 3rd-party action — pinning to a full commit SHA (e.g., docker/build-push-action@<sha>) prevents a compromised tag from silently replacing the action. This is optional but worth considering for a publish workflow that handles Docker credentials.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-docker.yml at line 30, The workflow currently
references the third-party action as docker/build-push-action@v6; to harden the
supply chain, replace that tag with a pinned commit SHA
(docker/build-push-action@<full-sha>) in the publish-docker.yml uses line. Find
the action repo's latest v6 release commit SHA (e.g., from
docker/build-push-action GitHub releases or the v6 tag commit) and update the
uses entry to that full SHA so the workflow uses an immutable revision.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/publish-docker.yml:
- Line 30: The workflow currently references the third-party action as
docker/build-push-action@v6; to harden the supply chain, replace that tag with a
pinned commit SHA (docker/build-push-action@<full-sha>) in the
publish-docker.yml uses line. Find the action repo's latest v6 release commit
SHA (e.g., from docker/build-push-action GitHub releases or the v6 tag commit)
and update the uses entry to that full SHA so the workflow uses an immutable
revision.