Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 15 additions & 15 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,11 @@ jobs:
name: ui (build + test + budget)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

- uses: actions/setup-node@v4
- uses: actions/setup-node@v6
with:
node-version: '20'
node-version: '22'
cache: 'npm'
cache-dependency-path: ui/package-lock.json

Expand Down Expand Up @@ -46,7 +46,7 @@ jobs:
fi

- name: Upload ui/dist
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: ui-dist
path: ui/dist
Expand All @@ -64,18 +64,18 @@ jobs:
env:
CGO_ENABLED: "1"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

- uses: actions/setup-go@v5
- uses: actions/setup-go@v6
with:
go-version: '1.22'
go-version-file: go.mod

- name: Assert C toolchain (macOS)
if: runner.os == 'macOS'
run: clang --version

- name: Go build cache
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: |
~/.cache/go-build
Expand All @@ -88,7 +88,7 @@ jobs:
# Hydrate ui/dist with the build artifact produced by the `ui` job so
# the //go:embed ui/dist directive has real assets to embed.
- name: Download ui/dist
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
name: ui-dist
path: ui/dist
Expand All @@ -103,7 +103,7 @@ jobs:
run: CGO_ENABLED=1 go build -tags sqlite_fts5 -o docsiq ./

- name: Upload docsiq binary
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: docsiq-${{ matrix.os }}
path: docsiq
Expand All @@ -115,22 +115,22 @@ jobs:
needs: ui
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

- uses: actions/setup-go@v5
- uses: actions/setup-go@v6
with:
go-version: '1.22'
go-version-file: go.mod

- name: cache go build
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: go-integ-${{ hashFiles('go.sum') }}

- name: Download ui/dist
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
name: ui-dist
path: ui/dist
Expand Down
53 changes: 53 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: release

# Auto-cuts a beta prerelease on every main push.
# Tag pushes are ignored so the workflow doesn't recurse.
on:
push:
branches: [main]

permissions:
contents: write

concurrency:
group: release-main
cancel-in-progress: false
Comment on lines +12 to +14

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fixed concurrency group can skip releases for intermediate pushes

Line 13 uses a single workflow-level concurrency key. With GitHub Actions concurrency semantics, older pending runs in the same group are replaced by newer queued runs, so not every main push will get a prerelease.

In GitHub Actions workflow-level concurrency, does a new queued run replace an existing pending run in the same concurrency group when cancel-in-progress is false?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 12 - 14, The workflow-level
concurrency group "release-main" causes newer queued runs to replace older
pending runs; to ensure every main push produces a release, make the concurrency
key unique per run (e.g. change group to include a run-specific expression like
release-${{ github.sha }} or release-${{ github.run_id }}) while keeping
cancel-in-progress as needed; update the concurrency block (symbols:
concurrency, group, cancel-in-progress) so each push has its own group and won't
be skipped.


jobs:
release:
name: auto-tag + release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify mutable action refs in workflow files
fd -p '.github/workflows/*.yml' | xargs rg -nP 'uses:\s*[^@]+@v[0-9]+'
# Expected after hardening: no matches

Repository: RandomCodeSpace/docsiq

Length of output: 332


🏁 Script executed:

cat -n .github/workflows/release.yml | head -30

Repository: RandomCodeSpace/docsiq

Length of output: 874


🏁 Script executed:

cat -n .github/workflows/release.yml

Repository: RandomCodeSpace/docsiq

Length of output: 1701


Pin action to a commit SHA in this write-scoped workflow

Line 21 uses a mutable major tag (actions/checkout@v6) in a workflow with contents: write permissions (line 10). Pinning to a full commit SHA reduces supply-chain risk.

🔒 Suggested hardening
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@dcd71f646680f2efd8db4ead08a20234aee33c24
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v6
- uses: actions/checkout@dcd71f646680f2efd8db4ead08a20234aee33c24
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 21, Replace the mutable action
reference "actions/checkout@v6" with a pinned full commit SHA for the
actions/checkout step in the release workflow; locate the "uses:
actions/checkout@v6" entry in the release.yml and update it to "uses:
actions/checkout@<full-commit-sha>" (the latest verified commit for
actions/checkout) so the workflow that has contents: write permission is not
using a mutable tag.

with:
fetch-depth: 0

- name: Compute next beta tag
id: ver
run: |
latest=$(git tag -l 'v0.0.0-beta.*' \
| grep -E 'v0\.0\.0-beta\.[0-9]+$' \
| sort -V \
| tail -1)
if [ -z "$latest" ]; then
next="v0.0.0-beta.1"
else
n=${latest##*.}
next="v0.0.0-beta.$((n+1))"
fi
echo "tag=$next" >> "$GITHUB_OUTPUT"
echo "Next tag: $next"

- name: Create tag + release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -eu
tag="${{ steps.ver.outputs.tag }}"
git tag "$tag"
git push origin "$tag"
gh release create "$tag" \
--target "${{ github.sha }}" \
--prerelease \
--generate-notes \
--title "$tag"
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

[![Security Scan](https://github.com/RandomCodeSpace/docsiq/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/RandomCodeSpace/docsiq/actions/workflows/ci.yml)
[![OpenSSF Score](https://api.scorecard.dev/projects/github.com/RandomCodeSpace/docsiq/badge)](https://scorecard.dev/viewer/?uri=github.com/RandomCodeSpace/docsiq)
[![Release](https://img.shields.io/github/v/release/RandomCodeSpace/docsiq)](https://github.com/RandomCodeSpace/docsiq/releases)
[![Release](https://img.shields.io/github/v/release/RandomCodeSpace/docsiq?include_prereleases&sort=semver)](https://github.com/RandomCodeSpace/docsiq/releases)
[![Go Version](https://img.shields.io/github/go-mod/go-version/RandomCodeSpace/docsiq)](https://github.com/RandomCodeSpace/docsiq/blob/main/go.mod)

docsiq is a GraphRAG-powered knowledge base that runs as a single Go binary.
Expand Down
Loading