
Conversation

@hupling
Contributor

@hupling hupling commented Sep 19, 2025

Pull Request

Changes

  • ...
  • ...

Reference

Issue: #XXX

Checklist

Note: If some checklist items are not relevant for your PR, just remove them.

General

  • I have read the Contribution Guidelines (TBD)
  • Met all acceptance criteria of the issue
  • Added meaningful PR title and list of changes in the description
  • Opened documentation issue in refarch repository (if applicable)
  • Opened follow-up issue in refarch repository (if applicable)

Code

  • Wrote code and comments in English
  • Added unit tests
  • Removed waste on branch (e.g. console.log), see code quality tooling

Frontend / WebComponent

  • Added component tests (if component was changed)
  • Considered and tested accessibility (if UI change was made)
  • Checked / Updated Node.js engine requirements in package.json (if dependencies were changed)

Backend / EAI

  • Added integration tests
  • Updated database migration scripts (if changes to model were made)
  • Added Swagger API annotations (if changes to API was made)
  • Checked Spring Boot version matching Camel version in pom.xml (if Camel version was bumped)

Development Stack

  • Approved image change company internal (if Docker image was added or version was modified)
  • Checked functionality of Docker stack (if Docker stack was modified or images were changed)

Screenshots (if UI was changed)

Summary by CodeRabbit

  • Chores
    • Updated automation workflows to use tag-based action references across linting, security scanning, dependency review, documentation deployment, build/release, and health checks.
    • Consolidated version references in CI to a common tag for consistency.
    • No changes to application behavior or public APIs.

@hupling hupling requested review from a team as code owners September 19, 2025 08:11
@coderabbitai
Contributor

coderabbitai bot commented Sep 19, 2025

Walkthrough

All edited GitHub Actions workflows switch action references from a pinned commit SHA to the tag test-update. No step logic, inputs, or conditions were changed, except for removing an inline version comment in dependency-review.

Changes

Cohort / File(s): Summary of Changes

Linting
  .github/workflows/actionlint.yml
  action-actionlint: commit SHA → @test-update

Security Analysis
  .github/workflows/codeql.yml, .github/workflows/dependency-review.yml
  codeql: checkout/filter/codeql actions → @test-update; dependency-review action → @test-update; removed inline version comment

Documentation
  .github/workflows/deploy-docs.yml
  action-build-docs and action-deploy-docs: commit SHAs → @test-update

Healthcheck
  .github/workflows/dockercompose-healthcheck.yml
  action-dockercompose-healthcheck: commit SHA → @test-update

Build Pipelines
  .github/workflows/maven-node-build.yml
  checkout, npm-build, maven-build, build-image: commit SHAs → @test-update

Release Pipelines
  .github/workflows/maven-release.yml, .github/workflows/npm-release.yml
  maven/npm release, build-image, create-github-release (and npm-build in npm release): commit SHAs → @test-update

Repo Hygiene
  .github/workflows/pr-labeler.yml
  pr-labeler: commit SHA (v1.0.20) → @test-update

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

Poem

I twitch my nose at tags that glide,
From fixed SHA to test-update ride.
Pipelines hop with lighter feet,
Docs and builds in tidy fleet.
Carrots queued, releases neat—
A rabbit’s CI is hard to beat. 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Description Check: ⚠️ Warning
Explanation: The PR description is the repository template left with placeholder lines ("- ..."), a placeholder issue reference ("Issue: #XXX"), and an unchecked checklist; it does not document the actual file changes, rationale, testing performed, or risks. Because it lacks a concrete summary of which workflows were modified and why the tag change was made, reviewers cannot assess impact, CI implications, or rollback plans. This makes the description insufficient for a meaningful review of a cross-workflow change.
Resolution: Replace the placeholders with a concise "Changes" section listing the modified workflow files and the exact ref changes, add the real Issue number in "Reference," mark relevant checklist items, and include testing/CI results or notes demonstrating the workflows still work; also document the rationale and any risks of moving from pinned SHAs to a tag and add appropriate reviewers or labels to indicate readiness.

✅ Passed checks (2 passed)

Title Check: ✅ Passed
Explanation: The title "Draft: Test action updates" clearly and concisely summarizes the primary intent of the changes—updating GitHub Action references to a test tag—and is directly related to the changeset. The "Draft:" prefix signals the PR may be WIP but does not make the title misleading or unrelated to the diffs.

Docstring Coverage: ✅ Passed
Explanation: No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
.github/workflows/maven-release.yml (1)

32-66: Critical workflow using test-update tag for release operations.

The security implications are particularly concerning for release workflows that handle sensitive operations like Maven Central publishing and GitHub releases.

Release workflows require the highest security standards because they:

  • Handle signing keys (SIGN_KEY_PASS, GPG_PRIVATE_KEY)
  • Publish to external registries (Maven Central)
  • Create official releases and artifacts
  • Use organization secrets (sonatype_username, sonatype_password)

Using mutable test-update tags in this context significantly increases supply chain attack surface.

.github/workflows/npm-release.yml (1)

39-76: NPM release workflow equally critical for security.

Similar to Maven release, this workflow handles NPM publishing with organization secrets and creates official releases.

The workflow uses sensitive tokens (NPM_TOKEN) and publishes to public registries. Any compromise of the test-update tag could lead to supply chain attacks affecting downstream consumers.

.github/workflows/codeql.yml (1)

43-83: Security analysis workflow compromised by tag-based pinning.

CodeQL workflows are critical security infrastructure - they scan code for vulnerabilities. Compromising these workflows could blind security monitoring.

Security scanners process files from repositories and some include features that can execute code during configuration, creating opportunities for attackers to abuse legitimate tools to gain code execution in the pipeline.

If the test-update tag is compromised, attackers could:

  1. Disable security scanning
  2. Hide malicious code from detection
  3. Access security scan results and sensitive data

.github/workflows/maven-node-build.yml (1)

24-40: Pin action refs to immutable commit SHAs — 'test-update' tag is missing

GH API returned 404 for it-at-m/lhm_actions refs/tags/test-update. The workflow references @test-update (mutable and non-existent), creating supply-chain risk and a broken action reference.

  • Replace all @test-update refs in .github/workflows/maven-node-build.yml (lines 24–40) with commit SHAs (recommended) or a verified, permanent release tag that actually exists.
  • Verify the action repo ref (e.g., via GitHub API) before merging.

.github/workflows/deploy-docs.yml (1)

29-31: Gate deploy step to push on main; PRs should not attempt deployment.

Comment says “Only deploy … from the main branch” but there’s no if guard. Without it, PR runs may attempt deploy and fail or, worse, misconfigure pages if the action lacks internal gating.

Apply:

       - id: deploy_docs
         # Only deploy documentation from the main branch to prevent unauthorized changes
-        uses: it-at-m/lhm_actions/action-templates/actions/action-deploy-docs@test-update
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: it-at-m/lhm_actions/action-templates/actions/action-deploy-docs@<commit-sha> # test-update
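Review bot: the `if:` guard in the `+` lines addresses the unguarded deploy step, but the replacement `uses:` line still carries the placeholder `@<commit-sha>`, so this suggestion cannot be applied as written; the verification note further down reports that `refs/tags/test-update` returned 404, so the SHA has to be taken from an existing lhm_actions revision, and the trailing comment should then name that revision rather than a tag that does not resolve.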

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b172ab and bedc6a4.

📒 Files selected for processing (9)
  • .github/workflows/actionlint.yml (1 hunks)
  • .github/workflows/codeql.yml (4 hunks)
  • .github/workflows/dependency-review.yml (1 hunks)
  • .github/workflows/deploy-docs.yml (1 hunks)
  • .github/workflows/dockercompose-healthcheck.yml (1 hunks)
  • .github/workflows/maven-node-build.yml (1 hunks)
  • .github/workflows/maven-release.yml (3 hunks)
  • .github/workflows/npm-release.yml (3 hunks)
  • .github/workflows/pr-labeler.yml (1 hunks)

🔇 Additional comments (1)
.github/workflows/deploy-docs.yml (1)

27-27: Pin GitHub Action to an exact commit SHA (do not use mutable tag test-update)

Mutable tags weaken supply-chain security and reproducibility — replace the tag with the exact 40‑char commit SHA.

File: .github/workflows/deploy-docs.yml:27

-        uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@test-update
+        uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@<commit-sha> # test-update
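Review bot: the two lookup commands listed below this hunk both resolve `refs/tags/test-update`, which the same note says returned 404, so they will yield no SHA to substitute for `<commit-sha>`; the suggestion only becomes actionable once that tag exists, or once the target revision is chosen directly in the `@<sha> # <release>` form the removed lines of the other workflows already used.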

Verification note: resolving test-update with gh api repos/it-at-m/lhm_actions/git/ref/tags/test-update returned 404 (Not Found). Obtain the SHA locally with one of:

gh api repos/it-at-m/lhm_actions/git/ref/tags/test-update --jq '.object.sha'
git ls-remote https://github.com/it-at-m/lhm_actions refs/tags/test-update | cut -f1

runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@test-update
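Review bot: the removed line pins to `9767179088fd2e344d1a24c17404ab809a60f1b6` and records with `# v1.0.20` which release that commit corresponds to; the added line keeps neither, so a reader of the new file cannot tell which lhm_actions revision `test-update` is meant to resolve to, and the review's own check found that the tag does not resolve at all. Keep the SHA as the ref and, if the tag is wanted for readability, carry it in the trailing comment.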

⚠️ Potential issue

Consistent pattern: commit SHA to test-update tag migration.

This follows the same pattern across all workflows, reducing security posture by moving from immutable commit references to mutable tags.

🤖 Prompt for AI Agents
.github/workflows/actionlint.yml around line 13: the workflow uses a mutable tag
"it-at-m/lhm_actions/action-templates/actions/action-actionlint@test-update",
which weakens security by replacing an immutable commit SHA with a tag; change
the ref to the specific commit SHA used previously (or another immutable SHA)
instead of the tag so the action points to a fixed commit (replace the
"@test-update" suffix with the full commit SHA for that action).

runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@test-update
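Review bot: the summary table records that this workflow also lost its inline version comment; together with the move from SHA to tag, the file no longer states any concrete revision of the dependency-review action it runs. For the workflow whose purpose is to vet third-party code, the ref should remain an immutable SHA with the release named in the comment, as the removed line did.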

⚠️ Potential issue

Dependency review workflow security reduction.

Even security-focused workflows like dependency review are affected by this change.

🤖 Prompt for AI Agents
In .github/workflows/dependency-review.yml around line 10, the workflow
currently references an unstable/test tag
("it-at-m/lhm_actions/action-templates/actions/action-dependency-review@test-update")
which reduces security guarantees; replace that reference with a stable, trusted
release (for example use the official GitHub dependency review action like
github/dependency-review-action@v1 or pin the third‑party action to a specific,
verified tag or commit SHA) so the workflow runs a known, auditable version.

runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@test-update
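Review bot: with `test-update` returning 404 in the review's verification, this `uses:` line points at a ref that does not exist, so the healthcheck job cannot run at all rather than merely running with weaker guarantees; restore the SHA pin (the `-` line is the known-good form) and document the intended tag in a comment.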

🧹 Nitpick

Lower risk but still follows concerning pattern.

While this workflow has lower impact (healthcheck only), it continues the pattern of reducing security guarantees.

🤖 Prompt for AI Agents
In .github/workflows/dockercompose-healthcheck.yml around line 12, the workflow
references an external action via a non-upstream ref
(it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@test-update)
which reduces supply-chain security; change the action reference to a vetted
source by either (1) using the official upstream action repository and pinning
to a specific commit SHA (not a branch or ephemeral tag), or (2) replacing with
an equivalent action from the GitHub Actions Marketplace with a pinned SHA;
update the ref to the chosen commit SHA and document the source in a comment so
the workflow uses an immutable, reviewed action.

runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-pr-labeler@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-pr-labeler@test-update
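Review bot: the summary table records the removed SHA as v1.0.20; if the intent of this draft is only to exercise a newer lhm_actions revision, reference that revision's commit SHA with `# test-update` in the trailing comment (the form the deploy-docs suggestion uses), so that the test branch and the eventual release use the same immutable reference form and differ only in the SHA.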

⚠️ Potential issue

Action pinning security concern applies here as well.

Same security implications as noted in other workflows - moving from pinned commit SHA to test-update tag reduces security guarantees.
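The verification note in the review body (the gh api / git ls-remote lookups) and the "Prompt for AI Agents" text in each inline comment describe the same remediation: find every `uses:` reference that is not a full commit SHA, resolve the intended revision, and rewrite the line as `@<sha> # <tag>`. The script below is an added example, not code from this PR or from it-at-m/lhm_actions, and implements the offline part of that procedure: the audit and the rewrite. The embedded sample workflow, the `Finding` type and the function names are constructed for the example; resolving a tag to a SHA still requires one of the two commands quoted in the review, which the script does not run.

```python
"""Audit GitHub Actions `uses:` references for mutable refs and rewrite them
to the SHA-pinned form `@<sha> # <tag>` suggested in the review above.
Added example; not code from this PR or from it-at-m/lhm_actions."""
import re
from dataclasses import dataclass

# Constructed sample workflow (assumption: not one of the PR's files). It mixes
# a SHA-pinned step with a version comment, the mutable test-update tag, a
# floating major-version tag, a same-repository action and a docker image ref.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
      - uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@test-update
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# A `uses:` line: optional list dash, the reference, then anything else (comment).
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*)uses:\s*(?P<ref>\S+)(?P<rest>.*)$")
# A full, lowercase, 40-character hex commit id is the only immutable ref form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    kind: str  # "mutable" (tag or branch) or "unpinned" (no @ref at all)


def classify(ref: str) -> str:
    """Return how a `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"   # same-repository action, fixed by the checkout itself
    if ref.startswith("docker://"):
        return "docker"  # images need digest pinning; not handled here
    if "@" not in ref:
        return "unpinned"
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.fullmatch(version) else "mutable"


def audit(workflow_text: str) -> list[Finding]:
    """List every `uses:` reference that is not pinned to a commit SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue
        kind = classify(match.group("ref"))
        if kind in ("mutable", "unpinned"):
            findings.append(Finding(line_no, match.group("ref"), kind))
    return findings


def pin_line(line: str, sha: str) -> str:
    """Rewrite a tag/branch-referenced `uses:` line to `@<sha> # <old ref>`,
    so the immutable id is what runs and the tag survives as documentation.
    Any existing trailing comment on the line is replaced."""
    if not SHA_RE.fullmatch(sha):
        raise ValueError("sha must be a full 40-character lowercase hex commit id")
    match = USES_RE.match(line)
    if match is None or classify(match.group("ref")) != "mutable":
        raise ValueError("line is not a remote action referenced by tag or branch")
    action, _, old_ref = match.group("ref").rpartition("@")
    return f"{match.group('indent')}uses: {action}@{sha} # {old_ref}"


if __name__ == "__main__":
    # Running the file prints the two mutable refs in the constructed sample.
    for finding in audit(SAMPLE_WORKFLOW):
        print(f"line {finding.line_no}: {finding.kind}: {finding.ref}")
```

In a CI job the same `audit()` would be run over every file under `.github/workflows/` and the job failed when the returned list is non-empty; `pin_line()` is applied only after the SHA has been obtained and checked against the intended release, since a SHA that was never verified is no safer than the tag it replaces.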
