2 changes: 1 addition & 1 deletion .github/workflows/actionlint.yml
Expand Up @@ -10,4 +10,4 @@ jobs:
name: Run actionlint
runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@test-update
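Review bot: the `uses:` line in this hunk swaps the pinned commit `9767179088fd2e344d1a24c17404ab809a60f1b6` (annotated `# v1.0.20`) for the mutable ref `test-update`, so whatever that ref points to in it-at-m/lhm_actions at run time is what executes, and a push to that ref changes the action without any change in this repository. The ref name reads like a working branch rather than a release, so this looks like a test setting that should not reach `main`. Suggest restoring a full-length SHA with the version comment, e.g. `uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@<commit-sha> # v1.0.20`, where `<commit-sha>` stands for the reviewed commit of the intended release.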
Contributor

⚠️ Potential issue

Consistent pattern: commit SHA to test-update tag migration.

This follows the same pattern across all workflows, reducing security posture by moving from immutable commit references to mutable tags.

🤖 Prompt for AI Agents
.github/workflows/actionlint.yml around line 13: the workflow uses a mutable tag
"it-at-m/lhm_actions/action-templates/actions/action-actionlint@test-update",
which weakens security by replacing an immutable commit SHA with a tag; change
the ref to the specific commit SHA used previously (or another immutable SHA)
instead of the tag so the action points to a fixed commit (replace the
"@test-update" suffix with the full commit SHA for that action).

10 changes: 5 additions & 5 deletions .github/workflows/codeql.yml
Expand Up @@ -40,10 +40,10 @@ jobs:
python: ${{ steps.filter.outputs.python }}
steps:
- name: Checkout repository
uses: it-at-m/lhm_actions/action-templates/actions/action-checkout@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-checkout@test-update
- name: Path Filter
id: filter
uses: it-at-m/lhm_actions/action-templates/actions/action-filter@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-filter@test-update
codeql-java:
name: Analyze Java source files
runs-on: ubuntu-latest
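Review bot: both `uses:` lines in this hunk (`action-checkout` and `action-filter`) now resolve `test-update` at run time instead of the pinned SHA, and the checkout step is what every CodeQL job in this file depends on, so an unreviewed change to that ref runs against the repository contents before any analysis happens. The `# v1.0.20` comment that recorded which release the SHA corresponded to is also gone, so a reader can no longer tell which version is intended. Suggest keeping the `@<commit-sha> # vX.Y.Z` form so the reference is both immutable and human-readable.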
Expand All @@ -53,7 +53,7 @@ jobs:
matrix:
build-path: ["./refarch-backend", "./refarch-eai"] # JSON array formatted as string, contains the paths to the java projects to build
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@test-update
if: ${{ env.analyze-java == 'true' && (github.ref_name == 'main' || needs.check-changes.outputs.java == 'true') }}
with:
codeql-language: java-kotlin
Expand All @@ -66,7 +66,7 @@ jobs:
runs-on: ubuntu-latest
needs: check-changes
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@test-update
if: ${{ env.analyze-javascript-typescript-vue == 'true' && (github.ref_name == 'main' || needs.check-changes.outputs.javascript-typescript-vue == 'true') }}
with:
codeql-language: javascript-typescript
Expand All @@ -76,7 +76,7 @@ jobs:
runs-on: ubuntu-latest
needs: check-changes
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-codeql@test-update
if: ${{ env.analyze-python == 'true' && (github.ref_name == 'main' || needs.check-changes.outputs.python == 'true') }}
with:
codeql-language: python
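Review bot: this hunk and the two above it move all three `action-codeql` references (java-kotlin, javascript-typescript and python jobs) onto the same mutable `test-update` ref; since each step's `if:` condition runs it on `main`, any drift in that ref lands directly in the security scans of the default branch. If the intent is to trial a newer lhm_actions version, pin the candidate commit's SHA and bump the `# v…` comment rather than tracking a ref.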
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -7,4 +7,4 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@test-update
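Review bot: the dependency-review step is the control meant to flag risky dependency changes in pull requests, and this hunk makes it depend on a mutable `test-update` ref, so the guard itself becomes the least-pinned element of the pipeline. Prefer the pinned SHA plus `# v1.0.20` comment that the removed line had; if a newer lhm_actions release is wanted, pin that release's SHA rather than a ref.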
Contributor

⚠️ Potential issue

Dependency review workflow security reduction.

Even security-focused workflows like dependency review are affected by this change.

🤖 Prompt for AI Agents
In .github/workflows/dependency-review.yml around line 10, the workflow
currently references an unstable/test tag
("it-at-m/lhm_actions/action-templates/actions/action-dependency-review@test-update")
which reduces security guarantees; replace that reference with a stable, trusted
release (for example use the official GitHub dependency review action like
github/dependency-review-action@v1 or pin the third‑party action to a specific,
verified tag or commit SHA) so the workflow runs a known, auditable version.

4 changes: 2 additions & 2 deletions .github/workflows/deploy-docs.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- id: build_docs
uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@test-update
- id: deploy_docs
# Only deploy documentation from the main branch to prevent unauthorized changes
uses: it-at-m/lhm_actions/action-templates/actions/action-deploy-docs@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-deploy-docs@test-update
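Review bot: the comment on the `deploy_docs` step says "Only deploy documentation from the main branch to prevent unauthorized changes", but the two `uses:` lines in this hunk move `action-build-docs` and `action-deploy-docs` to the mutable `test-update` ref, which undercuts that intent: the code doing the deployment is no longer fixed at review time. Suggest restoring `@<commit-sha> # v1.0.20` style pins on both lines.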
2 changes: 1 addition & 1 deletion .github/workflows/dockercompose-healthcheck.yml
Expand Up @@ -9,7 +9,7 @@ jobs:
name: Run docker compose healthcheck
runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@test-update
Contributor

🧹 Nitpick

Lower risk but still follows concerning pattern.

While this workflow has lower impact (healthcheck only), it continues the pattern of reducing security guarantees.

🤖 Prompt for AI Agents
In .github/workflows/dockercompose-healthcheck.yml around line 12, the workflow
references an external action via a non-upstream ref
(it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@test-update)
which reduces supply-chain security; change the action reference to a vetted
source by either (1) using the official upstream action repository and pinning
to a specific commit SHA (not a branch or ephemeral tag), or (2) replacing with
an equivalent action from the GitHub Actions Marketplace with a pinned SHA;
update the ref to the chosen commit SHA and document the source in a comment so
the workflow uses an immutable, reviewed action.

with:
skip-exited: true # required for keycloakmigration init container
compose-file-path: "./stack/"
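Review bot: same unpinning as in the other workflows, here on a step that only runs the compose health check; the `with:` block (`skip-exited: true`, `compose-file-path: "./stack/"`) is unchanged, so the functional impact is low, but if every other workflow is re-pinned to a SHA this one should be too, so the repository keeps a single pinning convention instead of a mix.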
8 changes: 4 additions & 4 deletions .github/workflows/maven-node-build.yml
Expand Up @@ -21,19 +21,19 @@ jobs:
- app-path: refarch-webcomponent

steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-checkout@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-checkout@test-update
- if: ${{ hashFiles(format('./{0}/package.json', matrix.app-path))!=null }}
id: node
uses: it-at-m/lhm_actions/action-templates/actions/action-npm-build@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-npm-build@test-update
with:
app-path: ${{ matrix.app-path }}
- if: ${{ hashFiles(format('./{0}/pom.xml', matrix.app-path))!=null }}
id: maven
uses: it-at-m/lhm_actions/action-templates/actions/action-maven-build@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-maven-build@test-update
with:
app-path: ${{ matrix.app-path }}
- if: github.ref == 'refs/heads/main'
uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@test-update
with:
path: ${{ matrix.app-path }}
image-name: ${{ matrix.app-path }}
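Review bot: the `action-build-image` step in this hunk is gated to `github.ref == 'refs/heads/main'`, i.e. it is the step that builds the `image-name` image from the default branch, and it now resolves `test-update` at run time along with `action-checkout`, `action-npm-build` and `action-maven-build`. Image-producing steps are exactly where an immutable pin matters most, because a change in the action is indistinguishable from a change in the resulting image. Suggest the `@<commit-sha> # v1.0.20` form on all four lines.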
6 changes: 3 additions & 3 deletions .github/workflows/maven-release.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
TZ: Europe/Berlin # timezone
steps:
- id: maven-release-step
uses: it-at-m/lhm_actions/action-templates/actions/action-maven-release@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-maven-release@test-update
with:
app-path: ${{ github.event.inputs.app-path }}
releaseVersion: ${{ github.event.inputs.releaseVersion }}
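Review bot: `action-maven-release` is the step that performs the release (inputs `app-path`, `releaseVersion`), and it now points at `test-update`; release steps typically run with publishing credentials, so a mutable ref here means the code handling those credentials can change without a pull request in this repository. Restore the SHA pin with the `# v1.0.20` comment, or pin the SHA of the newer release being tested.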
Expand All @@ -43,7 +43,7 @@ jobs:
runs-on: ubuntu-latest
needs: release-maven
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@test-update
with:
path: ${{ github.event.inputs.app-path }}
image-name: ${{ github.event.inputs.app-path }}
Expand All @@ -59,7 +59,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Download a single artifact
uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@test-update
with:
artifact-name: ${{ needs.release-maven.outputs.ARTIFACT_NAME }}
tag-name: ${{ inputs.app-path }}-${{ github.event.inputs.releaseVersion }}
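Review bot: `action-create-github-release` creates the GitHub release from `artifact-name` and `tag-name`, and with `test-update` in place of the SHA the action that publishes tagged releases is itself unversioned. Same fix as for the hunks above: pin to a commit SHA and keep the version comment.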
8 changes: 4 additions & 4 deletions .github/workflows/npm-release.yml
Expand Up @@ -36,12 +36,12 @@ jobs:
ARTIFACT_VERSION: ${{ steps.npm_release.outputs.ARTIFACT_VERSION }}
steps:
- id: npm_release
uses: it-at-m/lhm_actions/action-templates/actions/action-npm-release@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-npm-release@test-update
with:
app-path: ${{ inputs.app-path }}
releaseVersion: ${{ inputs.release-version }}
- id: node
uses: it-at-m/lhm_actions/action-templates/actions/action-npm-build@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-npm-build@test-update
with:
app-path: ${{ inputs.app-path }}
- if: ${{ !inputs.skip-deployment }}
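Review bot: `action-npm-release` and `action-npm-build` in this hunk are the steps that produce the published npm artifact (the job exposes `ARTIFACT_NAME` and `ARTIFACT_VERSION` outputs), and both now follow `test-update`. For a publishing workflow the reference should be an immutable SHA with a version comment; a ref that reads like a test branch should not be what a release pipeline executes.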
Expand All @@ -55,7 +55,7 @@ jobs:
runs-on: ubuntu-latest
needs: release
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@test-update
with:
path: ${{ inputs.app-path }}
image-name: ${{ inputs.app-path }}
Expand All @@ -70,7 +70,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Create GitHub Release
uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
uses: it-at-m/lhm_actions/action-templates/actions/action-create-github-release@test-update
with:
artifact-name: ${{ needs.release.outputs.ARTIFACT_NAME }}
tag-name: ${{ inputs.app-path }}-${{ needs.release.outputs.ARTIFACT_VERSION }}
2 changes: 1 addition & 1 deletion .github/workflows/pr-labeler.yml
Expand Up @@ -10,4 +10,4 @@ jobs:
issues: write # permission to create labels if not exist
runs-on: ubuntu-latest
steps:
- uses: it-at-m/lhm_actions/action-templates/actions/action-pr-labeler@9767179088fd2e344d1a24c17404ab809a60f1b6 # v1.0.20
- uses: it-at-m/lhm_actions/action-templates/actions/action-pr-labeler@test-update
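Review bot: this job holds `issues: write` (see the context line `issues: write # permission to create labels if not exist`), so the action it runs receives a token with write access to issues; with `test-update` in place of a SHA, the code exercising that permission is no longer fixed at review time. Pin to a commit SHA and keep the `# v1.0.20` style comment.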
Contributor

⚠️ Potential issue

Action pinning security concern applies here as well.

Same security implications as noted in other workflows - moving from pinned commit SHA to test-update tag reduces security guarantees.
