Conversation
5a093e3 to 8ae5ad5
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| C & C++ | | May 26, 2026 2:37 a.m. | Review |
| Docker | | May 26, 2026 2:37 a.m. | Review |
| Python | | May 26, 2026 2:37 a.m. | Review |
| Secrets | | May 26, 2026 2:37 a.m. | Review |
| Code coverage | | May 26, 2026 2:39 a.m. | Review |
Code Coverage Summary
| Language | Line Coverage (New Code) | Line Coverage (Overall) |
|---|---|---|
| Aggregate | 100% | 84.7% |
| C & C++ | 100% | 84.7% |
Additional coverage metrics may have been reported. See the full coverage report.
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
f2c5f91 to c065a78
9493a74 to 760a759
9d36ff4 to c57fee2
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation.
82e3eab to a31c9e1
d81c4c5 to 84e8592
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the
Walkthrough
This PR establishes comprehensive quality assurance and continuous integration infrastructure for RVO2 across multiple analysis domains. It adds GitHub Actions workflows for building, testing, static analysis, coverage measurement, dynamic validation, and security scanning; introduces configurations for clang-tidy, cppcheck, hadolint, DeepSource, and other linters; improves code const-correctness in examples; and updates project documentation to reflect these new capabilities.
Changes
Quality Assurance & CI/CD Framework
Estimated code review effort: 4 (Complex), ~60 minutes
b5099a6 to 5d934cf
Actionable comments posted: 38
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/codeql.yml (1)
63-73: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin GitHub Actions by SHA and disable credential persistence in checkout (CodeQL workflow)
In .github/workflows/codeql.yml (lines 63-73), actions/checkout@v6 and github/codeql-action/*@v4 are tag-pinned, not SHA-pinned, and actions/checkout does not set persist-credentials: false (no persist-credentials appears in the workflow).
- Pin actions/checkout and github/codeql-action/init|autobuild|analyze to commit SHAs
- Add persist-credentials: false to the checkout step
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml around lines 63 - 73, Update the CodeQL workflow to pin the GitHub Action steps to commit SHAs instead of tags and disable credential persistence: replace uses: actions/checkout@v6 with a SHA-pinned ref and add persist-credentials: false to that checkout step, and replace uses: github/codeql-action/init@v4, github/codeql-action/autobuild@v4, and github/codeql-action/analyze@v4 with their respective commit-SHA pinned refs so each of init, autobuild, and analyze use specific SHAs.
.github/workflows/cmake.yml (1)
59-590: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
Pin container/action references and disable checkout credential persistence
- container: uses mutable tags (almalinux:10, alpine:3, archlinux:latest, fedora:44, opensuse/leap:16.0, ubuntu:26.04); pin to immutable digests (image@sha256:...).
- All actions/checkout@v6 steps omit persist-credentials: false (default persists credentials); set persist-credentials: false on each checkout step.
- Pin third-party uses: actions (e.g., actions/checkout@v6, actions/cache@v5) to full commit SHAs instead of major/minor tags.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cmake.yml around lines 59 - 590, The workflow uses mutable container tags (e.g., "container: almalinux:10", "container: alpine:3", "container: archlinux:latest", "container: fedora:44", "container: opensuse/leap:16.0", "container: ubuntu:26.04") and loose action refs (e.g., "uses: actions/checkout@v6", "uses: actions/cache@v5") and omits checkout credential hardening; replace each container: <tag> with the corresponding immutable image digest form "image@sha256:..." and update each third-party uses: (actions/checkout, actions/cache, etc.) to the pinned full commit SHA instead of @v6/@v5, and add persist-credentials: false to every checkout step (the steps that currently show "uses: actions/checkout@v6") to disable credential persistence.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.devcontainer/devcontainer.json:
- Line 2: The devcontainer schema currently uses a moving target ("$schema"
value referencing refs/heads/main); update the "$schema" value to point to a
specific release tag or commit SHA (e.g., replace refs/heads/main with
refs/tags/vX.Y.Z or a commit SHA) so the schema is pinned and won't change
unexpectedly—edit the "$schema" entry in .devcontainer/devcontainer.json to use
that fixed tag/sha.
In @.github/workflows/actionlint.yml:
- Line 59: Replace the mutable container tag and disable checkout credential
persistence: pin the container reference used in the workflow (the line
containing container: debian:trixie-slim) to an immutable digest (e.g.,
debian:trixie-slim@sha256:<digest>) to ensure reproducible CI images, and update
the actions/checkout step (the checkout step using actions/checkout@v6) to
include with: { persist-credentials: false } (and optionally replace the
actions/checkout tag with a pinned commit SHA) so credentials are not persisted
to the workspace.
- Around line 77-78: Update the GitHub Actions checkout step named "checkout" to
stop using the floating ref "actions/checkout@v6": pin the uses field to the
specific commit SHA for actions/checkout and add a with block setting
persist-credentials: false so credentials are not persisted to the workspace;
ensure the step still retains the name "checkout" and the exact pinned SHA
replaces the current "actions/checkout@v6" reference.
In @.github/workflows/bazel.yml:
- Around line 354-356: The CI job runs apt-get upgrade without auto-confirmation
which can block non-interactive runs; locate the apt-get upgrade invocations
(the commands containing "apt-get -qq -o APT::Acquire::Retries=4 -o
Dpkg::Use-Pty=0 \ upgrade") and add the -y flag so they become non-interactive,
and do the same for the second occurrence later in the file to ensure both
upgrades run in CI without prompts.
- Line 79: Replace each occurrence of the tag-based checkout "uses:
actions/checkout@v6" in .github/workflows/bazel.yml with a checkout pinned to
the corresponding full commit SHA and add the checkout input
"persist-credentials: false" (i.e., change every step using "uses:
actions/checkout@v6" to use the full commit SHA instead and include a with:
persist-credentials: false block) so all listed checkout steps are pinned and do
not persist credentials.
- Line 59: Replace mutable container image tags with immutable digest-pinned
references for every image entry (e.g., the container: almalinux:10, alpine:3,
archlinux:latest, fedora:44, opensuse/leap:16.0, ubuntu:26.04) so the workflow
is reproducible; obtain the canonical digest for each image from the registry
(docker hub, quay, etc.) using docker pull / docker inspect or the registry API
and update the corresponding container: lines to use image@sha256:<digest>
instead of <image>:<tag>, keeping the same image name but replacing the tag with
the registry-provided digest for each listed job.
In @.github/workflows/buildifier.yml:
- Line 59: The workflow currently uses a mutable container tag and non-immutable
third-party download and leaves checkout credentials persisted; update the
container declaration (the line with "container: debian:trixie-slim") to a
digest-pinned image (replace tag with a SHA256 digest for that image), change
the buildifier download steps that reference ".../releases/latest/..." to fetch
a specific release/version and add a checksum/signature verification step for
the downloaded artifact, and modify the checkout step ("actions/checkout@v6") to
include persist-credentials: false so credentials are not left in the runner.
In @.github/workflows/check-jsonschema.yml:
- Line 59: Replace the mutable container tag, unpinned tool installs, and
unpinned checkout action: change "container: debian:trixie-slim" to a
digest-pinned image (e.g., debian:trixie-slim@sha256:...), pin the Python/tool
installer invocation to a specific version (the check-jsonschema installer at
line 74) instead of "latest", and replace "actions/checkout@v6" with the full
commit SHA for that action and add "persist-credentials: false" to the checkout
step; update the relevant steps that install or invoke check-jsonschema to use
the pinned version string so builds are reproducible.
In @.github/workflows/clang-format.yml:
- Line 59: The workflow currently uses a mutable container tag ("container:
debian:trixie-slim") and a non-pinned checkout action ("actions/checkout@v6")
without setting credentials; update the "container: debian:trixie-slim" entry to
the corresponding immutable image digest (pin to the specific SHA256 digest for
that trixie-slim image) and replace "actions/checkout@v6" with the exact commit
SHA for the checkout action release, and add "persist-credentials: false" to the
checkout step to prevent leaking runner tokens; ensure you update only the YAML
values for "container:" and the "uses: actions/checkout" step and add the
"persist-credentials" field.
In @.github/workflows/clang-tidy.yml:
- Line 59: Replace the mutable container tag and unpinned checkout action with
immutable references and disable credential persistence: change the "container:
debian:trixie-slim" entry to the same Debian image pinned by digest (e.g.,
"debian@sha256:...") so the job uses an immutable image, and update the "uses:
actions/checkout@v6" step to a specific commit SHA (e.g.,
"actions/checkout@<commit-sha>") and add "with: persist-credentials: false" to
that checkout step to harden credentials and ensure reproducible builds.
In @.github/workflows/codespell.yml:
- Around line 59-77: Replace the loose image and action pins: change the
container declaration "container: debian:trixie-slim" to a digest-pinned form
(e.g., "debian:trixie-slim@sha256:...") and pin the checkout action reference
"uses: actions/checkout@v6" to an exact commit SHA; also harden the checkout
step by adding "with: persist-credentials: false" to the checkout step so
credentials are not persisted.
In @.github/workflows/coverage.yml:
- Around line 59-190: The workflow uses mutable image tags and action refs:
replace both instances of "container: debian:trixie-slim" with the image digest
(pin to sha256) and update each "uses:" entry (actions/checkout@v6,
actions/upload-artifact@v7, actions/download-artifact@v8,
deepsourcelabs/test-coverage-action@master) to a specific commit SHA; locate
these strings in the coverage.yml (jobs that run setup/build/test/merge) and
update the container and uses: values to their immutable digests/commit SHAs,
keeping the same semantics and ensuring CI still runs with the pinned refs.
- Around line 189-194: Add a guard to the "publish to deepsource" step so it
only runs when the DeepSource DSN is available (or on push events); update the
step with an if condition that checks the secret (e.g., evaluate
github.event_name == 'push' || secrets.DEEPSOURCE_DSN != '') so the step that
uses deepsourcelabs/test-coverage-action@master and passes dsn: ${{
secrets.DEEPSOURCE_DSN }} is skipped for forked pull requests lacking the
secret.
In @.github/workflows/cppcheck.yml:
- Around line 60-118: The workflow uses mutable image/tags and checkout
defaults: replace the container: debian:trixie-slim with an immutable
digest-pinned image (container image@sha256:...), and pin each uses: entry
(actions/checkout, github/codeql-action/upload-sarif, actions/upload-artifact)
to a specific commit SHA instead of a floating tag (e.g.,
actions/checkout@<commit-sha>), and add persist-credentials: false to the
checkout step (the actions/checkout step block and the uses:
github/codeql-action/upload-sarif@... and uses: actions/upload-artifact@...
lines are the targets to update).
In @.github/workflows/cpplint.yml:
- Around line 59-77: Update the workflow to pin base image and checkout action:
replace the loose image tag "container: debian:trixie-slim" with the immutable
digest form (e.g., "debian:trixie-slim@sha256:..."), pin the checkout action by
replacing "uses: actions/checkout@v6" with the same action locked to a specific
commit SHA (e.g., "uses: actions/checkout@<commit-sha>"), and harden the
checkout step by adding "persist-credentials: false" under that step's settings
to avoid leaking runner credentials.
In @.github/workflows/detect-secrets.yml:
- Around line 59-79: Pin the mutable container and checkout action to immutable
digests/SHAs and disable credential persistence: replace the container reference
"container: debian:trixie-slim" with the same image@sha256 digest, pin the
checkout action "uses: actions/checkout@v6" to a specific commit SHA (e.g.
actions/checkout@<commit-sha>), and add "persist-credentials: false" to the
checkout step to avoid leaving GitHub credentials in the runner/workspace;
update only the lines referencing the container and the checkout step (the
"container: debian:trixie-slim" token and the "uses: actions/checkout@v6" token
and the checkout step block).
In @.github/workflows/docker.yml:
- Around line 69-73: Update the workflow to pin the GitHub Actions to immutable
SHA commits for actions/checkout, docker/setup-buildx-action, and
docker/build-push-action (replace @v6/@v3 with their corresponding full commit
SHAs) and harden the checkout step by adding persist-credentials: false to the
actions/checkout invocation; ensure you reference the existing actions/checkout,
docker/setup-buildx-action, and docker/build-push-action occurrences when making
the changes.
In @.github/workflows/gersemi.yml:
- Line 59: Replace the mutable image tag "container: debian:trixie-slim" with an
immutable digest form (e.g. "container: debian:trixie-slim@sha256:<digest>");
obtain the correct sha256 digest for debian:trixie-slim (via docker pull +
docker inspect --format='{{index .RepoDigests 0}}' or from the official Debian
manifest) and update the container line so the workflow references that sha256
digest instead of the floating tag.
- Around line 78-79: Update the checkout step named "checkout" so it pins
actions/checkout to a full commit SHA instead of the floating tag
(actions/checkout@v6) and add the input persist-credentials: false; specifically
replace uses: actions/checkout@v6 with uses: actions/checkout@<full-commit-sha>
and include persist-credentials: false under that step to prevent token
persistence.
In @.github/workflows/hadolint.yml:
- Around line 79-80: Update the checkout step that currently says "uses:
actions/checkout@v6" to pin it to a full commit SHA (replace the floating tag
with the repository@<full-commit-sha>) and add "with: persist-credentials:
false" under the same checkout step; this ensures the checkout action is
immutably pinned and Git credentials are not persisted across subsequent
workflow steps.
- Line 59: The workflow uses an unpinned container image in
jobs.hadolint.container (currently "debian:trixie-slim"); replace the mutable
tag with a pinned digest (e.g., "debian:trixie-slim@sha256:<digest>") to ensure
deterministic builds. Fetch the correct sha256 for debian:trixie-slim from the
Debian image registry (or docker inspect/pull) and update the container value in
.github/workflows/hadolint.yml accordingly. Make sure the string uses the
`@sha256` format and commit the updated workflow.
- Around line 73-75: Replace the moving "releases/latest" download with a pinned
hadolint release: change the wget URL(s) to include a specific tag (e.g.,
vX.Y.Z) and download both hadolint-linux-arm64 and its corresponding .sha256
asset; verify the binary by running sha256sum --check against the downloaded
.sha256 (ensure the .sha256 file references the hadolint-linux-arm64 filename),
fail the step on mismatch, and only then move/chmod the verified binary into
/usr/local/bin/hadolint (keep chmod +x after successful verification).
In @.github/workflows/iwyu.yml:
- Around line 80-81: The checkout step named "checkout" currently uses the tag
reference actions/checkout@v6 and does not disable credential persistence;
update this step to pin the action to a specific commit SHA instead of the tag
and add persist-credentials: false to the step configuration so the token is not
written to local git config (locate the step that uses actions/checkout@v6 and
modify it accordingly).
In @.github/workflows/lizard.yml:
- Around line 78-79: Update the checkout step named "checkout" to pin the
actions/checkout version to a specific commit SHA instead of the floating tag
`actions/checkout@v6`, and add the input `persist-credentials: false` under the
step's `with:` block to prevent persisting runner credentials; locate the step
that currently uses `actions/checkout@v6` and replace the `uses:` value with the
commit SHA for the desired release and add the `persist-credentials: false`
configuration.
- Line 59: The workflow currently uses the mutable image tag "container:
debian:trixie-slim"; replace this with a digest-pinned image (e.g., "container:
debian@sha256:<digest>") to ensure immutability and reproducible CI runs—update
the value where "container: debian:trixie-slim" appears in
.github/workflows/lizard.yml and, if applicable, any other workflows using
"debian:trixie-slim", verifying the chosen digest corresponds to the same Trixie
slim release.
In @.github/workflows/markdownlint.yml:
- Line 59: The workflow uses a floating image tag "container:
debian:trixie-slim"; replace it with a pinned digest form
"debian:trixie-slim@sha256:..." to ensure immutability: locate the workflow step
with the container declaration (the line containing container:
debian:trixie-slim) and update it to the verified digest obtained from Docker
Hub or the official Debian image manifest, then commit that pinned value and
optionally add a comment noting the source/version of the digest for future
updates.
- Around line 78-79: Update the checkout step that currently uses
actions/checkout@v6 to a pinned commit SHA (instead of a tag) and add
persist-credentials: false to the step configuration; specifically locate the
checkout step referencing "actions/checkout@v6" and replace the tag with the
corresponding commit hash for that action version and add the boolean key
"persist-credentials: false" under that step to disable credential persistence.
In @.github/workflows/reuse.yml:
- Around line 61-64: Replace the tag refs with full commit SHAs for both actions
to pin versions: change the uses entries for actions/checkout and
fsfe/reuse-action to their corresponding full commit SHA refs, and add
persist-credentials: false under the actions/checkout step to disable credential
persistence; locate the checkout step (uses: actions/checkout) and the reuse
lint step (uses: fsfe/reuse-action) in the workflow and update those uses values
and the checkout step's persist-credentials field accordingly.
In @.github/workflows/sanitizer.yml:
- Around line 86-87: Replace the three checkout steps that currently use "uses:
actions/checkout@v6" with a pinned checkout action (use the full commit SHA for
actions/checkout) and add "with: persist-credentials: false" under each "name:
checkout" step; update all three occurrences so each checkout step uses the
pinned SHA and includes persist-credentials: false to avoid leaking repo
credentials across jobs.
- Line 59: Replace the mutable image tag used in the sanitizer jobs by
digest-pinning the Debian image: locate the container entries for the sanitizer
jobs (sanitizer-asan, sanitizer-tsan, sanitizer-ubsan) where you have container:
debian:trixie-slim and change them to the digest form
debian:trixie-slim@sha256:<digest>; fetch the correct sha256 for
debian:trixie-slim from the official registry and use that same digest for each
occurrence so runs are reproducible.
In @.github/workflows/valgrind.yml:
- Line 59: Replace the mutable container tag under the "container" key
(currently set to "debian:trixie-slim") with an immutable image digest (e.g.
"debian:trixie-slim@sha256:..."); update the Valgrind job's container definition
to use that sha256 digest so the CI runs a fixed image, and fetch the correct
digest from Docker Hub or Debian's registry and paste it into the container
value in the workflow.
- Around line 87-88: The workflow checkout step named "checkout" currently uses
actions/checkout@v6 which is mutable and leaves credentials persisted; update
that step to use an immutable commit SHA for actions/checkout and add
persist-credentials: false to the step to prevent token leakage (i.e., replace
"actions/checkout@v6" with the pinned SHA for the release you want and include
persist-credentials: false under the checkout step configuration).
In @.github/workflows/validate-cff.yml:
- Line 59: The workflow uses a mutable container tag in the cffconvert job
("container: debian:trixie-slim"); replace that with an immutable digest
reference (e.g., "container: debian@sha256:<digest>") by resolving the correct
SHA256 for the desired trixie-slim image and updating the container field in
.github/workflows/validate-cff.yml so the cffconvert job references the pinned
debian@sha256 digest instead of debian:trixie-slim.
- Around line 78-79: Update the checkout action usage in the validate-cff
workflow to a fixed commit SHA instead of the mutable tag `actions/checkout@v6`
and add the `persist-credentials: false` option to the checkout step;
specifically replace the `uses: actions/checkout@v6` reference with a pinned
`uses: actions/checkout@<commit-sha>` and include `with:` block containing
`persist-credentials: false` so credentials are not left in the workspace.
In @.github/workflows/yamllint.yml:
- Line 59: Replace the mutable container tag "debian:trixie-slim" used in the
workflow job (the jobs.yamllint.container entry shown as container:
debian:trixie-slim) with an immutable digest form
"debian:trixie-slim@sha256:<digest>"; locate other workflows that also use the
same tag (e.g., validate-cff.yml) and update them consistently, obtaining the
correct SHA256 digest from the official Debian image registry and substituting
it into each container declaration.
- Around line 76-77: The checkout step currently uses the mutable tag
actions/checkout@v6 and does not disable credential persistence; update the step
that uses "actions/checkout@v6" to pin to a specific commit SHA (replace the `@v6`
tag with the exact SHA for actions/checkout) and add persist-credentials: false
under that checkout step to prevent Git credentials from persisting in the
runner workspace; apply the same changes wherever actions/checkout@v6 appears
(e.g., validate-cff.yml and other workflows) to keep behavior consistent and
hardened.
In @.hadolint.yaml:
- Around line 36-39: The .hadolint.yaml currently ignores DL3008, DL3013, and
DL3018 which disables version-pinning checks; update the policy by either
removing specific rules you want enforced (e.g., keep DL3008 or DL3018) or
narrow the ignore scope to only specific Dockerfiles/lines where unpinned
installs are intentional, and document the rationale; reference the ignored
symbols DL3008, DL3013, and DL3018 in your change and, if you choose selective
pinning, add pinning for critical packages in the relevant Dockerfile(s) rather
than blanket-ignoring these rules.
In @requirements.txt:
- Line 35: Pin the check-jsonschema dependency in requirements.txt to a patched
release by replacing the unpinned "check-jsonschema" entry with a
version-constrained specifier (for example "check-jsonschema>=0.30.0") so
dependency resolution cannot install vulnerable versions; update the
requirements.txt entry for check-jsonschema accordingly to ensure installations
use the patched 0.30.0+ line.
---
Outside diff comments:
In @.github/workflows/cmake.yml:
- Around line 59-590: The workflow uses mutable container tags (e.g.,
"container: almalinux:10", "container: alpine:3", "container: archlinux:latest",
"container: fedora:44", "container: opensuse/leap:16.0", "container:
ubuntu:26.04") and loose action refs (e.g., "uses: actions/checkout@v6", "uses:
actions/cache@v5") and omits checkout credential hardening; replace each
container: <tag> with the corresponding immutable image digest form
"image@sha256:..." and update each third-party uses: (actions/checkout,
actions/cache, etc.) to the pinned full commit SHA instead of @v6/@v5, and add
persist-credentials: false to every checkout step (the steps that currently show
"uses: actions/checkout@v6") to disable credential persistence.
In @.github/workflows/codeql.yml:
- Around line 63-73: Update the CodeQL workflow to pin the GitHub Action steps
to commit SHAs instead of tags and disable credential persistence: replace uses:
actions/checkout@v6 with a SHA-pinned ref and add persist-credentials: false to
that checkout step, and replace uses: github/codeql-action/init@v4,
github/codeql-action/autobuild@v4, and github/codeql-action/analyze@v4 with
their respective commit-SHA pinned refs so each of init, autobuild, and analyze
use specific SHAs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2aa37863-80e9-496d-81bb-a1344a3fe75e
📒 Files selected for processing (78)
- .bazelignore
- .buildifier.json
- .clang-tidy
- .cppcheck-suppressions.xml
- .deepsource.toml
- .devcontainer/devcontainer.json
- .dockerignore
- .gersemirc
- .gitattributes
- .github/actionlint-matcher.json
- .github/actionlint-matcher.json.license
- .github/buildifier-matcher.json
- .github/buildifier-matcher.json.license
- .github/clang-tidy-matcher.json
- .github/clang-tidy-matcher.json.license
- .github/codespell-matcher.json
- .github/codespell-matcher.json.license
- .github/cpplint-matcher.json
- .github/cpplint-matcher.json.license
- .github/detect-secrets-matcher.json
- .github/detect-secrets-matcher.json.license
- .github/hadolint-matcher.json
- .github/hadolint-matcher.json.license
- .github/lizard-matcher.json
- .github/lizard-matcher.json.license
- .github/markdownlint-matcher.json
- .github/markdownlint-matcher.json.license
- .github/workflows/actionlint.yml
- .github/workflows/bazel.yml
- .github/workflows/buildifier.yml
- .github/workflows/check-jsonschema.yml
- .github/workflows/clang-format.yml
- .github/workflows/clang-tidy.yml
- .github/workflows/cmake.yml
- .github/workflows/codeql.yml
- .github/workflows/codespell.yml
- .github/workflows/coverage.yml
- .github/workflows/cppcheck.yml
- .github/workflows/cpplint.yml
- .github/workflows/detect-secrets.yml
- .github/workflows/docker.yml
- .github/workflows/gersemi.yml
- .github/workflows/hadolint.yml
- .github/workflows/iwyu.yml
- .github/workflows/lizard.yml
- .github/workflows/markdownlint.yml
- .github/workflows/reuse.yml
- .github/workflows/sanitizer.yml
- .github/workflows/valgrind.yml
- .github/workflows/validate-cff.yml
- .github/workflows/yamllint.yml
- .gitignore
- .hadolint.yaml
- .iwyu_mappings.imp
- .pre-commit-config.yaml
- .secrets.baseline
- .secrets.baseline.license
- .vscode/extensions.json
- .vscode/settings.json
- .yamllint.yaml
- Brewfile
- CITATION.cff
- CMakeLists.txt
- CMakePresets.json
- Dockerfile
- QUALITY_DECLARATION.md
- README.md
- compose.yaml
- doc/CMakeLists.txt
- examples/Blocks.cc
- examples/CMakeLists.txt
- examples/Circle.cc
- examples/Roadmap.cc
- include-what-you-use.imp
- requirements.txt
- src/CMakeLists.txt
- src/Export.h
- src/KdTree.cc
💤 Files with no reviewable changes (2)
- src/KdTree.cc
- include-what-you-use.imp
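The review above repeats the same three findings in nearly every workflow: `uses:` references pinned to a floating tag rather than a commit SHA, `actions/checkout` steps that leave the token in the checkout's git config because `persist-credentials: false` is not set, and `container:` images referenced by a mutable tag instead of a digest. The scanner below is an added example, not code from the RVO2 repository or from CodeRabbit's tooling; it applies those three checks to workflow text with a line-oriented parse (it assumes the conventional `- name:` / `uses:` / `with:` step layout and uses no YAML library). The two workflow fragments are constructed for the example: the weak one mirrors the four CodeQL steps the review quotes, and the hardened one uses placeholder SHA and digest strings, not real ones.

```python
"""Scan GitHub Actions workflow text for floating action refs, checkout steps
that persist credentials, and container images pinned by mutable tag.
Added example: line-oriented, assumes '- name:' / 'uses:' / 'with:' layout."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line: int
    rule: str
    detail: str


SHA40 = re.compile(r"^[0-9a-f]{40}$")
# 'uses: owner/repo[/path]@ref'; the ref ends at the first space, so a
# trailing '# v6' version comment is not swallowed into it.
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)")
IMAGE = re.compile(r"^\s*(?:-\s+)?(?:container|image):\s*(\S+)\s*$")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*false\s*$")
STEP_START = re.compile(r"^\s*-\s+\S")


def _steps(lines: List[str]) -> List[List[Tuple[int, str]]]:
    """Group each '- ' item with every following line indented deeper than its
    dash, so a step's 'uses:' and 'with:' children are judged together."""
    steps: List[List[Tuple[int, str]]] = []
    current: List[Tuple[int, str]] = []
    dash_indent: Optional[int] = None
    for no, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if STEP_START.match(line) and (dash_indent is None or indent <= dash_indent):
            if current:
                steps.append(current)
            current, dash_indent = [(no, line)], indent
        elif dash_indent is not None and indent > dash_indent:
            current.append((no, line))
        else:  # dedent out of the list closes the open item
            if current:
                steps.append(current)
            current, dash_indent = [], None
    if current:
        steps.append(current)
    return steps


def scan_workflow(text: str) -> List[Finding]:
    lines = text.splitlines()
    findings: List[Finding] = []
    # Images: anything without an @sha256: digest can change under the tag.
    for no, line in enumerate(lines, 1):
        m = IMAGE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append(Finding(no, "mutable-image", f"{m.group(1)} is a tag, not a digest"))
    # Actions: judged per step, because persist-credentials sits under 'with:'.
    for step in _steps(lines):
        for no, line in step:
            m = USES.match(line)
            if m:
                break
        else:
            continue  # 'run:' step or matrix entry: nothing to pin
        action, ref = m.group(1), m.group(2)
        if not SHA40.match(ref):
            findings.append(Finding(no, "unpinned-action", f"{action}@{ref} is not a commit SHA"))
        if action.startswith("actions/checkout") and not any(PERSIST_OFF.match(l) for _, l in step):
            findings.append(Finding(no, "checkout-persists-credentials",
                                    f"{action} step lacks persist-credentials: false"))
    return sorted(findings)


# Constructed fragments. WEAK mirrors the four CodeQL steps the review quotes;
# HARDENED uses placeholder SHA/digest strings, not real ones.
PLACEHOLDER_SHA = "a" * 40
PLACEHOLDER_DIGEST = "b" * 64
WEAK_WORKFLOW = """\
jobs:
  analyze:
    runs-on: ubuntu-latest
    container: debian:trixie-slim
    steps:
      - name: checkout
        uses: actions/checkout@v6
      - name: initialize codeql
        uses: github/codeql-action/init@v4
        with:
          languages: cpp
      - name: autobuild
        uses: github/codeql-action/autobuild@v4
      - name: perform codeql analysis
        uses: github/codeql-action/analyze@v4
"""
HARDENED_WORKFLOW = f"""\
jobs:
  analyze:
    runs-on: ubuntu-latest
    container: debian:trixie-slim@sha256:{PLACEHOLDER_DIGEST}
    steps:
      - name: checkout
        uses: actions/checkout@{PLACEHOLDER_SHA} # v6
        with:
          persist-credentials: false
      - name: initialize codeql
        uses: github/codeql-action/init@{PLACEHOLDER_SHA} # v4
      - name: autobuild
        uses: github/codeql-action/autobuild@{PLACEHOLDER_SHA} # v4
      - name: perform codeql analysis
        uses: github/codeql-action/analyze@{PLACEHOLDER_SHA} # v4
"""
```

The checkout check is the one a plain grep misses: `persist-credentials` lives under `with:`, two lines below the `uses:` it qualifies, so the scan has to look at the whole step rather than the single line. On the weak fragment the scanner reports six findings (the image, the unpinned checkout and its persisted credentials, and the three CodeQL actions); on the hardened fragment it reports none.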
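The hadolint finding in the same review asks for a pinned release download whose binary is checked against its `.sha256` asset before it is moved into place, and for the step to fail if the checksum file does not name the downloaded file. The following is that verification logic written out in Python rather than `sha256sum --check`, added here as an example and not taken from the repository's workflow. The artifact bytes and the checksum file are constructed inline; the filename `hadolint-linux-arm64` is the one the review names.

```python
"""Verify a downloaded release artifact against a sha256sum-style checksum
file. Added example; the artifact bytes and checksum file are constructed."""
import hashlib
import hmac
from typing import Dict

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum output: one '<64 hex>  <filename>' line per file.
    A leading '*' on the filename (sha256sum binary mode) is accepted."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-256 digest: {parts[0]!r}")
        expected[name] = digest
    return expected


def verify_artifact(name: str, data: bytes, sums_text: str) -> bool:
    """True only if `name` is listed and `data` hashes to the listed digest.
    An unlisted name is an error rather than a pass: a .sha256 asset that
    names some other file must not vouch for this one."""
    expected = parse_sha256sums(sums_text)
    if name not in expected:
        raise ValueError(f"{name} is not listed in the checksum file")
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected[name])


# Constructed stand-ins for the release assets; not real hadolint bytes.
ARTIFACT_NAME = "hadolint-linux-arm64"
ARTIFACT = b"#!/bin/sh\necho 'constructed stand-in for the hadolint binary'\n"
CHECKSUM_FILE = f"{hashlib.sha256(ARTIFACT).hexdigest()}  {ARTIFACT_NAME}\n"

if __name__ == "__main__":
    print("verified:", verify_artifact(ARTIFACT_NAME, ARTIFACT, CHECKSUM_FILE))
```

In a CI step the `chmod +x` and the move into `/usr/local/bin` belong after `verify_artifact` returns true, never before; a tampered or truncated download (even by one byte, as the altered input below shows) must leave nothing executable behind.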
616794f to bd53816
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.yamllint.yaml (1)
3-3: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Fix project name typos in header.
Lines 3 and 31 reference "AVO2" and "AVO" but should reference "RVO2" to match this project.
📝 Proposed fix
# # .yamllint.yaml -# AVO2 Library +# RVO2 Library ## Chapel Hill, N.C. 27599-3175 # United States of America # -# <https://gamma.cs.unc.edu/AVO/> +# <https://gamma.cs.unc.edu/RVO2/> #
Also applies to: 31-31
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.yamllint.yaml at line 3, Replace the incorrect project name strings "AVO2" and "AVO" in the header comments with the correct project name "RVO2"; locate the header lines containing those exact tokens and update them so all references match "RVO2" consistently.
.github/workflows/codeql.yml (1)
63-73: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin CodeQL workflow action references to immutable SHAs and disable checkout credential persistence.
- .github/workflows/codeql.yml uses mutable tags at lines 64/66/71/73 (actions/checkout@v6, github/codeql-action/*@v4); none are pinned to commit SHAs.
- checkout step does not set with: persist-credentials: false.
Suggested patch
- name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@<full_commit_sha> + with: + persist-credentials: false - name: initialize codeql - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@<full_commit_sha> with: build-mode: none languages: cpp - name: autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@<full_commit_sha> - name: perform codeql analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@<full_commit_sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml around lines 63 - 73, Update the CodeQL workflow steps to use immutable commit SHAs instead of mutable tags for the actions referenced by the step names "checkout", "initialize codeql", "autobuild", and "perform codeql analysis" (replace actions/checkout@v6 and github/codeql-action/*@v4 with their specific SHA pins), and for the "checkout" step add the input persist-credentials: false under its with: block to disable credential persistence; ensure all four action references are replaced with the exact commit SHAs and that "checkout" includes persist-credentials: false.
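Review bot: the four `<full_commit_sha>` placeholders in the suggested patch are not applicable as written and must each be replaced with the full 40-character commit SHA of the intended release; when that is done, keep the release visible as a trailing comment on the pinned line (`uses: actions/checkout@<full_commit_sha> # v6`, as the yamllint and actionlint patches below already do), because a bare SHA tells neither a reviewer nor update tooling which version is pinned. Adding `persist-credentials: false` is safe for this job: none of the four steps (checkout, initialize codeql, autobuild, perform codeql analysis) pushes to the repository or otherwise needs the token left in the checkout's git config.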
♻️ Duplicate comments (7)
.github/workflows/yamllint.yml (1)
59-59:⚠️ Potential issue | 🟠 Major | ⚡ Quick winHarden workflow supply chain refs and checkout credentials.
Line 59 uses a mutable container tag, and Lines 76-77 use
actions/checkout@v6withoutpersist-credentials: false. Pin both refs and disable credential persistence.Suggested hardening patch
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<digest> - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@<full_commit_sha> # v6 + with: + persist-credentials: falseAlso applies to: 76-77
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/yamllint.yml at line 59, Replace the mutable container tag and disable credential persistence for checkout: pin the container reference used at "container: debian:trixie-slim" to an immutable digest (or a specific immutable tag) instead of the floating "trixie-slim" tag, and update the checkout steps that use "actions/checkout@v6" to include "persist-credentials: false" so credentials are not kept; ensure you modify the workflow entries that reference actions/checkout@v6 and the container line so both use pinned, immutable refs (container digest or fixed tag) and persist-credentials: false.
.github/workflows/actionlint.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin mutable workflow dependencies and disable checkout credential persistence.
Line 59 uses a mutable container tag, and Lines 77-78 use a floating `actions/checkout` ref without `persist-credentials: false`. This leaves CI behavior non-reproducible and weakens token hygiene.
Suggested hardening patch
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<digest> - name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@<full_commit_sha> # v6 + with: + persist-credentials: falseAlso applies to: 77-78
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/actionlint.yml at line 59, Replace the mutable container tag and floating checkout ref with pinned, immutable versions: change the "container: debian:trixie-slim" entry to a specific digest or a fixed, released tag (e.g., include the full image digest or a stable version like debian:12-slim) and update the "uses: actions/checkout" step (the lines referencing actions/checkout) to a fixed tag (example: actions/checkout@v4) and add "persist-credentials: false" to that checkout step to prevent token persistence; locate the container key and the actions/checkout step in the workflow file and make these substitutions to ensure reproducible CI and improved token hygiene.
.github/workflows/lizard.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major
Security hardening needed (unpinned references and credential persistence).
Container image and checkout action lack immutable pinning; credentials persist by default.
Also applies to: 78-79
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lizard.yml at line 59, The workflow uses an unpinned container image ("container: debian:trixie-slim") and an unpinned actions/checkout reference and leaves credentials persisted; update the container reference to an immutable digest or a specific, reviewed tag, pin the checkout action to a full commit SHA (or a specific major.minor.patch release) instead of floating tags, and set actions/checkout's persist-credentials: false (and token: null where appropriate) to avoid leaking repo credentials to subsequent steps; ensure any other third-party actions in the workflow are similarly pinned to SHAs.
.github/workflows/clang-format.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major
Security hardening needed (unpinned references and credential persistence).
Container image and checkout action lack SHA pinning; credentials persist by default.
Also applies to: 80-81
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/clang-format.yml at line 59, Replace the unpinned base image and the unpinned checkout action and disable credential persistence: change "container: debian:trixie-slim" to the same image pinned by digest (e.g., debian:trixie-slim@sha256:...) and replace the actions/checkout usage with a fully pinned ref (use the action's full commit SHA instead of a floating tag) and set actions/checkout persist-credentials: false; apply the same changes for the other occurrences referenced (lines 80-81).
.github/workflows/gersemi.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major
Security hardening needed (unpinned references and credential persistence).
Container image and checkout action are not immutably pinned; credential persistence enabled by default.
Also applies to: 78-79
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/gersemi.yml at line 59, The workflow uses an unpinned container and an unpinned checkout action with default credential persistence; update the container declaration (the line with "container: debian:trixie-slim") to reference an immutable image (pin to a specific digest or fully-qualified immutable tag) and update the actions/checkout usage (the "actions/checkout" step referenced around lines 78-79) to a pinned ref (use the action's commit SHA) and set persist-credentials: false to avoid leaving credentials in the workspace; ensure commit message explains the pins and include the digest/sha values used.
.github/workflows/docker.yml (1)
69-73: ⚠️ Potential issue | 🟠 Major
Security hardening needed (unpinned actions and credential persistence).
Multiple actions are unpinned and the checkout step lacks `persist-credentials: false`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docker.yml around lines 69 - 73, Update the workflow to avoid unpinned action risks and prevent credential persistence: change the checkout step (actions/checkout) to include persist-credentials: false, and replace the loose version pins (docker/setup-buildx-action@v3 and docker/build-push-action@v6) with immutable pins (specific commit SHAs or fully-qualified tagged SHAs) for docker/setup-buildx-action and docker/build-push-action so the workflow uses exact action revisions; also review and restrict job permissions if present to the minimum required.
.github/workflows/iwyu.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major
Security hardening needed (unpinned references and credential persistence).
The container image and checkout action are not pinned to immutable references, and credentials are persisted by default.
Also applies to: 80-81
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/iwyu.yml at line 59, Pin the container image and the checkout action to immutable refs and stop persisting credentials: replace the unpinned "container: debian:trixie-slim" with a digest-pinned image (or a specific proven immutable tag) and update the checkout step (the "uses: actions/checkout" entry) to a pinned tag/ref (e.g., a specific release tag or full commit SHA), and set the checkout step's persist-credentials to false to avoid leaving credentials in the runner.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.cppcheck-suppressions.xml:
- Around line 41-43: Remove the global <id>unmatchedSuppression</id> entry from
.cppcheck-suppressions.xml (the <suppress> block containing id
"unmatchedSuppression") so cppcheck will continue reporting stale/unused
suppressions; if you must keep it for a specific tooling quirk, narrow its scope
by replacing the global <suppress> with a suppression that targets only the
specific file(s) or check(s) and add a brief comment describing why that narrow
suppression is necessary and referencing the affected file or rule.
In @.github/buildifier-matcher.json:
- Around line 8-12: The current "regexp" value in the buildifier problem matcher
won't handle an optional column and can misassign captures; update the "regexp"
property used in the matcher to handle an optional column (so filename, line,
optional column, category, message are captured) and adjust the capture index
mappings so "file"=1, "line"=2, "code"=4, "message"=5 (leave the
"file"/"line"/"code"/"message" keys as-is but change their numeric values to the
new indices). Use the improved pattern that accepts an optional :column and
trims whitespace around the category and message when replacing the existing
"regexp" value for the matcher entry.
In @.github/workflows/bazel.yml:
- Around line 73-75: The workflow currently downloads Bazelisk via a mutable URL
(the wget -qO /usr/local/bin/bazelisk command) and other .deb artifacts without
integrity checks; update these steps to pin explicit release versions instead of
using releases/latest and add checksum verification before installation (use
sha256sum -c or equivalent) for the bazelisk binary and for each .deb download
path referenced in the file (including the other occurrences around lines
148-150, 190-192, 319-321, 364-366, 410-412); ensure you fetch the matching
.sha256 (or generate a known-good hash in the repo) and only run chmod/install
if the checksum verification succeeds.
In @.github/workflows/buildifier.yml:
- Line 86: Update the buildifier invocation used in the workflow: replace the
current `buildifier -r .` run step with a check-mode invocation (e.g.
`buildifier -mode=check -r .`) so the job exits non-zero when formatting drift
exists; locate the run step that currently executes `buildifier -r .` and change
its flags to include `-mode=check`.
In `@CMakePresets.json`:
- Line 2: The CMakePresets.json currently uses the "$schema" key while declaring
"version": 6 which is invalid (schema support starts at preset version 8+); fix
by either removing the "$schema" entry from CMakePresets.json so it remains a
valid v6 preset, or update the "version" value to 8 (or higher) to match use of
"$schema" — adjust any related comments or tooling expectations accordingly and
ensure the file's "version" and "$schema" are consistent.
In `@README.md`:
- Around line 85-86: The CI build badge in README.md currently references
actions/workflows/ci.yml which was renamed; update the badge URL/path to point
to actions/workflows/cmake.yml (replace the image/link URL segment
"actions/workflows/ci.yml" with "actions/workflows/cmake.yml") so the build
status badge for the RVO2 repository remains valid.
---
Outside diff comments:
In @.github/workflows/codeql.yml:
- Around line 63-73: Update the CodeQL workflow steps to use immutable commit
SHAs instead of mutable tags for the actions referenced by the step names
"checkout", "initialize codeql", "autobuild", and "perform codeql analysis"
(replace actions/checkout@v6 and github/codeql-action/*`@v4` with their specific
SHA pins), and for the "checkout" step add the input persist-credentials: false
under its with: block to disable credential persistence; ensure all four action
references are replaced with the exact commit SHAs and that "checkout" includes
persist-credentials: false.
In @.yamllint.yaml:
- Line 3: Replace the incorrect project name strings "AVO2" and "AVO" in the
header comments with the correct project name "RVO2"; locate the header lines
containing those exact tokens and update them so all references match "RVO2"
consistently.
---
Duplicate comments:
In @.github/workflows/actionlint.yml:
- Line 59: Replace the mutable container tag and floating checkout ref with
pinned, immutable versions: change the "container: debian:trixie-slim" entry to
a specific digest or a fixed, released tag (e.g., include the full image digest
or a stable version like debian:12-slim) and update the "uses: actions/checkout"
step (the lines referencing actions/checkout) to a fixed tag (example:
actions/checkout@v4) and add "persist-credentials: false" to that checkout step
to prevent token persistence; locate the container key and the actions/checkout
step in the workflow file and make these substitutions to ensure reproducible CI
and improved token hygiene.
In @.github/workflows/clang-format.yml:
- Line 59: Replace the unpinned base image and the unpinned checkout action and
disable credential persistence: change "container: debian:trixie-slim" to the
same image pinned by digest (e.g., debian:trixie-slim@sha256:...) and replace
the actions/checkout usage with a fully pinned ref (use the action's full commit
SHA instead of a floating tag) and set actions/checkout persist-credentials:
false; apply the same changes for the other occurrences referenced (lines
80-81).
In @.github/workflows/docker.yml:
- Around line 69-73: Update the workflow to avoid unpinned action risks and
prevent credential persistence: change the checkout step (actions/checkout) to
include persist-credentials: false, and replace the loose version pins
(docker/setup-buildx-action@v3 and docker/build-push-action@v6) with immutable
pins (specific commit SHAs or fully-qualified tagged SHAs) for
docker/setup-buildx-action and docker/build-push-action so the workflow uses
exact action revisions; also review and restrict job permissions if present to
the minimum required.
In @.github/workflows/gersemi.yml:
- Line 59: The workflow uses an unpinned container and an unpinned checkout
action with default credential persistence; update the container declaration
(the line with "container: debian:trixie-slim") to reference an immutable image
(pin to a specific digest or fully-qualified immutable tag) and update the
actions/checkout usage (the "actions/checkout" step referenced around lines
78-79) to a pinned ref (use the action's commit SHA) and set
persist-credentials: false to avoid leaving credentials in the workspace; ensure
commit message explains the pins and include the digest/sha values used.
In @.github/workflows/iwyu.yml:
- Line 59: Pin the container image and the checkout action to immutable refs and
stop persisting credentials: replace the unpinned "container:
debian:trixie-slim" with a digest-pinned image (or a specific proven immutable
tag) and update the checkout step (the "uses: actions/checkout" entry) to a
pinned tag/ref (e.g., a specific release tag or full commit SHA), and set the
checkout step's persist-credentials to false to avoid leaving credentials in the
runner.
In @.github/workflows/lizard.yml:
- Line 59: The workflow uses an unpinned container image ("container:
debian:trixie-slim") and an unpinned actions/checkout reference and leaves
credentials persisted; update the container reference to an immutable digest or
a specific, reviewed tag, pin the checkout action to a full commit SHA (or a
specific major.minor.patch release) instead of floating tags, and set
actions/checkout's persist-credentials: false (and token: null where
appropriate) to avoid leaking repo credentials to subsequent steps; ensure any
other third-party actions in the workflow are similarly pinned to SHAs.
In @.github/workflows/yamllint.yml:
- Line 59: Replace the mutable container tag and disable credential persistence
for checkout: pin the container reference used at "container:
debian:trixie-slim" to an immutable digest (or a specific immutable tag) instead
of the floating "trixie-slim" tag, and update the checkout steps that use
"actions/checkout@v6" to include "persist-credentials: false" so credentials are
not kept; ensure you modify the workflow entries that reference
actions/checkout@v6 and the container line so both use pinned, immutable refs
(container digest or fixed tag) and persist-credentials: false.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: cc965fa6-6893-4427-a3cf-d740562fea7d
📒 Files selected for processing (78)
.bazelignore, .buildifier.json, .clang-tidy, .cppcheck-suppressions.xml, .deepsource.toml, .devcontainer/devcontainer.json, .dockerignore, .gersemirc, .gitattributes, .github/actionlint-matcher.json, .github/actionlint-matcher.json.license, .github/buildifier-matcher.json, .github/buildifier-matcher.json.license, .github/clang-tidy-matcher.json, .github/clang-tidy-matcher.json.license, .github/codespell-matcher.json, .github/codespell-matcher.json.license, .github/cpplint-matcher.json, .github/cpplint-matcher.json.license, .github/detect-secrets-matcher.json, .github/detect-secrets-matcher.json.license, .github/hadolint-matcher.json, .github/hadolint-matcher.json.license, .github/lizard-matcher.json, .github/lizard-matcher.json.license, .github/markdownlint-matcher.json, .github/markdownlint-matcher.json.license, .github/workflows/actionlint.yml, .github/workflows/bazel.yml, .github/workflows/buildifier.yml, .github/workflows/check-jsonschema.yml, .github/workflows/clang-format.yml, .github/workflows/clang-tidy.yml, .github/workflows/cmake.yml, .github/workflows/codeql.yml, .github/workflows/codespell.yml, .github/workflows/coverage.yml, .github/workflows/cppcheck.yml, .github/workflows/cpplint.yml, .github/workflows/detect-secrets.yml, .github/workflows/docker.yml, .github/workflows/gersemi.yml, .github/workflows/hadolint.yml, .github/workflows/iwyu.yml, .github/workflows/lizard.yml, .github/workflows/markdownlint.yml, .github/workflows/reuse.yml, .github/workflows/sanitizer.yml, .github/workflows/valgrind.yml, .github/workflows/validate-cff.yml, .github/workflows/yamllint.yml, .gitignore, .hadolint.yaml, .iwyu_mappings.imp, .pre-commit-config.yaml, .secrets.baseline, .secrets.baseline.license, .vscode/extensions.json, .vscode/settings.json, .yamllint.yaml, Brewfile, CITATION.cff, CMakeLists.txt, CMakePresets.json, Dockerfile, QUALITY_DECLARATION.md, README.md, compose.yaml, doc/CMakeLists.txt, examples/Blocks.cc, examples/CMakeLists.txt, examples/Circle.cc, examples/Roadmap.cc, include-what-you-use.imp, requirements.txt, src/CMakeLists.txt, src/Export.h, src/KdTree.cc
💤 Files with no reviewable changes (2)
- include-what-you-use.imp
- src/KdTree.cc
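The three hardening points the review above repeats for nearly every workflow file (floating `uses:` tags, `actions/checkout` without `persist-credentials: false`, and `container:` images not pinned by digest) can be checked mechanically before CodeRabbit ever sees the PR. The script below is an added illustration, not part of the RVO2 repository or of CodeRabbit's output; the sample workflow text is constructed to mirror the snippets quoted in the review, and the all-zero SHA and digest are placeholders rather than real pins.

```python
"""Audit GitHub Actions workflow text for the three hardening gaps the review
above keeps flagging: floating action tags, actions/checkout without
persist-credentials: false, and container images not pinned by digest.
Constructed illustration; the placeholder SHA/digest values are all zeros."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A step begins at a list item carrying one of the usual step keys.
STEP_RE = re.compile(r"^(\s*)-\s+(?:name|uses|run|id|with):")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
CONTAINER_RE = re.compile(r"^\s*(?:container|image):\s*([^\s#]+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _split_steps(lines: list[str]) -> list[list[int]]:
    """Group 1-based line numbers into steps by list-item indentation."""
    steps: list[list[int]] = []
    current: list[int] | None = None
    indent = 0
    for no, line in enumerate(lines, start=1):
        stripped = line.lstrip(" ")
        lead = len(line) - len(stripped)
        if STEP_RE.match(line) and (current is None or lead <= indent):
            if current:
                steps.append(current)
            current, indent = [no], lead
        elif current is not None and stripped and lead < indent:
            steps.append(current)          # dedent: we left the steps list
            current = None
        elif current is not None:
            current.append(no)
    if current:
        steps.append(current)
    return steps


def audit_workflow(text: str) -> list[Finding]:
    """Return findings sorted by line; an empty list means all checks pass."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for no, line in enumerate(lines, start=1):
        m = CONTAINER_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            findings.append(Finding(no, "unpinned-container", m.group(1)))
    for step in _split_steps(lines):
        uses = [(n, USES_RE.match(lines[n - 1])) for n in step
                if USES_RE.match(lines[n - 1])]
        if not uses:
            continue                       # a plain `run:` step
        no, ref = uses[0][0], uses[0][1].group(1)
        if ref.startswith("./"):
            continue                       # local action, nothing to pin
        action, _, version = ref.partition("@")
        pinned = (DIGEST_RE.search(ref) if ref.startswith("docker://")
                  else SHA_RE.match(version))
        if not pinned:
            findings.append(Finding(no, "unpinned-action", ref))
        if action == "actions/checkout" and not any(
                PERSIST_RE.match(lines[n - 1]) for n in step):
            findings.append(Finding(no, "checkout-persists-credentials", ref))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample mirroring the snippets quoted in the review above.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    container: debian:trixie-slim
    steps:
      - name: checkout
        uses: actions/checkout@v6
      - name: initialize codeql
        uses: github/codeql-action/init@v4
        with:
          languages: cpp
"""

# Same job after the suggested hardening; zeros stand in for a real SHA/digest.
PLACEHOLDER_SHA = "0" * 40
PLACEHOLDER_DIGEST = "0" * 64
HARDENED_WORKFLOW = f"""\
jobs:
  lint:
    runs-on: ubuntu-latest
    container: debian:trixie-slim@sha256:{PLACEHOLDER_DIGEST}
    steps:
      - name: checkout
        uses: actions/checkout@{PLACEHOLDER_SHA} # v6
        with:
          persist-credentials: false
      - name: initialize codeql
        uses: github/codeql-action/init@{PLACEHOLDER_SHA} # v4
        with:
          languages: cpp
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_WORKFLOW), ("after", HARDENED_WORKFLOW)):
        print(f"{name}: {len(audit_workflow(text))} finding(s)")
        for f in audit_workflow(text):
            print(f"  line {f.line}: {f.rule} ({f.detail})")
```

Running it on the "before" text reports the unpinned container on line 4, the floating tag and persisted credentials on line 7, and the floating codeql tag on line 9; the hardened text reports nothing.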
Actionable comments posted: 7
♻️ Duplicate comments (3)
.github/workflows/actionlint.yml (2)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the container image to an immutable digest.
The workflow uses `debian:trixie-slim` without SHA256 pinning, which allows the image to change silently and breaks reproducibility. Pin to a specific digest.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/actionlint.yml at line 59, Replace the floating image reference "container: debian:trixie-slim" with a digest-pinned image (e.g., "debian@sha256:...") so the workflow uses an immutable image; locate the "container: debian:trixie-slim" entry and update it to the full image@sha256 digest (obtain the correct digest from the official Debian image registry) to ensure reproducible CI runs.
77-78: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Harden checkout: pin action and disable credential persistence.
The checkout step uses a floating ref `actions/checkout@v6` and doesn't set `persist-credentials: false`, creating both supply chain and credential persistence risks.
🔒 Proposed fix
- name: checkout - uses: actions/checkout@v6 + uses: actions/checkout@<commit_sha> + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/actionlint.yml around lines 77 - 78, The checkout step currently uses the floating ref "actions/checkout@v6" and leaves credentials persisted; update the "checkout" step to pin the action to a fixed immutable reference (replace actions/checkout@v6 with a specific commit SHA or exact non-floating tag) and add the option persist-credentials: false to that step so credentials are not written to the workspace.
requirements.txt (1)
35-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin `check-jsonschema` to avoid known vulnerability.
OSV advisory GHSA-q6mv-284r-mp36 shows check-jsonschema versions < 0.30.0 are vulnerable to cache confusion. Without version pinning, vulnerable versions may be installed.
🛡️ Proposed fix
-check-jsonschema +check-jsonschema>=0.30.0🤖 Prompt for AI Agents
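Review bot: `check-jsonschema>=0.30.0` sets a floor but not a pin, so the resolved version still floats with whatever is newest on PyPI at install time; since this comment's heading says "Pin", an exact `check-jsonschema==<version>` (or a lock file) matches the intent better, with 0.30.0 as the minimum acceptable release.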
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@requirements.txt` at line 35, Pin the vulnerable dependency by updating requirements.txt entry for check-jsonschema to a non-vulnerable version (e.g., change "check-jsonschema" to "check-jsonschema==0.30.0" or "check-jsonschema>=0.30.0,<0.31.0"); ensure any dependency lockfile or CI dependency install step is updated accordingly and run a dependency install/check to verify the new version is picked up.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/bazel.yml:
- Around line 455-456: The winget install invocation contains an invalid `-r`
flag; locate the occurrences of the command string "winget install -e -r bazel
--accept-package-agreements --accept-source-agreements --id Bazel.Bazelisk" (and
the similar duplicate later) and remove the `-r` token or replace it with the
correct documented flag; update both occurrences so the command uses valid flags
(for example: "winget install -e --id Bazel.Bazelisk --accept-package-agreements
--accept-source-agreements") and run a quick grep to confirm no other `-r`
usages remain.
In @.github/workflows/codeql.yml:
- Line 64: Update the workflow step that uses actions/checkout and the codeql
action steps to pin to immutable SHAs (replace floating tags like
actions/checkout@v6 and github/codeql-action/{init,autobuild,analyze}`@v4` with
the corresponding commit SHAs) and add persist-credentials: false to the
checkout step to disable credential persistence; locate the uses entries for
actions/checkout and github/codeql-action/* in .github/workflows/codeql.yml and
replace tag references with their canonical commit SHA strings and add the
persist-credentials: false field under the checkout step.
In @.github/workflows/detect-secrets.yml:
- Line 74: Replace the floating installer command "pipx install detect-secrets"
with a pinned package installation so scans are reproducible; update the
workflow to install a specific detect-secrets version (e.g. change the "pipx
install detect-secrets" invocation to pin to a chosen stable version like
detect-secrets==<version>) and document the pinned version in the workflow
comment so future updates are deliberate.
In @.github/workflows/gersemi.yml:
- Line 74: Replace the unpinned pipx install command so CI installs a specific
gersemi release: change the pipx install gersemi invocation to install a fixed
version (e.g., pipx install "gersemi==X.Y.Z") and commit that version string;
update any related workflow documentation and bump the pinned version
consciously when you want to adopt a newer gersemi.
In `@Dockerfile`:
- Around line 115-117: Replace the mutable download of hadolint (the curl that
writes to /usr/local/bin/hadolint using TARGETARCH) with a pinned release: set a
specific HADOLINT_VERSION (e.g. v2.x.y), download both the matching hadolint
binary and its corresponding hadolint-Linux-<arch>.sha256 asset for the resolved
arch, verify the downloaded binary's SHA256 against the .sha256 file before
moving it to /usr/local/bin/hadolint and marking it executable, and fail the
build if the checksum does not match.
In `@examples/Blocks.cc`:
- Around line 179-182: The OpenMP parallel loop in setPreferredVelocities()
calls std::rand() (used to compute angle and dist) which is not thread-safe;
replace the shared std::rand() usage with a thread-local RNG or serialize the
calls. Fix by introducing a per-thread RNG (e.g., a thread-local std::mt19937
seeded once per thread using omp_get_thread_num or std::random_device) and use
appropriate distributions to produce angle and dist, or alternatively wrap the
std::rand() calls that compute angle/dist in a small `#pragma` omp critical
region; update references to angle and dist accordingly and add necessary
<random> (and <omp.h> if using thread id) includes.
In `@QUALITY_DECLARATION.md`:
- Around line 263-264: Update the inaccurate coverage-upload sentence in
QUALITY_DECLARATION.md that currently reads "from the amd64 build": locate the
sentence containing "from the amd64 build" and replace it with wording that
correctly states the workflow publishes coverage from the merge job using the
merged report (e.g., "from the merge job using the merged coverage report"),
ensuring the sentence now reflects that the merged report is published rather
than a single amd64 build artifact.
---
Duplicate comments:
In @.github/workflows/actionlint.yml:
- Line 59: Replace the floating image reference "container: debian:trixie-slim"
with a digest-pinned image (e.g., "debian@sha256:...") so the workflow uses an
immutable image; locate the "container: debian:trixie-slim" entry and update it
to the full image@sha256 digest (obtain the correct digest from the official
Debian image registry) to ensure reproducible CI runs.
- Around line 77-78: The checkout step currently uses the floating ref
"actions/checkout@v6" and leaves credentials persisted; update the "checkout"
step to pin the action to a fixed immutable reference (replace
actions/checkout@v6 with a specific commit SHA or exact non-floating tag) and
add the option persist-credentials: false to that step so credentials are not
written to the workspace.
In `@requirements.txt`:
- Line 35: Pin the vulnerable dependency by updating requirements.txt entry for
check-jsonschema to a non-vulnerable version (e.g., change "check-jsonschema" to
"check-jsonschema==0.30.0" or "check-jsonschema>=0.30.0,<0.31.0"); ensure any
dependency lockfile or CI dependency install step is updated accordingly and run
a dependency install/check to verify the new version is picked up.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7252ff19-e663-4411-9818-08b03c3264ba
📒 Files selected for processing (78)
💤 Files with no reviewable changes (2)
- include-what-you-use.imp
- src/KdTree.cc
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.pre-commit-config.yaml (1)
55-57: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Avoid floating pre-commit hook revision (`master`).
In `.pre-commit-config.yaml` (lines 55-57), https://github.com/pocc/pre-commit-hooks uses `rev: master`, which makes hook behavior nondeterministic across time/CI; pin it to a specific tag or commit SHA instead.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.pre-commit-config.yaml around lines 55 - 57, The pre-commit hook entry for repo "https://github.com/pocc/pre-commit-hooks" currently uses an unpinned revision `rev: master`; update that `rev` value to a specific tag or commit SHA (e.g., a release tag or the commit hash) in .pre-commit-config.yaml so the hook is deterministic in CI and across checkouts.
♻️ Duplicate comments (14)
README.md (1)
85-86: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Update the build badge workflow path to `cmake.yml`.
The build badge still targets `actions/workflows/ci.yml`; after the workflow rename it should point to `actions/workflows/cmake.yml`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@README.md` around lines 85 - 86, Update the build status badge URL in README.md so it points to the renamed workflow file: replace the occurrences of "actions/workflows/ci.yml" (the build badge image and link beginning with "https://github.com/snape/RVO2/actions/workflows/ci.yml") with "actions/workflows/cmake.yml" so the badge uses the new workflow path.
.github/workflows/codeql.yml (1)
64-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin all GitHub Actions `uses:` refs to full commit SHAs.
`actions/checkout@v6` and `github/codeql-action/{init,autobuild,analyze}@v4` are still floating tags. Pin each to immutable SHAs to meet the unpinned-uses security policy.
Also applies to: 68-68, 73-73, 75-75
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml at line 64, The workflow uses floating tags for actions (e.g., actions/checkout@v6 and github/codeql-action/{init,autobuild,analyze}`@v4`); replace those refs with their corresponding immutable commit SHAs (pin the `uses:` values to full commit SHAs) for each occurrence (lines referencing actions/checkout and github/codeql-action init/autobuild/analyze) so the workflow meets the unpinned-uses policy—find each `uses:` entry and substitute the tag with the exact SHA from the action’s release commit.
.github/workflows/reuse.yml (1)
62-62: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin workflow actions to immutable commit SHAs.
Both `actions/checkout@v6` and `fsfe/reuse-action@v5` are floating refs; pin them to full commit SHAs to satisfy the unpinned-uses policy and reduce supply-chain risk.
Also applies to: 66-66
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/reuse.yml at line 62, The workflow currently references floating tags actions/checkout@v6 and fsfe/reuse-action@v5; replace both with their corresponding immutable commit SHAs (full 40-character commit hashes) to satisfy the unpinned-uses policy and reduce supply-chain risk. Locate the uses entries referencing "actions/checkout@v6" and "fsfe/reuse-action@v5" in the workflow and update each to the exact commit SHA from the upstream repositories (e.g., actions/checkout@<full-sha>, fsfe/reuse-action@<full-sha>), ensuring you pin every occurrence (including the other instance noted) and commit the updated workflow.requirements.txt (1)
35-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin `check-jsonschema` to a patched range.

`check-jsonschema` is still unpinned, so resolution can select vulnerable releases. Please constrain it to a patched minimum (for example `check-jsonschema>=0.30.0`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@requirements.txt` at line 35, The dependency entry for check-jsonschema is unpinned and may allow vulnerable versions; update the requirements entry for check-jsonschema to constrain it to a patched minimum version (e.g., change the package spec for check-jsonschema to include a minimum safe version such as check-jsonschema>=0.30.0) so dependency resolution cannot select known-vulnerable releases.

.github/workflows/actionlint.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the container image and checkout action to immutable digests/SHAs.

`container: debian:trixie-slim` and `uses: actions/checkout@v6` are mutable references. Pin the container to `@sha256:...` and checkout to a full commit SHA.

Also applies to: 78-78

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/actionlint.yml at line 59, The workflow uses mutable image/tag and action refs: replace "container: debian:trixie-slim" with the image pinned to its immutable sha256 digest (e.g., debian:trixie-slim@sha256:...) and replace "uses: actions/checkout@v6" with the exact commit SHA of the actions/checkout repository (uses: actions/checkout@<full-commit-sha>); fetch the correct sha256 for the Debian image from the official registry and the full commit SHA from the actions/checkout GitHub repo, and update both occurrences (container and checkout) to use those immutable digests/SHAs.

.github/workflows/docker.yml (1)
69-69: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin all GitHub Actions to full commit SHAs.

These action references are still tag-based and mutable. Please pin `actions/checkout`, `docker/setup-buildx-action`, and `docker/build-push-action` to immutable commit SHAs.

Also applies to: 73-73, 75-75

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docker.yml at line 69, Replace mutable tag-based action references with full commit SHAs for actions/checkout@v6, docker/setup-buildx-action, and docker/build-push-action: locate the three "uses:" entries that reference those actions in the workflow and update each to the corresponding immutable commit SHA (e.g., actions/checkout@<full-sha>, docker/setup-buildx-action@<full-sha>, docker/build-push-action@<full-sha>) so the workflow pins exact commits instead of tags.

.github/workflows/iwyu.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin workflow dependencies to immutable digests/SHAs.

`container: debian:trixie-slim` (Line 59) and `actions/checkout@v6` (Line 81) are still mutable references. Please pin both to immutable values (`@sha256:...` for image, full commit SHA for action).

Also applies to: 81-81

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/iwyu.yml at line 59, Replace mutable workflow references with immutable digests: change the container image reference "container: debian:trixie-slim" to the corresponding image pinned by sha256 digest (e.g., "debian:trixie-slim@sha256:...") and change the action reference "actions/checkout@v6" to the action pinned to a full commit SHA (e.g., "actions/checkout@{full-commit-sha}"); update both occurrences so the workflow uses the exact immutable identifiers instead of the mutable tags.

examples/Blocks.cc (1)
179-182: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace `std::rand()` inside the OpenMP loop.

Calling `std::rand()` in the `#pragma omp parallel for` region is thread-unsafe and can produce racy/nondeterministic behavior. Use a per-thread RNG (`thread_local` engine) or guard RNG calls with a critical section.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@examples/Blocks.cc` around lines 179 - 182, In the OpenMP parallel loop where angle and dist are computed, replace the thread-unsafe std::rand() calls with a per-thread RNG (e.g., a thread_local std::mt19937 seeded per thread using omp_get_thread_num()) and use std::uniform_real_distribution to produce the needed [0,1) values for computing angle (multiplied by RVO_TWO_PI) and dist (scaled by 0.0001F/RAND_MAX equivalent); specifically update the computations of angle and dist to draw from the per-thread engine instead of std::rand(), or alternatively protect the std::rand() calls with a critical section if you cannot introduce a per-thread engine.

.github/workflows/gersemi.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden this workflow with immutable pins for image/action/tool install.

Use immutable references for all three mutable dependencies: container image digest (Line 59), `actions/checkout` commit SHA (Line 79), and a fixed `gersemi` version in `pipx install` (Line 74).

Also applies to: 74-74, 79-79

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/gersemi.yml at line 59, Replace the three mutable dependencies with immutable pins: change the container image reference "container: debian:trixie-slim" to a specific digest (e.g., debian@sha256:...), pin the actions/checkout usage to a specific commit SHA instead of a floating tag, and pin the gersemi install in the "pipx install gersemi" step to a fixed release version (e.g., pipx install gersemi==x.y.z); update the workflow steps that reference actions/checkout and the pipx install to use these exact pins.

.github/workflows/check-jsonschema.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin mutable CI dependencies to immutable revisions.

Line 59 uses a mutable container tag, Line 74 installs an unpinned tool version, and Line 79 uses a mutable action tag. Please pin all three (`container@sha256`, `check-jsonschema==x.y.z`, `actions/checkout@<full_sha>`) for reproducible and hardened CI.

🔒 Suggested patch shape
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<digest> - pipx install check-jsonschema + pipx install check-jsonschema==<version> - uses: actions/checkout@v6 + uses: actions/checkout@<full_commit_sha> # v6Also applies to: 74-74, 79-79
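Review bot: the `check-jsonschema==<version>` pin in this patch and the `check-jsonschema>=0.30.0` range proposed for requirements.txt will diverge unless both are kept at the same exact version; pin with `==` in requirements.txt too and bump the two together, otherwise this workflow, requirements.txt and the Dockerfile's `pip install` each resolve a different release.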
🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/check-jsonschema.yml at line 59, Replace mutable CI dependencies with immutable pins: change the container declaration "container: debian:trixie-slim" to a digest-pinned form (e.g., container: debian@sha256:<digest>), pin the installed Python package "check-jsonschema" to an exact version (use check-jsonschema==x.y.z in the install step), and update the GitHub action reference "actions/checkout" to the full commit SHA (actions/checkout@<full_sha>) so all three references are immutable and reproducible.

.github/workflows/yamllint.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use immutable pins for container and checkout action.

Line 59 and Line 77 are still mutable references. Please pin to `debian:trixie-slim@sha256:...` and `actions/checkout@<full_sha>` to prevent CI drift and supply-chain variance.

Also applies to: 77-77

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/yamllint.yml at line 59, Replace the mutable image and action refs with immutable pins: update the "container: debian:trixie-slim" entry to use the image digest (e.g., debian:trixie-slim@sha256:...) and change the "actions/checkout" usage to the full commit SHA (actions/checkout@<full_sha>); locate the occurrences by searching for the literal "container: debian:trixie-slim" and the "actions/checkout" step in the workflow and substitute the mutable tags with their corresponding immutable sha256 pins.

.github/workflows/lizard.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin container, tool version, and checkout action.

Line 59, Line 74, and Line 79 are mutable dependency references. Please pin image digest, `lizard` version, and checkout SHA to keep CI deterministic and policy-compliant.

Also applies to: 74-74, 79-79

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lizard.yml at line 59, The workflow currently uses mutable references: the container image "debian:trixie-slim", the "lizard" tool, and the "actions/checkout" action; pin each to an immutable reference by replacing "container: debian:trixie-slim" with the image+digest (e.g., debian:trixie-slim@sha256:...), change the lizard invocation (the step that references "lizard" or uses a marketplace action named lizard) to a specific released version or digest (e.g., vX.Y.Z or `@sha256`:...), and lock "actions/checkout" to a specific commit SHA instead of a floating tag; update the three occurrences (container line and the steps that reference "lizard" and "actions/checkout") so CI is deterministic.

.github/workflows/valgrind.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin mutable container and action references.

Line 59 (`debian:trixie-slim`) and Line 88 (`actions/checkout@v6`) should be pinned to immutable digests/SHAs to avoid non-reproducible runs and reduce supply-chain risk.

Also applies to: 88-88

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/valgrind.yml at line 59, The workflow currently pins mutable references ("container: debian:trixie-slim" and "uses: actions/checkout@v6"), so update both to immutable digests/SHAs: replace "container: debian:trixie-slim" with the Debian image pinned by its sha256 digest (e.g., debian@sha256:<digest>) and replace "uses: actions/checkout@v6" with a specific commit SHA (e.g., actions/checkout@<commit-sha>); locate the strings "container: debian:trixie-slim" and "uses: actions/checkout@v6" in the workflow and substitute the appropriate sha256 and git commit values obtained from the image registry and the actions repo respectively.

.github/workflows/bazel.yml (1)
83-83: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin `actions/cache` to commit SHAs (eliminate `@v5` tags)

`.github/workflows/bazel.yml` uses `actions/cache@v5` in all cache steps at lines 83, 120, 162, 206, 233, 252, 279, 298, 341, 387, 433, 456, 480, 503, and 529; pin each to a fixed commit SHA for immutable supply-chain guarantees.

Suggested patch pattern
- - name: cache - uses: actions/cache@v5 + - name: cache + uses: actions/cache@<full_commit_sha_for_v5>🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/bazel.yml at line 83, Replace every occurrence of the literal "uses: actions/cache@v5" with a pinned commit SHA form "uses: actions/cache@<full-commit-sha>" (use the full 40-char commit from the actions/cache GitHub repo) so each cache step is immutably pinned; locate all instances of the string "uses: actions/cache@v5" in the workflow and update them to the chosen SHA (use the same SHA for all steps or pin each step to the specific release commit you audited), and commit the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cmake.yml:
- Line 59: Replace all tag-based container image specifications with immutable
digest-pinned references: locate the seven occurrences of container: lines
(almalinux:10, alpine:3, archlinux:latest, fedora:44, opensuse/leap:16.0,
ubuntu:26.04 for amd64 and arm64) in the workflow and change each to the
corresponding container: <image>`@sha256`:<digest>; obtain the correct sha256
digests using a registry manifest query (e.g., docker pull + docker image
inspect to read RepoDigests or skopeo/docker manifest inspect for the specific
platform/arch) and ensure you pick the digest that matches the intended platform
(amd64 vs arm64) before replacing the tag strings in the file.
- Around line 82-84: Replace all instances of the string "uses:
actions/checkout@v6" in the workflow with the corresponding immutable commit
SHAs (e.g., "actions/checkout@<full-commit-sha>") to pin the action and ensure
deterministic CI; locate every occurrence of the exact token "uses:
actions/checkout@v6" in the .github/workflows/cmake.yml file and update each one
to the latest known commit SHA for actions/checkout, keeping the existing
"with:" settings (like persist-credentials) intact.
In @.github/workflows/meson.yml:
- Around line 79-81: Replace every floating reference "uses:
actions/checkout@v6" with the corresponding full commit SHA pin (e.g., "uses:
actions/checkout@<full-commit-sha>") in this workflow; locate each occurrence of
the string "uses: actions/checkout@v6" and update them to the same verified
commit SHA to ensure reproducibility and supply-chain integrity, and verify the
chosen SHA is from the actions/checkout repository mainline before committing.
In `@compose.yaml`:
- Line 34: compose.yaml currently references the moving "master" Compose schema
URL via the $schema comment; pick the exact compose-spec commit SHA or tag you
want (e.g., the project-supported release) and replace the URL string
"https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json"
with the pinned raw URL containing that commit SHA
(https://raw.githubusercontent.com/compose-spec/compose-spec/<COMMIT_SHA>/schema/compose-spec.json)
so the yaml-language-server uses a deterministic schema; update the commit SHA
to the chosen tag/commit and commit the change.
In `@Dockerfile`:
- Around line 127-133: The Dockerfile uses an unpinned pip install command that
installs cffconvert, check-jsonschema, detect-secrets, lizard, and pre-commit
which leads to non-deterministic builds; update the pip install invocation in
the same RUN step to pin each package to a specific version (or reference a
requirements/constraints file), e.g., replace the floating package names in the
list (cffconvert, check-jsonschema, detect-secrets, lizard, pre-commit) with
explicit versions or add --constraint / -r pointing to a committed requirements
file so image builds are reproducible and auditable.
---
Outside diff comments:
In @.pre-commit-config.yaml:
- Around line 55-57: The pre-commit hook entry for repo
"https://github.com/pocc/pre-commit-hooks" currently uses an unpinned revision
`rev: master`; update that `rev` value to a specific tag or commit SHA (e.g., a
release tag or the commit hash) in .pre-commit-config.yaml so the hook is
deterministic in CI and across checkouts.
---
Duplicate comments:
In @.github/workflows/actionlint.yml:
- Line 59: The workflow uses mutable image/tag and action refs: replace
"container: debian:trixie-slim" with the image pinned to its immutable sha256
digest (e.g., debian:trixie-slim@sha256:...) and replace "uses:
actions/checkout@v6" with the exact commit SHA of the actions/checkout
repository (uses: actions/checkout@<full-commit-sha>); fetch the correct sha256
for the Debian image from the official registry and the full commit SHA from the
actions/checkout GitHub repo, and update both occurrences (container and
checkout) to use those immutable digests/SHAs.
In @.github/workflows/bazel.yml:
- Line 83: Replace every occurrence of the literal "uses: actions/cache@v5" with
a pinned commit SHA form "uses: actions/cache@<full-commit-sha>" (use the full
40-char commit from the actions/cache GitHub repo) so each cache step is
immutably pinned; locate all instances of the string "uses: actions/cache@v5" in
the workflow and update them to the chosen SHA (use the same SHA for all steps
or pin each step to the specific release commit you audited), and commit the
change.
In @.github/workflows/check-jsonschema.yml:
- Line 59: Replace mutable CI dependencies with immutable pins: change the
container declaration "container: debian:trixie-slim" to a digest-pinned form
(e.g., container: debian@sha256:<digest>), pin the installed Python package
"check-jsonschema" to an exact version (use check-jsonschema==x.y.z in the
install step), and update the GitHub action reference "actions/checkout" to the
full commit SHA (actions/checkout@<full_sha>) so all three references are
immutable and reproducible.
In @.github/workflows/codeql.yml:
- Line 64: The workflow uses floating tags for actions (e.g.,
actions/checkout@v6 and github/codeql-action/{init,autobuild,analyze}`@v4`);
replace those refs with their corresponding immutable commit SHAs (pin the
`uses:` values to full commit SHAs) for each occurrence (lines referencing
actions/checkout and github/codeql-action init/autobuild/analyze) so the
workflow meets the unpinned-uses policy—find each `uses:` entry and substitute
the tag with the exact SHA from the action’s release commit.
In @.github/workflows/docker.yml:
- Line 69: Replace mutable tag-based action references with full commit SHAs for
actions/checkout@v6, docker/setup-buildx-action, and docker/build-push-action:
locate the three "uses:" entries that reference those actions in the workflow
and update each to the corresponding immutable commit SHA (e.g.,
actions/checkout@<full-sha>, docker/setup-buildx-action@<full-sha>,
docker/build-push-action@<full-sha>) so the workflow pins exact commits instead
of tags.
In @.github/workflows/gersemi.yml:
- Line 59: Replace the three mutable dependencies with immutable pins: change
the container image reference "container: debian:trixie-slim" to a specific
digest (e.g., debian@sha256:...), pin the actions/checkout usage to a specific
commit SHA instead of a floating tag, and pin the gersemi install in the "pipx
install gersemi" step to a fixed release version (e.g., pipx install
gersemi==x.y.z); update the workflow steps that reference actions/checkout and
the pipx install to use these exact pins.
In @.github/workflows/iwyu.yml:
- Line 59: Replace mutable workflow references with immutable digests: change
the container image reference "container: debian:trixie-slim" to the
corresponding image pinned by sha256 digest (e.g.,
"debian:trixie-slim@sha256:...") and change the action reference
"actions/checkout@v6" to the action pinned to a full commit SHA (e.g.,
"actions/checkout@{full-commit-sha}"); update both occurrences so the workflow
uses the exact immutable identifiers instead of the mutable tags.
In @.github/workflows/lizard.yml:
- Line 59: The workflow currently uses mutable references: the container image
"debian:trixie-slim", the "lizard" tool, and the "actions/checkout" action; pin
each to an immutable reference by replacing "container: debian:trixie-slim" with
the image+digest (e.g., debian:trixie-slim@sha256:...), change the lizard
invocation (the step that references "lizard" or uses a marketplace action named
lizard) to a specific released version or digest (e.g., vX.Y.Z or `@sha256`:...),
and lock "actions/checkout" to a specific commit SHA instead of a floating tag;
update the three occurrences (container line and the steps that reference
"lizard" and "actions/checkout") so CI is deterministic.
In @.github/workflows/reuse.yml:
- Line 62: The workflow currently references floating tags actions/checkout@v6
and fsfe/reuse-action@v5; replace both with their corresponding immutable commit
SHAs (full 40-character commit hashes) to satisfy the unpinned-uses policy and
reduce supply-chain risk. Locate the uses entries referencing
"actions/checkout@v6" and "fsfe/reuse-action@v5" in the workflow and update each
to the exact commit SHA from the upstream repositories (e.g.,
actions/checkout@<full-sha>, fsfe/reuse-action@<full-sha>), ensuring you pin
every occurrence (including the other instance noted) and commit the updated
workflow.
In @.github/workflows/valgrind.yml:
- Line 59: The workflow currently pins mutable references ("container:
debian:trixie-slim" and "uses: actions/checkout@v6"), so update both to
immutable digests/SHAs: replace "container: debian:trixie-slim" with the Debian
image pinned by its sha256 digest (e.g., debian@sha256:<digest>) and replace
"uses: actions/checkout@v6" with a specific commit SHA (e.g.,
actions/checkout@<commit-sha>); locate the strings "container:
debian:trixie-slim" and "uses: actions/checkout@v6" in the workflow and
substitute the appropriate sha256 and git commit values obtained from the image
registry and the actions repo respectively.
In @.github/workflows/yamllint.yml:
- Line 59: Replace the mutable image and action refs with immutable pins: update
the "container: debian:trixie-slim" entry to use the image digest (e.g.,
debian:trixie-slim@sha256:...) and change the "actions/checkout" usage to the
full commit SHA (actions/checkout@<full_sha>); locate the occurrences by
searching for the literal "container: debian:trixie-slim" and the
"actions/checkout" step in the workflow and substitute the mutable tags with
their corresponding immutable sha256 pins.
In `@examples/Blocks.cc`:
- Around line 179-182: In the OpenMP parallel loop where angle and dist are
computed, replace the thread-unsafe std::rand() calls with a per-thread RNG
(e.g., a thread_local std::mt19937 seeded per thread using omp_get_thread_num())
and use std::uniform_real_distribution to produce the needed [0,1) values for
computing angle (multiplied by RVO_TWO_PI) and dist (scaled by 0.0001F/RAND_MAX
equivalent); specifically update the computations of angle and dist to draw from
the per-thread engine instead of std::rand(), or alternatively protect the
std::rand() calls with a critical section if you cannot introduce a per-thread
engine.
In `@README.md`:
- Around line 85-86: Update the build status badge URL in README.md so it points
to the renamed workflow file: replace the occurrences of
"actions/workflows/ci.yml" (the build badge image and link beginning with
"https://github.com/snape/RVO2/actions/workflows/ci.yml") with
"actions/workflows/cmake.yml" so the badge uses the new workflow path.
In `@requirements.txt`:
- Line 35: The dependency entry for check-jsonschema is unpinned and may allow
vulnerable versions; update the requirements entry for check-jsonschema to
constrain it to a patched minimum version (e.g., change the package spec for
check-jsonschema to include a minimum safe version such as
check-jsonschema>=0.30.0) so dependency resolution cannot select
known-vulnerable releases.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: a926c4fe-753a-4eb2-9a21-14da3d680e2e
📒 Files selected for processing (79)

- .bazelignore
- .buildifier.json
- .clang-tidy
- .cppcheck-suppressions.xml
- .deepsource.toml
- .devcontainer/devcontainer.json
- .dockerignore
- .gersemirc
- .gitattributes
- .github/actionlint-matcher.json
- .github/actionlint-matcher.json.license
- .github/buildifier-matcher.json
- .github/buildifier-matcher.json.license
- .github/clang-tidy-matcher.json
- .github/clang-tidy-matcher.json.license
- .github/codespell-matcher.json
- .github/codespell-matcher.json.license
- .github/cpplint-matcher.json
- .github/cpplint-matcher.json.license
- .github/detect-secrets-matcher.json
- .github/detect-secrets-matcher.json.license
- .github/hadolint-matcher.json
- .github/hadolint-matcher.json.license
- .github/lizard-matcher.json
- .github/lizard-matcher.json.license
- .github/markdownlint-matcher.json
- .github/markdownlint-matcher.json.license
- .github/workflows/actionlint.yml
- .github/workflows/bazel.yml
- .github/workflows/buildifier.yml
- .github/workflows/check-jsonschema.yml
- .github/workflows/clang-format.yml
- .github/workflows/clang-tidy.yml
- .github/workflows/cmake.yml
- .github/workflows/codeql.yml
- .github/workflows/codespell.yml
- .github/workflows/coverage.yml
- .github/workflows/cppcheck.yml
- .github/workflows/cpplint.yml
- .github/workflows/detect-secrets.yml
- .github/workflows/docker.yml
- .github/workflows/gersemi.yml
- .github/workflows/hadolint.yml
- .github/workflows/iwyu.yml
- .github/workflows/lizard.yml
- .github/workflows/markdownlint.yml
- .github/workflows/meson.yml
- .github/workflows/reuse.yml
- .github/workflows/sanitizer.yml
- .github/workflows/valgrind.yml
- .github/workflows/validate-cff.yml
- .github/workflows/yamllint.yml
- .gitignore
- .hadolint.yaml
- .iwyu_mappings.imp
- .pre-commit-config.yaml
- .secrets.baseline
- .secrets.baseline.license
- .vscode/extensions.json
- .vscode/settings.json
- .yamllint.yaml
- Brewfile
- CITATION.cff
- CMakeLists.txt
- CMakePresets.json
- Dockerfile
- QUALITY_DECLARATION.md
- README.md
- compose.yaml
- doc/CMakeLists.txt
- examples/Blocks.cc
- examples/CMakeLists.txt
- examples/Circle.cc
- examples/Roadmap.cc
- include-what-you-use.imp
- requirements.txt
- src/CMakeLists.txt
- src/Export.h
- src/KdTree.cc
💤 Files with no reviewable changes (2)
- src/KdTree.cc
- include-what-you-use.imp
| && pip install --no-cache-dir -qq \ | ||
| cffconvert \ | ||
| check-jsonschema \ | ||
| detect-secrets \ | ||
| lizard \ | ||
| pre-commit \ | ||
| && echo "ubuntu ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu \ |
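Review bot: this `pip install` has neither version pins nor hashes, so the layer resolves whatever PyPI serves at build time and two builds of the same Dockerfile can differ; since `requirements.txt` is already part of this change, install from it instead (`pip install --no-cache-dir --require-hashes -r requirements.txt`, with every entry pinned `==` and carrying `--hash=sha256:...`) so the image is reproducible and a substituted package fails the build, and drop `-qq`, which suppresses pip's warnings.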
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Verify all Python installs in the Dockerfile and whether they are pinned.
awk '
/pipx?[[:space:]]+install/ {print NR ":" $0}
' Dockerfile

Repository: snape/RVO2
Length of output: 96
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show Dockerfile section around the reported lines
nl -ba Dockerfile | sed -n '110,160p'
echo "----"
# Find all pip install occurrences and print the package lines that follow until the line ending with '\'
awk '
/pipx?[[:space:]]+install/ { start=1; print "MATCH:" NR ":" $0; next }
start==1 {
# package lines in this Dockerfile appear indented and end with "\" in the pip install block
if ($0 ~ /^[[:space:]]*[a-zA-Z0-9_.-]+[[:space:]]*(==|>=|<=|~=|!=)/ || $0 ~ /^[[:space:]]*[a-zA-Z0-9_.-]+[[:space:]]*\\/) {
print NR ":" $0
}
# stop after we reach a non-package line (heuristic: line not ending with '\' and not continuing \)
if ($0 !~ /\\[[:space:]]*$/) { start=0 }
}
' Dockerfile | head -n 200
echo "----"
# List all lines in Dockerfile that contain these specific packages to check for pinning
rg -n --fixed-strings --no-heading "check-jsonschema|detect-secrets|lizard|pre-commit|cffconvert" Dockerfile || true
echo "----"
# Check for any pinned versions in pip install lines (presence of '==' on the same line)
rg -n --no-heading "pipx?[[:space:]]+install.*==|\\s+==\\s+" Dockerfile || true

Repository: snape/RVO2
Length of output: 97
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- Dockerfile lines 110-160 ----"
awk 'NR>=110 && NR<=160 {print NR ":" $0}' Dockerfile
echo "---- pip install blocks containing the listed tools ----"
rg -n --context 3 --no-heading -e "pip install" Dockerfile || true
echo "---- matching packages and nearby lines (for pinning check) ----"
rg -n --no-heading -C 2 "check-jsonschema|detect-secrets|lizard|pre-commit|cffconvert" Dockerfile || true
echo "---- any pinned versions in pip install lines ----"
rg -n --no-heading "pipx?[[:space:]]+install|pip[[:space:]]+install" Dockerfile | head -n 200
echo "---- check whether these specific packages use == in the Dockerfile ----"
for p in check-jsonschema detect-secrets lizard pre-commit cffconvert; do
echo "## $p"
rg -n --no-heading "${p}.*==" Dockerfile || true
done

Repository: snape/RVO2
Length of output: 2454
Pin the newly added Python tool dependencies for deterministic image builds.
`pip install` installs `check-jsonschema` and `detect-secrets` (and also `cffconvert`, `lizard`, `pre-commit`) without any version pinning, so the build will pick up floating latest releases.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@Dockerfile` around lines 127 - 133, The Dockerfile uses an unpinned pip
install command that installs cffconvert, check-jsonschema, detect-secrets,
lizard, and pre-commit which leads to non-deterministic builds; update the pip
install invocation in the same RUN step to pin each package to a specific
version (or reference a requirements/constraints file), e.g., replace the
floating package names in the list (cffconvert, check-jsonschema,
detect-secrets, lizard, pre-commit) with explicit versions or add --constraint /
-r pointing to a committed requirements file so image builds are reproducible
and auditable.
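The pinning this review asks for across the workflows can be checked and applied mechanically rather than by hand-editing fifteen `uses:` lines. The script below is an added example for this thread, not code from the RVO2 repository or from the review bot: it flags `uses:` refs that are not a 40-hex commit, `container:`/`image:` tags without a `@sha256:` digest and unversioned `pip`/`pipx install` packages, and rewrites those for which an immutable value is supplied. The sample workflow text is constructed to mirror the lines flagged above; the commit SHA, image digest and package version in `PINS` are placeholders, and the comments say where the real values come from.

```python
"""Flag and pin mutable references in GitHub Actions workflow text.

Added example for this review thread; not code from the RVO2 project.
SAMPLE_WORKFLOW is constructed to mirror the flagged lines, and every
SHA, digest and version in PINS is a placeholder, not a real value.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^(\s*(?:-\s*)?uses:\s*)([\w.-]+/[\w./-]+)@(\S+)(.*)$")
IMAGE = re.compile(r"^(\s*(?:-\s*)?(?:container|image):\s*)(\S+)(.*)$")
PIP = re.compile(r"\bpipx?\s+install\s+(.*)$")


def _packages(args):
    """Package tokens of a single-line install; flags and a trailing
    backslash continuation are skipped.  Multi-line RUN blocks like the
    Dockerfile's are better served by a hashed requirements file."""
    return [t for t in args.split() if t != "\\" and not t.startswith("-")]


def find_unpinned(workflow):
    """Return (line_no, kind, ref) for every reference that can drift."""
    findings = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES.match(line)
        if m:
            if not SHA40.match(m.group(3)):
                findings.append((n, "action", f"{m.group(2)}@{m.group(3)}"))
            continue
        m = IMAGE.match(line)
        if m:
            if "@sha256:" not in m.group(2):
                findings.append((n, "image", m.group(2)))
            continue
        m = PIP.search(line)
        if m:
            for pkg in _packages(m.group(1)):
                if "==" not in pkg:
                    findings.append((n, "package", pkg))
    return findings


def pin(workflow, pins):
    """Rewrite the references listed in ``pins`` to their immutable form.

    Keys are the mutable ref as written ('actions/checkout@v6',
    'debian:trixie-slim', 'gersemi'); values are the 40-hex commit, the
    'sha256:<hex>' digest, or the exact version.  A pinned action keeps
    its tag as a trailing comment so the intent stays readable.  Refs
    without an entry are left untouched, so a partial map never half-pins
    a file, and re-running on pinned output is a no-op.
    """
    out = []
    for line in workflow.splitlines():
        m = USES.match(line)
        if m:
            key = f"{m.group(2)}@{m.group(3)}"
            if key in pins:
                line = f"{m.group(1)}{m.group(2)}@{pins[key]}  # {m.group(3)}"
            out.append(line)
            continue
        m = IMAGE.match(line)
        if m:
            if m.group(2) in pins:
                line = f"{m.group(1)}{m.group(2)}@{pins[m.group(2)]}{m.group(3)}"
            out.append(line)
            continue
        m = PIP.search(line)
        if m:
            tokens = [f"{t}=={pins[t]}" if t in pins else t
                      for t in m.group(1).split()]
            line = line[: m.start(1)] + " ".join(tokens)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample mirroring the lines flagged in the review.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    container: debian:trixie-slim
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: pipx install gersemi
      - uses: github/codeql-action/init@v4
"""

# Placeholder pins.  Real values: `git ls-remote <repo> refs/tags/v6^{}`
# for the peeled tag commit, `docker buildx imagetools inspect
# debian:trixie-slim` for the multi-arch index digest, and the release
# you actually tested for the package version.
PINS = {
    "actions/checkout@v6": "a" * 40,             # placeholder commit SHA
    "debian:trixie-slim": "sha256:" + "b" * 64,  # placeholder index digest
    "gersemi": "X.Y.Z",                          # placeholder exact version
}

if __name__ == "__main__":
    for n, kind, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: unpinned {kind} {ref}")
    print(pin(SAMPLE_WORKFLOW, PINS))
```

Run as a script it lists the four mutable references in the sample (the image, both actions and the `pipx` package) and prints the rewritten workflow; only the three references present in `PINS` change, `github/codeql-action/init@v4` is reported again on the output, and the tag survives as a `# v6` comment next to the SHA, which is what keeps a SHA-pinned workflow readable in review. Running the checker over the repository's `.github/workflows/*.yml` in CI turns the unpinned-uses policy into a failing job instead of a recurring review comment.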
3466cda to
d94d22b
Compare
Actionable comments posted: 5
♻️ Duplicate comments (9)
.github/workflows/yamllint.yml (2)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin yamllint job container image to an immutable digest.

Line 59 uses `debian:trixie-slim` (mutable). Use `debian:trixie-slim@sha256:...` for deterministic CI runs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/yamllint.yml at line 59, The yamllint job currently uses a mutable image reference "container: debian:trixie-slim"; replace it with an immutable digest by changing that line to use "debian:trixie-slim@sha256:<actual-digest>" (obtain the correct sha256 from the official image registry or Docker Hub) so the yamllint job uses a pinned, deterministic image; update the "container: debian:trixie-slim" entry in the yamllint job to the pinned digest form.
77-77: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin `actions/checkout` to a commit SHA.

Line 77 references mutable `actions/checkout@v6`; replace with an immutable SHA pin.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/yamllint.yml at line 77, Replace the mutable actions/checkout@v6 reference with an immutable commit SHA: locate the uses: actions/checkout@v6 entry in .github/workflows/yamllint.yml and change it to uses: actions/checkout@<COMMIT_SHA> where <COMMIT_SHA> is the full commit hash for the desired actions/checkout release (pinning the action to that SHA).

.github/workflows/validate-cff.yml (2)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin CFF validation container to a SHA256 digest.

Line 59 is a mutable image tag (`debian:trixie-slim`), which can drift and break reproducibility.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/validate-cff.yml at line 59, Replace the mutable image tag "container: debian:trixie-slim" with an image pinned to its SHA256 digest (e.g., debian@sha256:...) so the workflow uses an immutable, reproducible image; fetch the correct digest from the registry (pull the image or check the image's RepoDigest on Docker Hub/registry) and update the container field to the exact repo@sha256 value.
79-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin `actions/checkout` in this workflow.

Line 79 uses mutable `actions/checkout@v6`; replace with a full commit SHA.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/validate-cff.yml at line 79, The workflow uses an unpinned action reference "uses: actions/checkout@v6"; replace that mutable tag with the corresponding full commit SHA for actions/checkout (i.e., change "actions/checkout@v6" to "actions/checkout@<full-commit-sha>") so the job is pinned to a specific commit; update the line where "uses: actions/checkout@v6" appears and commit the new SHA string.

.github/workflows/sanitizer.yml (2)
87-87:⚠️ Potential issue | 🟠 Major | ⚡ Quick winPin
actions/checkoutto a commit SHA.Line 87, Line 141, and Line 194 still use mutable
actions/checkout@v6. Use immutable commit SHAs to reduce action supply-chain risk.🔒 Suggested patch
- uses: actions/checkout@v6 + uses: actions/checkout@<full_commit_sha_for_v6> with: persist-credentials: false
Also applies to: 141-141, 194-194
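Review bot: the `<full_commit_sha_for_v6>` placeholder on the `+ uses:` line has to be the commit the v6 tag actually resolves to, and the human-readable tag should survive as a trailing comment (`uses: actions/checkout@<full_commit_sha_for_v6> # v6`) so the pin stays auditable and dependency-update tooling can still recognise which release it corresponds to; the same applies to the two other occurrences listed under "Also applies to".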
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sanitizer.yml at line 87, Replace the mutable action reference "uses: actions/checkout@v6" with an immutable pinned commit SHA for actions/checkout in the workflow; locate each occurrence of the string "uses: actions/checkout@v6" (appearing in the three spots noted) and replace the tag with a specific commit SHA (e.g., "uses: actions/checkout@<COMMIT_SHA>") obtained from the actions/checkout repository release or commit history, verify the SHA is for the v6 release and update all three instances consistently, then run a quick workflow lint or dry-run to confirm syntax.

59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin sanitizer container images to immutable digests.
Line 59, Line 113, and Line 166 use mutable debian:trixie-slim, so runner environments can drift between executions. Pin to a multi-arch SHA256 digest for reproducible CI.
🔒 Suggested patch
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<multi_arch_digest> ... - container: debian:trixie-slim + container: debian:trixie-slim@sha256:<multi_arch_digest> ... - container: debian:trixie-slim + container: debian:trixie-slim@sha256:<multi_arch_digest>
Also applies to: 113-113, 166-166
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/sanitizer.yml at line 59, Replace mutable images by pinning the Debian image to an immutable multi-arch SHA256 digest: locate every occurrence of the YAML key "container: debian:trixie-slim" and replace it with the same image referenced by its official digest (e.g., "debian@sha256:<multi-arch-digest>") so CI is reproducible; update all occurrences that match that exact string (previously at three places) and verify the chosen digest is the official multi-arch Debian Trixie slim digest.

.github/workflows/valgrind.yml (2)

88-88: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin actions/checkout to an immutable SHA.
Line 88 uses actions/checkout@v6 (mutable tag). Pin to a full commit SHA to harden the workflow.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/valgrind.yml at line 88, The workflow currently uses the mutable tag "actions/checkout@v6"; replace that with a pinned immutable commit SHA by finding the "uses: actions/checkout@v6" entry in the workflow and replacing the tag with the full commit SHA for the desired actions/checkout release (e.g., "actions/checkout@<full-commit-sha>"), commit the updated workflow, and ensure CI still passes; this hardens the workflow against tag drift.

59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin Valgrind container image by digest.
Line 59 uses mutable debian:trixie-slim; this makes CI behavior non-deterministic over time. Pin to @sha256.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/valgrind.yml at line 59, Replace the mutable image reference "container: debian:trixie-slim" with a digest-pinned image (e.g. "debian:trixie-slim@sha256:<digest>") so the CI uses a fixed immutable image; locate the occurrence of container: debian:trixie-slim in the workflow and update it to the correct sha256 digest you obtain for the desired tag, then commit the updated workflow.

requirements.txt (1)

35-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin check-jsonschema to a patched version range.
check-jsonschema is still unpinned; pin it to a safe floor (for example, check-jsonschema>=0.30.0) to prevent vulnerable resolution paths.
What versions of check-jsonschema are affected by GHSA-q6mv-284r-mp36, and what is the first patched version?
Suggested change
-check-jsonschema +check-jsonschema>=0.30.0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@requirements.txt` at line 35, Update the unpinned dependency in requirements.txt by pinning check-jsonschema to a patched minimum version (e.g., change "check-jsonschema" to "check-jsonschema>=0.30.0") so resolution cannot select vulnerable releases; edit the requirements.txt entry for check-jsonschema to the chosen >= version and run your dependency install/lock step to validate the update.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/hadolint-matcher.json:
- Around line 7-12: The problem matcher currently uses capture group 4 for
severity ("severity": 4) which can be hadolint values like "info"/"style" that
GitHub only accepts as "warning" or "error"; update
.github/hadolint-matcher.json to normalize capture group 4 into GitHub values by
mapping "error" -> "error" and everything else (e.g., "info", "style",
"warning") -> "warning", by changing the matcher so the "severity" field is a
normalized literal ("warning" or "error") derived from regexp group 4 (adjust
the "regexp" and/or use an alternation/conditional in the pattern to set the
final severity value instead of directly using group 4).
In @.github/workflows/bazel.yml:
- Line 83: The workflow is using the tag-based action reference
"actions/cache@v5" which should be pinned to an immutable commit SHA; update
every occurrence of the uses: entry that references actions/cache@v5 (all
instances like the one shown) to use the corresponding full commit SHA (e.g.,
actions/cache@<commit-sha>) by finding each uses: actions/cache@v5 in the file
and replacing the tag with the canonical commit SHA from the actions/cache
repository, ensuring all 15 occurrences are updated consistently.
In @.github/workflows/coverage.yml:
- Around line 195-197: The step using deepsourcelabs/test-coverage-action@master
currently references secrets.DEEPSOURCE_DSN inside the step `if:` which
actionlint rejects; fix it by moving the secret into the step `env` (set
DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }}) and update the step `if:` to use
env.DEEPSOURCE_DSN (e.g. github.event_name == 'push' || env.DEEPSOURCE_DSN !=
'') and also change the action input `with.dsn` to reference env.DEEPSOURCE_DSN
instead of secrets.DEEPSOURCE_DSN so the conditional and inputs use the
environment variable.
In @.github/workflows/lizard.yml:
- Line 74: The CI step currently runs the unpinned command "pipx install lizard"
so the workflow will float to whatever PyPI publishes; change that command to
pin a concrete lizard release (e.g., "pipx install lizard==<desired-version>")
and update other references where lizard is declared (requirements.txt and
Dockerfile) to the same pinned version to ensure reproducible builds; replace
the unpinned "pipx install lizard" invocation and the unpinned entries in
requirements.txt/Dockerfile with the chosen version string.
In `@QUALITY_DECLARATION.md`:
- Around line 316-318: Update the reference in QUALITY_DECLARATION.md where it
mentions `.cppcheck.xml` (around the cppcheck bullet) to the actual filename
present in the repo `.cppcheck-suppressions.xml` so the docs reflect the
repository state; alternatively add the missing `.cppcheck.xml` file if the
intent was to reference a different config—make the change in the cppcheck
bullet text to use `.cppcheck-suppressions.xml` to resolve the mismatch.
---
Duplicate comments:
In @.github/workflows/sanitizer.yml:
- Line 87: Replace the mutable action reference "uses: actions/checkout@v6" with
an immutable pinned commit SHA for actions/checkout in the workflow; locate each
occurrence of the string "uses: actions/checkout@v6" (appearing in the three
spots noted) and replace the tag with a specific commit SHA (e.g., "uses:
actions/checkout@<COMMIT_SHA>") obtained from the actions/checkout repository
release or commit history, verify the SHA is for the v6 release and update all
three instances consistently, then run a quick workflow lint or dry-run to
confirm syntax.
- Line 59: Replace mutable images by pinning the Debian image to an immutable
multi-arch SHA256 digest: locate every occurrence of the YAML key "container:
debian:trixie-slim" and replace it with the same image referenced by its
official digest (e.g., "debian@sha256:<multi-arch-digest>") so CI is
reproducible; update all occurrences that match that exact string (previously at
three places) and verify the chosen digest is the official multi-arch Debian
Trixie slim digest.
In @.github/workflows/valgrind.yml:
- Line 88: The workflow currently uses the mutable tag "actions/checkout@v6";
replace that with a pinned immutable commit SHA by finding the "uses:
actions/checkout@v6" entry in the workflow and replacing the tag with the full
commit SHA for the desired actions/checkout release (e.g.,
"actions/checkout@<full-commit-sha>"), commit the updated workflow, and ensure
CI still passes; this hardens the workflow against tag drift.
- Line 59: Replace the mutable image reference "container: debian:trixie-slim"
with a digest-pinned image (e.g. "debian:trixie-slim@sha256:<digest>") so the CI
uses a fixed immutable image; locate the occurrence of container:
debian:trixie-slim in the workflow and update it to the correct sha256 digest
you obtain for the desired tag, then commit the updated workflow.
In @.github/workflows/validate-cff.yml:
- Line 59: Replace the mutable image tag "container: debian:trixie-slim" with an
image pinned to its SHA256 digest (e.g., debian@sha256:...) so the workflow uses
an immutable, reproducible image; fetch the correct digest from the registry
(pull the image or check the image's RepoDigest on Docker Hub/registry) and
update the container field to the exact repo@sha256 value.
- Line 79: The workflow uses an unpinned action reference "uses:
actions/checkout@v6"; replace that mutable tag with the corresponding full
commit SHA for actions/checkout (i.e., change "actions/checkout@v6" to
"actions/checkout@<full-commit-sha>") so the job is pinned to a specific commit;
update the line where "uses: actions/checkout@v6" appears and commit the new SHA
string.
In @.github/workflows/yamllint.yml:
- Line 59: The yamllint job currently uses a mutable image reference "container:
debian:trixie-slim"; replace it with an immutable digest by changing that line
to use "debian:trixie-slim@sha256:<actual-digest>" (obtain the correct sha256
from the official image registry or Docker Hub) so the yamllint job uses a
pinned, deterministic image; update the "container: debian:trixie-slim" entry in
the yamllint job to the pinned digest form.
- Line 77: Replace the mutable actions/checkout@v6 reference with an immutable
commit SHA: locate the uses: actions/checkout@v6 entry in
.github/workflows/yamllint.yml and change it to uses:
actions/checkout@<COMMIT_SHA> where <COMMIT_SHA> is the full commit hash for the
desired actions/checkout release (pinning the action to that SHA).
In `@requirements.txt`:
- Line 35: Update the unpinned dependency in requirements.txt by pinning
check-jsonschema to a patched minimum version (e.g., change "check-jsonschema"
to "check-jsonschema>=0.30.0") so resolution cannot select vulnerable releases;
edit the requirements.txt entry for check-jsonschema to the chosen >= version
and run your dependency install/lock step to validate the update.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7944a898-9067-4741-889c-3509f8ac1f39
📒 Files selected for processing (79)
- .bazelignore
- .buildifier.json
- .clang-tidy
- .cppcheck-suppressions.xml
- .deepsource.toml
- .devcontainer/devcontainer.json
- .dockerignore
- .gersemirc
- .gitattributes
- .github/actionlint-matcher.json
- .github/actionlint-matcher.json.license
- .github/buildifier-matcher.json
- .github/buildifier-matcher.json.license
- .github/clang-tidy-matcher.json
- .github/clang-tidy-matcher.json.license
- .github/codespell-matcher.json
- .github/codespell-matcher.json.license
- .github/cpplint-matcher.json
- .github/cpplint-matcher.json.license
- .github/detect-secrets-matcher.json
- .github/detect-secrets-matcher.json.license
- .github/hadolint-matcher.json
- .github/hadolint-matcher.json.license
- .github/lizard-matcher.json
- .github/lizard-matcher.json.license
- .github/markdownlint-matcher.json
- .github/markdownlint-matcher.json.license
- .github/workflows/actionlint.yml
- .github/workflows/bazel.yml
- .github/workflows/buildifier.yml
- .github/workflows/check-jsonschema.yml
- .github/workflows/clang-format.yml
- .github/workflows/clang-tidy.yml
- .github/workflows/cmake.yml
- .github/workflows/codeql.yml
- .github/workflows/codespell.yml
- .github/workflows/coverage.yml
- .github/workflows/cppcheck.yml
- .github/workflows/cpplint.yml
- .github/workflows/detect-secrets.yml
- .github/workflows/docker.yml
- .github/workflows/gersemi.yml
- .github/workflows/hadolint.yml
- .github/workflows/iwyu.yml
- .github/workflows/lizard.yml
- .github/workflows/markdownlint.yml
- .github/workflows/meson.yml
- .github/workflows/reuse.yml
- .github/workflows/sanitizer.yml
- .github/workflows/valgrind.yml
- .github/workflows/validate-cff.yml
- .github/workflows/yamllint.yml
- .gitignore
- .hadolint.yaml
- .iwyu_mappings.imp
- .pre-commit-config.yaml
- .secrets.baseline
- .secrets.baseline.license
- .vscode/extensions.json
- .vscode/settings.json
- .yamllint.yaml
- Brewfile
- CITATION.cff
- CMakeLists.txt
- CMakePresets.json
- Dockerfile
- QUALITY_DECLARATION.md
- README.md
- compose.yaml
- doc/CMakeLists.txt
- examples/Blocks.cc
- examples/CMakeLists.txt
- examples/Circle.cc
- examples/Roadmap.cc
- include-what-you-use.imp
- requirements.txt
- src/CMakeLists.txt
- src/Export.h
- src/KdTree.cc
💤 Files with no reviewable changes (2)
- include-what-you-use.imp
- src/KdTree.cc
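The review comments above repeatedly flag the same two patterns: a `uses:` reference that is a tag rather than a full commit SHA, and a `container:` image that carries a tag rather than a `@sha256:` digest. The checker below is an added example (not CodeRabbit's or the project's code) that scans workflow text for exactly those patterns; the function names, the `Finding` record and the sample workflow text are constructed for the example, and the pinned SHA and digest in the sample are placeholders, not real values.

```python
"""Report mutable action refs and container images in GitHub Actions workflows.

Added example, not part of the reviewed project. A `uses:` ref counts as pinned
only when its version part is a full 40-hex commit SHA; an image counts as
pinned only when it carries a sha256 digest. Local actions (`./path`) are
skipped because they are versioned with the repository itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Value stops at whitespace or '#', so a trailing "# v6" comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
# Matches both "container: image" and the mapping form "container:\n  image: ...".
CONTAINER_RE = re.compile(r"^\s*(?:container|image):\s*['\"]?([^'\"#\s]+)")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str  # "action" or "image"
    ref: str
    reason: str


def check_image_ref(image: str) -> Optional[str]:
    """Return why an image reference is mutable, or None if digest-pinned."""
    if DIGEST_RE.search(image):
        return None
    return "no sha256 digest"


def check_action_ref(ref: str) -> Optional[str]:
    """Return why an action reference is mutable, or None if SHA-pinned."""
    if ref.startswith("./"):
        return None  # local action, lives in the same repository
    if ref.startswith("docker://"):
        return check_image_ref(ref[len("docker://"):])
    if "@" not in ref:
        return "no version at all (resolves to the default branch)"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return None
    return f"tag or branch '{version}' instead of a commit SHA"


def scan_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and collect mutable references."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if m:
            reason = check_action_ref(m.group(1))
            if reason:
                findings.append(Finding(n, "action", m.group(1), reason))
            continue
        m = CONTAINER_RE.match(raw)
        if m:
            reason = check_image_ref(m.group(1))
            if reason:
                findings.append(Finding(n, "image", m.group(1), reason))
    return findings


# Constructed sample: placeholder SHA and digest, not real values.
PLACEHOLDER_SHA = "deadbeef" * 5
PLACEHOLDER_DIGEST = "0" * 64
SAMPLE_WORKFLOW = f"""\
jobs:
  lint:
    runs-on: ubuntu-latest
    container: debian:trixie-slim
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v6
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: fsfe/reuse-action
  pinned:
    container: debian:trixie-slim@sha256:{PLACEHOLDER_DIGEST}
  mapped:
    container:
      image: debian:trixie-slim
"""


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind} {f.ref}: {f.reason}")
```

Run it over `.github/workflows/*.yml` by feeding each file's text to `scan_workflow`; anything it reports is a reference the review asks to pin.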
a153da4 to
3c2778b
Compare
Actionable comments posted: 1
♻️ Duplicate comments (24)
.github/workflows/codespell.yml (1)
59-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the container image and checkout action to immutable digests/SHAs.
container: debian:trixie-slim and uses: actions/checkout@v6 are still mutable references. Please pin both to immutable values to reduce CI supply-chain risk.

#!/bin/bash
# Verify mutable references in workflow files
rg -n --type=yaml -C2 '^\s*container:\s+[^@]+:[^@ ]+\s*$|^\s*uses:\s*actions/checkout@v[0-9]+' .github/workflows

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codespell.yml around lines 59 - 79, The workflow uses mutable references: the container image "debian:trixie-slim" and the action reference "actions/checkout@v6"; update them to immutable digests by replacing the container image with its specific digest (e.g., debian@sha256:<digest>) and pinning the checkout action to a specific commit SHA (e.g., actions/checkout@<commit-sha>) so both references are immutable and reproducible.

.github/workflows/buildifier.yml (4)

59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the container image to an immutable digest.
Line 59 uses a mutable tag (debian:trixie-slim), which can drift and reduce reproducibility/security guarantees. Pin to debian@sha256:....
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/buildifier.yml at line 59, The workflow uses a mutable container tag at the container key (container: debian:trixie-slim); replace that with an immutable digest by pinning to the official Debian image digest (e.g., container: debian@sha256:<digest>) so the action runs against a fixed image; update the container field in .github/workflows/buildifier.yml accordingly and verify the chosen sha256 matches the desired trixie-slim variant before committing.

88-88: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Run buildifier in check mode to enforce formatting in CI.
Line 88 uses buildifier -r ., which can auto-rewrite instead of failing on drift. Use -mode=check -r . to make formatting violations fail the job.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/buildifier.yml at line 88, The CI job currently runs buildifier with auto-rewrite mode via the command "buildifier -r .", which will silently fix formatting instead of failing the build; update the workflow step that executes buildifier to use check mode by replacing the invocation with "buildifier -mode=check -r ." so formatting violations cause the job to fail (look for the run line that currently contains buildifier -r .).

80-80: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin actions/checkout by commit SHA.
Line 80 uses actions/checkout@v6 (mutable tag). Keep persist-credentials: false but pin the action to a full commit SHA.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/buildifier.yml at line 80, Replace the mutable tag "uses: actions/checkout@v6" with a pinned commit SHA for the actions/checkout action (e.g., "uses: actions/checkout@<full-commit-sha>"); keep the existing "persist-credentials: false" configuration intact. Locate the checkout step in the workflow where "uses: actions/checkout@v6" appears and update only the tag to the repository's full commit SHA to ensure immutability while preserving the current options.

73-75: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Avoid releases/latest for buildifier and verify artifact integrity.
Lines 73-75 download a mutable “latest” binary with no checksum/signature verification. Pin a specific version and verify checksum before install.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/buildifier.yml around lines 73 - 75, The workflow currently downloads buildifier from a mutable "releases/latest" URL without integrity checks; change it to pin a specific buildifier version and verify the downloaded artifact's checksum before making it executable. Replace the "buildifier" download URL with the exact release asset URL for the chosen version (e.g., the vX.Y.Z buildifier-linux-arm64 asset) and add a step that fetches the published checksum (or hardcodes the known sha256) and compares it (e.g., via sha256sum -c or an explicit comparison) after download and before chmod +x; ensure the failure path aborts the job if the checksum/signature does not match. Use the symbol "buildifier" to locate the existing wget/chmod steps to modify.

.github/workflows/validate-cff.yml (2)

59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the workflow container image by digest.
Line 59 uses a mutable image tag. Replace with debian@sha256:... to prevent image drift and improve reproducibility.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/validate-cff.yml at line 59, Replace the mutable image reference "container: debian:trixie-slim" with a pinned digest form "container: debian@sha256:<digest>" so the workflow uses an immutable image; locate the "container: debian:trixie-slim" line in .github/workflows/validate-cff.yml and update it with the correct sha256 digest for the debian trixie-slim image (obtain the digest from the official Debian image registry or docker manifest) to prevent image drift.

79-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin actions/checkout to a commit SHA.
Line 79 is tag-based (@v6). Use a full SHA pin; keep persist-credentials: false as already configured.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/validate-cff.yml at line 79, The workflow step using the checkout action is pinned to a tag ("uses: actions/checkout@v6"); replace that tag with the specific commit SHA for actions/checkout (i.e., change the uses value to the full repo commit SHA) while leaving the existing persist-credentials: false setting intact so credentials behavior is unchanged.

.github/workflows/actionlint.yml (1)

59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Use immutable refs for container and checkout action.
Line 59 (debian:trixie-slim) and Line 78 (actions/checkout@v6) are mutable references. Pin both to immutable digest/SHA for repeatable and safer CI execution.
Also applies to: 78-80
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/actionlint.yml at line 59, The workflow uses mutable refs: the container image "debian:trixie-slim" and the action reference "actions/checkout@v6"; replace both with immutable digests/SHA pins to ensure repeatable CI. For the container, switch "container: debian:trixie-slim" to the image's SHA digest (e.g., debian@sha256:...) and for the action, change "actions/checkout@v6" to the commit SHA form (actions/checkout@<full-commit-sha>) or use the action's released digest; update the two occurrences so the workflow always pulls the exact immutable artifact.

.github/workflows/iwyu.yml (1)

59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin workflow dependencies to immutable digests/SHAs.
Line 59 uses a mutable container tag (debian:trixie-slim), and Line 81 uses a floating action ref (actions/checkout@v6). Pin both to immutable references to avoid supply-chain drift between runs.
Suggested patch
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<image_digest> ... - - name: checkout - uses: actions/checkout@v6 + - name: checkout + uses: actions/checkout@<full_commit_sha> with: persist-credentials: false
Also applies to: 81-81
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/iwyu.yml at line 59, Replace the mutable container tag and floating action ref with immutable digests/SHAs: for the container entry identified by "container: debian:trixie-slim" replace the tag with the image's immutable digest (e.g., debian@sha256:...) fetched from the registry, and for the checkout action identified by "uses: actions/checkout@v6" pin it to the specific commit SHA (e.g., actions/checkout@<full-sha>) instead of the floating tag; ensure both occurrences are updated to their corresponding immutable references so the workflow uses exact artifacts.

.github/workflows/docker.yml (1)

69-75: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin GitHub Actions to immutable commit SHAs.
Lines 69, 73, and 75 still use floating refs (@v6/@v3). Pinning actions/checkout, docker/setup-buildx-action, and docker/build-push-action to full SHAs improves workflow integrity and reproducibility.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docker.yml around lines 69 - 75, Replace floating tags with immutable commit SHAs for the GitHub Actions used: change the actions/checkout@v6, docker/setup-buildx-action@v3, and docker/build-push-action@v6 references to their corresponding full commit SHAs (the specific SHAs for actions/checkout, docker/setup-buildx-action, and docker/build-push-action) so the workflow uses pinned versions; update the uses: entries for these three symbols to the full SHA refs and commit the updated workflow.

CMakePresets.json (1)

2-3: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Make "$schema" consistent with preset version.
"$schema" is declared while version is 6; keep v6 and remove "$schema", or bump to v8+ if you intentionally require schema metadata.
Suggested minimal fix (keep CMake 3.26 compatibility)
- "$schema": "https://raw.githubusercontent.com/Kitware/CMake/master/Help/manual/presets/schema.json", "version": 6,
According to the official CMake `cmake-presets(7)` documentation, from which preset schema version is the root `$schema` field supported?
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@CMakePresets.json` around lines 2 - 3, The preset declares "$schema" while "version" is 6; either remove the root "$schema" entry to keep compatibility with CMake presets version 6 (and thus CMake 3.26), or bump "version" to 8 (or higher) if you need schema metadata support—update the "version" value accordingly and ensure the "$schema" URL matches the chosen preset version; reference the "$schema" and "version" keys in CMakePresets.json when making the change.

.github/workflows/reuse.yml (1)

62-62: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin both actions to immutable commit SHAs.
uses: still references mutable major tags. Keep persist-credentials: false, but pin both actions to full commit SHAs.
Suggested patch
- - name: checkout - uses: actions/checkout@v6 + - name: checkout + uses: actions/checkout@<full_commit_sha> with: persist-credentials: false - name: reuse lint - uses: fsfe/reuse-action@v5 + uses: fsfe/reuse-action@<full_commit_sha>

#!/bin/bash
set -euo pipefail
resolve_tag() {
  local owner_repo="$1"
  local tag="$2"
  local sha
  sha="$(gh api "repos/${owner_repo}/git/ref/tags/${tag}" --jq '.object.sha')"
  local type
  type="$(gh api "repos/${owner_repo}/git/ref/tags/${tag}" --jq '.object.type')"
  if [ "$type" = "tag" ]; then
    sha="$(gh api "repos/${owner_repo}/git/tags/${sha}" --jq '.object.sha')"
  fi
  echo "${owner_repo}@${tag} -> ${sha}"
}
resolve_tag actions/checkout v6
resolve_tag fsfe/reuse-action v5

Also applies to: 66-66
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/reuse.yml at line 62, The workflow currently references mutable tags (actions/checkout@v6 and fsfe/reuse-action@v5); update both `uses:` entries to pin to their immutable full commit SHAs instead (replace the tag suffix with the resolved commit SHA for each action), while preserving the existing `persist-credentials: false` setting; locate the `uses:` lines for actions/checkout and fsfe/reuse-action in .github/workflows/reuse.yml and swap the tag references to the corresponding commit SHAs returned by the GitHub API.

.github/workflows/cppcheck.yml (1)

60-60: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin container image and all action refs to immutable digests/SHAs.
Mutable tags are still used for the container and action references; pin them to immutable values.
Suggested patch
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<image_digest> ... - uses: actions/checkout@v6 + uses: actions/checkout@<full_commit_sha> ... - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@<full_commit_sha> ... - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@<full_commit_sha>

#!/bin/bash
set -euo pipefail
resolve_tag() {
  local owner_repo="$1"
  local tag="$2"
  local sha
  sha="$(gh api "repos/${owner_repo}/git/ref/tags/${tag}" --jq '.object.sha')"
  local type
  type="$(gh api "repos/${owner_repo}/git/ref/tags/${tag}" --jq '.object.type')"
  if [ "$type" = "tag" ]; then
    sha="$(gh api "repos/${owner_repo}/git/tags/${sha}" --jq '.object.sha')"
  fi
  echo "${owner_repo}@${tag} -> ${sha}"
}
echo "debian:trixie-slim digests:"
curl -fsSL "https://registry.hub.docker.com/v2/repositories/library/debian/tags/trixie-slim" \
  | jq -r '.images[] | "\(.architecture)\t\(.digest)"'
resolve_tag actions/checkout v6
resolve_tag github/codeql-action v4
resolve_tag actions/upload-artifact v7

Also applies to: 83-83, 115-115, 120-120
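Review bot: the `+ container: debian:trixie-slim@sha256:<image_digest>` line should take the manifest-list digest, not one of the per-architecture digests the companion script prints from `.images[] | .digest`; a per-architecture digest pins the job to that single platform and fails on any other runner. The top-level `.digest` field of the same Docker Hub tags response (or `docker buildx imagetools inspect debian:trixie-slim`) gives the manifest-list value that resolves correctly on every architecture.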
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cppcheck.yml at line 60, The workflow currently uses mutable tags—replace the Docker image "debian:trixie-slim" and the action refs like "actions/checkout@v6", "github/codeql-action@v4", and "actions/upload-artifact@v7" with immutable digests/SHAs: look up the image digest for debian:trixie-slim and update container: to the digest form, and resolve each action ref to its Git commit SHA and pin the action references (e.g., actions/checkout@<commit-sha>) so the workflow uses immutable versions across the occurrences of those strings in the file.Dockerfile (2)
127-133:⚠️ Potential issue | 🟠 Major | ⚡ Quick winPin Python tooling versions for deterministic image builds.
Line 127 installs CLI tools without explicit versions, which makes image behavior drift over time. Pin exact versions (or use a constraints file).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Dockerfile` around lines 127 - 133, The Dockerfile currently runs pip install for the CLI tools (cffconvert, check-jsonschema, detect-secrets, lizard, pre-commit) without pinned versions; update the pip install invocation in that Dockerfile snippet to use explicit version pins (e.g., cffconvert==X.Y.Z) or reference a constraints file (pip install -c constraints.txt ...) and add a committed constraints.txt listing exact versions for those packages so image builds are deterministic; ensure the same pinned names appear where the tools are used (cffconvert, check-jsonschema, detect-secrets, lizard, pre-commit) and keep the sudoers change (echo "ubuntu ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu) intact.
115-117:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAvoid mutable hadolint download and verify artifact integrity.
Line 116 fetches from
releases/latestand installs without checksum verification. Pin a specific hadolint version and verify SHA256 before install.Also applies to: 121-121
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@Dockerfile` around lines 115 - 117, The Dockerfile currently downloads hadolint from "releases/latest" and writes straight to /usr/local/bin/hadolint without integrity checks; instead pin a specific hadolint version (replace "releases/latest" with a concrete tag) and add a SHA256 verification step: fetch the matching .sha256 (or .sha256sum) for that tag, verify the downloaded binary against the expected checksum (e.g., with sha256sum -c or by comparing computed sha256), and only then install to /usr/local/bin/hadolint and set executable mode; update both occurrences of the curl download (the hadolint URL and the similar line at the other occurrence) to use the pinned tag and the verification flow..github/workflows/lizard.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin the workflow image and checkout action.
Line 59 and Line 79 remain unpinned. Please use digest-pinned container image and commit-pinned `actions/checkout`.
Also applies to: 79-81
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lizard.yml at line 59, The workflow currently uses an unpinned container image and an unpinned checkout action; replace the bare container reference "container: debian:trixie-slim" with a digest-pinned image (e.g., debian:trixie-slim@sha256:...) and pin the checkout action by changing the "uses: actions/checkout@..." step to a commit SHA (e.g., actions/checkout@<commit-sha>) instead of a floating tag; update both occurrences mentioned (the container line with "container: debian:trixie-slim" and the checkout step(s) around the "uses: actions/checkout" lines) so the workflow is reproducible and secure.
.github/workflows/cpplint.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Use immutable pins for container image and checkout action.
Line 59 and Line 77 should be pinned (`@sha256` for image, full commit SHA for action) for deterministic and safer CI runs.
Also applies to: 77-79
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cpplint.yml at line 59, Replace the mutable image tag and action ref with immutable pins: update the "container: debian:trixie-slim" entry to use the official Debian image digest (e.g., append `@sha256`:<digest>) and change the actions/checkout usage (e.g., "uses: actions/checkout@v3") to the full commit SHA (full 40-char commit) for deterministic CI; locate and update the entries that match the strings "container: debian:trixie-slim" and "uses: actions/checkout@" accordingly.
.github/workflows/cmake.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
Apply immutable pinning across all CMake workflow jobs.
Container images (Lines 59, 111, 156, 204, 355, 403, 457) and checkout actions (Lines 82, 127, 175, 225, 257, 307, 374, 428, 482, 534, 587) are still mutable references. Pin images by digest and actions by full commit SHA.
Also applies to: 111-111, 156-156, 204-204, 355-355, 403-403, 457-457, 82-84, 127-129, 175-177, 225-227, 257-259, 307-309, 374-376, 428-430, 482-484, 534-536, 587-589
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cmake.yml at line 59, Replace all mutable container image tags and action short pins in .github/workflows/cmake.yml with immutable pins: change every "container: almalinux:10" (and other container: ... entries at the listed occurrences) to the image@sha256:<digest> form and replace every uses: actions/checkout@<ref> (and other uses: actions/checkout occurrences) with uses: actions/checkout@<full-commit-SHA>. Update the specific occurrences referenced in the review (all container entries and all actions/checkout uses shown) so every job uses digest-pinned images and commit-SHA-pinned checkout actions; obtain the correct image digests from the registry and the full commit SHAs from the action repository’s commits and substitute them in place of the mutable tags.
.github/workflows/clang-tidy.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin container and checkout to immutable references.
Line 59 uses a mutable image tag and Line 82 uses a floating action tag. Pin both to immutable digests/commit SHAs to avoid drift in CI behavior.
Also applies to: 82-84
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/clang-tidy.yml at line 59, Replace the mutable container image "container: debian:trixie-slim" with an immutable image digest (e.g., "debian@sha256:...") and pin the GitHub Action checkout usage (the floating actions/checkout tag around lines 82-84) to a specific commit SHA (e.g., actions/checkout@<commit-sha>) so CI behavior cannot drift; update the workflow to use those immutable digests/SHAs where "container: debian:trixie-slim" and the actions/checkout reference appear.
.github/workflows/coverage.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin containers and actions to immutable digests/SHAs.
Line 59 and Line 146 use mutable image tags, and Lines 89/136/161/167/189/198 use mutable action refs (including `@master`). This weakens reproducibility and supply-chain integrity.
Suggested pattern
- container: debian:trixie-slim + container: debian:trixie-slim@sha256:<image-digest> - uses: actions/checkout@v6 + uses: actions/checkout@<40-char-commit-sha> - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@<40-char-commit-sha> - uses: actions/download-artifact@v8 + uses: actions/download-artifact@<40-char-commit-sha> - uses: deepsourcelabs/test-coverage-action@master + uses: deepsourcelabs/test-coverage-action@<40-char-commit-sha>Also applies to: 89-89, 136-136, 146-146, 161-161, 167-167, 189-189, 198-198
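Review bot: the `container:` line of this pattern keeps the tag in front of the digest (`debian:trixie-slim@sha256:<image-digest>`), which is fine, but the digest filled in must be the multi-arch manifest-list digest and not one platform's image digest, otherwise the arm64 coverage job this PR adds cannot pull the image. For the `uses:` lines, leave the version as a trailing comment (`uses: actions/checkout@<40-char-commit-sha> # v6`) so the pin stays readable and automated dependency updates can still bump it.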
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/coverage.yml at line 59, The workflow uses mutable container tags and action refs (e.g., the container declaration "container: debian:trixie-slim" and multiple action references currently using branch tags like "`@master`"); update each to an immutable digest or commit SHA to improve reproducibility and supply-chain security by replacing "debian:trixie-slim" with the corresponding image digest (e.g., debian@sha256:...) and replacing action refs like "actions/checkout@master" or other mutable refs with the exact commit SHA (e.g., actions/checkout@<full-sha>); locate and update the occurrences referenced in the review (the container declaration and the action refs on the cited lines) and verify the workflow still runs by testing the workflow in a branch after making these substitutions.
.github/workflows/valgrind.yml (1)
59-59: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Use immutable refs for container image and checkout action.
Line 59 (`container`) and Line 88 (`actions/checkout`) are still mutable references. Please pin both to immutable digests/commit SHAs.
Also applies to: 88-88
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/valgrind.yml at line 59, Replace the mutable container image and checkout action with immutable references: change the container entry currently using "container: debian:trixie-slim" to a digest-pinned image (e.g., debian@sha256:...) and update the "uses: actions/checkout" step to reference a specific commit SHA (uses: actions/checkout@<commit-sha>) instead of a floating tag; ensure both replacements use verified immutable digests/SHAs and update any related comments to reflect the pinned values.
.github/workflows/bazel.yml (3)
59-59: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
Pin all container images to digests.
These job containers are tag-based and mutable. Please replace each with `image@sha256:<digest>` to prevent drift and improve provenance.
Also applies to: 103-103, 139-139, 182-182, 318-318, 361-361, 407-407
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/bazel.yml at line 59, Replace mutable tag-based container image references like the string "container: almalinux:10" with an immutable digest form "almalinux@sha256:<digest>" throughout the workflow; locate the job container fields (e.g., the container key that currently holds "almalinux:10") and update them to use image@sha256 digests, and do the same for the other container entries mentioned in the review (the additional container occurrences referenced) so every container line is pinned to a specific sha256 digest.
79-79: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
Pin all GitHub Actions to commit SHAs.
`actions/checkout@v6` and `actions/cache@v5` are used via mutable tags across the workflow. Pin each `uses:` to a full 40-character commit SHA.
Also applies to: 83-83, 116-116, 120-120, 158-158, 162-162, 202-202, 206-206, 229-229, 233-233, 252-252, 275-275, 279-279, 298-298, 337-337, 341-341, 383-383, 387-387, 429-429, 433-433, 456-456, 476-476, 480-480, 503-503, 525-525, 529-529
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/bazel.yml at line 79, The workflow currently uses mutable tags like actions/checkout@v6 and actions/cache@v5 which should be pinned to explicit 40-character commit SHAs; update every uses: entry that references actions/checkout and actions/cache (and any other third-party action lines listed) to use the corresponding full commit SHA instead of the tag (e.g., replace "actions/checkout@v6" and "actions/cache@v5" with "actions/checkout@<full-commit-sha>" and "actions/cache@<full-commit-sha>") to ensure immutability across the workflow; find these occurrences by searching for the literal strings actions/checkout and actions/cache in the workflow and substitute each tag with the correct 40-char SHA from the action repositories.
73-75: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift
Avoid `releases/latest` downloads; pin Bazelisk versions and verify checksums.
These steps fetch executable artifacts from mutable URLs and execute/install them without integrity verification. Pin explicit release versions and validate SHA256 before `chmod`/`dpkg -i`.
Suggested hardening pattern
- wget -qO /usr/local/bin/bazelisk \ - https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 + BAZELISK_VERSION=vX.Y.Z + wget -qO /usr/local/bin/bazelisk \ + "https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64" + echo "<expected_sha256> /usr/local/bin/bazelisk" | sha256sum -c -Also applies to: 152-154, 196-198, 331-333, 376-378, 422-424
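Review bot: the pattern still writes the unverified download straight to `/usr/local/bin/bazelisk` and only then runs `sha256sum -c`, so on a mismatch the step fails but the bad binary is already sitting at its install path. Download to a `mktemp` path, verify there, and `install -m 0755` into `/usr/local/bin` only when the check passes. Since the bazel workflow also has an arm64 Ubuntu job, `<expected_sha256>` and the asset name (`bazelisk-linux-amd64`) have to be selected per architecture rather than hard-coded once; the same applies to the `dpkg -i` blocks listed under "Also applies to".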
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/bazel.yml around lines 73 - 75, The workflow currently downloads Bazelisk from a mutable releases/latest URL and blindly sets it executable (wget to /usr/local/bin/bazelisk and chmod +x /usr/local/bin/bazelisk), which is unsafe; update those steps to pin an explicit Bazelisk release tag (not releases/latest), fetch the corresponding checksum file (or embed the known SHA256), verify the downloaded binary's SHA256 before proceeding, and only run chmod/install (or dpkg -i) if the checksum matches; apply the same change pattern to all similar blocks that download binaries (the wget/chmod and dpkg -i sequences for bazelisk/bazel artifacts) so each download is version-pinned and integrity-checked.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.yamllint.yaml:
- Line 42: Replace the global disable of the yamllint "line-length" rule with a
relaxed configuration: change the entry "line-length: disable" to something like
"line-length: {max: 120, allow-non-breakable-words: true}" (or max: 100 if you
prefer) so the rule is enforced with a higher threshold and permits long
unbreakable tokens; update the "line-length" setting accordingly rather than
fully disabling it.
---
Duplicate comments:
In @.github/workflows/actionlint.yml:
- Line 59: The workflow uses mutable refs: the container image
"debian:trixie-slim" and the action reference "actions/checkout@v6"; replace
both with immutable digests/SHA pins to ensure repeatable CI. For the container,
switch "container: debian:trixie-slim" to the image's SHA digest (e.g.,
debian@sha256:...) and for the action, change "actions/checkout@v6" to the
commit SHA form (actions/checkout@<full-commit-sha>) or use the action's
released digest; update the two occurrences so the workflow always pulls the
exact immutable artifact.
In @.github/workflows/buildifier.yml:
- Line 59: The workflow uses a mutable container tag at the container key
(container: debian:trixie-slim); replace that with an immutable digest by
pinning to the official Debian image digest (e.g., container:
debian@sha256:<digest>) so the action runs against a fixed image; update the
container field in .github/workflows/buildifier.yml accordingly and verify the
chosen sha256 matches the desired trixie-slim variant before committing.
- Line 88: The CI job currently runs buildifier with auto-rewrite mode via the
command "buildifier -r .", which will silently fix formatting instead of failing
the build; update the workflow step that executes buildifier to use check mode
by replacing the invocation with "buildifier -mode=check -r ." so formatting
violations cause the job to fail (look for the run line that currently contains
buildifier -r .).
- Line 80: Replace the mutable tag "uses: actions/checkout@v6" with a pinned
commit SHA for the actions/checkout action (e.g., "uses:
actions/checkout@<full-commit-sha>"); keep the existing "persist-credentials:
false" configuration intact. Locate the checkout step in the workflow where
"uses: actions/checkout@v6" appears and update only the tag to the repository's
full commit SHA to ensure immutability while preserving the current options.
- Around line 73-75: The workflow currently downloads buildifier from a mutable
"releases/latest" URL without integrity checks; change it to pin a specific
buildifier version and verify the downloaded artifact's checksum before making
it executable. Replace the "buildifier" download URL with the exact release
asset URL for the chosen version (e.g., the vX.Y.Z buildifier-linux-arm64 asset)
and add a step that fetches the published checksum (or hardcodes the known
sha256) and compares it (e.g., via sha256sum -c or an explicit comparison) after
download and before chmod +x; ensure the failure path aborts the job if the
checksum/signature does not match. Use the symbol "buildifier" to locate the
existing wget/chmod steps to modify.
In @.github/workflows/codespell.yml:
- Around line 59-79: The workflow uses mutable references: the container image
"debian:trixie-slim" and the action reference "actions/checkout@v6"; update them
to immutable digests by replacing the container image with its specific digest
(e.g., debian@sha256:<digest>) and pinning the checkout action to a specific
commit SHA (e.g., actions/checkout@<commit-sha>) so both references are
immutable and reproducible.
In @.github/workflows/cppcheck.yml:
- Line 60: The workflow currently uses mutable tags—replace the Docker image
"debian:trixie-slim" and the action refs like "actions/checkout@v6",
"github/codeql-action@v4", and "actions/upload-artifact@v7" with immutable
digests/SHAs: look up the image digest for debian:trixie-slim and update
container: to the digest form, and resolve each action ref to its Git commit SHA
and pin the action references (e.g., actions/checkout@<commit-sha>) so the
workflow uses immutable versions across the occurrences of those strings in the
file.
In @.github/workflows/docker.yml:
- Around line 69-75: Replace floating tags with immutable commit SHAs for the
GitHub Actions used: change the actions/checkout@v6,
docker/setup-buildx-action@v3, and docker/build-push-action@v6 references to
their corresponding full commit SHAs (the specific SHAs for actions/checkout,
docker/setup-buildx-action, and docker/build-push-action) so the workflow uses
pinned versions; update the uses: entries for these three symbols to the full
SHA refs and commit the updated workflow.
In @.github/workflows/iwyu.yml:
- Line 59: Replace the mutable container tag and floating action ref with
immutable digests/SHAs: for the container entry identified by "container:
debian:trixie-slim" replace the tag with the image's immutable digest (e.g.,
debian@sha256:...) fetched from the registry, and for the checkout action
identified by "uses: actions/checkout@v6" pin it to the specific commit SHA
(e.g., actions/checkout@<full-sha>) instead of the floating tag; ensure both
occurrences are updated to their corresponding immutable references so the
workflow uses exact artifacts.
In @.github/workflows/reuse.yml:
- Line 62: The workflow currently references mutable tags (actions/checkout@v6
and fsfe/reuse-action@v5); update both `uses:` entries to pin to their immutable
full commit SHAs instead (replace the tag suffix with the resolved commit SHA
for each action), while preserving the existing `persist-credentials: false`
setting; locate the `uses:` lines for actions/checkout and fsfe/reuse-action in
.github/workflows/reuse.yml and swap the tag references to the corresponding
commit SHAs returned by the GitHub API.
In @.github/workflows/validate-cff.yml:
- Line 59: Replace the mutable image reference "container: debian:trixie-slim"
with a pinned digest form "container: debian@sha256:<digest>" so the workflow
uses an immutable image; locate the "container: debian:trixie-slim" line in
.github/workflows/validate-cff.yml and update it with the correct sha256 digest
for the debian trixie-slim image (obtain the digest from the official Debian
image registry or docker manifest) to prevent image drift.
- Line 79: The workflow step using the checkout action is pinned to a tag
("uses: actions/checkout@v6"); replace that tag with the specific commit SHA for
actions/checkout (i.e., change the uses value to the full repo commit SHA) while
leaving the existing persist-credentials: false setting intact so credentials
behavior is unchanged.
In `@CMakePresets.json`:
- Around line 2-3: The preset declares "$schema" while "version" is 6; either
remove the root "$schema" entry to keep compatibility with CMake presets version
6 (and thus CMake 3.26), or bump "version" to 8 (or higher) if you need schema
metadata support—update the "version" value accordingly and ensure the "$schema"
URL matches the chosen preset version; reference the "$schema" and "version"
keys in CMakePresets.json when making the change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: bdc2d5f1-1488-4fbd-bbba-b94c509c3431
📒 Files selected for processing (79)
- .bazelignore
- .buildifier.json
- .clang-tidy
- .cppcheck-suppressions.xml
- .deepsource.toml
- .devcontainer/devcontainer.json
- .dockerignore
- .gersemirc
- .gitattributes
- .github/actionlint-matcher.json
- .github/actionlint-matcher.json.license
- .github/buildifier-matcher.json
- .github/buildifier-matcher.json.license
- .github/clang-tidy-matcher.json
- .github/clang-tidy-matcher.json.license
- .github/codespell-matcher.json
- .github/codespell-matcher.json.license
- .github/cpplint-matcher.json
- .github/cpplint-matcher.json.license
- .github/detect-secrets-matcher.json
- .github/detect-secrets-matcher.json.license
- .github/hadolint-matcher.json
- .github/hadolint-matcher.json.license
- .github/lizard-matcher.json
- .github/lizard-matcher.json.license
- .github/markdownlint-matcher.json
- .github/markdownlint-matcher.json.license
- .github/workflows/actionlint.yml
- .github/workflows/bazel.yml
- .github/workflows/buildifier.yml
- .github/workflows/check-jsonschema.yml
- .github/workflows/clang-format.yml
- .github/workflows/clang-tidy.yml
- .github/workflows/cmake.yml
- .github/workflows/codeql.yml
- .github/workflows/codespell.yml
- .github/workflows/coverage.yml
- .github/workflows/cppcheck.yml
- .github/workflows/cpplint.yml
- .github/workflows/detect-secrets.yml
- .github/workflows/docker.yml
- .github/workflows/gersemi.yml
- .github/workflows/hadolint.yml
- .github/workflows/iwyu.yml
- .github/workflows/lizard.yml
- .github/workflows/markdownlint.yml
- .github/workflows/meson.yml
- .github/workflows/reuse.yml
- .github/workflows/sanitizer.yml
- .github/workflows/valgrind.yml
- .github/workflows/validate-cff.yml
- .github/workflows/yamllint.yml
- .gitignore
- .hadolint.yaml
- .iwyu_mappings.imp
- .pre-commit-config.yaml
- .secrets.baseline
- .secrets.baseline.license
- .vscode/extensions.json
- .vscode/settings.json
- .yamllint.yaml
- Brewfile
- CITATION.cff
- CMakeLists.txt
- CMakePresets.json
- Dockerfile
- QUALITY_DECLARATION.md
- README.md
- compose.yaml
- doc/CMakeLists.txt
- examples/Blocks.cc
- examples/CMakeLists.txt
- examples/Circle.cc
- examples/Roadmap.cc
- include-what-you-use.imp
- requirements.txt
- src/CMakeLists.txt
- src/Export.h
- src/KdTree.cc
💤 Files with no reviewable changes (3)
- include-what-you-use.imp
- src/KdTree.cc
- README.md
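The two hardening patterns the review above keeps raising, immutable `uses:`/container pins and checksum-verified downloads, as an added POSIX-sh example. This is not code from the PR or from the review bot; the workflow lines it audits, the 40-hex placeholder SHA, the `pin-check.sh` file name and the sample file it verifies are all constructed for the demo, and `fetch_and_install` assumes `curl` is available on the runner.

```shell
#!/bin/sh
# Added example, not part of the PR or of the review above. Two helpers for
# the hardening the review asks for:
#   report_mutable_refs  - audit a workflow for `uses:` refs that are not a
#                          40-hex commit SHA and container images with no
#                          @sha256: digest (the "mutable references" findings).
#   install_verified     - copy a downloaded binary into place only after its
#                          SHA-256 matches a pinned value, so a bad download
#                          never lands in PATH (the releases/latest findings).
set -eu

# Strip a trailing "# comment", quotes and whitespace from a YAML scalar.
clean_ref() {
    ref=${1%%#*}
    printf '%s' "$ref" | tr -d '[:space:]"'"'"
}

# Read a workflow on stdin; print one "<line-no>:<kind>:<ref>" per mutable
# reference. Returns 1 if any were found, 0 if everything is pinned.
report_mutable_refs() {
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *uses:*)
                ref=$(clean_ref "${line#*uses:}")
                # Local actions and docker:// refs are out of scope here.
                case "$ref" in ./*|docker://*) continue ;; esac
                if ! printf '%s' "${ref#*@}" | grep -Eq '^[0-9a-f]{40}$'; then
                    printf '%s:uses:%s\n' "$n" "$ref"
                    found=1
                fi ;;
            *container:*|*image:*)
                ref=$(clean_ref "${line#*:}")
                case "$ref" in
                    ""|*@sha256:*) ;;   # mapping form, or already digest-pinned
                    *) printf '%s:image:%s\n' "$n" "$ref"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Hex SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Installs SRC at DEST (mode 0755) only if its digest equals EXPECTED_SHA256;
# on mismatch DEST is left untouched and 1 is returned.
install_verified() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'checksum mismatch for %s: got %s, want %s\n' "$1" "$actual" "$2" >&2
        return 1
    fi
    install -m 0755 "$1" "$3"
}

# fetch_and_install URL EXPECTED_SHA256 DEST
# CI wrapper: URL must name a specific release tag (never releases/latest),
# and the digest must be the one published for that exact asset/architecture.
# The download goes to a temp file, so DEST is only touched on success.
fetch_and_install() {
    tmp=$(mktemp)
    curl -fsSL -o "$tmp" "$1"
    if install_verified "$tmp" "$2" "$3"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Offline demo on a constructed workflow snippet (placeholder SHA, not a real
# commit). Run with:  sh pin-check.sh --demo
demo() {
    printf '%s\n' \
        'container: debian:trixie-slim' \
        '  uses: actions/checkout@v6' \
        '  uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6' \
        | report_mutable_refs || echo "mutable references found"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

`report_mutable_refs < .github/workflows/bazel.yml` prints every unpinned `uses:` or image line with its line number and exits non-zero, so it can run as a pre-commit hook or a CI step; the demo above reports lines 1 and 2 and accepts line 3. `fetch_and_install "<pinned release asset URL>" "<published sha256>" /usr/local/bin/bazelisk` is the replacement for the `wget ... releases/latest ... && chmod +x` sequences: the file only reaches `/usr/local/bin` after the digest check passes.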
811ea85 to
88f1924
Compare
- Rename .github/workflows/ci.yml to cmake.yml (CMake jobs only)
- Add .github/workflows/bazel.yml with all Bazel jobs: AlmaLinux, Alpine Linux (musl, --config=alpine), Arch Linux, Fedora, openSUSE, Ubuntu (amd64 and arm64), macOS (arm64 and x86_64), and Windows (amd64 and arm64)
- Add individual workflow files: actionlint, buildifier, check-jsonschema, clang-format, clang-tidy, codespell, coverage, cppcheck, cpplint, detect-secrets, docker, gersemi, hadolint, iwyu, lizard, markdownlint, meson-format, reuse, sanitizer, valgrind, validate-cff, and yamllint
- Add amd64 and arm64 matrix jobs (ubuntu-latest / ubuntu-24.04-arm) to coverage, docker, sanitizer, and valgrind workflows; restrict DeepSource upload to amd64 and scope Docker GHA cache by arch
- Fix line length violations (> 80 chars) in examples/Roadmap.cc (cpplint)
- Fix missing closing quote in codespell.yml add-matcher echo command
- Replace unsupported glob cmake-build-*/ in .bazelignore with explicit directory entries (Bazel rejects wildcard paths)
- Update QUALITY_DECLARATION.md to reflect new CI structure, per-workflow platform coverage, and amd64/arm64 matrix in dynamic analysis workflows

Signed-off-by: Jamie Snape <snape@me.com>