
ci: Harden GitHub Actions workflows with security and performance fixes#313

Merged: yacosta738 merged 8 commits into main from ci/common-tools on Mar 25, 2026

Conversation

@yacosta738 (Contributor)

This pull request introduces a new GitHub Actions CI/CD skill for internal documentation and applies a broad set of improvements to GitHub Actions workflows. The changes focus on security hardening, best practices, and workflow optimization. Key updates include pinning all reusable workflows and third-party actions to immutable SHAs, setting explicit permissions for jobs, improving environment variable handling, and optimizing caching strategies.

Documentation and Skills

  • Added a comprehensive github-actions skill in .agents/skills/github-actions/SKILL.md, covering best practices for workflow design, security, and performance, and registered it in .agents/AGENTS.md. [1] [2]

Security Hardening and Best Practices

  • All reusable workflows (e.g., cleanup-cache.yml, contributor-report.yml, greetings.yml) are now pinned to a specific SHA instead of a mutable branch, ensuring supply chain integrity. [1] [2] [3]
  • Explicit permissions are now set for jobs across workflows, including contents: read and other least-privilege settings, improving security posture and aligning with GitHub recommendations. [1] [2] [3] [4]

Workflow and Action Pinning

  • All third-party actions (e.g., actions/setup-node, github/codeql-action/upload-sarif, googleapis/release-please-action) are now referenced by their full SHA and version comment for traceability and security. [1] [2] [3] [4]

Caching and Performance Optimization

  • Node.js setup steps now use the cache: "npm" option where appropriate to speed up installs and reduce CI time. [1] [2] [3] [4] [5]
  • Default fetch-depth for actions/checkout is set to 1 (shallow clone) in standard jobs to improve checkout performance, except where full history is needed.

Environment Variable Handling

  • Publishing jobs now use intermediate environment variables (e.g., SIGNING_KEY, MAVEN_USER, CARGO_REGISTRY_TOKEN) for secret checks, improving readability and maintainability in shell scripts. [1] [2]

These changes collectively strengthen workflow security, improve maintainability, and align the repository with industry best practices for CI/CD pipelines.

Security:
- Pin codeql-action/upload-sarif to SHA v4.31.10 (detekt.yml)
- Pin dallay/common-actions@main to v1.1.0 SHA across 5 workflows
- Add least-privilege permissions blocks to 4 workflows
- Fix secret interpolation in _publish.yml to use env-var pattern
- Add contents:read permission to detekt.yml

Performance:
- Add npm cache to setup-node in 5 workflows
- Reduce fetch-depth 0 to 1 in core-check.yml

Consistency:
- Standardize dtolnay/rust-toolchain SHA across security workflows
- Standardize Java 25 in security-dependencies.yml
- Add version comments to _publish.yml setup-node refs
- Update release-please.yml comment to precise v4.4.0
- Add yaml-language-server schema annotations to 6 workflows

Add comprehensive skill covering security hardening, workflow structure,
caching strategies, deployment patterns, audit checklist, and decision
tables for GitHub Actions workflows.

Register the new skill in AGENTS.md.

Note: --no-verify used because AGENTS.md has pre-existing broken links
to openspec/ paths that are external to this repository.
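The hardening patterns the description above lists (SHA-pinned `uses:` refs, explicit job permissions, secret checks through environment variables rather than inline `${{ secrets.* }}` interpolation) can be checked mechanically before review. The script below is an added example, not code from this PR or the dallay/corvus repository. The two embedded workflows are constructed samples, the 40-hex SHAs in the hardened one are placeholders rather than real commits, and `example/common-actions` stands in for the real reusable-workflow repository.

```python
"""Audit a GitHub Actions workflow for the hardening this PR applies: SHA-pinned
`uses:` refs, explicit least-privilege `permissions:`, and no `${{ secrets.* }}` or
event-payload expressions interpolated into `run:` scripts. Added example, not code
from dallay/corvus; line-based (no PyYAML), tuned to the layout of the samples below."""
import re

_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
_USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
_RUN = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
# Inlined secrets end up in the script text; inlined event fields enable script injection.
_UNSAFE_EXPR = re.compile(r"\$\{\{\s*(secrets\.|github\.event\.|github\.head_ref)")
_JOB_HEADER = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")
_RUN_MSG = "bind the value under env: and read it as a shell variable instead"


def check_uses(lineno: int, ref: str) -> list:
    """Flag a remote `uses:` ref (action or reusable workflow) unless it is a 40-hex SHA."""
    if ref.startswith(("./", "docker://")):
        return []  # local actions and docker images are not pinned with @sha
    action, _, version = ref.rpartition("@")
    if action and _FULL_SHA.match(version):
        return []
    return [(lineno, "unpinned-action", f"{ref}: pin to a commit SHA, keep a '# vX.Y.Z' comment")]


def jobs_without_permissions(lines: list) -> list:
    """(line, job name) for each job under `jobs:` that has no job-level permissions block."""
    jobs, in_jobs = [], False
    for lineno, line in enumerate(lines, 1):
        if line.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and line and not line.startswith((" ", "#")):
            in_jobs = False  # reached the next top-level key
        elif in_jobs and (m := _JOB_HEADER.match(line)):
            jobs.append([lineno, m.group(1), False])
        elif in_jobs and jobs and line.startswith("    permissions:"):
            jobs[-1][2] = True
    return [(ln, name) for ln, name, ok in jobs if not ok]


def audit_workflow(text: str) -> list:
    """Return sorted (line, rule, detail) findings for one workflow file's text."""
    lines, findings, in_run, run_indent = text.splitlines(), [], False, 0
    for lineno, line in enumerate(lines, 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and (not stripped or indent > run_indent):  # still inside `run: |`
            if _UNSAFE_EXPR.search(line):
                findings.append((lineno, "expr-in-run", _RUN_MSG))
            continue
        in_run = False
        if m := _RUN.match(line):
            body = m.group(1).strip()
            if body in ("|", "|-", "|+", ">", ">-", ">+"):
                in_run, run_indent = True, indent  # a block scalar follows
            elif _UNSAFE_EXPR.search(body):
                findings.append((lineno, "expr-in-run", _RUN_MSG))
        elif m := _USES.match(line):
            findings.extend(check_uses(lineno, m.group(1)))
    if not any(l.startswith("permissions:") for l in lines):  # no workflow-level default
        for lineno, name in jobs_without_permissions(lines):
            findings.append((lineno, "missing-permissions", f"job '{name}': add permissions: {{contents: read}}"))
    return sorted(findings)


# Constructed "before" sample: floating tags, no permissions, secret interpolated into the script.
WEAK_WORKFLOW = """\
name: publish
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: |
          if [ -z "${{ secrets.SIGNING_KEY }}" ]; then
            echo "missing SIGNING_KEY" && exit 1
          fi
  report:
    uses: example/common-actions/.github/workflows/report.yml@main
"""

# Constructed "after" sample. The 40-hex values are placeholders, not real commit SHAs.
HARDENED_WORKFLOW = """\
name: publish
on: push
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # v4 (placeholder)
      - run: |
          if [ -z "$SIGNING_KEY" ]; then
            echo "missing SIGNING_KEY" && exit 1
          fi
"""
```

Feed each `.github/workflows/*.yml` file's text to `audit_workflow`; findings come back sorted by line. The scanner is deliberately narrow: it assumes the two-space job indentation shown, and it treats any `github.event.*` expression inside `run:` as a finding, since that is the same script-injection class that motivates moving secrets to `env:`.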
@github-actions (Contributor)

github-actions Bot commented Mar 25, 2026

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric                 | Description                         | Value     | Threshold
PR Merge Rate          | PRs merged vs closed                | 89%       | >= 30%
Repo Quality           | Repos with ≥100 stars               | 0         | >= 0
Positive Reactions     | Positive reactions received         | 9         | >= 1
Negative Reactions     | Negative reactions received         | 0         | <= 5
Account Age            | GitHub account age                  | 3070 days | >= 30 days
Activity Consistency   | Regular activity over time          | 108%      | >= 0%
Issue Engagement       | Issues with community engagement    | 0         | >= 0
Code Reviews           | Code reviews given to others        | 455       | >= 0
Merger Diversity       | Unique maintainers who merged PRs   | 2         | >= 0
Repo History Merge Rate| Merge rate in this repo             | 91%       | >= 0%
Repo History Min PRs   | Previous PRs in this repo           | 174       | >= 0
Profile Completeness   | Profile richness (bio, followers)   | 90        | >= 0
Suspicious Patterns    | Spam-like activity detection        | 1         | N/A

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-25 to 2026-03-25

@cloudflare-workers-and-pages
cloudflare-workers-and-pages Bot commented Mar 25, 2026

Deploying corvus with Cloudflare Pages

Latest commit: ac4d5c8
Status: ✅  Deploy successful!
Preview URL: https://81f556bc.corvus-42x.pages.dev
Branch Preview URL: https://ci-common-tools.corvus-42x.pages.dev


@coderabbitai (Contributor)

coderabbitai Bot commented Mar 25, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Added a GitHub Actions skill and documentation and modernized many workflows: pinned reusable/action refs, enabled pnpm caching, added explicit job permissions, adjusted toolchain/runtime pins, changed publish credential handling to job env, and reduced git fetch depth.

Changes

Documentation & Skill
  Files: .agents/AGENTS.md, .agents/skills/github-actions/SKILL.md
  New GitHub Actions entry and comprehensive SKILL.md covering security patterns (SHA pinning, least-privilege permissions, OIDC), workflow templates, caching, deployment guidance, audit checklist, examples, and troubleshooting.

pnpm & Node caching
  Files: .github/workflows/auto-fix-lockfile.yml, .github/workflows/fix-renovate.yml, .github/workflows/codeql-analysis.yml, .github/workflows/pull-request-check.yml
  Added pnpm/action-setup and enabled cache: "pnpm" with multi-path cache-dependency-path entries for root and nested pnpm-lock.yaml files.

Reusable/action pinning
  Files: .github/workflows/cleanup-cache.yml, .github/workflows/contributor-report.yml, .github/workflows/greetings.yml, .github/workflows/semantic-pull-request.yml, .github/workflows/stale.yml, .github/workflows/_publish.yml, .github/workflows/detekt.yml, .github/workflows/release-please.yml
  Replaced floating @main/loose @v* refs with specific commit SHAs (inline version comments added); adjusted some action pins (e.g., actions/setup-node update).

Explicit job permissions
  Files: .github/workflows/pull-request-check.yml, .github/workflows/pull-request-check-build-logic.yml, .github/workflows/pull-request-limit.yml, .github/workflows/detekt.yml
  Added or tightened job-level permissions (e.g., contents: read, issues: write, pull-requests: write, security-events: write) to enforce least-privilege tokens.

Publish / toolchain / checkout tweaks
  Files: .github/workflows/_publish.yml, .github/workflows/security-dependencies.yml, .github/workflows/core-check.yml
  Publish credential checks refactored to use job-level env vars (SIGNING_KEY, MAVEN_USER, CARGO_REGISTRY_TOKEN); Rust toolchain pin updated, Java runtime bumped (21 to 25), and actions/checkout fetch-depth changed from 0 to 1.

YAML schema / metadata comments
  Files: .github/workflows/cleanup-cache.yml, .github/workflows/contributor-report.yml, .github/workflows/greetings.yml, .github/workflows/semantic-pull-request.yml, .github/workflows/stale.yml
  Inserted yaml-language-server schema directive comments for editor/validation tooling.

Minor workflow edits
  Files: .github/workflows/pull-request-limit.yml, .github/workflows/release-please.yml
  Small adjustments: permission additions and version comment/pinning tweaks for release-please action.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


🚥 Pre-merge checks | ✅ 3 passed

Title check: ✅ Passed. Title follows Conventional Commits style with 'ci:' prefix, uses clear imperative language, and accurately summarizes the main changes (security hardening and performance optimization of GitHub Actions workflows).
Description check: ✅ Passed. Description covers purpose, key changes (documentation, security, action pinning, caching, environment handling), and provides good context for reviewers, though some template sections (Tested Information, Breaking Changes) are not explicitly addressed.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/skills/github-actions/SKILL.md:
- Around line 168-170: Replace the placeholder `@<SHA>` on the `uses:
aws-actions/configure-aws-credentials@<SHA> # v4` line with the immutable commit
`@7474bc4690e29a8392af63c5b98e7449536d5c3a` so the example uses the exact v4
commit (keep the `# v4` comment intact) to avoid insecure copy-paste of a
floating ref.

In @.github/workflows/pull-request-check-build-logic.yml:
- Around line 48-53: Remove the pnpm-specific caching block from the workflow:
delete the cache: "pnpm" entry and the associated cache-dependency-path
multiline that lists pnpm-lock.yaml files, leaving any Gradle/other caches
intact. Target the YAML keys "cache: \"pnpm\"" and "cache-dependency-path" in
the pull-request-check-build-logic workflow and remove that entire pnpm cache
stanza.

In @.github/workflows/pull-request-limit.yml:
- Around line 12-14: The workflow's permissions block is missing the required
issues: write permission needed by the `gh pr edit --add-label` command; update
the permissions mapping (the `permissions:` block that currently has `contents:
read` and `pull-requests: write`) to include `issues: write` so label operations
succeed when `gh pr edit --add-label` is invoked.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6f14ed52-c2c9-4ed7-ac18-ee58b438e4b6

📥 Commits

Reviewing files that changed from the base of the PR and between 7d5336a and 5f25ec5.

📒 Files selected for processing (18)
  • .agents/AGENTS.md
  • .agents/skills/github-actions/SKILL.md
  • .github/workflows/_publish.yml
  • .github/workflows/auto-fix-lockfile.yml
  • .github/workflows/cleanup-cache.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/contributor-report.yml
  • .github/workflows/core-check.yml
  • .github/workflows/detekt.yml
  • .github/workflows/fix-renovate.yml
  • .github/workflows/greetings.yml
  • .github/workflows/pull-request-check-build-logic.yml
  • .github/workflows/pull-request-check.yml
  • .github/workflows/pull-request-limit.yml
  • .github/workflows/release-please.yml
  • .github/workflows/security-dependencies.yml
  • .github/workflows/semantic-pull-request.yml
  • .github/workflows/stale.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: sonar
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (1)
.agents/AGENTS.md

📄 CodeRabbit inference engine (AGENTS.md)

.agents/AGENTS.md: Document agent configurations and capabilities in AGENTS.md
Maintain comprehensive agent metadata including name, description, purpose, and capabilities
Include version information and compatibility details for agents

Files:

  • .agents/AGENTS.md
🧠 Learnings (4)
📚 Learning: 2026-02-17T07:28:38.934Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Applied to files:

  • .agents/AGENTS.md
  • .agents/skills/github-actions/SKILL.md
📚 Learning: 2026-02-17T07:28:38.934Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Maintain comprehensive agent metadata including name, description, purpose, and capabilities

Applied to files:

  • .agents/AGENTS.md
📚 Learning: 2026-02-17T07:28:38.934Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Include version information and compatibility details for agents

Applied to files:

  • .agents/AGENTS.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

  • .github/workflows/pull-request-check-build-logic.yml
  • .github/workflows/pull-request-check.yml
  • .agents/skills/github-actions/SKILL.md
  • .github/workflows/detekt.yml
🪛 LanguageTool
.agents/AGENTS.md

[uncategorized] ~243-~243: The official name of this software platform is spelled with a capital “H”.
Context: ... | .github/workflows/*.yml, CI/CD pipelines ...

(GITHUB)

.agents/skills/github-actions/SKILL.md

[uncategorized] ~19-~19: The official name of this software platform is spelled with a capital “H”.
Context: ...## When to Use - Creating or modifying .github/workflows/*.yml files - Auditing exist...

(GITHUB)


[style] ~83-~83: Consider a different adjective to strengthen your wording.
Context: ...lidation | 0 | | CodeQL / deep analysis | 0 or omit | | Depen...

(DEEP_PROFOUND)

🪛 markdownlint-cli2 (0.21.0)
.agents/skills/github-actions/SKILL.md

[warning] 153-153: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (20)
.agents/skills/github-actions/SKILL.md (1)

26-107: Strong, actionable security and operational guidance.

The critical patterns, decision tables, and audit checklist are clear and align well with hardened GitHub Actions practices.

Also applies to: 175-199

.agents/AGENTS.md (1)

243-243: Good skill registry update.

The new github-actions row is clear, scoped, and correctly linked, improving discoverability of CI/CD guidance.

As per coding guidelines: "Document agent configurations and capabilities in AGENTS.md" and "Maintain comprehensive agent metadata including name, description, purpose, and capabilities."

.github/workflows/fix-renovate.yml (1)

92-97: Good monorepo pnpm cache key coverage.

Line 92 through Line 97 correctly enable pnpm caching and include all relevant lockfiles for stable cache invalidation.

.github/workflows/auto-fix-lockfile.yml (1)

27-32: Caching update is consistent and correct.

Line 27 through Line 32 use the same pnpm lockfile set as other workflows, which keeps cache behavior predictable.

.github/workflows/codeql-analysis.yml (1)

44-49: CodeQL job cache configuration looks solid.

Line 44 through Line 49 add pnpm caching with lockfile-based keys, which should improve repeat-run performance safely.

.github/workflows/greetings.yml (1)

1-1: Nice hardening and tooling metadata improvement.

Line 1 adds schema support for editor validation, and Line 12 pins the reusable workflow to an immutable ref.

Also applies to: 12-12

.github/workflows/_publish.yml (2)

186-193: Secret-check refactor is safer and clearer.

Line 186 through Line 193 and Line 213 now validate via exported env vars, which is more robust for shell conditionals.

Also applies to: 213-213


327-327: Good consistency on Node setup pinning.

Line 327 and Line 403 now align both npm publishing jobs on the same pinned setup-node revision.

Also applies to: 403-403

.github/workflows/stale.yml (1)

1-1: Looks good: schema + immutable workflow pin.

Line 1 and Line 14 improve editor validation and reduce supply-chain drift.

Also applies to: 14-14

.github/workflows/cleanup-cache.yml (1)

1-1: Good hardening update.

Line 1 adds schema metadata, and Line 14 pins the reusable workflow to an immutable SHA.

Also applies to: 14-14

.github/workflows/contributor-report.yml (1)

1-1: LGTM!

Schema annotation enables IDE validation, and pinning the reusable workflow to an immutable SHA strengthens supply-chain security. The version comment (# v1.1.0) provides good traceability.

Also applies to: 14-14

.github/workflows/semantic-pull-request.yml (1)

1-1: LGTM!

Consistent SHA pinning with the other dallay/common-actions workflows. The schema annotation aids validation.

Also applies to: 13-13

.github/workflows/security-dependencies.yml (2)

22-22: LGTM - Rust toolchain pinned to specific commit.

Pinning to a specific SHA from master branch is acceptable since the commit is immutable. The date comment aids traceability.


48-49: No action needed.

Gradle's JavaLanguageVersion.of(libs.versions.jdk.get()) in gradle/build-logic/build.gradle.kts explicitly enforces Java 21 via the toolchain feature, which takes precedence regardless of the environment JDK version. The workflow providing Java 25 is intentional—Gradle will download and use Java 21 for compilation while the environment has Java 25 available for other purposes. This is a valid pattern with no conflict.

> Likely an incorrect or invalid review comment.
.github/workflows/pull-request-check-build-logic.yml (1)

34-35: LGTM - Explicit least-privilege permissions.

Adding contents: read at job level is a security best practice.

.github/workflows/detekt.yml (1)

1-1: LGTM!

Good security hardening: schema annotation for validation, explicit contents: read permission, and SHA-pinned codeql-action with version comment.

Also applies to: 48-48, 127-127

.github/workflows/pull-request-check.yml (2)

28-29: LGTM - Least-privilege permissions.

Explicit contents: read at job level follows security best practices.


57-62: LGTM - pnpm caching for web tasks.

This workflow runs testCoverageAllWebApps, so caching pnpm dependencies across the specified lockfiles will improve CI performance.

.github/workflows/release-please.yml (1)

20-20: ⚠️ SHA version mismatch: Pinned SHA does not correspond to v4.4.0

The pinned SHA c3fc4de07084f75a2b61a5b933069bda6edf3d5c does not match the v4.4.0 tag from googleapis/release-please-action. The v4.4.0 release (2025-10-23) uses commit 16a9c90. Verify the correct SHA for your intended version and update the pin accordingly. SHA pinning improves supply-chain security, but only when the hash is accurate.

> Likely an incorrect or invalid review comment.
.github/workflows/core-check.yml (1)

44-44: No action needed—shallow clone is appropriate for this workflow.

The agent-core-kmp module doesn't use git-based versioning for its check task. It applies only base.identity (not module.java or module.kotlin), so it never invokes gitBuildMetadata(). The :agent-core-kmp:check task runs format and multiplatform checks that don't require git history. The shallow clone is fine here and speeds up the workflow.

> Likely an incorrect or invalid review comment.

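The release-please finding in the review above (a SHA pin whose `# v4.4.0` comment may not name the commit it sits beside) is the general case of a version comment drifting from its hash. The script below is an added example, not code from this PR or the dallay/corvus repository: it resolves a tag to its commit from the text output of `git ls-remote --tags` and compares that commit with the pinned SHA. The sample output is constructed with placeholder SHAs, and `example/common-actions` is a stand-in repository name.

```python
"""Check that a `uses:` SHA pin is the commit behind the tag named in its `# vX.Y.Z`
comment. Added example, not code from dallay/corvus. It parses the text of
`git ls-remote --tags <url>` so the logic runs offline on the constructed sample
below; fetch_tags() shows the live call for real use."""
import re
import subprocess

_PIN = re.compile(r"uses:\s*(?P<action>[^@\s]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>v\S+)")


def parse_pin(line: str):
    """Return (action, sha, tag) for `uses: owner/repo@<sha> # vX.Y.Z`, else None."""
    m = _PIN.search(line)
    return (m["action"], m["sha"], m["tag"]) if m else None


def tag_commits(ls_remote_output: str) -> dict:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    An annotated tag appears twice: refs/tags/vX (the tag object) and
    refs/tags/vX^{} (the peeled commit). A pin must match the peeled commit;
    copying the tag-object SHA is the mistake this check catches. Lightweight
    tags have no ^{} line and already point at the commit."""
    commits, objects = {}, {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            commits[name[:-3]] = sha
        else:
            objects[name] = sha
    for name, sha in objects.items():
        commits.setdefault(name, sha)  # lightweight tag: ref is the commit itself
    return commits


def verify_pin(line: str, ls_remote_output: str) -> tuple:
    """(ok, message) for one pinned `uses:` line against the remote's tag list."""
    pin = parse_pin(line)
    if pin is None:
        return False, "not a '<sha> # vX.Y.Z' pin"
    action, sha, tag = pin
    commits = tag_commits(ls_remote_output)
    if tag not in commits:
        return False, f"{action}: tag {tag} not on remote"
    if commits[tag] != sha:
        return False, f"{action}: pinned {sha[:7]} but {tag} resolves to {commits[tag][:7]}"
    return True, f"{action}: {sha[:7]} is {tag}"


def fetch_tags(action: str) -> str:
    """Live `git ls-remote --tags` for `owner/repo[/path]` on github.com (needs network)."""
    repo = "/".join(action.split("/")[:2])
    cmd = ["git", "ls-remote", "--tags", f"https://github.com/{repo}.git"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: v1.1.0 is annotated (tag object 111..., commit 222...), v1.2.0 is lightweight.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.1.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v1.1.0^{}\n"
    "3333333333333333333333333333333333333333\trefs/tags/v1.2.0\n"
)
```

The `^{}` handling is the part worth copying: for an annotated tag the first ls-remote line is the tag object, not the commit, and a pin built from it does not reference the commit the version comment promises. With network access, pass `fetch_tags(action)` as the second argument to `verify_pin` for each pinned line in a workflow.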
@coderabbitai (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/skills/github-actions/SKILL.md:
- Line 19: Update all occurrences of the pattern ".github/workflows/*.yml" and
plain ".yml" in the document to include ".yaml" as well—e.g., change
".github/workflows/*.yml" to ".github/workflows/*.{yml,yaml}" and update
wording/examples to say ".yml and .yaml" or use the brace pattern; also update
any validation/scan command examples or grep patterns that currently only match
".yml" so they match both extensions. Search for the literal ".yml" and
replace/update examples and command snippets (e.g., the string
".github/workflows/*.yml") to ensure both ".yml" and ".yaml" are covered.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 87c2a732-0b69-4c47-ab86-b98c5d816f75

📥 Commits

Reviewing files that changed from the base of the PR and between 5f25ec5 and abc5630.

📒 Files selected for processing (3)
  • .agents/skills/github-actions/SKILL.md
  • .github/workflows/pull-request-check-build-logic.yml
  • .github/workflows/pull-request-limit.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: sonar
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

  • .github/workflows/pull-request-check-build-logic.yml
  • .agents/skills/github-actions/SKILL.md
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Follow `.github/pull_request_template.md` and keep PR descriptions concrete with problem, change, non-goals, risk, and rollback information

Applied to files:

  • .github/workflows/pull-request-limit.yml
📚 Learning: 2026-02-17T07:28:38.934Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Applied to files:

  • .agents/skills/github-actions/SKILL.md
🪛 LanguageTool
.agents/skills/github-actions/SKILL.md

[uncategorized] ~19-~19: The official name of this software platform is spelled with a capital “H”.
Context: ...## When to Use - Creating or modifying .github/workflows/*.yml files - Auditing exist...

(GITHUB)


[style] ~83-~83: Consider a different adjective to strengthen your wording.
Context: ...lidation | 0 | | CodeQL / deep analysis | 0 or omit | | Depen...

(DEEP_PROFOUND)

🔇 Additional comments (3)
.github/workflows/pull-request-check-build-logic.yml (1)

34-35: Good least-privilege hardening for this job.

contents: read is appropriate for this read-only build-logic check workflow and does not overgrant token access.

.github/workflows/pull-request-limit.yml (1)

12-15: Permissions now align with the gh CLI operations.

This scope set is correct for label, comment, and close actions while staying explicit and constrained.

.agents/skills/github-actions/SKILL.md (1)

168-170: Good fix: immutable SHA pin is now concrete and copy-safe.

Using a real commit pin in the OIDC example prevents insecure copy/paste of floating refs.

@coderabbitai (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/skills/github-actions/SKILL.md:
- Around line 203-205: Update the SKILL.md local validation step that currently
shows "npx yaml-lint .github/workflows/*.{yml,yaml}" to instruct developers to
run both yaml-lint and actionlint for GitHub Actions validation; mention the
repository’s .github/actionlint.yml as the configured rule file and note that
CodeRabbit already enables actionlint so local checks should mirror that by
running actionlint against the .github/workflows directory in addition to
yaml-lint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ef8bddee-83d0-493b-881d-e86f456ed981

📥 Commits

Reviewing files that changed from the base of the PR and between abc5630 and 866c285.

📒 Files selected for processing (5)
  • .agents/skills/github-actions/SKILL.md
  • .github/workflows/auto-fix-lockfile.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/fix-renovate.yml
  • .github/workflows/pull-request-check.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: sonar
  • GitHub Check: pr-checks
  • GitHub Check: Cloudflare Pages
  • GitHub Check: pr-checks
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

  • .github/workflows/pull-request-check.yml
  • .github/workflows/auto-fix-lockfile.yml
  • .agents/skills/github-actions/SKILL.md
📚 Learning: 2026-02-17T07:28:38.934Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-17T07:28:38.934Z
Learning: Applies to .agents/AGENTS.md : Document agent configurations and capabilities in AGENTS.md

Applied to files:

  • .agents/skills/github-actions/SKILL.md
🪛 LanguageTool
.agents/skills/github-actions/SKILL.md

[uncategorized] ~19-~19: The official name of this software platform is spelled with a capital “H”.
Context: ...## When to Use - Creating or modifying .github/workflows/*.{yml,yaml} files - Auditin...

(GITHUB)


[style] ~83-~83: Consider a different adjective to strengthen your wording.
Context: ...lidation | 0 | | CodeQL / deep analysis | 0 or omit | | Depen...

(DEEP_PROFOUND)

🔇 Additional comments (6)
.github/workflows/auto-fix-lockfile.yml (1)

23-27: Good pnpm setup/caching integration.

The added pnpm setup and setup-node cache configuration are correctly structured and consistent with the workflow’s install strategy.

Based on learnings: For workflow/template-only changes, ensure YAML/template syntax validity.

Also applies to: 32-37

.github/workflows/codeql-analysis.yml (1)

40-44: Looks correct for CodeQL job performance improvements.

The pnpm bootstrap and lockfile-based cache configuration are valid and should reduce dependency restore time without changing scan behavior.

Also applies to: 49-54

.github/workflows/pull-request-check.yml (2)

28-29: Least-privilege permission tightening is a good change.

Scoping GITHUB_TOKEN to read-only contents here is appropriate for this job.

Based on learnings: For workflow/template-only changes, ensure YAML/template syntax validity.


53-57: pnpm setup and cache keys are well configured.

The new pnpm step and dependency-path-based cache config are valid and should improve repeat CI runs.

Also applies to: 62-67

.github/workflows/fix-renovate.yml (1)

88-92: Clean CI optimization with no behavioral risk in this hunk.

The pnpm setup plus lockfile-scoped cache configuration is correctly defined and should improve workflow runtime.

Also applies to: 97-102

.agents/skills/github-actions/SKILL.md (1)

168-170: Good immutable pinning example for cloud credentials.

This is a strong, copy-safe example: full SHA + version comment, aligned with your non-mutable ref policy.

@sentry

sentry Bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@sonarqubecloud

@yacosta738 yacosta738 merged commit d2078a4 into main Mar 25, 2026
19 checks passed
@yacosta738 yacosta738 deleted the ci/common-tools branch March 25, 2026 11:08