Conversation
Update .beads/.gitignore with new Dolt server runtime file patterns and updated structure for v0.59.0. Add Dolt database patterns to root .gitignore.
Add Zizmor GitHub Action security scanning
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughAdds backup data under Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment Tip You can enable review details to help with troubleshooting, context usage and more.Enable the |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.gitignore (1)
49-51: Scope these new database ignores to the repo root.
*.dbwill also hide any future fixture or example databases anywhere in the tree. If these rules are only forbd initartefacts at the top level, anchor them with/instead.Suggested diff
# Dolt database files (added by bd init) -.dolt/ -*.db +/.dolt/ +/*.db🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.gitignore around lines 49 - 51, Anchor the new ignore patterns to the repository root by replacing the unscoped rules ".dolt/" and "*.db" with root-anchored patterns (e.g., "/.dolt/" and "/.db") so only top-level bd init artefacts are ignored; update the .gitignore entry that currently contains ".dolt/" and "*.db" to use leading slashes to avoid hiding fixture/example databases in subdirectories.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.beads/.gitignore:
- Around line 37-38: The .beads/.gitignore entry "backup/" conflicts with
tracked files added in this PR; remove the churn by either untracking the backup
files or moving canonical data out of the ignored path: run git rm --cached on
the tracked .beads/backup/*.jsonl and .beads/backup/backup_state.json (or
otherwise remove them from the index) so the ignore takes effect, or relocate
the canonical seed files to a non-ignored directory and update any references;
ensure the .beads/.gitignore continues to contain "backup/" if you intend to
keep runtime exports untracked.
In @.github/workflows/zizmor.yml:
- Around line 9-20: The workflow-level permissions block is empty so
GITHUB_TOKEN lacks repo access; add a contents: read permission so the
actions/checkout step can access the repository. Update the permissions object
(either the top-level permissions or the zizmor job permissions) to include
"contents: read" alongside existing "security-events: write" so the Checkout
repository step (uses: actions/checkout@...) succeeds while keeping
persist-credentials: false.
---
Nitpick comments:
In @.gitignore:
- Around line 49-51: Anchor the new ignore patterns to the repository root by
replacing the unscoped rules ".dolt/" and "*.db" with root-anchored patterns
(e.g., "/.dolt/" and "/.db") so only top-level bd init artefacts are ignored;
update the .gitignore entry that currently contains ".dolt/" and "*.db" to use
leading slashes to avoid hiding fixture/example databases in subdirectories.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f5069768-d25f-4511-99bf-bddd0823fb6d
📒 Files selected for processing (10)
.beads/.gitignore.beads/backup/backup_state.json.beads/backup/comments.jsonl.beads/backup/config.jsonl.beads/backup/dependencies.jsonl.beads/backup/events.jsonl.beads/backup/issues.jsonl.beads/backup/labels.jsonl.github/workflows/zizmor.yml.gitignore
| # Backup data (auto-exported JSONL, local-only) | ||
| backup/ |
There was a problem hiding this comment.
backup/ being ignored conflicts with the tracked files added in this PR.
Git ignore rules do not apply to files already in the index, so the new .beads/backup/*.jsonl and backup_state.json files will still churn on every local export. Either untrack this directory or move any canonical seed data to a non-backup path before merging.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.beads/.gitignore around lines 37 - 38, The .beads/.gitignore entry
"backup/" conflicts with tracked files added in this PR; remove the churn by
either untracking the backup files or moving canonical data out of the ignored
path: run git rm --cached on the tracked .beads/backup/*.jsonl and
.beads/backup/backup_state.json (or otherwise remove them from the index) so the
ignore takes effect, or relocate the canonical seed files to a non-ignored
directory and update any references; ensure the .beads/.gitignore continues to
contain "backup/" if you intend to keep runtime exports untracked.
| permissions: {} | ||
|
|
||
| jobs: | ||
| zizmor: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
For actions/checkout, what GITHUB_TOKENpermissions are required when a workflow setspermissions: {} globally and the job checks out the current repository?
💡 Result:
When you set permissions: {} at the workflow level, all GITHUB_TOKEN permissions become none unless explicitly granted [2]. To let actions/checkout check out the current repository, the job needs:
permissions:
contents: readThis is the recommended (and effectively required) minimum for actions/checkout when using GITHUB_TOKEN authentication [1].
Sources: [1] [2]
Add contents: read permission for actions/checkout.
With permissions: {} set at the workflow level, the GITHUB_TOKEN receives no permissions unless explicitly granted. The job currently grants only security-events: write, but actions/checkout requires contents: read to access the repository. Without this permission, the workflow will fail at the checkout step before the zizmor scan executes.
Suggested fix
jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
+ contents: read
security-events: write🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/zizmor.yml around lines 9 - 20, The workflow-level
permissions block is empty so GITHUB_TOKEN lacks repo access; add a contents:
read permission so the actions/checkout step can access the repository. Update
the permissions object (either the top-level permissions or the zizmor job
permissions) to include "contents: read" alongside existing "security-events:
write" so the Checkout repository step (uses: actions/checkout@...) succeeds
while keeping persist-credentials: false.
Ran zizmor v1.23.1 against all workflow files and resolved all high-priority findings (reduced from 30 high to 0 high): - Pin all action references to commit SHAs to prevent supply-chain attacks: - actions/checkout@de0fac2e (v6.0.2) - actions/cache@cdf6c1fa (v5) - actions/upload-artifact@bbbca2dd (v7) - erlef/setup-beam@ee09b1e5 (v1) - philss/rustler-precompiled-action@853ac56 (v1.1.4) - Add persist-credentials: false to all checkout steps (artipacked) - Remove overly broad pull-requests: write from workflow-level permissions - Fix template injection in all-checks-pass job by passing needs results via env vars rather than inline ${{ }} expressions - Move Turso secrets from job-level env to step-level env to reduce exposure surface (secrets-outside-env) - Replace dtolnay/rust-toolchain action with direct rustup script calls as recommended (superfluous-actions) - Replace softprops/action-gh-release action with gh release CLI call Remaining findings: 4 medium secrets-outside-env warnings for Turso secrets, which require configuring a GitHub Deployment Environment in repo settings. https://claude.ai/code/session_01EUdjWCLtSWQYY5j4yc8Qb5
…-TYtjO security: apply zizmor GitHub Actions security improvements
Define project tool versions (Erlang 27.0, Elixir 1.18.0-otp-27) via mise version manager, replacing reliance on the erlef/setup-beam GitHub Action which triggers Node.js 20 deprecation warnings.
- Replace erlef/setup-beam GitHub Action with mise version manager installed via curl (pure shell, no third-party JS action). This eliminates the Node.js 20 deprecation warning that setup-beam triggers. - Remove `environment: test` from turso-remote-tests job to fix "Branch refs/pull/N/merge is not allowed to deploy to test" error. The job's if-condition already restricts it to PRs targeting main. - Add zizmor inline suppressions for secrets-outside-env warnings. - Add explicit mix local.hex/rebar setup (previously handled by setup-beam automatically).
2 participants
Summary by CodeRabbit
New Features
Chores