Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 24 additions & 24 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Derive version string
id: bin_version
run: echo "bin_version=$(./.version.sh)" >> "$GITHUB_OUTPUT"
Expand Down Expand Up @@ -96,16 +96,16 @@ jobs:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4.2.2
uses: actions/checkout@v6
- name: Run MegaLinter
uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8.8.0
uses: oxsecurity/megalinter@8fbdead70d1409964ab3d5afa885e18ee85388bb # v9.4.0
env:
# See https://megalinter.io/configuration and .mega-linter.yml
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLY_FIXES_MODE: commit
- name: Archive MegaLinter artifacts
if: ( !env.ACT && ( success() || failure() ) )
uses: actions/upload-artifact@v4.6.2
uses: actions/upload-artifact@v7
with:
name: MegaLinter artifacts
path: |
Expand All @@ -122,38 +122,38 @@ jobs:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6

- name: Login to GHCR
if: needs.meta.outputs.is_pull_request != 'true'
uses: docker/login-action@v3
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Docker Hub
if: needs.meta.outputs.is_pull_request != 'true'
uses: docker/login-action@v3
uses: docker/login-action@v4
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the latest version of docker/setup-qemu-action and what breaking changes exist between v3 and v4?

💡 Result:

The latest version of docker/setup-qemu-action is v4.0.0, released on 2026-03-04. Breaking changes between v3 (latest v3.7.0) and v4: - Node.js runtime changed from 20 to 24 (requires GitHub Actions runner v2.327.1+) - Switched to ESM (ECMAScript Modules) - Updated @actions/core to ^3.0.0 (major version bump, potential API changes but action updated successfully) - Updated @docker/actions-toolkit to ^0.77.0 - Other dependency updates and internal tooling changes (eslint, vitest, etc.) No explicit migration guide found; changes are primarily internal with no documented user-facing API alterations. Usage remains the same: uses: docker/setup-qemu-action@v4. Ensure runner supports Node 24.

Citations:


docker/setup-qemu-action@v4.0.0 requires GitHub Actions runners with Node.js 24 support.

The upgrade to v4.0.0 changes the Node.js runtime from 20 to 24, requiring GitHub Actions runner v2.327.1 or later. Verify that your runner configuration meets this requirement, or pin to v3.7.0 if upgrading the runner is not feasible.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 143, The workflow currently uses
docker/setup-qemu-action@v4 which requires GitHub Actions runners with Node.js
24 (runner v2.327.1+); either update your runner to v2.327.1 or newer to satisfy
docker/setup-qemu-action@v4's Node 24 requirement, or pin the action to
docker/setup-qemu-action@v3.7.0 in the workflow to retain Node 20 compatibility.

with:
platforms: all

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of docker/setup-buildx-action and what breaking changes exist between v3 and v4?

💡 Result:

The latest version of docker/setup-buildx-action is v4.0.0, released on 2026-03-05. Breaking changes between v3 (v3.12.0) and v4.0.0: - Node.js runtime upgraded to Node 24 (requires GitHub Actions Runner v2.327.1+). - Removed deprecated inputs: config, config-inline (use buildkitd-config and buildkitd-config-inline instead), and install (use BUILDX_BUILDER env var or direct docker buildx commands). - Removed deprecated outputs: flags (use nodes output instead). - Internal changes: Switched to ESM, updated dependencies like @actions/core to 3.0.0 and @docker/actions-toolkit to 0.79.0, updated testing framework. No further releases after v4.0.0 as of 2026-04-27 (repo last push 2026-04-24, but latest tagged release is v4.0.0).

Citations:


Review the breaking changes between v3 and v4 to ensure workflow compatibility.

The update to docker/setup-buildx-action@v4.0.0 introduces significant breaking changes:

  • Node.js runtime upgrade to Node 24 (requires GitHub Actions Runner v2.327.1 or later)
  • Removed deprecated inputs: config, config-inline, install (use buildkitd-config, buildkitd-config-inline, and BUILDX_BUILDER env var instead)
  • Removed deprecated outputs: flags (use nodes output instead)

Verify that the workflow does not rely on these removed inputs/outputs and that the GitHub Actions runner version meets the new requirements.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 149, Update the workflow to accommodate
docker/setup-buildx-action@v4 by auditing any usage of the action reference
docker/setup-buildx-action@v4 and replacing removed inputs/outputs: change any
uses of inputs config -> buildkitd-config, config-inline ->
buildkitd-config-inline, and install -> set BUILDX_BUILDER via env; replace any
reads of output flags with the nodes output; and ensure the GitHub Actions
runner specified for this job meets v2.327.1 or later (or remove pins that would
run older runners) so Node 24 runtime requirements are satisfied.


- name: Available platforms
run: echo ${{ steps.buildx.outputs.platforms }}

- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@v6
with:
images: |
${{ needs.meta.outputs.dockerhub_owner }}/${{ needs.meta.outputs.bin_name }}
Expand All @@ -166,7 +166,7 @@ jobs:
type=semver,pattern={{major}}

- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of docker/build-push-action and what breaking changes exist between v5 and v7?

💡 Result:

The latest version of docker/build-push-action is v7.1.0, released on 2026-04-10.

Citations:


🌐 Web query:

docker/build-push-action v7 migration guide breaking changes from v5

💡 Result:

There is no official dedicated migration guide from v5 to v7 for docker/build-push-action. Breaking changes and migration steps must be derived from release notes and changelogs across v5.x, v6.x, and v7.0.0. Key breaking changes in v7.0.0 (released 2026-03-05) from prior versions (including v5 and v6): 1. Node 24 as default runtime - Requires GitHub Actions Runner v2.327.1 or later. Update your runner if using self-hosted, or use GitHub-hosted runners which support it. 2. Removed deprecated environment variables: - DOCKER_BUILD_NO_SUMMARY (use DOCKER_BUILD_SUMMARY=false instead, deprecated earlier in v6.3.0) - DOCKER_BUILD_EXPORT_RETENTION_DAYS 3. Removed legacy export-build tool support for build summary (build record now uses buildx history export since v6.17.0). Other notable changes from v5 to v6/v7 (non-breaking but require awareness): - Switch to ESM (internal, should not affect users). - Dependency bumps: @actions/core to 3.0.0 (may have breaking changes in error handling/logging), @docker/actions-toolkit to 0.79.0. - Git context improvements (e.g., auth token scoping to github.com in v6.19.0). - New inputs like secret-envs, annotations added in v5.1.0+. Migration steps: - Update uses: docker/build-push-action@v7 in your workflow YAML. - Ensure GitHub-hosted runner ubuntu-latest (Node 24 supported) or compatible self-hosted runner. - Remove any usage of removed env vars DOCKER_BUILD_NO_SUMMARY, DOCKER_BUILD_EXPORT_RETENTION_DAYS. - If using build summary with legacy tools, update to use modern buildx history export. - Test workflows thoroughly, especially error handling due to @actions/core v3. - No changes needed for core inputs like context, tags, push, platforms, cache-from/to, etc. - fully backward compatible for standard usage. - Review full changelog: https://github.com/docker/build-push-action/releases/tag/v7.0.0 (compare v6.19.2...v7.0.0), releases page https://github.com/docker/build-push-action/releases, and v5 tag https://github.com/docker/build-push-action/tree/v5 for inputs reference. Example v5 to v7 workflow update: v5: uses: docker/build-push-action@v5 with: push: true tags: user/app:latest v7: (unchanged) uses: docker/build-push-action@v7 with: push: true tags: user/app:latest Primary sources: GitHub release notes for v7.0.0, v6.x, v5.x; compare views v5...v6, v5.0.0...v5.1.0 etc.

Citations:


Review breaking changes before updating to docker/build-push-action@v7.

The upgrade from v5 to v7.1.0 introduces breaking changes:

  • Node 24 runtime required (GitHub Actions Runner v2.327.1+ or use GitHub-hosted runners)
  • Removed deprecated environment variables: DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS
  • Removed legacy export-build tool support for build summaries

Ensure your workflow and self-hosted runners (if applicable) are compatible with these changes. Standard workflow inputs remain backward compatible.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 169, The workflow upgrade to uses:
docker/build-push-action@v7 introduces breaking changes; update the workflow to
either pin a compatible v6 release or adopt v7 by ensuring your runners support
Node 24 (GitHub Actions Runner v2.327.1+ or GitHub-hosted runners), remove any
uses of the deprecated environment variables DOCKER_BUILD_NO_SUMMARY and
DOCKER_BUILD_EXPORT_RETENTION_DAYS, and remove/replace any legacy export-build
tool or build-summary usage; locate the step referencing
docker/build-push-action@v7 in the main.yml and either revert the action version
or adjust runner settings and environment variables accordingly to restore
compatibility.

with:
context: .
file: ./Dockerfile
Expand All @@ -180,7 +180,7 @@ jobs:

- name: Update Docker Hub description
if: needs.meta.outputs.is_release == 'true'
uses: peter-evans/dockerhub-description@v3
uses: peter-evans/dockerhub-description@v5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of peter-evans/dockerhub-description and what breaking changes exist between v3 and v5?

💡 Result:

The latest version of peter-evans/dockerhub-description is v5.0.0, released on 2025-10-01. Breaking changes between v3 and v5 primarily involve runtime updates and dependency changes that require updated GitHub Actions runner versions: - v4.0.0 (from v3.4.2): Updated runtime to Node.js 20, requiring Actions runner v2.308.0 or later. - v5.0.0 (from v4.0.2): Updated runtime to Node.js 24, requiring Actions runner v2.327.1 or later (for self-hosted runners). Also updated Docker Hub auth endpoint from /v2/users/login (deprecated) to /v2/auth/token, switched to native fetch, bumped actions/checkout, actions/setup-node, etc. from v4 to v5. No explicit API/input breaking changes listed in release notes; action inputs appear consistent (e.g., username, password, repository, short-description, readme-filepath, enable-url-completion, image-extensions). Users on older runners may need updates for compatibility. Last repo push was 2026-04-01, but no newer release.

Citations:


Verify GitHub Actions runner compatibility with v5.0.0's breaking changes.

peter-evans/dockerhub-description@v5.0.0 exists and is the latest version. However, it includes breaking changes from v3:

  • Node.js 24 runtime (up from Node.js 20 in v4)
  • GitHub Actions runner v2.327.1+ required for self-hosted runners
  • Docker Hub auth endpoint changed from /v2/users/login (deprecated) to /v2/auth/token
  • Dependency updates: actions/checkout and actions/setup-node upgraded from v4 to v5

Ensure your CI/CD runners meet the new version requirements before merging.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 183, The workflow currently uses
peter-evans/dockerhub-description@v5 which introduces breaking changes (Node.js
24 runtime, GitHub Actions runner v2.327.1+ for self-hosted, changed Docker Hub
auth endpoint, and dependency upgrades); either pin the step back to a
compatible release (e.g., peter-evans/dockerhub-description@v4) or update your
CI environment and related actions to satisfy v5's requirements: ensure
self-hosted runners are >= v2.327.1, confirm any Node tooling supports Node.js
24, update dependent steps to actions/checkout@v5 and actions/setup-node@v5 if
adopting v5, and adjust Docker Hub auth flows to use /v2/auth/token as needed
before merging.

with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
Expand All @@ -196,10 +196,10 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6

- name: Setup Go
uses: actions/setup-go@v5.5.0
uses: actions/setup-go@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of actions/setup-go and what breaking changes exist between v5 and v6?

💡 Result:

Latest version: v6.4.0 (released 2026-03-30). Breaking changes between v5 and v6: 1) Node.js runtime upgrade for the action: v6 upgrades the action runtime from Node 20 to Node 24. It also notes an action-required requirement that runners be on v2.327.1 or later for compatibility. 2) Enhanced Go toolchain handling: v6 supports reading both go and toolchain directives from go.mod; if the toolchain directive is present, v6 uses that exact version. (V5 did not have this toolchain-directive behavior.) 3) Cache key change for Go modules: v6 changes the default cache key inputs so Go module caching is based on go.mod by default; if you want to use go.sum instead, you must set cache-dependency-path accordingly. 4) Version resolution behavior improvements: v6 documents an updated resolution order (local cache → go-versions repository → direct download from go.dev) and uses the toolchain directive version (when present) as part of version resolution.

Citations:


Address breaking changes in actions/setup-go@v6 upgrade.

Upgrading from v5 to v6.4.0 introduces multiple breaking changes:

  • Node.js runtime upgraded from Node 20 to Node 24 (action-required)
  • Requires GitHub Actions runners v2.327.1 or later
  • Cache key now defaults to go.mod instead of go.sum; override with cache-dependency-path if needed
  • Enhanced Go toolchain handling: v6 reads and uses toolchain directive from go.mod if present

Verify your environment meets the runner version requirement and adjust cache configuration if necessary.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 202, The workflow currently uses
actions/setup-go@v6 which has breaking changes; update the workflow to ensure
the runner meets v2.327.1+ (upgrade the GitHub Actions runner or set runs-on to
a compatible image), explicitly set cache-dependency-path if you need the cache
to key off go.sum (add cache-dependency-path: go.sum), and if you depend on a
specific Go toolchain behavior, explicitly set the action's toolchain input or
add a toolchain directive to go.mod to control the Go version; also review any
Node.js tooling steps for compatibility with the action's implicit upgrade to
Node 24 and adjust those steps accordingly.

with:
go-version: stable
- name: Go version
Expand All @@ -225,7 +225,7 @@ jobs:
cp ./*.deb ./gh-release/
find . -name '${{ needs.meta.outputs.bin_name }}-*' -executable -type f -maxdepth 1 -print0 | xargs -0 -I {} tar --transform='flags=r;s|.*|${{ needs.meta.outputs.bin_name }}|' -czvf ./gh-release/{}.tar.gz {}
- name: Upload binaries & packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: ${{ needs.meta.outputs.bin_name }} Binary Artifacts
path: out/gh-release/*
Expand All @@ -241,15 +241,15 @@ jobs:
contents: write
steps:
- name: Download binaries & packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the latest version of actions/download-artifact and what breaking changes exist between v4 and v8?

💡 Result:

Latest version (as of 2026-04-27): actions/download-artifact@v8.0.1. Breaking changes between v4 and v8: 1) v4 -> v8 are incompatible with each other’s artifact formats: artifacts created with versions v3 and below are not compatible with v4 actions (so upgrading only download may break). This is explicitly called out in the v4 release notes. 2) ESM migration (breaking/behavior change for forks): v8 migrates to an ESM module; callers should be unaffected, but forks might need significant changes. 3) Hash/digest mismatch enforcement (breaking): in v8, hash mismatches now error by default (previously they were warnings). You can override via the digest-mismatch parameter. 4) “Direct downloads” / decompression behavior change (breaking): v8 will check Content-Type before attempting to unzip downloaded content; it skips non-zipped files. A new skip-decompress parameter was added to control downloading zipped files “as-is”.

Citations:


🏁 Script executed:

cat -n .github/workflows/main.yml | sed -n '240,250p'

Repository: cdzombak/gallerygen

Length of output: 457


🏁 Script executed:

cat -n .github/workflows/main.yml | sed -n '279,289p'

Repository: cdzombak/gallerygen

Length of output: 493


🌐 Web query:

actions/download-artifact v8 name parameter breaking changes compatibility with v4

💡 Result:

There are no breaking changes to the 'name' parameter itself between actions/download-artifact v4 and v8. The 'name' input remains optional, used to specify the artifact name to download (or all artifacts if unspecified), with the same description and behavior in both versions. Key v8 changes (released Feb 2026) are: - Default digest mismatch behavior changed to 'error' (new 'digest-mismatch' input: ignore/info/warn/error). - Skips unzipping non-zipped files based on Content-Type (to support upload-artifact direct uploads); new 'skip-decompress' input to download zips as-is. - Migrated to ESM module (transparent to users). Earlier changes (v5, 2025): Fixed path for single artifact by ID to be direct (not nested), but does not affect 'name'. The 'name' parameter is fully compatible. Workflows using 'name' in v4 will work unchanged in v8, except potential impacts from new defaults if hash mismatches occur or non-zipped artifacts are downloaded.

Citations:


The name parameter has no breaking changes between v4 and v8; however, verify handling of other v8 breaking changes.

actions/download-artifact@v8 exists and is stable, but v4→v8 introduces breaking changes unrelated to the name parameter:

  • Digest mismatch handling: v8 errors on hash mismatches by default (v4 warned). If artifacts have hash issues, add digest-mismatch: warn to maintain previous behavior.
  • Decompression behavior: v8 skips unzipping non-zipped files based on Content-Type. If non-zipped artifacts are expected to be decompressed, add skip-decompress: true to download as-is.

Verify the artifacts produced by the upload step don't trigger either scenario.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 244, Update the GitHub Action usage of
actions/download-artifact@v8 to handle v8 breaking changes: either verify the
uploaded artifacts won’t trigger digest mismatches or decompression issues, or
explicitly add the download inputs to preserve v4 behavior—set digest-mismatch:
warn if you want to ignore hash mismatches and set skip-decompress: true if you
need non-zipped artifacts downloaded as-is; locate the uses:
actions/download-artifact@v8 step in the workflow to apply these inputs or
confirm the upload step produces compatible artifacts.

with:
name: ${{ needs.meta.outputs.bin_name }} Binary Artifacts
path: out
- name: List artifacts
working-directory: out
run: ls -R
- name: Create GitHub release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@v3
with:
files: out/${{ needs.meta.outputs.bin_name }}-*
prerelease: ${{ needs.meta.outputs.is_prerelease == 'true' }}
Expand All @@ -265,9 +265,9 @@ jobs:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Update running major/minor version tags
uses: sersoft-gmbh/running-release-tags-action@v3
uses: sersoft-gmbh/running-release-tags-action@v4
with:
fail-on-non-semver-tag: true
create-release: false
Expand All @@ -280,7 +280,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Download binaries & packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
name: ${{ needs.meta.outputs.bin_name }} Binary Artifacts
path: out
Expand All @@ -289,7 +289,7 @@ jobs:
working-directory: out

- name: Login to Tailscale
uses: tailscale/github-action@v3
uses: tailscale/github-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of tailscale/github-action and what breaking changes exist between v3 and v4?

💡 Result:

Latest version (as of 2026-04-27): tailscale/github-action v4.1.2. Breaking changes between v3 and v4: 1) Action implementation/runtime changed: v4 is a TypeScript-based GitHub Action (not the prior bash-based runner). This also means the action requires runners capable of installing Node.js 24. 2) New/changed behavior at workflow end: v4 automatically runs tailscale logout when the workflow completes (enabled by default), which was not available in bash-based actions. 3) New functionality: v4 adds a ping input/parameter to block the workflow until connectivity and DNS resolution for specified tailnet devices is ready. 4) Caching behavior: v4 enables binary caching by default (speed/reliability improvement vs the bash-based implementation).

Citations:


Verify tailscale/github-action v4 breaking changes and compatibility.

v4.1.2 exists (confirmed). Review these breaking changes:

  • Runtime changed: v4 is TypeScript-based and requires Node.js 24 (previously bash-based)
  • Automatic logout: v4 runs tailscale logout by default at workflow end (new behavior)
  • Binary caching: Now enabled by default (behavior change from v3)
  • New input parameter: ping parameter added for connectivity verification

Ensure your workflow and runners support Node.js 24 and review whether automatic logout and caching changes affect your use case.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 292, The workflow currently uses the
action reference "uses: tailscale/github-action@v4" which requires you to either
(A) explicitly pin to a known non-breaking release (e.g., v4.1.2) or (B) update
the workflow environment and inputs to be compatible with v4: ensure runners
provide Node.js 24 before invoking the action, review and set the new "ping"
input if you need connectivity verification, and account for the new automatic
logout behavior (tailscale logout runs at workflow end) and default binary
caching by adjusting any stateful steps or reauth flows that relied on v3
behavior; make these changes around the "uses: tailscale/github-action@v4"
reference and test the workflow end-to-end.

with:
oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
Expand Down Expand Up @@ -325,7 +325,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Release to ${{ needs.meta.outputs.brewtap_owner }}/${{ needs.meta.outputs.brewtap_name }} tap
uses: Justintime50/homebrew-releaser@ae8677299789c63078cc7952583734336eced9e1
uses: Justintime50/homebrew-releaser@a62d7a359683bfc047cdb2431f53ee58241464d1 # v3.3.0
with:
homebrew_owner: ${{ needs.meta.outputs.brewtap_owner }}
homebrew_tap: homebrew-${{ needs.meta.outputs.brewtap_name }}
Expand All @@ -349,7 +349,7 @@ jobs:
needs: [meta, docker, binaries, release, aptly, homebrew]
steps:
- name: Send success notification
uses: niniyas/ntfy-action@9c6dc60073292f562769f83df2ace9f64ab31c78
uses: niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 # V1.0.5

@coderabbitai coderabbitai Bot Apr 27, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify ntfy-action SHA matches the v1.0.5 tag

git clone --depth 1 --branch v1.0.5 https://github.com/niniyas/ntfy-action.git /tmp/ntfy-action 2>/dev/null
cd /tmp/ntfy-action
git rev-parse HEAD

Repository: cdzombak/gallerygen

Length of output: 189


SHA for ntfy-action does not match v1.0.5 release tag.

The workflow file pins niniyas/ntfy-action to SHA 2ebc39afb288e8b01804a6ec1be0db2e7a458387, but the actual v1.0.5 release tag points to 41df2f98dfd43da872e8aea19baacbdde43740d3. Update the SHA to match the correct v1.0.5 tag or verify the intended commit.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 352, Update the pinned commit for the
GitHub Action usage: the line referencing
niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 should be changed
to use the actual v1.0.5 commit SHA (41df2f98dfd43da872e8aea19baacbdde43740d3)
or swap to the tag form niniyas/ntfy-action@v1.0.5 to ensure the workflow points
to the intended release; verify the chosen SHA/tag corresponds to the intended
release commit before committing the change.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manually confirmed that this PR is correct: https://github.com/NiNiyas/ntfy-action/releases/tag/V1.0.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cdzombak, thank you for verifying! My analysis was incorrect — the false positive was caused by a case sensitivity issue in my verification script. I used --branch v1.0.5 (lowercase v) when cloning, but the actual release tag is V1.0.5 (uppercase V), so my script resolved to the wrong commit and reported a mismatch. The pinned SHA 2ebc39afb288e8b01804a6ec1be0db2e7a458387 is indeed correct for the V1.0.5 release. Apologies for the noise!


✏️ Learnings added
Learnt from: cdzombak
Repo: cdzombak/gallerygen PR: 4
File: .github/workflows/main.yml:352-352
Timestamp: 2026-04-27T15:47:04.943Z
Learning: The `niniyas/ntfy-action` GitHub Action (repo: NiNiyas/ntfy-action) uses uppercase-V release tags (e.g., `V1.0.5`, not `v1.0.5`). The SHA `2ebc39afb288e8b01804a6ec1be0db2e7a458387` corresponds to the `V1.0.5` release. When verifying SHAs for this action, use `--branch V1.0.5` (capital V) in git commands.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

if: ${{ !contains(needs.*.result, 'failure') && (needs.meta.outputs.is_release == 'true' || needs.meta.outputs.is_prerelease == 'true') }}
with:
url: "https://ntfy.cdzombak.net"
Expand All @@ -360,7 +360,7 @@ jobs:
title: ${{ github.event.repository.name }} ${{ needs.meta.outputs.bin_version }} available
details: ${{ github.event.repository.name }} version ${{ needs.meta.outputs.bin_version }} is now available.
- name: Send failure notification
uses: niniyas/ntfy-action@9c6dc60073292f562769f83df2ace9f64ab31c78
uses: niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 # V1.0.5
if: ${{ contains(needs.*.result, 'failure') }}
with:
url: "https://ntfy.cdzombak.net"
Expand Down
Loading