ci: harden GitHub Actions workflows #1156

Merged: peaceiris merged 1 commit into main from codex/review-github-actions-workflows on May 12, 2026

Conversation


@peaceiris peaceiris commented May 12, 2026

Summary

  • Pin GitHub Actions workflow dependencies to immutable commit SHAs with readable version comments.
  • Add explicit job permissions and timeouts, and move lightweight workflows to ubuntu-slim or ubuntu-24.04.
  • Update actions/labeler to v6.1.0 and migrate .github/labeler.yml to the current config format.

References

  • No related issue.
  • lib/index.js was generated locally only so actionlint could resolve uses: ./; it was not committed.
  • Expected secret references were kept as GitHub Actions expressions only.

Test plan

  • npm ci --ignore-scripts
  • npm run build
  • actionlint
  • npm run lint
  • npm test
  • git diff --check

Summary by CodeRabbit

  • Chores
    • Pinned third‑party GitHub Action references for deterministic workflows and improved security.
    • Standardized and tightened job permissions across workflows.
    • Updated workflow runner environments and added job timeouts to improve reliability.
    • Restructured label matching rules for the repository labeler, expanding test globs and consolidating Docker-related patterns.
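A local check for the pinning rule this PR applies, added here as an example and not code from the PR or from the project: it scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA and runs against a constructed sample file (the two pinned SHAs are the ones quoted elsewhere in this PR; the unpinned refs are made up for the sample).

```shell
#!/bin/sh
# Added example, not code from the PR or the project: check that every
# `uses:` reference in a workflow file is pinned to a full 40-hex commit SHA.
# Local actions (./path) and docker:// references are skipped; a trailing
# "# vX.Y.Z" comment and surrounding double quotes are ignored.

# Print "file:line: ref" for each unpinned reference in the file given as $1.
unpinned_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)  # strip the key
      sub(/[[:space:]]*#.*$/, "", ref)                               # strip version comment
      gsub(/"/, "", ref)                                             # strip quotes
      sub(/[[:space:]]+$/, "", ref)
      if (ref ~ /^\.\//) next          # action that lives in this repository
      if (ref ~ /^docker:\/\//) next   # container refs are a separate policy
      n = split(ref, parts, "@")
      if (n != 2 || parts[2] !~ /^[0-9a-f]+$/ || length(parts[2]) != 40)
        print FILENAME ":" NR ": " ref
    }' "$1"
}

# Return 0 when the file is fully pinned, 1 (printing the offending lines) otherwise.
check_workflow() {
  found=$(unpinned_uses "$1")
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed sample workflow: one SHA-pinned, one tag-pinned, one local, one branch-pinned ref.
SAMPLE_WORKFLOW=$(mktemp)
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
      - uses: actions/setup-node@v4
      - uses: ./
      - name: Upload coverage
        uses: "codecov/codecov-action@main"
EOF

check_workflow "$SAMPLE_WORKFLOW" || echo "unpinned action references found"
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI step to catch a tag- or branch-pinned action before it is merged.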


coderabbitai Bot commented May 12, 2026

Walkthrough

Modernizes CI/CD: restructures labeler matching, pins GitHub Actions to commit SHAs, updates runner images, and adds job-level timeouts and permissions across workflows.

Changes

CI/CD Infrastructure Modernization

  • Labeler configuration refactoring (.github/labeler.yml): Replaced flat changed-files globs with any-glob-to-any-file objects for cicd, dependencies, documentation, test (expanded to __tests__/**), and docker patterns.
  • CodeQL security workflow hardening (.github/workflows/codeql.yml): Adds workflow-level permissions, sets CodeQL-Build timeout-minutes: 20, and pins actions/checkout and all github/codeql-action steps to commit SHAs.
  • Test workflow modernization (.github/workflows/test.yml): Adds timeout-minutes: 30, pins key actions (checkout, setup-node, upload-artifact, codecov, mdBook) to commit SHAs, and changes format/lint/coverage steps to run on ubuntu-24.04.
  • Automation and utility workflows modernization (.github/workflows/dependency-review.yml, .github/workflows/label-commenter.yml, .github/workflows/labeler.yml, .github/workflows/pages-status-check.yml, .github/workflows/purge-readme-image-cache.yml, .github/workflows/release.yml, .github/workflows/update-major-tag.yml): Pin action uses to commit SHAs, switch runner images between ubuntu-slim/ubuntu-24.04, add/adjust timeout-minutes, and set restrictive job permissions where added. Minor command quoting/formatting change in purge pipeline retained.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • peaceiris/actions-gh-pages#1147: Overlapping workflow modernization including action SHA pinning and runner image updates (e.g., ubuntu-24.04 and ubuntu-slim).

Suggested labels

dependencies

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'ci: harden GitHub Actions workflows' accurately captures the main change—hardening CI workflows through pinning actions to commit SHAs, adding explicit permissions and timeouts, and migrating to lighter runners.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@peaceiris peaceiris marked this pull request as ready for review May 12, 2026 04:44

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/pages-status-check.yml (1)

13-15: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix assert message formatting in Python shell step.

Line 15 uses named placeholders but passes positional args to .format(...). On assertion failure, this throws KeyError instead of surfacing the intended status/error message.

Suggested patch
-          assert status == 'built', 'Status: {status}\nError: {errormsg}'.format(status, errormsg)
+          assert status == 'built', 'Status: {status}\nError: {errormsg}'.format(status=status, errormsg=errormsg)
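Review bot: the keyword-argument fix on the `+` line is correct, but the guard is still an `assert` doing the job of a CI status check; Python discards `assert` statements when run with `-O`, so under optimization this step would pass regardless of `status`. An explicit `if status != 'built': raise SystemExit(f'Status: {status}\nError: {errormsg}')` keeps the check unconditional and removes the `.format` call entirely.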
Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pages-status-check.yml around lines 13 - 15, The assert line currently uses named placeholders 'Status: {status}\nError: {errormsg}' but calls .format(status, errormsg), causing a KeyError; update the format call in the Python shell step so the template and arguments match — either pass keyword args to .format(status=status, errormsg=errormsg), switch the template to positional placeholders '{}' and use .format(status, errormsg), or replace with an f-string using status and errormsg; modify the assertion around the variables status and errormsg accordingly.
🧹 Nitpick comments (1)
.github/workflows/purge-readme-image-cache.yml (1)

15-19: ⚡ Quick win

Consider adding error handling and empty-results protection.

The shell pipeline lacks explicit error handling and will fail if no camo images are found. Consider these improvements:

  1. Add set -eo pipefail to fail fast on errors.
  2. Use xargs -r to handle empty input gracefully (or check grep exit code first).
  3. Note that the unauthenticated curl will fail for private repositories.
♻️ Suggested improvements
-    - run: >
-        curl -sL "https://github.com/${GITHUB_REPOSITORY}" |
-        grep -oE '<img src="https?://camo.githubusercontent.com(/[^"]+' |
-        sed -e 's/<img src="//' |
-        xargs -I % curl -sX PURGE "%"
+    - run: |
+        set -eo pipefail
+        curl -sL "https://github.com/${GITHUB_REPOSITORY}" |
+        grep -oE '<img src="https?://camo.githubusercontent.com/[^"]+' |
+        sed -e 's/<img src="//' |
+        xargs -r -I % curl -sX PURGE "%"
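Review bot: `set -eo pipefail` and `xargs -r` work against each other in this hunk. When the README contains no camo image, `grep -oE` exits 1, `pipefail` makes that the status of the whole pipeline, and `set -e` fails the job before `xargs -r` ever sees the empty input; so the "empty-results protection" the comment asks for is not achieved. If an empty match is a successful run, append `|| true` to the `grep` stage (or capture grep's output and test its exit status explicitly) and keep `pipefail` for the `curl` stage. Separately, the `-` grep line reads `camo.githubusercontent.com(/[^"]+` and the `+` line `camo.githubusercontent.com/[^"]+`; if that `(` really is in the file it is an unmatched group that `grep -E` rejects, and dropping it is a behaviour change worth one sentence in the commit message.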
Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/purge-readme-image-cache.yml around lines 15 - 19, The pipeline that fetches and purges camo images should fail fast and handle empty results; update the script wrapper to enable safe shell options (set -eo pipefail), use xargs -r (or conditional check of grep's exit status) so PURGE is skipped when no matches are found, and surface curl failures for private repos by using an authenticated curl when a GITHUB_TOKEN is available (or explicitly check curl's exit code before piping to grep); apply these changes around the commands shown (curl | grep -oE '<img src="https?://camo.githubusercontent.com/[^"]+' | sed -e 's/<img src="//' | xargs -I % curl -sX PURGE "%") and ensure errors are logged and cause the job to fail.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a47c9355-9cf3-4b71-8e89-c44a02c3b420

📥 Commits

Reviewing files that changed from the base of the PR and between 0d6e9f4 and 2d1d460.

📒 Files selected for processing (10)
  • .github/labeler.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/label-commenter.yml
  • .github/workflows/labeler.yml
  • .github/workflows/pages-status-check.yml
  • .github/workflows/purge-readme-image-cache.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .github/workflows/update-major-tag.yml

Pin workflow actions to immutable commits, add explicit permissions and timeouts, and update labeler for the current runtime.

Co-Authored-By: Codex <noreply@openai.com>
@peaceiris peaceiris force-pushed the codex/review-github-actions-workflows branch from 2d1d460 to 9dcb5b9 Compare May 12, 2026 14:28

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/test.yml (1)

66-73: ⚡ Quick win

Scope coverage publishing to one matrix leg to avoid redundant uploads.

Consider gating artifact upload + Codecov to ubuntu-24.04 only, matching the single-leg quality-check pattern and reducing CI noise/cost.

♻️ Suggested diff
       - name: Upload test coverage as artifact
+        if: startsWith(matrix.os, 'ubuntu-24.04')
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: coverage-${{ matrix.os }}
           path: coverage

-      - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+      - if: startsWith(matrix.os, 'ubuntu-24.04')
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
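Review bot: `startsWith(matrix.os, 'ubuntu-24.04')` on the two `+` lines is looser than the `matrix.os == 'ubuntu-24.04'` guard the comment describes; it would also match any later `ubuntu-24.04-*` runner label and quietly bring the duplicate uploads back. Use an equality test, and since the identical condition is repeated on the artifact-upload step and the codecov step, define it once (for example in a job-level `env` value that both `if:` lines reference) so the two guards cannot drift apart when the matrix changes.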
Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 66 - 73, The coverage artifact upload and Codecov step are running on every matrix leg; restrict them to a single leg by adding a matrix guard so they only run when matrix.os == 'ubuntu-24.04' (apply an if: condition) for the "Upload test coverage as artifact" step (actions/upload-artifact) and the codecov/codecov-action step; this keeps the existing steps and names but prevents redundant uploads on other matrix entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0a0a75de-3526-43c5-9f12-3f7658fb4054

📥 Commits

Reviewing files that changed from the base of the PR and between 2d1d460 and 9dcb5b9.

📒 Files selected for processing (10)
  • .github/labeler.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/label-commenter.yml
  • .github/workflows/labeler.yml
  • .github/workflows/pages-status-check.yml
  • .github/workflows/purge-readme-image-cache.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • .github/workflows/update-major-tag.yml
✅ Files skipped from review due to trivial changes (3)
  • .github/workflows/update-major-tag.yml
  • .github/workflows/purge-readme-image-cache.yml
  • .github/workflows/dependency-review.yml
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/label-commenter.yml
  • .github/workflows/pages-status-check.yml
  • .github/labeler.yml
  • .github/workflows/labeler.yml
  • .github/workflows/release.yml

@peaceiris peaceiris merged commit aa0466c into main May 12, 2026
11 checks passed
@peaceiris peaceiris deleted the codex/review-github-actions-workflows branch May 12, 2026 15:56