Merged
10 changes: 8 additions & 2 deletions .github/workflows/lifecycle.yml
@@ -30,6 +30,7 @@ jobs:
lifecycle:
name: Lifecycle (${{ inputs.mode || 'cli' }} / ${{ inputs.model || 'haiku' }})
runs-on: ubuntu-latest
environment: staging
timeout-minutes: 60

steps:
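Review bot: `environment: staging` changes where `secrets.ANTHROPIC_API_KEY` (referenced further down in this file) is resolved from and what gates the job. Environment-scoped secrets take precedence over repository secrets, and any protection rules configured on `staging` (required reviewers, deployment-branch policy) now apply to every run of this job. Confirm the secret is defined on, or intentionally inherited by, the `staging` environment and that its branch policy allows the branches this workflow runs from; otherwise the job is rejected before the first step. If the intent is only to scope the secret, a dedicated environment such as `lifecycle-tests` without approval gates keeps the 60-minute job from waiting on a human.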
@@ -73,19 +74,24 @@ jobs:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
CODEFRAME_LIFECYCLE_MODEL: ${{ inputs.model || 'haiku' }}
run: |
mkdir -p artifacts
uv run pytest ${{ steps.tests.outputs.path }} \
-m lifecycle \
-v \
--tb=long \
--no-header \
-p no:warnings \
--timeout=1800
--timeout=1800 \
--basetemp=artifacts/pytest \
2>&1 | tee artifacts/pytest.log
exit "${PIPESTATUS[0]}"

- name: Upload test artifacts on failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: lifecycle-failure-${{ github.run_id }}
path: |
/tmp/pytest-*/
artifacts/
retention-days: 7
if-no-files-found: warn
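Review bot: `exit "${PIPESTATUS[0]}"` and the `2>&1 | tee` pipeline depend on bash, but the step declares no `shell:`. GitHub's default for `run` on ubuntu is `bash -e {0}` without `pipefail`, so the pipeline's status is tee's and the explicit PIPESTATUS line is the only thing preventing a failing pytest from reporting success; make that dependency explicit with `shell: bash` on the step, which also enables `pipefail` and makes the PIPESTATUS line redundant. In the upload step, `/tmp/pytest-*/` no longer matches anything once `--basetemp=artifacts/pytest` is passed, because pytest's temp tree now lives under `artifacts/`, which is already listed; drop the stale path rather than relying on `if-no-files-found: warn`. Finally, the tee'd `pytest.log` is produced in a job whose environment carries `ANTHROPIC_API_KEY`; GitHub masks secrets in the job log but not inside uploaded artifacts, so anything the tests print from the environment lands unmasked in a downloadable artifact with a 7-day retention. Keeping `--tb=long` rather than `--showlocals` limits that, but it is worth a comment on the step.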
Comment on lines 89 to +97
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/usr/bin/env bash
# Verify unpinned GitHub Actions references in workflow files.
# Expected: no matches after pinning to full 40-char commit SHAs.
# -P selects the PCRE2 engine: ripgrep's default engine rejects the negative
# lookahead. The pattern also accepts `- uses:` list items (the common form)
# and a trailing `# vX` comment after a pinned SHA.

rg -nP --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' \
  '^\s*-?\s*uses:\s*[^@\s]+@(?![a-f0-9]{40}(?:\s|$))\S+'

Repository: frankbria/codeframe

Length of output: 326


🏁 Script executed:

#!/bin/bash

# First, find and examine the lifecycle.yml file
echo "=== Finding workflow files ==="
# fd takes a name pattern first and the search path second; '.' matches every name.
fd -e yml -e yaml . .github/workflows

echo -e "\n=== Checking lifecycle.yml content (lines 85-100) ==="
if [ -f ".github/workflows/lifecycle.yml" ]; then
  sed -n '85,100p' ".github/workflows/lifecycle.yml"
else
  echo "lifecycle.yml not found"
fi

echo -e "\n=== Checking all uses: statements in workflow files ==="
rg -n 'uses:\s*' '.github/workflows/' -t yaml | head -20

echo -e "\n=== Checking specifically for action versions ==="
# Every action reference that carries a version part; compare each against a 40-hex SHA.
rg -n 'uses:\s*.*@' '.github/workflows/' -t yaml

Repository: frankbria/codeframe

Length of output: 5889


Pin actions/upload-artifact to a full commit SHA.

Line 91 uses a mutable tag (@v4), which weakens supply-chain security and provenance guarantees.

Suggested fix
-      - name: Upload test artifacts on failure
-        if: failure()
-        uses: actions/upload-artifact@v4
+      - name: Upload test artifacts on failure
+        if: failure()
+        uses: actions/upload-artifact@<FULL_COMMIT_SHA>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 91-91: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lifecycle.yml around lines 89 - 97, the workflow step
named "Upload test artifacts on failure" currently uses a mutable tag
actions/upload-artifact@v4; replace that mutable tag with the corresponding full
commit SHA for actions/upload-artifact to pin the action for supply-chain
security. Locate the step with name "Upload test artifacts on failure" and the
uses line referencing actions/upload-artifact@v4 and change it to uses:
actions/upload-artifact@<FULL_COMMIT_SHA> (the specific commit SHA from the
actions/upload-artifact repository release you trust).
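As an added example, not part of this PR, the codeframe repository or the review tool's output, here is a small Python checker for the finding above: it reports every `uses:` reference in a workflow that is not pinned to an immutable identifier. It handles the cases a one-line regex tends to miss or misflag (`- uses:` list items, quoted refs, a `# vX` comment after a SHA, in-repo `./` actions, and `docker://` images, which are pinned by `@sha256:` digest rather than a git SHA). The sample workflow and its zero-filled digests are constructed placeholders, and the script name in the usage note is assumed.

```python
"""Checker for GitHub Actions `uses:` references that are not pinned to a full
commit SHA (or, for docker:// images, an @sha256: digest). Added example; the
sample workflow below is constructed and its digests are zero-filled placeholders."""
import re
import sys
from pathlib import Path
from typing import List, Tuple

GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A `uses:` key, optionally as a `- ` list item and optionally quoted; the ref
# ends at whitespace, a quote or a `#` comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")


def classify_ref(ref: str) -> str:
    """Return one of: local, pinned, unpinned, untagged."""
    if ref.startswith("./"):
        return "local"                      # in-repo action: fixed by the checkout itself
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "unpinned"
    if "@" not in ref:
        return "untagged"                   # floats on the default branch: worst case
    version = ref.rsplit("@", 1)[1]
    return "pinned" if GIT_SHA_RE.match(version) else "unpinned"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """(line number, ref, classification) for every ref that is not immutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind in ("unpinned", "untagged"):
            findings.append((lineno, ref, kind))
    return findings


# Constructed sample workflow. The 40-hex and 64-hex values are zero-filled
# placeholders, not real commit SHAs or image digests.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Upload test artifacts on failure
        if: failure()
        uses: actions/upload-artifact@0000000000000000000000000000000000000000 # v4 placeholder
      - uses: ./.github/actions/local-step
      - uses: "docker://alpine:3.20"
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def scan_directory(workflows_dir: str = ".github/workflows") -> List[Tuple[str, int, str, str]]:
    """Run the checker over every *.yml / *.yaml file under workflows_dir."""
    results = []
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        for lineno, ref, kind in find_unpinned_uses(path.read_text()):
            results.append((str(path), lineno, ref, kind))
    return results


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        hits = scan_directory(sys.argv[1])
        for path, lineno, ref, kind in hits:
            print(f"{path}:{lineno}: {kind}: {ref}")
    else:
        hits = find_unpinned_uses(SAMPLE_WORKFLOW)
        for lineno, ref, kind in hits:
            print(f"sample:{lineno}: {kind}: {ref}")
    sys.exit(1 if hits else 0)
```

Run it as `python check_pins.py .github/workflows` (file name assumed) to get a non-zero exit when anything is unpinned, which is what makes it usable as a CI gate; on the constructed sample it flags `actions/checkout@v4` and the tag-only `docker://alpine:3.20` while accepting the SHA-pinned upload-artifact line and the digest-pinned image. zizmor's `unpinned-uses` audit, cited in the comment above, performs the same check alongside its other workflow rules.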

1 change: 1 addition & 0 deletions pyproject.toml
@@ -70,6 +70,7 @@ dev = [
"pytest-asyncio>=0.23.0",
"pytest-cov>=4.1.0",
"pytest-json-report>=1.5.0",
"pytest-timeout>=2.3.0",
"black>=24.1.0",
"ruff>=0.2.0",
"mypy>=1.8.0",
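Review bot: pytest-timeout lands only in the `dev` dependency list, while the lifecycle workflow passes `--timeout=1800` unconditionally, so any invocation that installs without that group fails at argument parsing with an unrecognized option instead of at the slow test. Consider also setting `timeout = 1800` under `[tool.pytest.ini_options]` so local runs get the same guard as CI without remembering the flag, and note that a 1800 s per-test limit inside a 60-minute job allows at most one timed-out test before the job itself is killed and the artifact upload step still has to run.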
14 changes: 14 additions & 0 deletions uv.lock