
chore: hardening the GA workflows#2092

Open
Florence-Njeri wants to merge 14 commits into asyncapi:master from Florence-Njeri:hardening-GA


Florence-Njeri (Collaborator) commented May 17, 2026

Description

  • Pinned all unpinned actions to a commit SHA. The goal is to move from tag-pinned to SHA-pinned actions, to avoid a compromised tag move from affecting our org.

  • The manual_netlify_preview.yml workflow satisfied most of the requirements of a pwn_request, so I split it into two, which is GitHub best practice. chore: update build config #2091 (comment)

  • Add a zizmor workflow which scans for common pipeline security issues such as:

    • Hardcoded Secrets in Workflows - API keys, passwords, or tokens hardcoded in YAML files
    • Excessive Permissions - Workflows with unnecessary write permissions
    • Untrusted Actions - Using third-party actions without proper verification
    • Insecure Triggers - Workflows triggered by external events without validation
    • Missing Security Controls - No approval processes for sensitive operations

  • Harden the update-docs-in-website.yml workflow:

    • Add permissions: {} at workflow level with minimal job-level scopes (contents: write, pull-requests: write) to fix excessive-permissions (without this block, the workflow inherits the write-all permissions of the parent)
    • Set persist-credentials: false on the generator checkout since it is read-only; keep it true on the website checkout for git push
    • Replace the embedded-token push URL with git push origin HEAD to prevent token exposure in logs and process listings (template-injection)
    • Move github.sha expansions into env vars to keep shell steps injection-safe
    • Scope git config to the repository instead of --global

Related issue(s)
TBC

Summary by CodeRabbit

  • Chores

    • Pinned third-party GitHub Actions to fixed revisions and tightened workflow permissions for improved CI/CD stability and security.
    • Updated several workflow checkout and setup steps to use explicit credential handling and job-level permission scopes.
  • New Features

    • Added two Netlify docs preview workflows to build and deploy per-PR docs previews and post preview links to PRs.
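As an added example (not the project's zizmor configuration and not code from this PR), a small line-based checker for the issue classes the description lists: a missing workflow-level permissions: block, uses: references not pinned to a full commit SHA, the pwn_request shape (pull_request_target plus a checkout of the PR head), github.* expansions inside run: steps, and a secret embedded in a push URL. Both workflow texts are constructed for the example, and the SHA in the hardened one is a placeholder, not a real pin.

```python
"""Line-based checker for the hardening items the PR describes (added example, stdlib only)."""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, detail); line 0 = whole file

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_KEY = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
# github.sha, github.head_ref and github.event.* are pasted verbatim into the shell script
# before it runs, which is the template-injection class named in the description.
UNSAFE_EXPANSION = re.compile(r"\$\{\{\s*github\.(?:sha|head_ref|event\.[\w.]+)\s*\}\}")
TOKEN_IN_URL = re.compile(r"https://\S*\$\{\{\s*secrets\.\w+\s*\}\}@")
HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")


def lint_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file, in line order."""
    lines = text.splitlines()
    findings: List[Finding] = []
    # Without a top-level permissions: block every job inherits the repository default token scope.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append((0, "excessive-permissions", "no workflow-level permissions: block"))
    pr_target = any(re.match(r"^\s+pull_request_target\s*:", line) for line in lines)
    run_indent = -1  # column of the open `run: |` key, or -1 when outside a block scalar
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_indent >= 0 and line.strip() and indent <= run_indent:
            run_indent = -1  # a line at or left of the key closes the block scalar
        m = USES.match(line)
        if m and "@" in m.group(1) and not m.group(1).startswith((".", "docker://")):
            ref = m.group(1)
            if not SHA40.match(ref.rsplit("@", 1)[1]):  # tag or branch, not a commit pin
                findings.append((n, "unpinned-uses", ref))
        # pwn_request shape: a privileged trigger that checks out the PR's own head.
        if pr_target and HEAD_CHECKOUT.search(line):
            findings.append((n, "pwn-request", "pull_request_target checks out PR head"))
        if run_indent >= 0:
            body = line
        else:
            m = RUN_KEY.match(line)
            if not m:
                continue
            if m.group(3).strip() in ("|", "|-", ">", ">-"):
                run_indent = len(m.group(1)) + len(m.group(2) or "")
                continue
            body = m.group(3)  # single-line run:
        if UNSAFE_EXPANSION.search(body):
            findings.append((n, "template-injection", body.strip()))
        if TOKEN_IN_URL.search(body):
            findings.append((n, "token-in-url", "secret embedded in git remote URL"))
    return findings


# Constructed "before": the shape the description calls a pwn_request, plus the push-URL token.
WEAK = """\
name: update docs (weak shape, constructed)
on:
  pull_request_target:
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: push docs
        run: |
          git config --global user.name asyncapi-bot
          git commit -am "docs for ${{ github.sha }}"
          git push https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/org/website HEAD
"""

# Constructed "after": deny-by-default permissions, job-level scope, sha moved into env,
# token handed to checkout instead of the URL. The 40-hex SHA is a placeholder, not a real pin.
HARDENED = """\
name: update docs (hardened shape, constructed)
on:
  push:
    branches: [master]
permissions: {}
jobs:
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      SOURCE_SHA: ${{ github.sha }}
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          token: ${{ secrets.GH_TOKEN }}
      - name: push docs
        run: |
          git config user.name asyncapi-bot
          git commit -am "docs for $SOURCE_SHA"
          git push origin HEAD
"""
```

Calling lint_workflow(WEAK) yields five findings (one per class above) and lint_workflow(HARDENED) none.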


changeset-bot (Bot) commented May 17, 2026

⚠️ No Changeset found

Latest commit: 4fda6b0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

asyncapi-bot (Contributor) commented:

What reviewer looks at during PR review

The following are ideal points maintainers look for during review. Reviewing these points yourself beforehand can help streamline the review process and reduce time to merge.

  1. PR Title: Use a concise title that follows our Conventional Commits guidelines and clearly summarizes the change using imperative mood (it means spoken or written as if giving a command or instruction, like "add new helper for listing operations")

    Note - In Generator, prepend feat: or fix: in PR title only when PATCH/MINOR release must be triggered.

  2. PR Description: Clearly explain the issue being solved, summarize the changes made, and mention the related issue.

    Note - In Generator, we use the Maintainers Work board to track progress. Ensure the PR Description includes Resolves #<issue-number> or Fixes #<issue-number>; this will automatically close the linked issue when the PR is merged and helps automate the maintainers' workflow.

  3. Documentation: Update the relevant Generator documentation to accurately reflect the changes introduced in the PR, ensuring users and contributors have up-to-date guidance.

  4. Comments and JSDoc: Write clear and consistent JSDoc comments for functions, including parameter types, return values, and error conditions, so others can easily understand and use the code.

  5. DRY Code: Ensure the code follows the Don't Repeat Yourself principle. Look out for duplicate logic that can be reused.

  6. Test Coverage: Ensure the new code is well-tested with meaningful test cases that pass consistently and cover all relevant edge cases.

  7. Commit History: Contributors should avoid force-pushing as much as possible. It makes it harder to track incremental changes and review the latest updates.

  8. Template Design Principles Alignment: While reviewing template-related changes in the packages/ directory, ensure they align with the Assumptions and Principles. If any principle feels outdated or no longer applicable, start a discussion; these principles are meant to evolve with the project.

  9. Reduce Scope When Needed: If an issue or PR feels too large or complex, consider splitting it and creating follow-up issues. Smaller, focused PRs are easier to review and merge.

  10. Bot Comments: As reviewers, check that contributors have appropriately addressed comments or suggestions made by automated bots. If there are bot comments the reviewer disagrees with, react to them or mark them as resolved, so the review history remains clear and accurate.

coderabbitai (Bot) commented May 17, 2026

Walkthrough

This pull request updates many GitHub Actions workflows to pin third-party actions to specific commit SHAs, adds explicit workflow/job permissions and credential persistence changes, and adds Netlify docs-preview build and deploy workflows.

Changes

GitHub Actions version pinning & workflow adjustments

Pin github-script action
  Files: .github/workflows/add-good-first-issue-labels.yml, .github/workflows/automerge-for-humans-*.yml, .github/workflows/automerge.yml, .github/workflows/bounty-program-commands.yml, .github/workflows/help-command.yml, .github/workflows/microgrant-program-commands.yml, .github/workflows/notify-tsc-members-mention.yml, .github/workflows/please-take-a-look-command.yml, .github/workflows/release-announcements.yml, .github/workflows/transfer-issue.yml, .github/workflows/update-maintainers.yml, .github/workflows/update-pr.yml, .github/workflows/welcome-first-time-contrib.yml, .github/workflows/pr-review-checklist.yml
  Summary: Replace floating actions/github-script tags with a pinned commit SHA where workflows post comments, add/remove labels, or run inline scripts.

Pin checkout action & credential persistence
  Files: .github/workflows/bump.yml, .github/workflows/if-nodejs-pr-testing.yml, .github/workflows/local-generate-files.yml, .github/workflows/manual-netlify-preview.yml, .github/workflows/notify-tsc-members-mention.yml, .github/workflows/release-announcements.yml, .github/workflows/release-with-changesets.yml, .github/workflows/transfer-issue.yml, .github/workflows/update-docs-in-website.yml, .github/workflows/update-docs-on-docs-commits.yml, .github/workflows/update-maintainers.yml, .github/workflows/pr-testing-with-test-project.yml
  Summary: Replace floating actions/checkout tags with pinned commit SHAs and adjust persist-credentials where needed for cross-repo writes or read-only checks.

Pin setup-node and helper actions; Slack notify swap
  Files: .github/workflows/if-nodejs-pr-testing.yml, .github/workflows/local-generate-files.yml, .github/workflows/manual-netlify-preview.yml, .github/workflows/release-with-changesets.yml, .github/workflows/update-docs-on-docs-commits.yml, .github/workflows/update-maintainers.yml
  Summary: Pin actions/setup-node and custom get-node-version-from-package-lock actions to commits; replace the Slack notification action with pinned rtCamp/action-slack-notify where present.

Permissions, job-scoped changes, and test logic
  Files: .github/workflows/bump.yml, .github/workflows/pr-review-checklist.yml, .github/workflows/pr-testing-with-test-project.yml, .github/workflows/release-with-changesets.yml, .github/workflows/update-docs-in-website.yml, .github/workflows/update-maintainers.yml
  Summary: Add or revoke top-level workflow permissions, grant job-scoped permissions, change conditionals for test runs, and modify branch/push handling for workflows that perform cross-repo writes or create PRs.

Netlify docs preview build & deploy
  Files: .github/workflows/manual-netlify-build.yml, .github/workflows/manual_netlify_preview.yml
  Summary: Add a build workflow that produces artifacts for docs previews and a deploy workflow that consumes the artifacts, deploys a Netlify draft, and posts the preview link as a PR comment.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the main change: hardening GitHub Actions workflows through security improvements (action pinning, permission hardening, etc.).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


asyncapi-bot (Contributor) commented:

@derberg @jonaslagoni @magicmatatjahu Please take a look at this PR. Thanks! 👋

@Florence-Njeri Florence-Njeri marked this pull request as draft May 17, 2026 07:13
@Florence-Njeri Florence-Njeri requested a review from Shurtu-gal May 22, 2026 15:23
@Florence-Njeri Florence-Njeri marked this pull request as ready for review May 23, 2026 08:00
coderabbitai (Bot) left a comment

Actionable comments posted: 5

Nitpick comments (1)

.github/workflows/update-docs-in-website.yml, lines 38-40 (low value): git config still uses --global despite the PR description.

The PR description states "Scope git config to the repository instead of --global", but lines 39-40 still use --global. While this isn't harmful in an ephemeral CI environment, consider using local config for consistency with the stated hardening objective:

Suggested change
       run: |
-        git config --global user.name asyncapi-bot
-        git config --global user.email info@asyncapi.io
+        git config user.name asyncapi-bot
+        git config user.email info@asyncapi.io
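Review bot: dropping `--global` is only equivalent if these two `git config` commands run inside the checkout that is pushed afterwards; the description says this workflow checks out both the generator (read-only) and the website, so the step needs a `working-directory:` pointing at the website checkout (or a `cd` into it) first, otherwise the identity lands in the generator clone's .git/config and the commit in the website clone runs without it.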
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update-docs-in-website.yml around lines 38 - 40, The git
config calls currently use --global; change them to set repository-local config
instead by removing --global (or using --local) for the two commands that set
user.name and user.email so that git config user.name asyncapi-bot and git
config user.email info@asyncapi.io are applied only to the repository in the
update-docs-in-website.yml workflow.

📥 Commits

Reviewing files that changed from the base of the PR and between 4419208 and 6125349.

📒 Files selected for processing (27)
  • .github/workflows/add-good-first-issue-labels.yml
  • .github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml
  • .github/workflows/automerge-for-humans-merging.yml
  • .github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml
  • .github/workflows/automerge-orphans.yml
  • .github/workflows/automerge.yml
  • .github/workflows/bounty-program-commands.yml
  • .github/workflows/bump.yml
  • .github/workflows/help-command.yml
  • .github/workflows/if-nodejs-pr-testing.yml
  • .github/workflows/local-generate-files.yml
  • .github/workflows/manual-netlify-build.yml
  • .github/workflows/manual-netlify-preview.yml
  • .github/workflows/manual_netlify_preview.yml
  • .github/workflows/microgrant-program-commands.yml
  • .github/workflows/notify-tsc-members-mention.yml
  • .github/workflows/please-take-a-look-command.yml
  • .github/workflows/pr-review-checklist.yml
  • .github/workflows/pr-testing-with-test-project.yml
  • .github/workflows/release-announcements.yml
  • .github/workflows/release-with-changesets.yml
  • .github/workflows/transfer-issue.yml
  • .github/workflows/update-docs-in-website.yml
  • .github/workflows/update-docs-on-docs-commits.yml
  • .github/workflows/update-maintainers.yml
  • .github/workflows/update-pr.yml
  • .github/workflows/welcome-first-time-contrib.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/manual-netlify-preview.yml
✅ Files skipped from review due to trivial changes (3)
  • .github/workflows/update-pr.yml
  • .github/workflows/please-take-a-look-command.yml
  • .github/workflows/transfer-issue.yml

Comment on lines +67 to +68 of .github/workflows/manual_netlify_preview.yml:

DEPLOY_DIR="site/out"
[ -d "site/.next" ] && DEPLOY_DIR="site/.next"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Deploy dir precedence can publish the wrong artifact.

This currently prefers site/.next whenever it exists. If both site/out and site/.next are present, it can deploy a non-static build output and break docs preview.

Suggested patch
-          DEPLOY_DIR="site/out"
-          [ -d "site/.next" ] && DEPLOY_DIR="site/.next"
+          if [ -d "site/out" ]; then
+            DEPLOY_DIR="site/out"
+          elif [ -d "site/.next" ]; then
+            DEPLOY_DIR="site/.next"
+          else
+            echo "No deployable output found (expected site/out or site/.next)"
+            exit 1
+          fi
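Review bot: the `else` branch that exits non-zero is the right default, since silently deploying whatever directory happens to exist is exactly how the wrong artifact gets published; what the directory test cannot tell you is where the contents came from. In this split design the deploy job runs under workflow_run with the Netlify credentials while site/out arrives as an artifact produced from PR code, so the step should only upload it as a draft and never execute anything from it, and the failure message is more useful as `echo "::error::No deployable output found (expected site/out or site/.next)"` so it surfaces as a run annotation.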
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/manual_netlify_preview.yml around lines 67 - 68, The
deployment directory precedence is wrong: change the logic that sets DEPLOY_DIR
so a static build (site/out) is preferred over site/.next; instead of defaulting
DEPLOY_DIR to site/.next when that directory exists, first check for site/out
and set DEPLOY_DIR="site/out" if present, otherwise fall back to site/.next.
Update the lines that currently set DEPLOY_DIR and the conditional [ -d
"site/.next" ] check so they reference the functions/variables DEPLOY_DIR and
the directories "site/out" and "site/.next" in that order.

Comment on lines +33 to +34 of .github/workflows/manual-netlify-build.yml:

rm website/markdown/docs/tools/generator/README.md
rm -r website/markdown/docs/tools/generator/jsdoc2md-handlebars

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Make docs cleanup resilient to missing files/directories.

rm here will fail when those paths are absent, which can unnecessarily fail the preview build. Use force flags for idempotent cleanup.

Suggested patch
-          rm website/markdown/docs/tools/generator/README.md
-          rm -r website/markdown/docs/tools/generator/jsdoc2md-handlebars
+          rm -f website/markdown/docs/tools/generator/README.md
+          rm -rf website/markdown/docs/tools/generator/jsdoc2md-handlebars
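Review bot: with `rm -f` and `rm -rf` the step also passes when the parent path is wrong, so a typo in website/markdown/docs/tools/generator would no longer fail the build and the cleanup would silently do nothing; keep the force flags but precede them with `test -d website/markdown/docs/tools/generator` so a missing parent directory is still an error.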
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/manual-netlify-build.yml around lines 33 - 34, Replace the
fragile rm commands in the workflow that remove README.md and the
jsdoc2md-handlebars directory with idempotent variants: use rm -f for the file
removal and rm -rf (or rm -rf for the directory) so the steps succeed even if
the targets are missing; update the two commands shown ("rm
website/markdown/docs/tools/generator/README.md" and "rm -r
website/markdown/docs/tools/generator/jsdoc2md-handlebars") to their
force/recursive-force equivalents to make the cleanup resilient.


Comment on line 4 of .github/workflows/pr-review-checklist.yml:

on:
pull_request_target:
pull_request:

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

For GitHub Actions triggered by pull_request from forks, are repository secrets available? Also, can GITHUB_TOKEN with pull-requests: write post PR comments in this context?

💡 Result:

Yes—when a workflow is triggered by pull_request from a fork, repository Actions secrets are not available to the workflow run; only the automatically-provided GITHUB_TOKEN is available, and it has reduced permissions by default in this context [1][2]. As for commenting on the PR: a workflow triggered by pull_request from a fork will get a GITHUB_TOKEN with write access limited by the fork security restrictions. In particular, GitHub documents that workflows triggered from a fork using the pull_request event have read-only permissions and have no access to secrets [2]. Therefore, you should not expect to be able to post PR comments using GITHUB_TOKEN with pull-requests: write in this exact forked pull_request context, even if you set permissions in the workflow—fork safety downgrades write permissions to read-only for pull request events from forks (except pull_request_target) [3][2]. If you need to comment, the typical safe approach is to use pull_request_target (runs in the base repo context and can access secrets / write token permissions) but it must be handled carefully because it executes in a more privileged context [2].


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/pr-review-checklist.yml"
echo "=== Lines 1-120 ==="
nl -ba "$FILE" | sed -n '1,120p'
echo
echo "=== Search for tokens/permissions ==="
rg -n "GH_TOKEN|GITHUB_TOKEN|pull_request_target|pull-requests: write|permissions:" "$FILE" || true

Repository: asyncapi/generator

Length of output: 143


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/pr-review-checklist.yml"

echo "=== Check file exists ==="
ls -la "$FILE"

echo
echo "=== Lines 1-140 ==="
awk '{printf "%6d:%s\n", NR, $0}' "$FILE" | sed -n '1,140p'

echo
echo "=== Search tokens/permissions ==="
rg -n "GH_TOKEN|GITHUB_TOKEN|pull_request_target|pull-requests: write|permissions:" "$FILE" || true

echo
echo "=== Search jobs/steps for comment posting ==="
rg -n "comment|issues\.createComment|pulls\.comments|octokit|actions/github-script|create-comment|rest\.issues|rest\.pulls" "$FILE" || true

Repository: asyncapi/generator

Length of output: 2148


Fix checklist posting for fork PRs (secrets token won’t be available).

The workflow runs on pull_request (line 4) but posts the comment using token: ${{ secrets.GH_TOKEN }} (line 30). For fork-origin PRs, repository secrets aren’t provided to pull_request runs, so this step can fail and the checklist won’t be posted for many external contributions. Use a fork-safe approach (typically pull_request_target, with careful handling of untrusted code) or split behavior so fork PRs don’t rely on repo secrets.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-review-checklist.yml at line 4, The workflow currently
triggers on pull_request and uses secrets.GH_TOKEN to post the checklist, which
fails for forked PRs; change the trigger to pull_request_target or split the
posting into a separate job that runs only for trusted contexts, and ensure any
steps that run untrusted PR code (e.g., actions/checkout of head ref or
test/build steps) are not executed under pull_request_target; specifically,
replace the trigger 'pull_request' with 'pull_request_target' or add logic to
run the checklist-posting step (the step that uses secrets.GH_TOKEN) only when
the event originates from the same repo or use a dedicated job that posts
comments while avoiding checking out PR code with elevated secrets.

Comment on lines +47 to 49 of .github/workflows/pr-testing-with-test-project.yml:

(github.actor == '46447321' &&
startsWith(github.event.pull_request.title, 'docs: add')
)

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify if 46447321 is a user ID and find the corresponding username
curl -s "https://api.github.com/user/46447321" | jq -r '.login // "User not found"'

Repository: asyncapi/generator

Length of output: 83


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/pr-testing-with-test-project.yml"
echo "== File = $FILE =="
echo "== Lines 35-75 =="
nl -ba "$FILE" | sed -n '35,75p'

echo
echo "== Search for github.actor == "
rg -n "github\.actor" "$FILE" || true

echo
echo "== Search for pull_request\.user\.id or actor-id like fields =="
rg -n "pull_request\.(user|author)\.id|\.user\.id|actor.*id|github\.event\.pull_request\..*id" "$FILE" || true

Repository: asyncapi/generator

Length of output: 205


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/pr-testing-with-test-project.yml"
echo "== File = $FILE =="
echo "== Lines 35-75 =="
python3 - <<PY
from pathlib import Path
p=Path("$FILE")
lines=p.read_text().splitlines()
for i in range(35, min(76, len(lines)+1)):
    print(f"{i:4d}: {lines[i-1]}")
PY

echo
echo "== Search for github.actor =="
rg -n "github\.actor" "$FILE" || true

echo
echo "== Search for pull_request.user.id/actor-id patterns =="
rg -n "pull_request\.(user|author)\.id|\.user\.id|actor.*id|github\.event\.pull_request\..*id" "$FILE" || true

Repository: asyncapi/generator

Length of output: 2482


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "== GitHub API for /user/46447321 =="
curl -s "https://api.github.com/user/46447321" | jq '{id,login,html_url,type}'
echo
echo "== Search workflow for 46447321 / allcontributors =="
FILE=".github/workflows/pr-testing-with-test-project.yml"
rg -n "46447321|allcontributors" "$FILE" || true

Repository: asyncapi/generator

Length of output: 328


🌐 Web query:

What does GitHub Actions context variable github.actor contain (login/username vs user id)?

💡 Result:

In GitHub Actions, the context variable github.actor contains the username/login (a string handle), not the user’s numeric ID. [1][2] If you need the account’s numeric ID, use github.actor_id (account ID of the person or app that triggered the initial workflow run). [1]


Fix github.actor == '46447321' condition (wrong context value).

github.actor is the actor login string, but 46447321 is a numeric account id (it maps to allcontributors[bot]). So this condition will never be true.
Use either github.actor == 'allcontributors[bot]' or github.actor_id == 46447321 at .github/workflows/pr-testing-with-test-project.yml lines 47-49.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-testing-with-test-project.yml around lines 47 - 49, The
condition currently compares github.actor to a numeric ID which will never
match; update the conditional expression in the workflow to either compare the
login string (github.actor == 'allcontributors[bot]') or use the numeric id
field (github.actor_id == 46447321) so the clause with
startsWith(github.event.pull_request.title, 'docs: add') can evaluate correctly;
modify the expression that references github.actor to use github.actor_id or
change the literal to 'allcontributors[bot]'.

Comment on lines +19 to +21 of .github/workflows/welcome-first-time-contrib.yml:

permissions:
issues: write # createComment on issues
pull_requests: write # createReview on PRs

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Invalid permission scope: pull_requests should be pull-requests.

The permission scope pull_requests on line 21 is invalid. GitHub Actions permission scopes use hyphens, not underscores. The correct scope is pull-requests.

This will cause the workflow to either fail validation or lack the required permissions to create PR reviews.

Proposed fix
     permissions:
       issues: write  # createComment on issues
-      pull_requests: write # createReview on PRs
+      pull-requests: write # createReview on PRs
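Review bot: the rename to `pull-requests` is correct, and the failure mode is worth spelling out: a `permissions:` map grants only the scopes it names, so even if the file were accepted the misspelt key would leave the createReview step with no pull-request scope at all. actionlint already flagged it (the 1.7.12 error quoted in this comment); running actionlint in CI would turn such typos into a failing check before merge instead of a review finding.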
🧰 Tools
🪛 actionlint (1.7.12)

[error] 21-21: unknown permission scope "pull_requests". all available permission scopes are "actions", "artifact-metadata", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "models", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses"

(permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/welcome-first-time-contrib.yml around lines 19 - 21, The
workflow permissions use an invalid scope name 'pull_requests'; update the
permissions mapping to replace the 'pull_requests' key with the correct GitHub
Actions scope 'pull-requests' so the permissions block (the permissions: mapping
containing 'issues: write' and the erroneous 'pull_requests: write') uses
'pull-requests: write' to allow PR review actions.


@Florence-Njeri Florence-Njeri requested a review from Copilot May 27, 2026 13:16

Copilot AI left a comment


Pull request overview

This PR hardens GitHub Actions workflows by pinning many actions to commit SHAs, reducing default token permissions, and replacing the previous Netlify preview workflow with a split build/deploy workflow.

Changes:

  • Pins many workflow actions to specific SHAs and adjusts checkout credential persistence.
  • Adds deny-by-default workflow permissions with job-level scopes in several workflows.
  • Replaces the Netlify docs preview workflow with separate pull request build and workflow-run deploy workflows.

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
.github/workflows/add-good-first-issue-labels.yml Pins github-script.
.github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml Pins github-script steps.
.github/workflows/automerge-for-humans-merging.yml Pins github-script steps.
.github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml Pins github-script.
.github/workflows/automerge-orphans.yml Pins checkout and github-script.
.github/workflows/automerge.yml Pins github-script.
.github/workflows/bounty-program-commands.yml Pins github-script steps.
.github/workflows/bump.yml Adds default-deny permissions and pins checkout.
.github/workflows/help-command.yml Pins github-script steps.
.github/workflows/if-nodejs-pr-testing.yml Pins checkout, setup-node, and shared node-version action.
.github/workflows/local-generate-files.yml Adds default-deny permissions, pins actions, and changes Slack notifier.
.github/workflows/manual-netlify-preview.yml Removes the previous combined Netlify preview workflow.
.github/workflows/manual-netlify-build.yml Adds pull request build workflow for docs preview artifacts.
.github/workflows/manual_netlify_preview.yml Adds workflow-run deploy workflow for Netlify preview comments.
.github/workflows/microgrant-program-commands.yml Pins github-script steps.
.github/workflows/notify-tsc-members-mention.yml Pins checkout, setup-node, and github-script steps.
.github/workflows/please-take-a-look-command.yml Pins github-script.
.github/workflows/pr-review-checklist.yml Changes trigger and permissions while pinning checkout.
.github/workflows/pr-testing-with-test-project.yml Adds reduced permissions and pins checkout/shared actions.
.github/workflows/release-announcements.yml Pins checkout and github-script.
.github/workflows/release-with-changesets.yml Adds reduced permissions, pins actions, and changes Slack notifier.
.github/workflows/transfer-issue.yml Pins checkout and github-script.
.github/workflows/update-docs-in-website.yml Hardens permissions, checkout credentials, and push behavior.
.github/workflows/update-docs-on-docs-commits.yml Pins checkout, setup-node, and shared node-version action.
.github/workflows/update-maintainers.yml Adds default-deny permissions, pins actions, updates Node, and hardens push flow.
.github/workflows/update-pr.yml Pins github-script steps.
.github/workflows/welcome-first-time-contrib.yml Adds job permissions and pins github-script.
Comments suppressed due to low confidence (3)

.github/workflows/release-with-changesets.yml:85

  • This switches to rtCamp/action-slack-notify but keeps the old 8398a7/action-slack inputs and SLACK_WEBHOOK_URL variable. The rtCamp action expects values such as SLACK_WEBHOOK and SLACK_MESSAGE in env, so this failure notification will not be sent until the configuration is migrated to that action's interface.
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        with:
          status: ${{ job.status }}
          fields: repo,action,workflow
          text: "Release workflow failed in testing job"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CI_FAIL_NOTIFY }}

.github/workflows/release-with-changesets.yml:153

  • This failure notification was changed to rtCamp/action-slack-notify but still uses the old action's with inputs and SLACK_WEBHOOK_URL env name. Migrate these values to the rtCamp action's expected env variables, for example SLACK_WEBHOOK and SLACK_MESSAGE, otherwise release-job failures will not notify Slack.
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        with:
          status: ${{ job.status }}
          fields: repo,action,workflow
          text: "Release workflow failed in release job"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CI_FAIL_NOTIFY }}

.github/workflows/local-generate-files.yml:58

  • This action was migrated to rtCamp/action-slack-notify, but the configuration is still for 8398a7/action-slack (with.status, with.fields, with.text, and SLACK_WEBHOOK_URL). Use the rtCamp action's env-based configuration such as SLACK_WEBHOOK and SLACK_MESSAGE; otherwise release asset-generation failures will not produce Slack notifications.
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        with:
          status: ${{ job.status }}
          fields: repo,action,workflow
          text: 'Unable to bump the version in package.json after the release'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CI_FAIL_NOTIFY }}
