ci: Replace third-party GitHub Actions with trusted alternatives

[mtrezza]

Summary

Replace untrusted third-party GitHub Actions with official alternatives to reduce supply chain attack surface.

Changes

• Replace crazy-max/ghaction-chocolatey with direct choco commands (pre-installed on Windows runners)

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflow configuration for dependency installation process.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[coderabbitai]

📝 Walkthrough

Walkthrough

The CI workflow's Chocolatey package installation step is refactored to use a direct shell command instead of a GitHub Action wrapper, while maintaining installation of the same packages.

Changes

Cohort / File(s)	Summary
CI Workflow Configuration .github/workflows/ci.yml	Replaced crazy-max/ghaction-chocolatey@v1 GitHub Action with direct choco install shell command for installing opencover.portable and codecov packages.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Engage In Review Feedback	❓ Inconclusive	The custom check requires verification of GitHub pull request review feedback engagement, which exists outside the git repository in GitHub's PR system.	Manually navigate to the pull request on GitHub at #424 and review the Conversation tab for reviewer comments and author responses.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title correctly uses the 'ci:' prefix and accurately describes the main change: replacing a third-party GitHub Action with a direct shell command.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check	✅ Passed	The PR replaces a third-party GitHub Action with a direct choco install command containing hardcoded package names, no command injection risks, proper secret handling, and reduces supply chain attack surface.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 actionlint (1.7.12)

.github/workflows/ci.yml

could not read ".github/workflows/ci.yml": open .github/workflows/ci.yml: no such file or directory

🔧 YAMLlint (1.38.0)

.github/workflows/ci.yml

[Errno 2] No such file or directory: '.github/workflows/ci.yml'

🔧 Checkov (3.2.513)

.github/workflows/ci.yml

2026-04-04 18:14:19,244 [MainThread ] [ERROR] Template file not found: .github/workflows/ci.yml
2026-04-04 18:14:19,252 [MainThread ] [ERROR] Template file not found: .github/workflows/ci.yml
2026-04-04 18:14:19,283 [MainThread ] [ERROR] Template file not found: .github/workflows/ci.yml
2026-04-04 18:14:19,298 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with .github/workflows/ci.yml
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/us

... [truncated 8994 characters] ...

[Errno 2] No such file or directory: '.github/workflows/ci.yml'
2026-04-04 18:14:19,328 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: '.github/workflows/ci.yml'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

38-38: Consider removing the unused codecov Chocolatey package.

The codecov CLI is installed via Chocolatey, but the workflow uses codecov/codecov-action@v4 (lines 45-48) which bundles its own uploader. The Chocolatey codecov package appears unused.

-      run: choco install opencover.portable codecov -y
+      run: choco install opencover.portable -y

Also applies to: 44-48

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 38, Remove the unused Chocolatey "codecov"
package from the choco install command(s): replace "choco install
opencover.portable codecov -y" with just "choco install opencover.portable -y"
(apply the same change to any duplicate install steps), since the workflow
already uses the bundled uploader via the "codecov/codecov-action@v4" action;
keep opencover.portable and ensure no other steps rely on the chocolatey codecov
binary.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 38: Remove the unused Chocolatey "codecov" package from the choco install
command(s): replace "choco install opencover.portable codecov -y" with just
"choco install opencover.portable -y" (apply the same change to any duplicate
install steps), since the workflow already uses the bundled uploader via the
"codecov/codecov-action@v4" action; keep opencover.portable and ensure no other
steps rely on the chocolatey codecov binary.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 078e68c8-848f-4dfb-b717-0cc57f2dad31

📥 Commits

Reviewing files that changed from the base of the PR and between 6c2750a and 21de36c.

📒 Files selected for processing (1)

• .github/workflows/ci.yml