fix(release): merge develop into main #220

Merged
bedatty merged 6 commits into main from develop, Apr 14, 2026

Conversation

@bedatty (Contributor) commented Apr 14, 2026

Lerian

GitHub Actions Shared Workflows


Description

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions to specific commit SHAs for enhanced security and stability.
    • Improved runtime detection of test framework versions to ensure correct coverage reporting command format.
    • Refactored workflow variable handling for better clarity and consistency in CI/CD pipeline execution.

bedatty and others added 6 commits April 14, 2026 15:23

…r flag compatibility

Vitest 3 removed --coverageReporters CLI flag. Detect the installed
Vitest major version at runtime and use --coverage.reporter (dot
notation) for v3+, keeping --coverageReporters for Jest and Vitest 2.

Closes #215

- Pin all external actions by SHA (checkout, setup-node, upload-artifact,
  download-artifact, github-script)
- Quote $GITHUB_OUTPUT to satisfy SC2086
- Replace $? check with direct exit code test to satisfy SC2181
- Quote $BASE_SHA, $HEAD_SHA, $PREV_COMMIT variables
- Group GITHUB_OUTPUT writes with { } >> to satisfy SC2129
- Quote $GITHUB_STEP_SUMMARY to satisfy SC2086

…ions to env vars

Move ${{ }} expressions out of run: blocks into env: mappings to prevent
potential code injection via user-controlled inputs (github.base_ref,
matrix.app.name, coverage outputs, inputs.coverage_threshold).

Resolves all 7 CodeQL code-injection/medium findings.

…er-flag

fix(frontend-pr-analysis): detect vitest version for coverage reporter flag
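As an added example (not the repository's workflow code), the version check the first commit above describes, written as a stand-alone shell helper: it reads the Vitest major version from node_modules and picks the reporter flag accordingly. The project root argument, the json-summary reporter value and the sample package.json files are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repository's workflow code. Assumes the project
# root is passed as $1 and that an installed Vitest lives at
# node_modules/vitest/package.json; the json-summary reporter is assumed.
set -eu

# Print the installed Vitest major version, or 0 when Vitest is absent.
vitest_major() {
  pkg="$1/node_modules/vitest/package.json"
  if [ ! -f "$pkg" ]; then
    echo 0
    return 0
  fi
  # Pull the major number out of "version": "3.1.2" without needing jq or node.
  major=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([0-9][0-9]*\)\..*/\1/p' "$pkg" | head -n 1)
  echo "${major:-0}"
}

# Emit the reporter flag the test runner understands: Vitest 3 dropped
# --coverageReporters, so v3+ gets dot notation; Jest and Vitest 2 keep the
# old flag. The output is meant to be appended to the test command.
coverage_flag() {
  if [ "$(vitest_major "$1")" -ge 3 ]; then
    echo "--coverage.reporter=json-summary"
  else
    echo "--coverageReporters=json-summary"
  fi
}

# Constructed sample projects so the script runs stand-alone.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/v3/node_modules/vitest" "$tmp/v2/node_modules/vitest" "$tmp/jest"
  printf '{"name":"vitest","version":"3.1.2"}\n' > "$tmp/v3/node_modules/vitest/package.json"
  printf '{"name":"vitest","version":"2.1.9"}\n' > "$tmp/v2/node_modules/vitest/package.json"
  for p in v3 v2 jest; do
    printf '%s -> %s\n' "$p" "$(coverage_flag "$tmp/$p")"
  done
  rm -rf "$tmp"
}
demo
```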
@bedatty bedatty self-assigned this Apr 14, 2026
@bedatty bedatty requested a review from a team as a code owner April 14, 2026 20:12
@coderabbitai bot commented Apr 14, 2026

Walkthrough

Pinned GitHub Actions to commit SHAs for security hardening and refactored the frontend PR analysis workflow to use environment variables for changed file detection, added runtime Vitest version detection for coverage flag formatting, and consolidated coverage output writing into a single shell block.

Changes

Cohort / File(s): Summary

GitHub Actions pinning (.github/workflows/frontend-pr-analysis.yml)
  Replaced version tags (@v6, @v7, @v8) with commit SHAs for actions/checkout, actions/setup-node, actions/upload-artifact, actions/download-artifact, and actions/github-script.

Changed files detection refactoring (.github/workflows/frontend-pr-analysis.yml)
  Moved GitHub context values to environment variables (EVENT_NAME, PR_BASE_SHA, PR_HEAD_SHA, BASE_REF, EVENT_BEFORE, CURRENT_SHA) and simplified diff logic with consistent PR/non-PR branching using quoted shell variables instead of inline expressions.

Coverage test command logic (.github/workflows/frontend-pr-analysis.yml)
  Added runtime detection of Vitest major version to conditionally select coverage flag format: --coverage.reporter=... for Vitest ≥3, otherwise --coverageReporters...; applies to yarn test, pnpm test, and npm test invocations.

Coverage output handling (.github/workflows/frontend-pr-analysis.yml)
  Consolidated coverage output appending into a single shell block using grouped key/value echoes to $GITHUB_OUTPUT; moved interpolated expressions to environment variables (COVERAGE, THRESHOLD, per-metric coverage vars) in subsequent echo and error formatting steps.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested labels

workflow, security

🚥 Pre-merge checks: ✅ 1 passed, ❌ 2 not passed

❌ Failed checks (1 warning, 1 inconclusive)

Title check (⚠️ Warning)
  Explanation: The title 'fix(release): merge develop into main' does not match the actual changeset, which updates GitHub Actions workflow configuration with security hardening and Vitest detection logic.
  Resolution: Revise the title to reflect the primary changes: something like 'fix: pin GitHub Actions to SHAs and refactor coverage detection' or 'fix: harden workflow security and detect Vitest version at runtime'.

Description check (❓ Inconclusive)
  Explanation: The description is partially complete but lacks critical detail: the 'Description' section is empty (no summary of changes or affected workflows), and the 'Caller repo / workflow run' validation link is missing despite testing claims.
  Resolution: Fill the Description section with specifics on which workflows were changed and what behavior improvements were made. Provide the caller repo/workflow run link to substantiate the testing claims.

✅ Passed checks (1 passed)

Docstring Coverage (✅ Passed)
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@lerian-studio lerian-studio added labels Apr 14, 2026: size/S (PR changes 50–199 lines), workflow (Changes to one or more reusable workflow files), typescript (Changes to TypeScript or Frontend workflows)

@lerian-studio

🔍 Lint Analysis

Check                 Files Scanned   Status
YAML Lint             1 file(s)       ✅ success
Action Lint           1 file(s)       ✅ success
Pinned Actions        1 file(s)       ✅ success
Markdown Link Check   no changes      ⏭️ skipped
Spelling Check        1 file(s)       ✅ success
Shell Check           1 file(s)       ✅ success
README Check          1 file(s)       ✅ success
Composite Schema      no changes      ⏭️ skipped

@lerian-studio

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.



@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/frontend-pr-analysis.yml (1)

137-140: 🧹 Nitpick | 🔵 Trivial

Consider env mapping for consistency.

These lines still interpolate ${{ }} directly in the run block. While step outputs and workflow inputs are generally trusted (unlike PR titles/branch names), mapping them through env: would maintain consistency with the refactored pattern in the previous step.

Not a security issue since steps.changed.outputs.files and inputs.* are controlled sources, but consider for uniformity.

♻️ Optional: Use env mapping
       - name: Build matrix from changed paths
         id: set-matrix
         shell: bash
+        env:
+          FILES: ${{ steps.changed.outputs.files }}
+          FILTER_PATHS: ${{ inputs.filter_paths }}
+          PATH_LEVEL: ${{ inputs.path_level }}
+          APP_NAME_PREFIX: ${{ inputs.app_name_prefix }}
         run: |
-          FILES="${{ steps.changed.outputs.files }}"
-          FILTER_PATHS='${{ inputs.filter_paths }}'
-          PATH_LEVEL="${{ inputs.path_level }}"
-          APP_NAME_PREFIX="${{ inputs.app_name_prefix }}"
+          # Variables now come from env block
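Review bot: this suggestion deserves more than "optional for uniformity" status, because the "trusted source" premise for FILES is shaky: steps.changed.outputs.files is the list produced by the changed-files detection step from the PR's git diff, and those file paths are chosen by whoever opened the PR, so the removed line `FILES="${{ steps.changed.outputs.files }}"` interpolates PR-author-controlled text straight into the script, the same pattern the earlier commits moved into env: for github.base_ref and matrix.app.name. The single-quoted `FILTER_PATHS='${{ inputs.filter_paths }}'` also hints that the value can contain shell metacharacters; the env: mapping handles that without quoting tricks, as long as the rest of the run block keeps referencing "$FILES", "$FILTER_PATHS", "$PATH_LEVEL" and "$APP_NAME_PREFIX" double-quoted. Suggest applying the hunk and dropping the `# Variables now come from env block` comment, which restates what the env: block already shows.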
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/frontend-pr-analysis.yml around lines 137 - 140, Map the
workflow inputs and step outputs through the step's env block instead of
interpolating ${...} directly in the run block: define environment variables
FILES, FILTER_PATHS, PATH_LEVEL, and APP_NAME_PREFIX using
steps.changed.outputs.files and inputs.filter_paths / inputs.path_level /
inputs.app_name_prefix in the step's env:, then reference those env vars (e.g.,
$FILES, $FILTER_PATHS, $PATH_LEVEL, $APP_NAME_PREFIX) inside the run script to
match the refactored pattern and keep usage consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2e7e55d5-1f51-4f19-bcfb-9709ba05f2cc

📥 Commits

Reviewing files that changed from the base of the PR and between 8439c02 and f5cc607.

📒 Files selected for processing (1)
  • .github/workflows/frontend-pr-analysis.yml

@bedatty bedatty merged commit 05d3850 into main Apr 14, 2026
21 checks passed