
ci: Replace third-party GitHub Actions with trusted alternatives#521

Merged

mtrezza merged 1 commit into parse-community:master from mtrezza:ci/replace-third-party-actions on Apr 4, 2026

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Apr 4, 2026

Summary

Replace untrusted third-party GitHub Actions with official alternatives to reduce supply chain attack surface.

Changes

  • Replace mansona/npm-lockfile-version with inline lockfile version check
  • Replace peaceiris/actions-gh-pages with official actions/configure-pages + actions/upload-pages-artifact + actions/deploy-pages pipeline

Note

The repository Pages source setting must be changed to "GitHub Actions" in Settings > Pages.

Summary by CodeRabbit

  • Chores
    • Enhanced CI workflow validation for package dependencies
    • Modernized documentation deployment using official GitHub Pages infrastructure

@parse-github-assistant

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@coderabbitai

coderabbitai bot commented Apr 4, 2026

📝 Walkthrough


Three GitHub Actions workflows updated: npm lockfile version checking now uses an inline shell script instead of a third-party action; documentation publishing migrated from peaceiris/actions-gh-pages to GitHub's official Pages deployment pipeline with explicit permissions and environment configuration.

Changes

Cohort / File(s) and summary of changes:

  • Lockfile Version Check (.github/workflows/ci.yml): Replaced the mansona/npm-lockfile-version@v1 action with an inline Node.js shell script that reads and validates lockfileVersion from package-lock.json, emitting a GitHub Actions error annotation on mismatch.
  • GitHub Pages Migration (.github/workflows/release-automated.yml, .github/workflows/release-manual-docs.yml): Migrated documentation publishing from peaceiris/actions-gh-pages@v3.7.3 to GitHub's official Pages pipeline (actions/configure-pages, actions/upload-pages-artifact, actions/deploy-pages) with explicit job permissions (pages: write, id-token: write) and github-pages environment configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check: ⚠️ Warning. PR description is missing required sections from template: vulnerability disclosure checklist, issue reference, and pre-merge TODOs (tests, documentation, changelog). Resolution: add the complete PR checklist including vulnerability statement, issue reference (Closes: #...), and pre-merge TODOs from the repository template.
  • Engage In Review Feedback: ❓ Inconclusive. Cannot verify user engagement with PR review feedback because GitHub PR review comments and discussion threads are not accessible in the git repository. Resolution: review the PR directly on GitHub at #521 to verify engagement with review feedback.
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. PR title follows required format with 'ci:' prefix and clearly describes the main change: replacing third-party GitHub Actions with trusted alternatives.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Security Check: ✅ Passed. PR enhances security by replacing third-party GitHub Actions with official GitHub-maintained alternatives, implements least-privilege permissions, uses pinned action versions, and introduces a secure inline script without injection vulnerabilities.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 actionlint (1.7.12)
.github/workflows/ci.yml

could not read ".github/workflows/ci.yml": open .github/workflows/ci.yml: no such file or directory

.github/workflows/release-automated.yml

could not read ".github/workflows/release-automated.yml": open .github/workflows/release-automated.yml: no such file or directory

.github/workflows/release-manual-docs.yml

could not read ".github/workflows/release-manual-docs.yml": open .github/workflows/release-manual-docs.yml: no such file or directory

🔧 YAMLlint (1.38.0)
.github/workflows/ci.yml

[Errno 2] No such file or directory: '.github/workflows/ci.yml'

.github/workflows/release-automated.yml

[Errno 2] No such file or directory: '.github/workflows/release-automated.yml'

.github/workflows/release-manual-docs.yml

[Errno 2] No such file or directory: '.github/workflows/release-manual-docs.yml'

🔧 Checkov (3.2.513)
.github/workflows/release-manual-docs.yml

2026-04-04 18:27:54,612 [MainThread ] [ERROR] Template file not found: .github/workflows/release-manual-docs.yml
2026-04-04 18:27:54,632 [MainThread ] [ERROR] Template file not found: .github/workflows/release-manual-docs.yml
2026-04-04 18:27:54,683 [MainThread ] [ERROR] Template file not found: .github/workflows/release-manual-docs.yml
2026-04-04 18:27:54,710 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with .github/workflows/release-manual-docs.yml
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)

... [truncated 9283 characters] ...

file .github/workflows/release-manual-docs.yml
2026-04-04 18:27:54,872 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: '.github/workflows/release-manual-docs.yml'

.github/workflows/ci.yml

2026-04-04 18:27:54,661 [MainThread ] [ERROR] Template file not found: .github/workflows/ci.yml
2026-04-04 18:27:54,665 [MainThread ] [ERROR] Template file not found: .github/workflows/ci.yml
2026-04-04 18:27:54,751 [MainThread ] [ERROR] Template file not found: .github/workflows/ci.yml
2026-04-04 18:27:54,748 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with .github/workflows/ci.yml
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)
^^^^^^^^^^^^^^^^^^^
File "/us

... [truncated 8994 characters] ...

Secret scanning: could not process file .github/workflows/ci.yml
2026-04-04 18:27:54,880 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: '.github/workflows/ci.yml'

.github/workflows/release-automated.yml

2026-04-04 18:27:54,611 [MainThread ] [ERROR] Template file not found: .github/workflows/release-automated.yml
2026-04-04 18:27:54,618 [MainThread ] [ERROR] Template file not found: .github/workflows/release-automated.yml
2026-04-04 18:27:54,669 [MainThread ] [ERROR] Template file not found: .github/workflows/release-automated.yml
2026-04-04 18:27:54,722 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with .github/workflows/release-automated.yml
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)

... [truncated 9249 characters] ...

cess file .github/workflows/release-automated.yml
2026-04-04 18:27:54,872 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: '.github/workflows/release-automated.yml'




@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (2)
.github/workflows/release-automated.yml (1)

33-35: Include contents: read in job permissions.

This job checks out source at Line 40; adding contents: read makes permission scope explicit and avoids token-related checkout surprises.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-automated.yml around lines 33 - 35, The
permissions block in the workflow currently grants only pages: write and
id-token: write; add an explicit contents: read permission to the same
permissions map so the checkout step (uses: actions/checkout) can reliably read
repository files. Update the permissions section to include contents: read
alongside pages and id-token to make the token scope explicit and prevent
checkout-related token errors.
.github/workflows/release-manual-docs.yml (1)

16-18: Add contents: read to the job permissions.

The GitHub Actions official documentation for actions/checkout explicitly recommends this permission when job-level permissions are explicitly set. This ensures proper functionality and follows security best practices.

Suggested patch
     permissions:
+      contents: read
       pages: write
       id-token: write
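Review bot: the added `contents: read` line is the right fix, because a job-level permissions block sets every scope it does not list to none, so the checkout step in this job currently runs with no explicit read grant. The same one-line addition is needed in the permissions block of release-automated.yml (the finding at lines 33-35 above) so that both deploy jobs end up with the identical least-privilege set: contents: read, pages: write, id-token: write.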
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-manual-docs.yml around lines 16 - 18, The
job-level permissions block currently lists pages: write and id-token: write but
is missing contents: read; update the permissions map by adding contents: read
alongside pages and id-token so the actions/checkout action works correctly when
job permissions are explicitly set—ensure the keys permissions, pages, id-token
and contents are present in the same permissions block.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 56af0766-c2a9-48cb-8437-dd6396c1074e

📥 Commits

Reviewing files that changed from the base of the PR and between 081690d and ee71465.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/release-automated.yml
  • .github/workflows/release-manual-docs.yml
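To show how the two changes from the PR description (the inline lockfile check replacing mansona/npm-lockfile-version, and the official Pages pipeline replacing peaceiris/actions-gh-pages) fit together with the reviewer's `contents: read` suggestion, here is an added example workflow. It is not code from the parse-community repository or from this PR. The workflow and job names, the `npm run docs` build command, the `./docs` output directory, the Node version and the expected lockfile version of 3 are assumptions.

```yaml
name: ci-and-docs   # added example, not the repository's own workflow

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default: no scopes at all. Each job states exactly what it needs.
permissions: {}

jobs:
  lockfile-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # required by actions/checkout once job-level permissions are set
    steps:
      - uses: actions/checkout@v4
      # Inline replacement for the third-party lockfile-version action.
      # The expected value reaches the script through an environment variable
      # rather than ${{ }} interpolation, so no workflow input is spliced into shell code.
      - name: Check package-lock.json lockfileVersion
        env:
          EXPECTED_LOCKFILE_VERSION: "3"   # assumption: the project uses npm lockfile v3
        run: |
          actual="$(node -p "require('./package-lock.json').lockfileVersion")"
          if [ "$actual" != "$EXPECTED_LOCKFILE_VERSION" ]; then
            # ::error:: makes the failure show up as an annotation on the PR
            echo "::error file=package-lock.json::lockfileVersion is $actual, expected $EXPECTED_LOCKFILE_VERSION"
            exit 1
          fi
          echo "lockfileVersion $actual OK"

  docs:
    runs-on: ubuntu-latest
    needs: lockfile-check
    if: github.event_name == 'push'   # publish only from master, never from a PR
    # Replaces peaceiris/actions-gh-pages. No deploy key or personal token is involved:
    # actions/deploy-pages authenticates with an OIDC token, which is why id-token: write is needed.
    permissions:
      contents: read   # checkout
      pages: write     # publish the artifact
      id-token: write  # mint the OIDC token used by deploy-pages
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm run docs   # assumption: writes the generated site to ./docs
      - uses: actions/configure-pages@v5
      - uses: actions/upload-pages-artifact@v3
        with:
          path: ./docs
      - id: deployment
        uses: actions/deploy-pages@v4
```

As the PR note says, this pipeline only works once the repository's Pages source is set to "GitHub Actions" under Settings > Pages; with the legacy branch-based source, deploy-pages has nothing to publish to. The actions above are referenced by major-version tag; pinning each `uses:` to a full commit SHA instead of a tag gives a stronger supply-chain guarantee, since a tag can be moved while a SHA cannot.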

@mtrezza mtrezza merged commit 39c07f1 into parse-community:master Apr 4, 2026
3 of 7 checks passed


1 participant