
Conversation

@PastaPastaPasta
Member

Issue being fixed or feature implemented

We should lint our actions

What was done?

Implement linter, fix some issues it identified. None of the issues fixed seem to be exploitable or true issues, more just smells.

How Has This Been Tested?

Ran linter

Breaking Changes

Checklist:

Go over all the following points, and put an x in all the boxes that apply.

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation
  • I have assigned this pull request to a milestone (for repository code-owners and collaborators only)

PastaPastaPasta and others added 4 commits November 28, 2025 09:32
Move all ${{ }} expressions from run: script bodies to env: blocks.
This prevents potential script injection attacks by ensuring that
expression values are passed as environment variables rather than
being interpolated directly into shell scripts.

While most of these expressions come from trusted sources (workflow_call
inputs with hardcoded values, step outputs, safe github context fields),
this change provides structural safety as a defense-in-depth measure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
- Add persist-credentials: false to all checkout actions to prevent
  credential persistence in .git/config (artipacked vulnerability)
- Add explicit minimal permissions blocks to workflows that were using
  defaults (clang-diff-format, prevent-master-pr, release_docker_hub,
  semantic-pull-request)
- Scope permissions to job level in guix-build.yml where possible
  (build-image needs packages:write, build needs id-token/attestations)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Add lint-github-actions.py to check workflows for security issues using
zizmor. The linter:

- Checks for template injection, dangerous triggers, excessive
  permissions, credential persistence, and other security issues
- Skips gracefully if zizmor is not installed
- Disables unpinned-uses and unpinned-images audits (not a priority)
- Ignores specific findings that are intentional or false positives:
  - dangerous-triggers: pull_request_target used with proper safeguards
  - template-injection: workflow_call inputs from hardcoded callers
  - excessive-permissions: required for reusable workflow architecture

Install zizmor with: pip install zizmor

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Install zizmor==1.17.0 in the CI container so lint-github-actions.py
can run as part of the lint suite.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
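Added worked example (not code from this PR or from the dash repository) of the injection the first commit message guards against. GitHub expands `${{ }}` textually before the shell is started, so an attacker-controlled value such as a PR title can close a quoted string and append commands; the same value passed through an `env:` block never changes the script text. `MALICIOUS_TITLE`, `vulnerable_step` and `hardened_step` are constructed for the example, and `expand_expressions` is a deliberately simplified model of the runner's expansion (a flat mapping of expression text to value), not GitHub's implementation.

```python
import os
import re
import subprocess
from typing import Optional

# Constructed attacker-controlled PR title: closes the open double quote, runs a
# command of its own, then comments out the rest of the line.
MALICIOUS_TITLE = '"; echo INJECTED; #'

# ${{ expr }} as it appears in workflow text.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")


def expand_expressions(script: str, context: dict) -> str:
    """Simplified model of the runner (an assumption for this example): every
    ${{ expr }} in the step body is replaced textually before sh sees it.
    `context` maps expression text to its value."""
    def substitute(match: "re.Match") -> str:
        expr = match.group(1)
        if expr not in context:
            raise KeyError(f"unknown expression: {expr}")
        return context[expr]
    return EXPR_RE.sub(substitute, script)


def run_step(script: str, extra_env: Optional[dict] = None) -> str:
    """Run a step body the way `run:` does: hand the text to sh. `extra_env`
    models the step's `env:` block."""
    env = dict(os.environ)
    env.update(extra_env or {})
    result = subprocess.run(["sh", "-c", script], env=env,
                            capture_output=True, text=True, check=False)
    return result.stdout


def vulnerable_step(title: str) -> str:
    # Workflow form:  run: echo "PR title: ${{ github.event.pull_request.title }}"
    script = 'echo "PR title: ${{ github.event.pull_request.title }}"'
    expanded = expand_expressions(script, {"github.event.pull_request.title": title})
    # The attacker's text is now part of the program, not data.
    return run_step(expanded)


def hardened_step(title: str) -> str:
    # Workflow form:  env:
    #                   TITLE: ${{ github.event.pull_request.title }}
    #                 run: echo "PR title: $TITLE"
    script = 'echo "PR title: $TITLE"'
    # The script text is constant; the value only ever travels as a variable.
    return run_step(script, {"TITLE": title})


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_step(MALICIOUS_TITLE)))
    print("hardened:  ", repr(hardened_step(MALICIOUS_TITLE)))
```

The vulnerable form prints two lines, the second being the output of the injected command; the hardened form prints the title verbatim, payload and all, because `sh` never re-parses the value of `$TITLE` inside double quotes.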
@PastaPastaPasta PastaPastaPasta added this to the 23.1 milestone Nov 28, 2025
@github-actions

github-actions bot commented Nov 28, 2025

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

@coderabbitai

coderabbitai bot commented Nov 28, 2025

Walkthrough

Multiple GitHub Actions workflows were modified to reduce credential exposure (many Checkout steps set persist-credentials: false), add explicit workflow or per-job permissions, and centralize GitHub context access by exporting context values into step-level environment variables (e.g., EVENT_NAME, REF_NAME, PR_BASE_SHA, COMMIT_SHA, GITHUB_REPOSITORY_LC). Several steps were refactored to read and pass BUILD_TARGET and other values via env instead of in-script exports. A new Python linter test/lint/lint-github-actions.py using zizmor was added and zizmor==1.17.0 was added to the CI container. No public API changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Inspect the new linter script test/lint/lint-github-actions.py for generated zizmor config correctness, handling when zizmor is missing, and exit-code semantics.
  • Verify the Dockerfile change (zizmor==1.17.0) matches the linter requirements.
  • Check new/renamed workflow envs and outputs (e.g., GITHUB_REPOSITORY_LC, image-tag, repo-name, BUILD_TARGET, PR_BASE_SHA) are correctly produced and consumed across jobs.
  • Confirm persist-credentials: false and new permissions blocks do not break steps that relied on persisted credentials.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main changes: implementing a GitHub Actions linter and resolving associated warnings, which aligns with the changeset modifications across workflow files and the new lint script.
Description check ✅ Passed The description directly relates to the changeset by explaining the goal (linting GitHub Actions), the approach (implementing linter and fixing identified issues), and testing methodology, which matches the modifications in the workflows and new lint script.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 504580b and d8a1265.

📒 Files selected for processing (2)
  • test/lint/lint-github-actions.py (1 hunks)
  • test/util/data/non-backported.txt (1 hunks)
🧰 Additional context used
🧠 Learnings (12)
📚 Learning: 2025-08-11T17:16:36.654Z
Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6804
File: src/qt/proposalwizard.cpp:40-42
Timestamp: 2025-08-11T17:16:36.654Z
Learning: In the Dash repository, when a PR adds new files that are not from Bitcoin backports, these files must be added to the list in test/util/data/non-backported.txt. This applies to newly created files like qt/proposalwizard.{h,cpp} and forms/proposalwizard.ui. Limited exemptions may exist for subtrees and similar cases.

Applied to files:

  • test/util/data/non-backported.txt
  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/coinjoin/**/*.{cpp,h} : CoinJoin implementation must use masternode-coordinated mixing sessions with uniform denomination outputs

Applied to files:

  • test/util/data/non-backported.txt
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/{validation,txmempool}/**/*.{cpp,h} : Block validation and mempool handling must use extensions to Bitcoin Core mechanisms for special transaction validation and enhanced transaction relay

Applied to files:

  • test/util/data/non-backported.txt
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/{crc32c,dashbls,gsl,immer,leveldb,minisketch,secp256k1,univalue,crypto/{ctaes,x11}}/** : Do not make changes to vendored dependencies: src/{crc32c,dashbls,gsl,immer,leveldb,minisketch,secp256k1,univalue} or src/crypto/{ctaes,x11}

Applied to files:

  • test/util/data/non-backported.txt
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Always run linting before commits using test/lint/all-lint.py

Applied to files:

  • test/util/data/non-backported.txt
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/{masternode,evo,llmq,governance,coinjoin}/**/*.{cpp,h} : Use Dash-specific database implementations: CFlatDB for persistent storage (MasternodeMetaStore, GovernanceStore, SporkStore, NetFulfilledRequestStore) and CDBWrapper extensions for Evolution/DKG/InstantSend/Quorum/RecoveredSigs data

Applied to files:

  • test/util/data/non-backported.txt
  • test/lint/lint-github-actions.py
📚 Learning: 2025-08-08T04:30:37.971Z
Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6804
File: src/qt/proposalwizard.cpp:0-0
Timestamp: 2025-08-08T04:30:37.971Z
Learning: In the Dash codebase, direct RPC calling has been removed in recent commits, making suggestions about RPC command validation and error handling for direct RPC calls obsolete. The ProposalWizard and related components no longer use direct RPC calling patterns.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-10-05T20:38:28.457Z
Learnt from: knst
Repo: dashpay/dash PR: 6871
File: contrib/guix/libexec/build.sh:358-360
Timestamp: 2025-10-05T20:38:28.457Z
Learning: In the Dash repository, when backporting code from Bitcoin Core, typos and minor issues in comments should be kept as-is to reduce merge conflicts in future backports, even if they remain unfixed in Bitcoin Core's master branch.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-04T18:24:27.241Z
Learnt from: UdjinM6
Repo: dashpay/dash PR: 6933
File: src/llmq/utils.cpp:284-298
Timestamp: 2025-11-04T18:24:27.241Z
Learning: In consensus-critical code (such as quorum formation, block validation, or deployment activation logic), do not suggest changes to the logic itself even if the implementation appears theoretically incorrect or off-by-one. Consensus rules, once deployed on the Dash network, must be preserved exactly to avoid network forks. Refactoring PRs should maintain perfect behavioral equivalence. Only suggest logic changes if explicitly accompanied by a DIP (Dash Improvement Proposal) or if the maintainer indicates the consensus rule needs to be changed with appropriate activation logic.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-07-23T09:30:34.631Z
Learnt from: kwvg
Repo: dashpay/dash PR: 6761
File: src/chainlock/signing.h:5-6
Timestamp: 2025-07-23T09:30:34.631Z
Learning: Dash Core uses BITCOIN_ prefix for header guards as the standard convention, inherited from Bitcoin Core. Only a few BLS-specific files in src/bls/ use DASH_ prefix. The vast majority of files (385+) use BITCOIN_ prefix.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Dash extends Bitcoin Core through composition with minimal changes to the Bitcoin Core foundation

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/**/*.{cpp,h,hpp,cc} : Dash Core implementation must be written in C++20, requiring at least Clang 16 or GCC 11.1

Applied to files:

  • test/lint/lint-github-actions.py
🪛 Ruff (0.14.6)
test/lint/lint-github-actions.py

53-53: Starting a process with a partial executable path

(S607)


102-102: subprocess call: check for execution of untrusted input

(S603)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: linux64_tsan-build / Build source
  • GitHub Check: x86_64-w64-mingw32 / Build depends
  • GitHub Check: x86_64-pc-linux-gnu_nowallet / Build depends
  • GitHub Check: x86_64-pc-linux-gnu / Build depends
  • GitHub Check: arm-linux-gnueabihf / Build depends
  • GitHub Check: x86_64-apple-darwin / Build depends
  • GitHub Check: Lint / Run linters
🔇 Additional comments (2)
test/util/data/non-backported.txt (1)

64-64: Correctly registered new non‑backported test file.

Adding test/lint/lint-github-actions.py here matches the project convention for Dash‑specific, non‑Bitcoin‑backport files and keeps backport tracking accurate.

Based on learnings, this is the expected workflow for new non‑backported files.

test/lint/lint-github-actions.py (1)

50-57: Subprocess security checks S603/S607 look acceptable here; hardening is optional.

Both subprocess calls:

  • ['zizmor', '--version'] in check_zizmor_install, and
  • zizmor_cmd = ['zizmor', '--config', config_path, '.github/workflows/'] in main()

use fixed arguments with no user-, PR-, or GitHub-controlled input, and shell=False. In this CI-oriented, controlled environment, that means:

  • The S603 warning (“check for execution of untrusted input”) is effectively a false positive with the current code.
  • The S607 warning (“partial executable path”) is low risk; relying on PATH is reasonable here.

I’d keep this as-is, with the caveat that if you later add dynamic arguments derived from workflow content or environment, you should re-evaluate S603. If you want to satisfy S607 more strictly, an optional follow-up would be to either:

  • Resolve zizmor to an absolute path (e.g., via shutil.which) before use, or
  • If supported by your installed zizmor version, invoke it as a module ([sys.executable, '-m', 'zizmor', ...]) instead of a bare executable.

Also applies to: 101-103


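Added example, not the PR's own test/lint/lint-github-actions.py (which delegates to zizmor): a small line-based auditor that reimplements three of the checks the linter commit lists, so the reader can see what each finding keys on. It reports `${{ }}` expressions inside `run:` bodies (zizmor's template-injection), `actions/checkout` steps without `persist-credentials: false` (artipacked), and workflows with no top-level `permissions:` block or with `write-all` (excessive-permissions). It works on raw workflow text so it needs no YAML library, and it is deliberately narrower than zizmor (no pull_request_target analysis, no per-job permissions). The `BEFORE` and `AFTER` workflows are constructed for this example and mirror the kind of change the PR makes.

```python
import re

EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")          # ${{ expr }}
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")       # a `run:` key, dash optional
ITEM_RE = re.compile(r"^(\s*)-\s+\S")                     # start of a YAML list item
CHECKOUT_RE = re.compile(r"uses:\s*(actions/checkout@\S+)")
NO_PERSIST_RE = re.compile(r"persist-credentials:\s*false\b")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_run_expressions(lines):
    """template-injection: ${{ }} inside a run: script (inline or block scalar)."""
    findings, i = [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, value = _indent(lines[i]), m.group(2)
        if value.startswith(("|", ">")):
            # Block scalar: the body is every following line indented deeper than `run:`.
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
                for expr in EXPR_RE.findall(lines[i]):
                    findings.append(("template-injection", i + 1, expr))
                i += 1
        else:
            for expr in EXPR_RE.findall(value):
                findings.append(("template-injection", i + 1, expr))
            i += 1
    return findings


def find_unpersisted_checkouts(lines):
    """artipacked: a checkout step (one list item) with no persist-credentials: false."""
    findings, i = [], 0
    while i < len(lines):
        m = ITEM_RE.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent, start = len(m.group(1)), i
        i += 1
        # The item runs until the next line at or above the dash's indentation.
        while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > dash_indent):
            i += 1
        item = lines[start:i]
        if not any(NO_PERSIST_RE.search(line) for line in item):
            for offset, line in enumerate(item):
                cm = CHECKOUT_RE.search(line)
                if cm:
                    findings.append(("artipacked", start + offset + 1, cm.group(1)))
    return findings


def find_permission_issues(lines):
    """excessive-permissions: no top-level permissions block, or write-all."""
    for n, line in enumerate(lines, 1):
        if re.match(r"permissions:\s*write-all\b", line):      # column 0 only
            return [("excessive-permissions", n, "write-all")]
        if line.startswith("permissions:"):
            return []
    return [("excessive-permissions", 0, "no top-level permissions block")]


def audit_workflow(text: str):
    """Return (audit, line, detail) tuples, sorted by line."""
    lines = text.splitlines()
    findings = (find_run_expressions(lines)
                + find_unpersisted_checkouts(lines)
                + find_permission_issues(lines))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# Constructed sample: what the linter flags before hardening ...
BEFORE = """\
name: greet
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""

# ... and the same workflow after the three fixes the PR applies.
AFTER = """\
name: greet
on: pull_request
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
"""

if __name__ == "__main__":
    for audit, line, detail in audit_workflow(BEFORE):
        print(f"BEFORE:{line}: {audit}: {detail}")
    print("AFTER findings:", audit_workflow(AFTER))
```

Run against `BEFORE` it reports the expression on line 11, the checkout on line 7 and the missing permissions block; `AFTER` is clean. The scanner only understands the indentation-based layout used in these workflows, which is enough to show what each audit looks for but is not a substitute for zizmor's real YAML parsing.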

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
test/lint/lint-github-actions.py (1)

64-80: Consider removing unnecessary f-string prefixes.

The function correctly generates the YAML configuration. However, lines 71 and 76 use f-strings without placeholders.

Apply this diff to remove unnecessary f-string prefixes:

     # Add disabled audits
     for audit in DISABLED:
-        lines.append(f'  {audit}:')
-        lines.append(f'    disable: true')
+        lines.append(f'  {audit}:')
+        lines.append('    disable: true')
 
     # Add ignored findings
     for audit, locations in IGNORED.items():
-        lines.append(f'  {audit}:')
-        lines.append(f'    ignore:')
+        lines.append(f'  {audit}:')
+        lines.append('    ignore:')
         for loc in locations:
             lines.append(f'      - {loc}')
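Review bot: two of the four changed pairs in this hunk are no-ops. `-        lines.append(f'  {audit}:')` and `+        lines.append(f'  {audit}:')` are identical in both the disabled-audits loop and the ignored-findings loop, because those f-strings do contain a placeholder. Only the `disable: true` and `ignore:` lines need the `f` prefix dropped, so the suggested diff can be reduced to those two lines.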
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7ba3f42 and f8c0b6f.

📒 Files selected for processing (15)
  • .github/workflows/build-container.yml (1 hunks)
  • .github/workflows/build-depends.yml (2 hunks)
  • .github/workflows/build-src.yml (3 hunks)
  • .github/workflows/build.yml (1 hunks)
  • .github/workflows/clang-diff-format.yml (1 hunks)
  • .github/workflows/guix-build.yml (6 hunks)
  • .github/workflows/lint.yml (3 hunks)
  • .github/workflows/merge-check.yml (1 hunks)
  • .github/workflows/predict-conflicts.yml (1 hunks)
  • .github/workflows/prevent-master-pr.yml (1 hunks)
  • .github/workflows/release_docker_hub.yml (3 hunks)
  • .github/workflows/semantic-pull-request.yml (1 hunks)
  • .github/workflows/test-src.yml (3 hunks)
  • contrib/containers/ci/ci-slim.Dockerfile (1 hunks)
  • test/lint/lint-github-actions.py (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
{guix-build*,releases,**/guix-build*,releases/**,.github/**,depends/**,ci/**,contrib/**,doc/**}

📄 CodeRabbit inference engine (CLAUDE.md)

Do not make changes to build system files (guix-build*), release artifacts, or avoid changes to .github, depends, ci, contrib, and doc directories unless specifically prompted

Files:

  • .github/workflows/clang-diff-format.yml
  • .github/workflows/test-src.yml
  • .github/workflows/predict-conflicts.yml
  • .github/workflows/prevent-master-pr.yml
  • .github/workflows/build.yml
  • .github/workflows/semantic-pull-request.yml
  • .github/workflows/build-src.yml
  • .github/workflows/build-depends.yml
  • .github/workflows/release_docker_hub.yml
  • .github/workflows/lint.yml
  • contrib/containers/ci/ci-slim.Dockerfile
  • .github/workflows/guix-build.yml
  • .github/workflows/merge-check.yml
  • .github/workflows/build-container.yml
🧠 Learnings (7)
📚 Learning: 2025-02-13T07:36:17.572Z
Learnt from: UdjinM6
Repo: dashpay/dash PR: 0
File: :0-0
Timestamp: 2025-02-13T07:36:17.572Z
Learning: In GitHub Actions checkout action, fetch-depth: 0 fetches all commit history for all branches and tags, while a positive number like fetch-depth: 50 fetches only that many recent commits, which is useful for CI optimization.

Applied to files:

  • .github/workflows/test-src.yml
  • .github/workflows/guix-build.yml
  • .github/workflows/merge-check.yml
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to test/functional/**/*.py : Functional tests in test/functional/ must be written in Python (minimum version specified in .python-version) and depend on dashd and dash-node

Applied to files:

  • .github/workflows/test-src.yml
  • contrib/containers/ci/ci-slim.Dockerfile
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Always run linting before commits using test/lint/all-lint.py

Applied to files:

  • .github/workflows/lint.yml
  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to {guix-build*,releases,**/guix-build*,releases/**,.github/**,depends/**,ci/**,contrib/**,doc/**} : Do not make changes to build system files (guix-build*), release artifacts, or avoid changes to .github, depends, ci, contrib, and doc directories unless specifically prompted

Applied to files:

  • .github/workflows/guix-build.yml
📚 Learning: 2025-07-14T10:11:05.011Z
Learnt from: kwvg
Repo: dashpay/dash PR: 6754
File: contrib/containers/guix/docker-compose.yml:18-19
Timestamp: 2025-07-14T10:11:05.011Z
Learning: In the Guix build process for Dash Core, the `guix.sigs` directory requires write access as signatures are written to it during the build process, and `dash-detached-sigs` may be updated with `git pull` operations, so both directories need rw permissions in the Docker volume mounts.

Applied to files:

  • .github/workflows/guix-build.yml
📚 Learning: 2025-02-19T00:03:39.001Z
Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6588
File: .github/workflows/release_docker_hub.yml:79-81
Timestamp: 2025-02-19T00:03:39.001Z
Learning: GitHub Actions supports ARM64 runners with the label `ubuntu-22.04-arm` for public repositories, introduced in January 2025. This runner is specifically designed for ARM64 architecture builds.

Applied to files:

  • .github/workflows/guix-build.yml
📚 Learning: 2025-02-19T00:03:39.002Z
Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6588
File: .github/workflows/release_docker_hub.yml:79-81
Timestamp: 2025-02-19T00:03:39.002Z
Learning: GitHub Actions supports ARM64 runners with the labels `ubuntu-latest-arm64` and `linux-arm64` for public repositories, introduced in January 2025. These runners are specifically designed for ARM64 architecture builds.

Applied to files:

  • .github/workflows/guix-build.yml
🪛 actionlint (1.7.9)
.github/workflows/clang-diff-format.yml

16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

.github/workflows/release_docker_hub.yml

16-16: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


43-43: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 Flake8 (7.3.0)
test/lint/lint-github-actions.py

[error] 71-71: f-string is missing placeholders

(F541)


[error] 76-76: f-string is missing placeholders

(F541)

🪛 Ruff (0.14.6)
test/lint/lint-github-actions.py

53-53: Starting a process with a partial executable path

(S607)


71-71: f-string without any placeholders

Remove extraneous f prefix

(F541)


76-76: f-string without any placeholders

Remove extraneous f prefix

(F541)


102-102: subprocess call: check for execution of untrusted input

(S603)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build container / Build container
🔇 Additional comments (26)
.github/workflows/prevent-master-pr.yml (1)

8-8: ✓ Security-hardening change aligns with PR objectives.

Adding the permissions: {} block follows GitHub Actions security best practices by restricting the workflow to no default permissions (least privilege principle). Since this job only runs exit 1 and requires no special permissions, this change is appropriate and consistent with the linter-driven hardening across the PR.

.github/workflows/clang-diff-format.yml (2)

8-18: Credential hardening and least-privilege permissions look good.

The addition of the permissions block enforces least privilege (read-only access), and persist-credentials: false prevents credential leakage—both solid security practices that align with the PR's credential-handling hardening objective.


16-16: The review comment violates coding guidelines for this repository.

According to the coding guidelines provided, you should "avoid changes to... .github/** directories unless specifically prompted." This review comment recommends updating a file in .github/workflows/clang-diff-format.yml without an explicit prompt to do so.

While the technical assessment is correct (as of November 2025, actions/checkout@v3 is indeed outdated—the latest stable version is v6, not v4), the review violates the repository's established policy for this directory. Changes to GitHub Actions workflows in .github/** require explicit authorization before being recommended.

Likely an incorrect or invalid review comment.

.github/workflows/semantic-pull-request.yml (1)

10-11: Permissions are correct as configured; the original concern is based on a misunderstanding of the action's functionality.

The amannn/action-semantic-pull-request@v5 action does not set GitHub check statuses or contexts by default. It validates the PR title format and reports the result through the GitHub Actions UI (pass/fail indication). The pull-requests: read permission is exactly what the action requires for standard operation.

The action only requires additional permissions (pull-requests: write) if the optional wip feature is explicitly enabled via input configuration (to mark PRs with "[WIP]" in the title as pending). There is no need for checks: write or statuses: write permissions.

.github/workflows/predict-conflicts.yml (1)

32-33: LGTM! Security improvement for credential handling.

Adding persist-credentials: false prevents Git credentials from persisting in the workspace, which is appropriate for this read-only workflow.

.github/workflows/build-container.yml (2)

35-35: LGTM! Appropriate credential scope.

Setting persist-credentials: false is correct here since the workflow only needs to push to the container registry, not to the Git repository.


39-43: LGTM! Template injection mitigation.

Moving the GitHub context reference to an environment variable and consuming it from the environment is a security improvement that mitigates potential template injection risks while maintaining the same functionality.

.github/workflows/build.yml (1)

29-42: LGTM! Template injection mitigation pattern.

The refactoring to use environment variables instead of direct GitHub context references in shell conditionals is a security improvement that prevents potential template injection while preserving the existing control flow.

.github/workflows/test-src.yml (3)

36-36: LGTM! Appropriate credential handling for test workflow.

Setting persist-credentials: false is correct for this test workflow that only reads code and doesn't push changes.


53-55: LGTM! Cleaner environment propagation.

Moving BUILD_TARGET and BUNDLE_KEY to the environment block improves security and maintainability by avoiding in-script exports and ensuring values are safely interpolated.


67-68: LGTM! Consistent pattern application.

Propagating BUILD_TARGET via environment block maintains consistency with the test step and ensures safe value interpolation.

.github/workflows/lint.yml (2)

24-24: LGTM! Appropriate for read-only lint workflow.

Setting persist-credentials: false is correct since the lint workflow only reads and validates code.


33-62: LGTM! Security improvements with better event handling.

The refactoring provides multiple benefits:

  • Mitigates template injection by using environment variables
  • Adds a fallback else branch for other event types (lines 48-52)
  • Makes the commit range logic more explicit and maintainable
.github/workflows/merge-check.yml (2)

20-20: LGTM! Appropriate for merge check workflow.

Setting persist-credentials: false is correct since the workflow performs local merge checks without pushing changes.


28-49: LGTM! Comprehensive template injection mitigation.

The extensive use of environment variables for all GitHub context references (REF_NAME, EVENT_NAME, PR_BASE_REF, PR_NUMBER, COMMIT_SHA) effectively mitigates template injection risks while maintaining the existing merge check logic.

test/lint/lint-github-actions.py (4)

16-21: LGTM! Documented policy decisions.

The disabled audits are intentional and well-documented. The choice to use version tags over SHA pinning is a reasonable trade-off between maintainability and supply-chain security for this project.


23-47: LGTM! Well-documented security exceptions.

The ignored findings are clearly documented with justifications:

  • dangerous-triggers: Intentional pull_request_target usage with safeguards
  • template-injection: Internal-only workflow inputs
  • excessive-permissions: Required for reusable workflow pattern

The explanations demonstrate security awareness and proper risk assessment.


50-61: LGTM! Graceful handling of missing dependency.

The function appropriately exits with status 0 when zizmor is not installed, preventing CI failures in environments where it's not available, while providing helpful installation instructions.


83-110: LGTM! Robust implementation with proper cleanup.

The main function correctly:

  • Creates a temporary configuration file
  • Executes zizmor with the generated config
  • Ensures cleanup via finally block
  • Appropriately translates zizmor's exit code to script exit status
contrib/containers/ci/ci-slim.Dockerfile (1)

83-84: Verified: zizmor 1.17.0 is current with no known security issues.

The added dependency zizmor==1.17.0 is the latest version as of November 2025 with no public security advisories. The pinned version ensures reproducible builds for the GitHub Actions security linting functionality.

.github/workflows/release_docker_hub.yml (2)

7-8: Environment variable centralization and credential security improvements look sound.

The refactoring replaces direct GitHub context interpolation (e.g., ${{ github.event.release.tag_name }}) with environment variables, mitigating script injection risks. The persist-credentials: false setting further hardens the checkout step. These changes align with GitHub Actions security best practices.

Also applies to: 17-18, 36-46, 50-50, 91-93


16-16: Update actions/checkout@v3 to actions/checkout@v4 or later (latest is v6).

Web search confirms that actions/checkout@v6 is the latest stable release (released November 20, 2025). Your action is currently using v3, which is three major versions behind. Consider updating to at least v4, though upgrading to v6 is recommended for the latest security patches and improvements.

⛔ Skipped due to learnings
Learnt from: UdjinM6
Repo: dashpay/dash PR: 0
File: :0-0
Timestamp: 2025-02-13T07:36:17.572Z
Learning: In GitHub Actions checkout action, fetch-depth: 0 fetches all commit history for all branches and tags, while a positive number like fetch-depth: 50 fetches only that many recent commits, which is useful for CI optimization.
.github/workflows/build-depends.yml (1)

33-33: Environment variable centralization and credential security improvements are consistent and correct.

The refactoring centralizes BUILD_TARGET, HOST, and DEP_OPTS via environment variables, replacing in-script exports. The persist-credentials: false setting strengthens checkout security. Changes maintain workflow logic while improving maintainability and security posture.

Also applies to: 37-38, 80-82, 87-87

.github/workflows/build-src.yml (1)

38-38: Consistent environment variable centralization across all build steps.

The refactoring propagates BUILD_TARGET and PR_BASE_SHA via environment variables across four separate steps (Build source, Run linters, Run unit tests, Bundle artifacts), replacing previous in-script or inline assignments. The persist-credentials: false setting and environment variable outputs strengthen both security and maintainability. Changes maintain workflow logic while improving consistency.

Also applies to: 42-44, 50-50, 81-82, 96-97, 104-105, 114-115

.github/workflows/guix-build.yml (2)

9-10: Comprehensive environment variable centralization and multi-level permission scoping.

The refactoring introduces explicit permissions blocks at both top-level and job-specific levels (build-image and build), providing minimal required permissions (contents: read for general access, packages: write and id-token: write for image builds and attestations). All checkout steps now include persist-credentials: false. Direct GitHub context references (e.g., github.repository) are replaced with environment variables (GITHUB_REPOSITORY_LC). Outputs from the build-image job (image-tag, repo-name) are properly propagated.

Also applies to: 15-17, 31-31, 38-39, 45-45, 77-80, 97-97


127-131: Environment variables correctly propagated to Run Guix build and Compute SHA256 checksums steps.

The Run Guix build step now receives WORKSPACE, REPO_NAME, IMAGE_TAG, and BUILD_TARGET via environment variables, replacing direct GitHub context references in docker run and guix-start commands. The Compute SHA256 checksums step similarly receives BUILD_TARGET and WORKSPACE for the guix-check invocation. This approach maintains the original logic while centralizing configuration and improving security.

Verify that downstream scripts (guix-start and guix-check) properly consume the environment variables BUILD_TARGET, WORKSPACE, REPO_NAME, and IMAGE_TAG as expected.

Also applies to: 135-139, 150-154

echo "build_tag=${TAG#v}" >> $GITHUB_OUTPUT
- name: Set suffix
uses: actions/github-script@v6

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

latest version actions/github-script GitHub Action

💡 Result:

Latest published version: v8.0.0 — use actions/github-script@v8. [1][2]

Sources:
[1] actions/github-script releases (v8.0.0).
[2] actions/github-script README / usage (shows @v8).


Update actions/github-script from v6 to v8.0.0 (latest version).

The currently pinned version v6 is outdated. The latest available version is v8.0.0, which includes important updates for compatibility and security. Update the action to actions/github-script@v8.

🧰 Tools
🪛 actionlint (1.7.9)

43-43: the runner of "actions/github-script@v6" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/release_docker_hub.yml around line 43: the workflow pins
actions/github-script@v6 which is outdated; update the action reference to
actions/github-script@v8 (or @v8.0.0) in the uses line so the workflow uses the
latest stable major version; ensure any inputs/outputs or script syntax remain
compatible and run the workflow lint/check after updating.

Co-authored-by: Kittywhiskers Van Gogh <[email protected]>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
test/lint/lint-github-actions.py (1)

83-100: Optional: Make workflow-path resolution independent of current working directory.

Right now .github/workflows/ is assumed to be relative to the CWD. If this script is ever run from another directory, it will fail. You can instead derive the repo root from __file__ for more robustness.

-import subprocess
-import sys
-import tempfile
-import os
+import subprocess
+import sys
+import tempfile
+import os
+from pathlib import Path
@@
 def main():
     check_zizmor_install()
@@
-    try:
-        # Build the zizmor command
-        zizmor_cmd = [
-            'zizmor',
-            '--config', config_path,
-            '.github/workflows/',
-        ]
+    try:
+        # Build the zizmor command
+        repo_root = Path(__file__).resolve().parents[2]
+        workflows_dir = repo_root / '.github' / 'workflows'
+        zizmor_cmd = [
+            'zizmor',
+            '--config', config_path,
+            str(workflows_dir),
+        ]
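Review bot: the `parents[2]` in the second hunk hard-codes the assumption that this file lives exactly two directories below the repository root (test/lint/); if the script is ever moved, `workflows_dir` silently points elsewhere and zizmor either scans nothing or errors out with an unrelated message. Consider failing fast before building `zizmor_cmd`, e.g. `if not workflows_dir.is_dir(): sys.exit(f"workflow directory not found: {workflows_dir}")`, so the lint reports the real cause.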
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f8c0b6f and 504580b.

📒 Files selected for processing (1)
  • test/lint/lint-github-actions.py (1 hunks)
🧰 Additional context used
🧠 Learnings (8)
📚 Learning: 2025-08-08T04:30:37.971Z
Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6804
File: src/qt/proposalwizard.cpp:0-0
Timestamp: 2025-08-08T04:30:37.971Z
Learning: In the Dash codebase, direct RPC calling has been removed in recent commits, making suggestions about RPC command validation and error handling for direct RPC calls obsolete. The ProposalWizard and related components no longer use direct RPC calling patterns.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-10-05T20:38:28.457Z
Learnt from: knst
Repo: dashpay/dash PR: 6871
File: contrib/guix/libexec/build.sh:358-360
Timestamp: 2025-10-05T20:38:28.457Z
Learning: In the Dash repository, when backporting code from Bitcoin Core, typos and minor issues in comments should be kept as-is to reduce merge conflicts in future backports, even if they remain unfixed in Bitcoin Core's master branch.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-04T18:24:27.241Z
Learnt from: UdjinM6
Repo: dashpay/dash PR: 6933
File: src/llmq/utils.cpp:284-298
Timestamp: 2025-11-04T18:24:27.241Z
Learning: In consensus-critical code (such as quorum formation, block validation, or deployment activation logic), do not suggest changes to the logic itself even if the implementation appears theoretically incorrect or off-by-one. Consensus rules, once deployed on the Dash network, must be preserved exactly to avoid network forks. Refactoring PRs should maintain perfect behavioral equivalence. Only suggest logic changes if explicitly accompanied by a DIP (Dash Improvement Proposal) or if the maintainer indicates the consensus rule needs to be changed with appropriate activation logic.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-07-23T09:30:34.631Z
Learnt from: kwvg
Repo: dashpay/dash PR: 6761
File: src/chainlock/signing.h:5-6
Timestamp: 2025-07-23T09:30:34.631Z
Learning: Dash Core uses BITCOIN_ prefix for header guards as the standard convention, inherited from Bitcoin Core. Only a few BLS-specific files in src/bls/ use DASH_ prefix. The vast majority of files (385+) use BITCOIN_ prefix.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Dash extends Bitcoin Core through composition with minimal changes to the Bitcoin Core foundation

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-08-11T17:16:36.654Z
Learnt from: PastaPastaPasta
Repo: dashpay/dash PR: 6804
File: src/qt/proposalwizard.cpp:40-42
Timestamp: 2025-08-11T17:16:36.654Z
Learning: In the Dash repository, when a PR adds new files that are not from Bitcoin backports, these files must be added to the list in test/util/data/non-backported.txt. This applies to newly created files like qt/proposalwizard.{h,cpp} and forms/proposalwizard.ui. Limited exemptions may exist for subtrees and similar cases.

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/{masternode,evo,llmq,governance,coinjoin}/**/*.{cpp,h} : Use Dash-specific database implementations: CFlatDB for persistent storage (MasternodeMetaStore, GovernanceStore, SporkStore, NetFulfilledRequestStore) and CDBWrapper extensions for Evolution/DKG/InstantSend/Quorum/RecoveredSigs data

Applied to files:

  • test/lint/lint-github-actions.py
📚 Learning: 2025-11-24T16:41:22.457Z
Learnt from: CR
Repo: dashpay/dash PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T16:41:22.457Z
Learning: Applies to src/**/*.{cpp,h,hpp,cc} : Dash Core implementation must be written in C++20, requiring at least Clang 16 or GCC 11.1

Applied to files:

  • test/lint/lint-github-actions.py
🪛 Flake8 (7.3.0)
test/lint/lint-github-actions.py

[error] 71-71: f-string is missing placeholders

(F541)


[error] 76-76: f-string is missing placeholders

(F541)

🪛 Ruff (0.14.6)
test/lint/lint-github-actions.py

53-53: Starting a process with a partial executable path

(S607)


71-71: f-string without any placeholders

Remove extraneous f prefix

(F541)


76-76: f-string without any placeholders

Remove extraneous f prefix

(F541)


102-102: subprocess call: check for execution of untrusted input

(S603)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Lint / Run linters
  • GitHub Check: Build container / Build container
🔇 Additional comments (3)
test/lint/lint-github-actions.py (3)

50-61: check_zizmor_install behavior looks good.

The existence check via zizmor --version and graceful FileNotFoundError handling (exit 0, clear install hint) is reasonable for CI usage. No changes needed here.


16-47: DISABLED/IGNORED configuration is well-documented and scoped.

The split between globally disabled audits and narrowly scoped ignored findings, plus the inline comments explaining each case, keeps the zizmor config understandable and auditable. No changes needed here.


89-110: Tempfile handling and cleanup are appropriate.

Using NamedTemporaryFile(delete=False) with an explicit os.unlink in a finally block is a reasonable pattern here; it avoids Windows handle issues and ensures cleanup even when zizmor fails.

@UdjinM6 UdjinM6 left a comment

utACK fcae891

@github-actions
github-actions bot commented Dec 8, 2025

This pull request has conflicts, please rebase.
