chore: bump ubuntu version in docs.yml workflow

[KooshaPari]

User description

Automated from stash.

Note

Medium Risk
Changes affect merge gating and secret scanning paths; malformed workflow YAML or broken GH_TOKEN templating could disable or weaken CI/security checks without obvious application code changes.

Overview
Adds workflow concurrency (cancel-in-progress) across CI, journey gate, security scans, and manual gate workflows so newer runs on the same ref supersede stale ones.

Introduces a new lint workflow that runs golangci-lint on push/PR to main, master, and develop. Docs CI switches docs dependency install from npm install to npm ci --frozen-lockfile. TruffleHog scanning drops the trufflehog/actions/setup@main action in favor of Go setup + go install of trufflehog v3.

Several workflow files were edited in ways that merge step metadata onto a single step (e.g. checkout + run/uses/name on one step in ci.yml, codeql.yml, docs.yml, sast-quick.yml, and gate scripts), which likely breaks YAML step structure unless fixed in a follow-up. TruffleHog’s GH_TOKEN env uses a backslash-escaped \${{ secrets.GITHUB_TOKEN }}, which may prevent secret injection.

^{Reviewed by Cursor Bugbot for commit 050ddc3. Bugbot is set up for automated code reviews on this repo. Configure here.}

---

CodeAnt-AI Description

Tighten workflow runs, add repo linting, and update docs and secret scans

What Changed

• Repeated CI, security, and gate runs on the same branch now cancel older runs, so the newest check finishes without waiting on stale jobs
• A new lint workflow runs Go lint checks on pushes and pull requests to the main branches
• Docs builds now install dependencies with a locked install, which keeps the docs site build in sync with the checked-in lockfile
• Secret scanning now installs TruffleHog through Go instead of the previous setup action

Impact

✅ Fewer stale CI runs
✅ Earlier Go lint failures
✅ More reliable docs builds
✅ Clearer secret scan setup

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Warning

Review limit reached

@KooshaPari, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 43 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1a89e4e2-f1ec-4af1-b817-f6e40739e970

📥 Commits

Reviewing files that changed from the base of the PR and between b4f95c7 and 050ddc3.

📒 Files selected for processing (11)

• .github/workflows/ci.yml
• .github/workflows/codeql.yml
• .github/workflows/docs.yml
• .github/workflows/journey-gate.yml
• .github/workflows/lint.yml
• .github/workflows/policy-gate.yml
• .github/workflows/quality-gate.yml
• .github/workflows/sast-quick.yml
• .github/workflows/scorecard.yml
• .github/workflows/self-merge-gate.yml
• .github/workflows/trufflehog.yml

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key: "pre_merge_checks"

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/ubuntu-24-docs-yml

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[codeant-ai]

🔴 Architect Review — CRITICAL

The first docs build step defines both checkout and Node setup in a single step with duplicate uses keys, so the actions/checkout invocation is overridden and the repository is never actually checked out before bun/npm commands run, causing the docs build to run against an empty workspace.

Suggestion: Split this into two separate sequential steps (one uses: actions/checkout@<pinned-sha>, then one uses: actions/setup-node@<pinned-sha> with the existing with: block) so the workspace is checked out before any bun/npm-based build steps execute.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/docs.yml
**Line:** 22:24
**Comment:**
	*CRITICAL: The first docs build step defines both checkout and Node setup in a single step with duplicate `uses` keys, so the `actions/checkout` invocation is overridden and the repository is never actually checked out before `bun`/`npm` commands run, causing the docs build to run against an empty workspace.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

🔴 Architect Review — CRITICAL

The Pages deploy job merges actions/configure-pages and actions/deploy-pages into a single step with duplicate uses keys, so configure-pages is never invoked and the job calls only deploy-pages, which can break the required GitHub Pages deployment contract on main.

Suggestion: Restore two explicit steps in order—a Configure Pages step that runs actions/configure-pages@<pinned-sha>, followed by a Deploy step running actions/deploy-pages@<pinned-sha> with the existing id and url wiring—so the Pages environment is configured before deployment.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/docs.yml
**Line:** 75:77
**Comment:**
	*CRITICAL: The Pages deploy job merges `actions/configure-pages` and `actions/deploy-pages` into a single step with duplicate `uses` keys, so `configure-pages` is never invoked and the job calls only `deploy-pages`, which can break the required GitHub Pages deployment contract on `main`.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

🟠 Architect Review — HIGH

Multiple workflows in this PR define "combined steps" that include both uses and run, or multiple uses keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically actions/checkout or actions/configure-pages) being ignored or steps failing validation so intended gates do not run correctly.

Suggestion: Normalize all seven affected locations so each step has exactly one uses or one run and each logical operation (checkout, setup, analysis, gate script, etc.) is its own list item, ensuring that required checkouts and setup actions execute before dependent scripts across CI, docs, CodeQL, SAST, quality-gate, and policy-gate workflows.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/ci.yml
**Line:** 25:27
**Comment:**
	*HIGH: Multiple workflows in this PR define "combined steps" that include both `uses` and `run`, or multiple `uses` keys, in a single step mapping (e.g. CI test checkout/run, docs checkout/Node setup, CodeQL checkout/init, SAST license checkout/reuse, quality-gate/policy-gate checkout/run), which GitHub Actions does not support and results in earlier actions (typically `actions/checkout` or `actions/configure-pages`) being ignored or steps failing validation so intended gates do not run correctly.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Autofix Details

Bugbot Autofix prepared fixes for both issues found in the latest run.

• ✅ Fixed: YAML indentation error breaks entire docs workflow
  • Corrected indentation and added missing list indicator to separate Configure Pages and Deploy steps.
• ✅ Fixed: Steps merged into one due to missing list indicators
  • Added missing list indicators to separate workflow steps in docs.yml, codeql.yml, and sast-quick.yml.

Or push these changes by commenting:

@cursor push 90d565a23e

Preview (90d565a23e)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,18 +20,21 @@
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4with:
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
           languages: ${{ matrix.language }}
           config-file: .github/codeql/codeql-config.yml
       - name: Set up Go
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5with:
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
           go-version-file: go.mod
           cache: true
       - name: Build
         run: go build ./...
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4analyze-skip-for-migrated-router-fix:
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+  analyze-skip-for-migrated-router-fix:
     name: Analyze (Go)
     if: ${{ startsWith(github.head_ref, 'ci/fix-migrated-router-20260225060000-feature_ampcode-alias') }}
     runs-on: ubuntu-latest

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,14 +20,16 @@
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4with:
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+        with:
           node-version: "20"
           cache: "npm"
           cache-dependency-path: docs/package.json
 
       - name: Setup Bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2with:
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        with:
           bun-version: latest
 
       - name: Install OXC dependencies
@@ -51,7 +53,8 @@
         run: test -f docs/.vitepress/dist/index.html
 
       - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3with:
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+        with:
           path: docs/.vitepress/dist/
 
   build-skip-branch-ci-unblock:
@@ -73,6 +76,6 @@
     steps:
       - name: Configure Pages
         uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
-         name: Deploy
+      - name: Deploy
         id: deployment
         uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
\ No newline at end of file

diff --git a/.github/workflows/sast-quick.yml b/.github/workflows/sast-quick.yml
--- a/.github/workflows/sast-quick.yml
+++ b/.github/workflows/sast-quick.yml
@@ -21,9 +21,11 @@
     # Tier 3: Advisory - security enrichment only
     continue-on-error: true
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5with:
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
           python-version: "3.12"
       - name: Install Semgrep
         run: python -m pip install --disable-pip-version-check semgrep==1.157.0
@@ -33,7 +35,8 @@
         run: |
           semgrep scan --sarif --sarif-output=semgrep.sarif --max-target-bytes 1000000 --quiet --config=auto || true
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: semgrep.sarif
 
@@ -46,14 +49,16 @@
     continue-on-error: true
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        name: Analyze licenses
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true  # Allow findings but don't fail
+      - name: Analyze licenses
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true  # Allow findings but don't fail
       - name: Check for non-reusable licenses
         run: |
           # Check for problematic licenses
           grep -r "GPL\|AGPL" --include="*.toml" --include="*.json" . || true
       - name: Check license compliance
-        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4continue-on-error: true
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4
+        continue-on-error: true
 
   # Secret Scanning - Tier 2: Important (runs in parallel)
   secrets:
@@ -61,10 +66,12 @@
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4with:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
           fetch-depth: 0
       - name: Run Gitleaks
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2env:
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: --verbose --redact
@@ -77,6 +84,7 @@
           output: trivy-results.sarif
         continue-on-error: true
       - name: Upload Trivy results
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4if: always()
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        if: always()
         with:
           sarif_file: 'trivy-results.sarif'

_{You can send follow-ups to the cloud agent here.}

[cursor]

YAML indentation error breaks entire docs workflow

High Severity

The name: Deploy line has 9 spaces of indentation while all sibling properties (uses:, id:) in the same step mapping have 8 spaces. YAML block mappings require all keys at the same level to share identical indentation. This mismatch will cause a YAML parse error, preventing the entire docs.yml workflow file from loading — breaking both the build and deploy jobs.

 

^{Reviewed by Cursor Bugbot for commit 6733dc6. Configure here.}

[cursor]

Steps merged into one due to missing list indicators

High Severity

The commit splits step names that were previously embedded in YAML comments (e.g., # v4- name: Setup Node) into separate lines, but adds them as properties of the same step instead of creating new list items with - . This produces duplicate name: and uses: keys in single steps. YAML's last-wins behavior silently drops the first action (typically actions/checkout), so the repository is never checked out before subsequent steps run.

Additional Locations (2)

• .github/workflows/codeql.yml#L21-L24
• .github/workflows/sast-quick.yml#L47-L50

 

^{Reviewed by Cursor Bugbot for commit 6733dc6. Configure here.}

[codeant-ai]

CodeAnt AI is running Incremental review

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[codeant-ai]

CodeAnt AI Incremental review completed.

[cursor]

Cursor Bugbot has reviewed your changes and found 5 potential issues.

There are 7 total unresolved issues (including 2 from previous reviews).

^{Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.}

^{Reviewed by Cursor Bugbot for commit 050ddc3. Configure here.}

[cursor]

Invalid flag on npm ci

Medium Severity

The docs install step runs npm ci --frozen-lockfile, but --frozen-lockfile is an npm install / Yarn option, not valid for npm ci. That can make the install step exit with a CLI usage error and block the docs build.

 

^{Reviewed by Cursor Bugbot for commit 050ddc3. Configure here.}

[cursor]

Deploy step YAML broken

High Severity

The Pages deploy job folds configure-pages and deploy-pages into one step, with a mis-indented name: Deploy line. GitHub Actions expects separate steps; duplicate uses keys and bad indentation can prevent the deploy job from running or from setting steps.deployment correctly.

 

^{Reviewed by Cursor Bugbot for commit 050ddc3. Configure here.}

[cursor]

Checkout step includes run

High Severity

The first CI step sets uses: actions/checkout and also defines a run block for refreshing models.json. A single step cannot combine an action and run, so the catalog refresh may never execute and tests may use a missing or stale models file.

 

^{Reviewed by Cursor Bugbot for commit 050ddc3. Configure here.}

[cursor]

CodeQL init merged with checkout

High Severity

The CodeQL job combines actions/checkout and github/codeql-action/init in one step with two uses keys. That can skip checkout or init and break the subsequent go build and analysis steps.

 

^{Reviewed by Cursor Bugbot for commit 050ddc3. Configure here.}

[cursor]

License scan step malformed

Medium Severity

The license-compliance job puts actions/checkout and fsfe/reuse-action in one step with two uses entries. The REUSE license check may not run, weakening that advisory job.

 

^{Reviewed by Cursor Bugbot for commit 050ddc3. Configure here.}