ci: normalize setup-node inputs and refresh action pins

[Mehdi-Bl]

Summary

• replace unsupported package-manager-cache with supported actions/setup-node cache inputs (cache, cache-dependency-path)
• refresh core GitHub Action pins to current maintained SHAs (checkout, setup-node, upload/download-artifact, codeql-action)
• update CI/CD security plan notes for setup-node normalization and pin refresh cadence

Validation

• npm run lint
• npm test -- --runInBand

Summary by Sourcery

Normalize Node.js setup and caching across CI workflows and refresh pinned GitHub Actions to current maintained SHAs.

Enhancements:

• Standardize actions/setup-node usage to use supported cache inputs with npm lockfile-based caching across workflows.
• Update pinned SHAs for core GitHub Actions (checkout, setup-node, upload/download-artifact, CodeQL, and related actions) to current maintained releases.

Documentation:

• Extend CI/CD security plan documentation to cover normalized setup-node cache configuration and regular action pin refresh practices.

Summary by CodeRabbit

• New Features

  • Linux build now produces a minimal AppImage artifact for Linux users.

• Chores

  • Updated CI workflow action pins across multiple jobs for improved maintenance.
  • Enabled npm dependency caching to speed up build times.

• Documentation

  • CI/CD security guidance updated to reflect supported workflow cache inputs and pinning practices.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[sourcery-ai]

Reviewer's Guide

Normalizes Node.js setup caching configuration across workflows to use supported setup-node cache inputs and refreshes pinned SHAs for core GitHub Actions (checkout, setup-node, upload/download-artifact, codeql-action), while documenting the new conventions in the CI/CD security plan.

File-Level Changes

Change	Details	Files
Normalize actions/setup-node cache configuration to supported inputs across CI workflows.	Replace deprecated package-manager-cache input with cache and cache-dependency-path inputs where Node 20 is configured. Align cache-dependency-path to package-lock.json for npm-based workflows. Ensure sbom workflow uses the same normalized cache settings as other workflows.	.github/workflows/release.yml .github/workflows/qa-matrix.yml .github/workflows/sonarcloud.yml .github/workflows/sbom.yml
Refresh pinned SHAs for core GitHub Actions used in CI/CD.	Update actions/checkout to a newer maintained commit SHA in all workflows that use it. Update actions/setup-node to a newer maintained commit SHA in workflows that install Node. Update actions/upload-artifact and actions/download-artifact to current maintained SHAs wherever artifacts are uploaded or downloaded. Update github/codeql-action init, analyze, and upload-sarif steps to a newer maintained commit SHA.	.github/workflows/release.yml .github/workflows/qa-matrix.yml .github/workflows/sonarcloud.yml .github/workflows/actions-freshness.yml .github/workflows/codeql.yml .github/workflows/poutine.yml .github/workflows/secrets-gate.yml
Document the new CI conventions for setup-node caching and action pin refreshes.	Extend CI/CD security plan notes to describe normalized setup-node cache usage. Add note about recurring refresh of core GitHub Action SHAs to current maintained releases.	docs/plan/cicd_security.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Summary of Changes

Hello @Mehdi-Bl, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on maintaining and improving the project's CI/CD pipeline by updating GitHub Actions configurations. The changes ensure that setup-node caching uses supported inputs, refresh action pins to their latest secure versions, and document these important security and maintenance practices within the CI/CD security plan.

Highlights

• CI Configuration Update: Replaced the unsupported package-manager-cache input with the supported cache and cache-dependency-path inputs for actions/setup-node to ensure proper caching.
• GitHub Action Pin Refresh: Updated core GitHub Action pins to their current maintained SHAs for checkout, setup-node, upload/download-artifact, and codeql-action to enhance security and stability.
• Documentation Update: Revised the CI/CD security plan notes to reflect the setup-node normalization and the new cadence for refreshing action pins.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• docs/plan/cicd_security.md
  • Added notes on actions/setup-node cache input normalization.
  • Documented the recurring refresh of core GitHub Action pins.

Ignored Files

• Ignored by pattern: .github/workflows/** (8)
  • .github/workflows/actions-freshness.yml
  • .github/workflows/codeql.yml
  • .github/workflows/poutine.yml
  • .github/workflows/qa-matrix.yml
  • .github/workflows/release.yml
  • .github/workflows/sbom.yml
  • .github/workflows/secrets-gate.yml
  • .github/workflows/sonarcloud.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates pinned GitHub Actions SHAs across multiple workflows, modernizes Setup Node.js cache inputs to cache: npm with cache-dependency-path, and changes the Linux release job to programmatically rewrite package.json to set an AppImage target before rebuilding and uploading artifacts. (49 words)

Changes

Cohort / File(s)	Summary
Action Pin Refreshes \.github/workflows/actions-freshness.yml, \.github/workflows/codeql.yml, \.github/workflows/poutine.yml, \.github/workflows/secrets-gate.yml	Replaced pinned action commit SHAs (e.g., actions/checkout, CodeQL, upload-artifact) with new SHAs; no other inputs or step logic altered.
Node.js Cache Modernization \.github/workflows/qa-matrix.yml, \.github/workflows/sbom.yml, \.github/workflows/sonarcloud.yml	Replaced deprecated package-manager-cache: false with cache: npm and cache-dependency-path: package-lock.json; also updated action pins for checkout/setup-node/upload steps.
Release Pipeline & Linux Build \.github/workflows/release.yml	Updated action pins across jobs and replaced Prepare build with a Configure Linux Build step that programmatically rewrites package.json to set a minimal Linux AppImage target, then rebuilds and uploads artifacts.
Documentation docs/plan/cicd_security.md	Added notes about normalizing actions/setup-node cache inputs and recurring pin refresh practices.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions (workflow)
  participant Runner as CI Runner
  participant Repo as Repository
  participant Node as Node Build (npm)
  participant Storage as Artifact Store

  GH->>Runner: trigger job (release: linux)
  Runner->>Repo: actions/checkout (pinned SHA)
  Runner->>Node: setup-node (cache: npm)
  Runner->>Runner: Configure Linux Build (rewrite package.json -> AppImage target)
  Runner->>Node: npm ci && npm run build
  Runner->>Storage: upload build artifacts

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ci: add poutine security scanning workflow #54 — edits the same poutine.yml workflow (checkout, upload-sarif, upload-artifact) and likely overlaps on action pin changes.
• CI: harden SBOM workflow permissions and snapshot path #62 — modifies sbom.yml and updates actions/setup-node cache inputs; closely related to cache normalization here.
• feat: restore QA automation and streamline docs on TS branch #23 — touches release.yml and sbom.yml with action pin and SBOM-related adjustments similar to this PR.

Poem

🐰 I hopped through YAML lines tonight,
Pinned actions snug and caches tight.
I nudged the Linux build to dream,
An AppImage tucked inside the seam.
CI hums on — a carrot-flavored flight! 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: normalize setup-node inputs and refresh action pins' accurately and concisely summarizes the main changes across all workflow files and documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/ci-setup-node-normalization

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

.github/workflows/release.yml (1)

80-102: Linux build step programmatically rewrites package.json — looks intentional.

This step deletes any existing build.linux config and replaces it with a minimal AppImage target. The approach works but is brittle — if package.json structure changes or if prepare-build.js is later fixed for Linux, this workaround and the commented-out prepare-build call (line 77) should be revisited.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Normalize setup-node cache inputs and refresh GitHub Action pins

✨ Enhancement

Walkthroughs

Description

• Normalize setup-node cache inputs across all workflows
• Refresh GitHub Action pins to latest maintained SHAs
• Update CI/CD security documentation for normalization changes

Diagram

flowchart LR
  A["Workflow Files"] --> B["Update setup-node cache"]
  A --> C["Refresh action pins"]
  B --> D["Replace package-manager-cache"]
  C --> E["Update checkout/upload/download/codeql"]
  D --> F["CI/CD Security Docs"]
  E --> F

Loading

File Changes

1. .github/workflows/actions-freshness.yml Dependencies +3/-3

Update checkout, setup-node, and upload-artifact action pins

.github/workflows/actions-freshness.yml

---

2. .github/workflows/codeql.yml Dependencies +3/-3

Refresh checkout and codeql-action pins to latest SHAs

.github/workflows/codeql.yml

---

3. .github/workflows/poutine.yml Dependencies +3/-3

Update checkout, codeql-action, and upload-artifact pins

.github/workflows/poutine.yml

---

View more (6)

4. .github/workflows/qa-matrix.yml ⚙️ Configuration changes +7/-6

Normalize setup-node cache and refresh action pins

.github/workflows/qa-matrix.yml

---

5. .github/workflows/release.yml ⚙️ Configuration changes +19/-16

Replace package-manager-cache with cache inputs across build jobs

.github/workflows/release.yml

---

6. .github/workflows/sbom.yml ⚙️ Configuration changes +2/-1

Replace package-manager-cache with supported cache configuration

.github/workflows/sbom.yml

---

7. .github/workflows/secrets-gate.yml Dependencies +2/-2

Update checkout and upload-artifact action pins

.github/workflows/secrets-gate.yml

---

8. .github/workflows/sonarcloud.yml ⚙️ Configuration changes +4/-3

Normalize setup-node cache and update checkout pin

.github/workflows/sonarcloud.yml

---

9. docs/plan/cicd_security.md 📝 Documentation +2/-0

Document setup-node normalization and pin refresh cadence

docs/plan/cicd_security.md

---

[gemini-code-assist]

Code Review

This pull request updates the CI/CD security plan documentation. The changes add notes about normalizing actions/setup-node cache inputs and the process for refreshing GitHub Action pins. These documentation updates are clear, accurate, and correctly reflect the described improvements to the CI/CD process. The changes look good.

[sourcery-ai]

Hey - I've left some high level feedback:

• If this repo uses multiple package-lock files (e.g., workspaces or tooling subdirs), consider switching cache-dependency-path: package-lock.json to a glob (like **/package-lock.json) so the setup-node cache covers all relevant installs.
• For consistency with the stated goal of normalizing setup-node usage, you may want to also add explicit cache / cache-dependency-path settings to the actions-freshness.yml workflow (and any other remaining workflows) so all Node setups follow the same pattern.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- If this repo uses multiple package-lock files (e.g., workspaces or tooling subdirs), consider switching `cache-dependency-path: package-lock.json` to a glob (like `**/package-lock.json`) so the setup-node cache covers all relevant installs.
- For consistency with the stated goal of normalizing setup-node usage, you may want to also add explicit `cache` / `cache-dependency-path` settings to the `actions-freshness.yml` workflow (and any other remaining workflows) so all Node setups follow the same pattern.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

• .github/workflows/release.yml
• .github/workflows/sonarcloud.yml

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. PRs now use npm cache 🐞 Bug ⛯ Reliability

Description

PR-triggered workflows now enable actions/setup-node npm caching, which changes runtime behavior
(cache restore/save) compared to the prior effectively-no-cache setup. This is likely intended
(documented), but if you want to avoid cache write attempts/noise or reduce risk surface for
external PRs, consider scoping caching to trusted contexts only.

Code

.github/workflows/qa-matrix.yml[R31-35]

+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 20
-          package-manager-cache: false
+          cache: npm
+          cache-dependency-path: package-lock.json

Evidence

qa-matrix runs on pull_request, and the updated setup-node step now enables npm caching with a
lockfile-derived key. The repository’s CI/CD security plan explicitly calls out normalizing
setup-node to supported cache inputs and even shows cache: npm in an example PR workflow; the
referenced package-lock.json exists at repo root, so the config will take effect.

.github/workflows/qa-matrix.yml[3-8]
.github/workflows/qa-matrix.yml[30-36]
docs/plan/cicd_security.md[64-93]
package-lock.json[1-6]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
PR-triggered workflows now explicitly enable npm caching via `actions/setup-node`. If you want to avoid cache save attempts on untrusted contexts (e.g., fork PRs) or keep behavior closer to the previous effectively-no-cache state, scope caching to trusted runs.

## Issue Context
- `qa-matrix.yml`, `sbom.yml`, and `sonarcloud.yml` run on `pull_request`.
- `cache: npm` will activate restore/save logic keyed off `package-lock.json`.

## Fix Focus Areas
- .github/workflows/qa-matrix.yml[30-36]
- .github/workflows/sbom.yml[26-35]
- .github/workflows/sonarcloud.yml[19-30]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

79-110: ⚠️ Potential issue | 🟠 Major

Functional change to Linux build is out of stated PR scope and introduces platform inconsistency.

This PR is described as normalizing setup-node inputs and refreshing action pins, but this section introduces a significant behavioral change:

1. Skips prepare-build.js that Windows (line 31) and macOS (line 140) both call, creating platform inconsistency. The script has a dedicated prepareLinux() function that handles icon setup and build configuration.
2. Mutates package.json at runtime with inline Node.js — this is brittle, hard to test, and removes the icon reference that prepare-build.js provides (icon: 'build/icons'), which could cause build failures.
3. Uses a different build command pattern (npm run build -- --linux AppImage) vs the platform-specific npm scripts used by Windows (build:win) and macOS (build:mac-universal).
4. The comment says "seems to be causing issues" — root cause is undiagnosed.

Consider:

• Splitting this Linux build fix into its own PR with proper investigation and testing.
• Fixing prepare-build.js to work for Linux instead of bypassing it.
• At minimum, if this stays, extract the inline node -e script into a proper file (e.g., scripts/configure-linux-build.js) and ensure icon paths are preserved.

🤖 Fix all issues with AI agents

In @.github/workflows/release.yml:
- Around line 23-27: The Zizmor cache-poisoning warning is triggered by the
three actions/setup-node steps that include "cache: npm" and
"cache-dependency-path: package-lock.json" (e.g., the uses:
actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 step); to fix,
remove the cache and cache-dependency-path keys from those setup-node steps so
the release workflow no longer attempts npm caching, or alternatively (if you
must keep caching) add an inline suppression comment like "# zizmor:
ignore[cache-poisoning]" immediately above each offending setup-node step to
acknowledge the risk.

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

18-27: Add version comments next to pinned SHAs for maintainability.

All pinned SHAs are verified as current releases:

• checkout@de0fac2e… corresponds to v6.0.2
• setup-node@6044e13b… corresponds to v6.2.0
• upload-artifact@b7c566a7… corresponds to v6.0.0

However, bare SHA pins without version comments make it hard for maintainers to know which release is in use at a glance. Consider adding # vX.Y.Z comments, as is common practice (and as dependabot does automatically).

This applies to all action references in the file.

Example for this block (apply same pattern to all other references)

      - name: Check out Git repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false

       - name: Install Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 20
           cache: npm
           cache-dependency-path: package-lock.json

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud