ci: add standard GitHub Actions workflows

[JarbasAl]

Summary

• Adds the full standard OVOS CI/CD workflow suite to a repo that previously had no .github/workflows/ at all
• Configures install_extras: 'test,ovos' for build-tests so OPM-dependent tests (test/unittests/test_opm.py) do not fail on import
• Configures install_extras: '-e .[test,ovos]' for coverage (the coverage reusable workflow takes a raw pip argument, not an extras name)
• Adds opm-check with plugin_type: 'auto' — markovonnx registers multiple OPM entry points (opm.lang.detect, opm.postag, opm.keywords, opm.segmentation, opm.g2p, opm.agents.chat, opm.transformer.text)
• Adds sympy to the test optional-dependency group to fix test_onnx_export.py::TestQuantizeModel::test_quantize_success (was failing due to missing sympy import)
• All OpenVoiceOS/gh-automations reusable workflows are pinned to @dev (never a SHA hash)

Workflows added

File	Purpose
build-tests.yml	Build + pytest on Python 3.10–3.13
coverage.yml	pytest + coverage report
lint.yml	ruff check (informational, non-blocking)
license_check.yml	Blocks GPL/AGPL dependencies
pip_audit.yml	CVE scan
repo-health.yml	Checks README, LICENSE, version.py presence
release-preview.yml	Predicts next version bump from PR labels
release_workflow.yml	Auto alpha release on PR merge to dev
publish_stable.yml	Stable release on push to master
opm-check.yml	OPM plugin entry-point validation
conventional-label.yaml	Auto-labels PRs from commit prefix

Required secrets

Before pushing workflows to production, ensure these are set at org or repo level:

• PYPI_TOKEN — PyPI API token
• MATRIX_TOKEN — Matrix access token

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Established comprehensive CI/CD pipeline with automated workflows for continuous integration testing, code coverage reporting, code quality checks, license verification, dependency auditing, and release automation.
  • Updated development test dependencies to support expanded testing capabilities.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request establishes a comprehensive CI/CD infrastructure by adding ten GitHub Actions workflows that orchestrate pull request validation, release automation, and repository health monitoring, along with updating test dependencies in pyproject.toml.

Changes

CI/CD Workflow Infrastructure

Layer / File(s)	Summary
Pull Request Quality Checks .github/workflows/build-tests.yml, .github/workflows/coverage.yml, .github/workflows/lint.yml, .github/workflows/pip_audit.yml, .github/workflows/license_check.yml, .github/workflows/opm-check.yml	Six workflows execute on pull requests to validate code via test execution with multiple Python versions, code coverage analysis, ruff linting (non-blocking), pip dependency audits, license compliance checks, and OPM plugin validation. All delegate to external reusable workflows from OpenVoiceOS/gh-automations@dev while inheriting repository secrets.
Release Automation Workflows .github/workflows/release-preview.yml, .github/workflows/publish_stable.yml, .github/workflows/release_workflow.yml	Three workflows manage release automation: release preview on dev branch PRs, stable publishing when PRs merge into master/main, and alpha publishing on merged dev PRs. All pass version file paths and release configuration (PyPI publish, Matrix notification, changelog updates) to external reusable workflows.
Repository Health and Labeling .github/workflows/repo-health.yml, .github/workflows/conventional-label.yaml	Repository health workflow checks repo metrics on PRs targeting dev/master/main, and conventional release labeling applies semantic labels to PRs on open/edit events using the bcoe/conventional-release-labels action.
Test Dependency Update pyproject.toml	Adds sympy to the test optional dependency extra alongside pytest, pytest-cov, and hypothesis.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit hops through the CI garden,
Building workflows left and right,
Tests run swift, linters approve with grace,
Releases flow like morning light,
The repository blooms bright! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: add standard GitHub Actions workflows' accurately and specifically describes the main change—adding multiple GitHub Actions workflows for CI/CD automation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-ci

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Beep boop! Data processing finished. ⚙️

I've aggregated the results of the automated checks for this PR below.

📋 Repo Health

Health report: The repository is thriving! 🌟

✅ All required files present.

Latest Version: 0.0.0

✅ markovonnx/version.py — Version file
✅ README.md — README
✅ LICENSE — License file
✅ pyproject.toml — pyproject.toml
⚠️ setup.py — setup.py
⚠️ CHANGELOG.md — Changelog
✅ markovonnx/version.py has valid version block markers

🏷️ Release Preview

I've performed a final polish on the release notes. 🧼

Current: 0.0.0 → Next: 0.0.1a1

Signal	Value
Label	(none)
PR title	ci: add standard GitHub Actions workflows
Bump	alpha

✅ PR title follows conventional commit format.

---

🚀 Release Channel Compatibility

Predicted next version: 0.0.1a1

Channel	Status	Note	Current Constraint
Stable	⚪	Not in channel	-
Testing	⚪	Not in channel	-
Alpha	⚪	Not in channel	-

📊 Coverage

Ensuring the logic is battle-tested. ⚔️

✅ 85.5% total coverage

Files below 80% coverage (1 file)

File	Coverage	Missing lines
markovonnx/opm.py	69.2%	139

Full report: download the coverage-report artifact.

🔒 Security (pip-audit)

Checking for any potential security regressions. 🔄

✅ No known vulnerabilities found (39 packages scanned).

🔨 Build Tests

The build results are looking solid. 💎

✅ All versions pass

Python	Build	Install	Tests
3.10	✅	✅	✅
3.11	✅	✅	✅
3.12	✅	✅	✅
3.13	✅	✅	✅

---

System.exit(0); // With love from OVOS 🖥️

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

.github/workflows/lint.yml (1)

11-20: ⚡ Quick win

Redundant non-blocking error handling.

Both continue-on-error: true (Line 11) and || true (Line 20) suppress lint failures. Dropping || true would still keep the job non-blocking (via continue-on-error) while letting the step itself surface a red ❌ when ruff finds problems — useful signal in the PR checks UI. As-is, the step is always green and you lose visibility into lint regressions.

Proposed fix

       - name: Run ruff
-        run: ruff check . || true
+        run: ruff check .

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yml around lines 11 - 20, The "Run ruff" step
currently masks failures twice: the job-level continue-on-error: true and the
step-level shell suffix "|| true"; remove the "|| true" from the run command
(the line containing "ruff check . || true") so the step will surface a failing
status while the job remains non-blocking via continue-on-error; leave
continue-on-error as-is and only change the run value to "ruff check ." in the
Run ruff step.

.github/workflows/coverage.yml (1)

15-15: 💤 Low value

Clarify the install_extras contract mismatch between workflows
In .github/workflows/coverage.yml, install_extras is passed as a raw pip argument (-e .[test,ovos]). The coverage.yml reusable workflow documents install_extras as “extra pip install arguments” (e.g. .[dev] / -r ...), while build-tests.yml documents it as “pip extras appended to the install command” (e.g. test / dev,test). Add a brief inline comment next to install_extras: '-e .[test,ovos]' so this isn’t “normalized” into the wrong format later.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml at line 15, Add a brief inline comment next
to the existing install_extras entry to clarify the intended format and avoid
downstream normalization: explain that install_extras is being passed as a raw
pip argument '-e .[test,ovos]' (not just extras like 'test' or 'dev') so
maintainers know this value includes the '-e' editable flag and explicit extras
list; reference the install_extras key and the literal '-e .[test,ovos]' in the
comment so future edits to the coverage reusable workflow or build-tests.yml
preserve the expected contract.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/conventional-label.yaml:
- Around line 6-10: Add an explicit permissions block for the label job so the
action can write labels: in the job named "label" that runs the step using
bcoe/conventional-release-labels@v1, declare least-privilege permissions with
pull-requests: write (and keep other permissions minimal or read-only as needed)
to ensure the GITHUB_TOKEN can call the Issues/PRs API and avoid 403s in
read-only defaults.
- Line 10: Replace the floating action tag with the specific commit SHA: update
the uses reference `bcoe/conventional-release-labels@v1` to the immutable commit
`bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8` so
the workflow running on pull_request_target no longer follows a moving tag and
is pinned to the known commit.

In @.github/workflows/release_workflow.yml:
- Around line 12-13: Replace the loose workflow reference and broad secrets
inheritance with a pinned ref and an explicit secrets list: change the uses
entry currently pointing to
OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev to a commit
SHA or immutable tag (pin the ref) and replace secrets: inherit with an explicit
secrets: mapping that only supplies the secrets the publish-alpha workflow needs
(match the required secret names defined by publish-alpha.yml); apply the same
pin-and-explicit-secrets change for other occurrences (e.g., release-preview.yml
and publish_stable.yml) to ensure immutable inputs and least-privilege secrets.

In @.github/workflows/release-preview.yml:
- Around line 10-11: The reusable workflow invocation in release-preview.yml
uses a mutable ref ("uses:
OpenVoiceOS/gh-automations/.../release-preview.yml@dev") and forwards all
secrets via "secrets: inherit"; change the "uses" ref to a pinned immutable ref
(tag or commit SHA) and remove "secrets: inherit", instead explicitly pass only
the minimum required secrets by name (or omit the secrets block if none are
needed) so secrets are not broadly exposed; update the "uses" line and replace
the "secrets: inherit" entry with an explicit mapping of required secrets (or
remove it) to harden the release-preview workflow.

---

Nitpick comments:
In @.github/workflows/coverage.yml:
- Line 15: Add a brief inline comment next to the existing install_extras entry
to clarify the intended format and avoid downstream normalization: explain that
install_extras is being passed as a raw pip argument '-e .[test,ovos]' (not just
extras like 'test' or 'dev') so maintainers know this value includes the '-e'
editable flag and explicit extras list; reference the install_extras key and the
literal '-e .[test,ovos]' in the comment so future edits to the coverage
reusable workflow or build-tests.yml preserve the expected contract.

In @.github/workflows/lint.yml:
- Around line 11-20: The "Run ruff" step currently masks failures twice: the
job-level continue-on-error: true and the step-level shell suffix "|| true";
remove the "|| true" from the run command (the line containing "ruff check . ||
true") so the step will surface a failing status while the job remains
non-blocking via continue-on-error; leave continue-on-error as-is and only
change the run value to "ruff check ." in the Run ruff step.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0e6d79c1-6bd1-4758-bbc6-818d4bfb1a9b

📥 Commits

Reviewing files that changed from the base of the PR and between c99c9cf and a954012.

📒 Files selected for processing (12)

• .github/workflows/build-tests.yml
• .github/workflows/conventional-label.yaml
• .github/workflows/coverage.yml
• .github/workflows/license_check.yml
• .github/workflows/lint.yml
• .github/workflows/opm-check.yml
• .github/workflows/pip_audit.yml
• .github/workflows/publish_stable.yml
• .github/workflows/release-preview.yml
• .github/workflows/release_workflow.yml
• .github/workflows/repo-health.yml
• pyproject.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit permissions: block — the job needs pull-requests: write to apply labels.

bcoe/conventional-release-labels@v1 calls the Issues/PRs API to add labels using GITHUB_TOKEN. In repositories (or orgs) where the default workflow token is read-only, the labeling step will fail with a 403. Declaring least-privilege permissions explicitly also tightens the security posture of a pull_request_target workflow (which runs with access to repo secrets) and silences the dangerous-triggers concern from static analysis since this job only labels and never checks out PR code.

🛡️ Proposed fix

 # auto add labels to PRs
 on:
   pull_request_target:
     types: [ opened, edited ]
 name: conventional-release-labels
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   label:
     runs-on: ubuntu-latest
     steps:
       - uses: bcoe/conventional-release-labels@v1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	jobs:
	label:
	runs-on: ubuntu-latest
	steps:
	- uses: bcoe/conventional-release-labels@v1
	# auto add labels to PRs
	on:
	pull_request_target:
	types: [ opened, edited ]
	name: conventional-release-labels
	permissions:
	contents: read
	pull-requests: write
	jobs:
	label:
	runs-on: ubuntu-latest
	steps:
	- uses: bcoe/conventional-release-labels@v1

🧰 Tools

🪛 zizmor (1.25.2)

[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conventional-label.yaml around lines 6 - 10, Add an
explicit permissions block for the label job so the action can write labels: in
the job named "label" that runs the step using
bcoe/conventional-release-labels@v1, declare least-privilege permissions with
pull-requests: write (and keep other permissions minimal or read-only as needed)
to ensure the GITHUB_TOKEN can call the Issues/PRs API and avoid 403s in
read-only defaults.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Resolve current v1 tag of bcoe/conventional-release-labels to a commit SHA
gh api repos/bcoe/conventional-release-labels/git/refs/tags/v1 --jq '.object'
gh api repos/bcoe/conventional-release-labels/releases --jq '.[0:3] | .[] | {tag_name, published_at}'

Repository: TigreGotico/markovonnx

Length of output: 430

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Confirm the targeted workflow line
echo "---- workflow snippet ----"
sed -n '1,80p' .github/workflows/conventional-label.yaml

# 2) Resolve the tag object returned for refs/tags/v1 to the underlying commit SHA
echo "---- resolve tag object -> commit ----"
gh api repos/bcoe/conventional-release-labels/git/tags/b503ca473654e07521c051628c5f1f969e7436da --jq '{sha: .object.sha, object_type: .object.type, tag: .tag}'

# Also resolve tags/v1.3.1, to ensure it matches
echo "---- resolve v1.3.1 tag -> commit ----"
gh api repos/bcoe/conventional-release-labels/git/refs/tags/v1.3.1 --jq '.object'
EOF

Repository: TigreGotico/markovonnx

Length of output: 728

---

Pin bcoe/conventional-release-labels to an immutable commit SHA

This workflow runs on pull_request_target, so pinning avoids supply-chain risk from a moving tag. bcoe/conventional-release-labels@v1 currently resolves to commit 886f696738527c7be444262c327c89436dfb95a8 (v1.3.1).

Suggested change

-      - uses: bcoe/conventional-release-labels@v1
+      - uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1.3.1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: bcoe/conventional-release-labels@v1
	- uses: bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8 # v1.3.1

🧰 Tools

🪛 zizmor (1.25.2)

[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conventional-label.yaml at line 10, Replace the floating
action tag with the specific commit SHA: update the uses reference
`bcoe/conventional-release-labels@v1` to the immutable commit
`bcoe/conventional-release-labels@886f696738527c7be444262c327c89436dfb95a8` so
the workflow running on pull_request_target no longer follows a moving tag and
is pinned to the known commit.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the specific workflow and surrounding lines
ls -la .github/workflows || true
sed -n '1,220p' .github/workflows/release_workflow.yml | nl -ba | sed -n '1,220p'

# Extract the publish_alpha job section (best-effort)
rg -n "publish_alpha|publish-alpha\.yml|secrets:\s*inherit|uses:\s*OpenVoiceOS/gh-automations" .github/workflows/release_workflow.yml -n || true

# Find other workflows using the same automation repo/workflow to see if they pin commits and how they handle secrets
rg -n "OpenVoiceOS/gh-automations/\.github/workflows/publish-alpha\.yml|OpenVoiceOS/gh-automations/.github/workflows/publish-alpha\.yml@|secrets:\s*inherit" .github/workflows -S || true

Repository: TigreGotico/markovonnx

Length of output: 949

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the workflow with line numbers (using awk to avoid nl dependency)
awk '{printf "%4d\t%s\n", NR, $0}' .github/workflows/release_workflow.yml | sed -n '1,220p'

# Pull only the relevant bits for publish_alpha
awk 'NR>=1 && NR<=220 {print}' .github/workflows/release_workflow.yml | \
  rg -n "publish_alpha|publish-alpha\.yml|secrets:\s*inherit|OpenVoiceOS/gh-automations" || true

# Search other workflows for the same automation and for secrets inheritance
rg -n "OpenVoiceOS/gh-automations/\.github/workflows/publish-alpha\.yml@|OpenVoiceOS/gh-automations/.github/workflows/publish-alpha\.yml@|secrets:\s*inherit" .github/workflows || true

# Also check if publish_stable is similarly pinned
rg -n "publish_stable|publish-stable\.yml|OpenVoiceOS/gh-automations" .github/workflows || true

Repository: TigreGotico/markovonnx

Length of output: 2606

---

Pin the gh-automations ref and restrict secrets for alpha publish automation (publish_alpha)

• In .github/workflows/release_workflow.yml lines 12-13, uses: OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev is not pinned to an immutable commit.
• secrets: inherit grants the called workflow access to all available repo secrets; switch to an explicit secrets: list containing only what publish-alpha.yml requires (the same @dev + secrets: inherit pattern also exists in other workflows in this repo, e.g., release-preview.yml, publish_stable.yml).

🧰 Tools

🪛 zizmor (1.25.2)

[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[warning] 12-12: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release_workflow.yml around lines 12 - 13, Replace the
loose workflow reference and broad secrets inheritance with a pinned ref and an
explicit secrets list: change the uses entry currently pointing to
OpenVoiceOS/gh-automations/.github/workflows/publish-alpha.yml@dev to a commit
SHA or immutable tag (pin the ref) and replace secrets: inherit with an explicit
secrets: mapping that only supplies the secrets the publish-alpha workflow needs
(match the required secret names defined by publish-alpha.yml); apply the same
pin-and-explicit-secrets change for other occurrences (e.g., release-preview.yml
and publish_stable.yml) to ensure immutable inputs and least-privilege secrets.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant section with line numbers
sed -n '1,200p' .github/workflows/release-preview.yml | nl -ba | sed -n '1,120p'

Repository: TigreGotico/markovonnx

Length of output: 109

---

🌐 Web query:

OpenVoiceOS gh-automations reusable workflow release-preview.yml secrets inherit requirements

💡 Result:

In GitHub Actions, the secrets: inherit keyword is a mechanism used when calling reusable workflows to implicitly pass all secrets from the caller workflow to the called (reusable) workflow [1][2][3]. Regarding your query about OpenVoiceOS release-preview.yml and secret inheritance requirements: 1. Functionality: When you specify secrets: inherit in a job that calls a reusable workflow, the called workflow gains access to all secrets available to the caller (including repository and environment secrets, provided the environment is correctly scoped) [1][3][4]. This avoids the need to explicitly map each individual secret [1][2]. 2. Requirements and Limitations: * Scope: Secret inheritance works only for reusable workflows within the same organization or enterprise [3]. * Principle of Least Privilege: While secrets: inherit simplifies configuration, it is often discouraged by security tooling (e.g., Semgrep rules) because it violates the principle of least privilege by granting the called workflow access to all repository secrets, rather than only those strictly required [5]. * Implementation in OpenVoiceOS: The release-preview.yml in OpenVoiceOS/gh-automations is a standard reusable workflow [6]. If you are implementing this in your own repository, you can call it using: yaml jobs: release-preview: uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@main secrets: inherit 3. Troubleshooting: If secrets are not propagating as expected, ensure you are not chaining workflows incorrectly. Secrets are only passed to directly called workflows [7][3]. In a chain of A > B > C, workflow C will only receive secrets from A if they are passed from A to B, and then from B to C [7][3]. If you continue to face evaluation errors, you may need to explicitly define the required secrets in the secrets map as a fallback [8].

Citations:

• 1: https://stackoverflow.com/questions/71524542/how-to-use-reusable-github-workflows-and-keep-secrets-in-a-single-place
• 2: https://github.blog/changelog/2022-05-03-github-actions-simplify-using-secrets-with-reusable-workflows/
• 3: https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows
• 4: https://cloudchronicles.blog/blog/Passing-Environment-Secrets-and-Variables-to-Reusable-Workflows-in-GitHub-Actions/
• 5: semgrep/semgrep-rules@6b4f11f
• 6: https://github.com/OpenVoiceOS/gh-automations
• 7: https://github.com/github/docs/blob/main/content/actions/how-tos/reuse-automations/reuse-workflows.md
• 8: Passing in secrets to reusable workflow does not work actions/runner#2709

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Print file with line numbers (avoid `nl`, since it may not exist)
awk 'NR>=1 && NR<=60 {printf "%d: %s\n", NR, $0}' .github/workflows/release-preview.yml

Repository: TigreGotico/markovonnx

Length of output: 410

---

Pin the reusable workflow ref and avoid secrets: inherit

In .github/workflows/release-preview.yml (lines 10–11), the job calls OpenVoiceOS/gh-automations/.../release-preview.yml@dev (mutable ref) and forwards all secrets via secrets: inherit, increasing supply-chain and secret-exposure risk in the release preview path.

Suggested hardening diff

-    uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@dev
-    secrets: inherit
+    uses: OpenVoiceOS/gh-automations/.github/workflows/release-preview.yml@<pinned_commit_sha>
+    # Omit secrets unless this reusable workflow explicitly requires them.

🧰 Tools

🪛 zizmor (1.25.2)

[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

---

[warning] 10-10: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-preview.yml around lines 10 - 11, The reusable
workflow invocation in release-preview.yml uses a mutable ref ("uses:
OpenVoiceOS/gh-automations/.../release-preview.yml@dev") and forwards all
secrets via "secrets: inherit"; change the "uses" ref to a pinned immutable ref
(tag or commit SHA) and remove "secrets: inherit", instead explicitly pass only
the minimum required secrets by name (or omit the secrets block if none are
needed) so secrets are not broadly exposed; update the "uses" line and replace
the "secrets: inherit" entry with an explicit mapping of required secrets (or
remove it) to harden the release-preview workflow.