chore: [StepSecurity] Apply security best practices #2123
step-security-bot wants to merge 6 commits into cloudposse:main
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Important
Cloud Posse Engineering Team Review Required
This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes. To expedite this process, reach out to us on Slack in the
Walkthrough
Pins many GitHub Actions and Docker base images to specific commit SHAs/digests, adds a Scorecard supply-chain security workflow, expands dependabot update schedules, and adds new pre-commit hooks for secret scanning.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
.github/workflows/validate-codeowners.yml (1)
12-37: ⚠️ Potential issue | 🟡 Minor
Update pinned version in comment to match actual version.
Line 22 references version 0.7.1, but both instances of the action on lines 23 and 37 pin to v0.7.4. Align the comment with the actual pinned version.
Suggested fix
- # Leave pinned at 0.7.1 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved + # Leave pinned at 0.7.4 until https://github.com/mszostok/codeowners-validator/issues/173 is resolved🤖 Prompt for AI Agents
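Review bot: Changing only the number in the comment makes it claim the pin is being held at 0.7.4 because of issue 173, but the comment was written as the reason for staying on 0.7.1; confirm the issue still blocks upgrades past 0.7.4, and if it does not, replace the comment with a plain version marker for the pinned SHA instead of the "until ... is resolved" wording.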
Verify each finding against the current code and only fix it if needed. In @.github/workflows/validate-codeowners.yml around lines 12 - 37, Update the inline comment that currently reads "Leave pinned at 0.7.1 until ..." to reflect the actual pinned version used (v0.7.4) so the comment matches the two mszostok/codeowners-validator pins (mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f) and avoid confusion between the comment and the action versions; change "0.7.1" to "0.7.4" in that comment.
.devcontainer/Dockerfile (1)
1-51: ⚠️ Potential issue | 🟠 Major
Run the final devcontainer image as a non-root user.
There is no USER instruction, so the final container defaults to root. Add an explicit non-root user at the end of the Dockerfile.
Suggested fix
RUN chown -R vscode:vscode /home/vscode/.config && \ chmod -R 755 /home/vscode/.config && \ chmod 644 /home/vscode/.config/direnv/direnvrc + +USER vscode🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.devcontainer/Dockerfile around lines 1 - 51, The final image is running as root because there is no USER instruction; add an explicit non-root USER (e.g., USER vscode) at the end of the Dockerfile so the container runs as the existing vscode user; ensure the referenced user is the same one modified earlier by usermod -aG docker vscode and chown -R vscode:vscode /home/vscode/.config so permissions match, and place the USER instruction after the final COPY/permission steps (after the chown/chmod) so ownership changes apply before switching users.
.github/workflows/claude.yml (1)
1-10: ⚠️ Potential issue | 🟠 Major
Declare explicit permissions for this workflow.
This workflow still relies on implicit token permissions. For least-privilege hardening, define explicit scopes at workflow (or job) level.
Suggested fix
on: pull_request: types: [opened, synchronize, reopened] @@ - '.github/actions/check-claude-md-size/**' + +permissions: + contents: read + pull-requests: write🤖 Prompt for AI Agents
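Review bot: `pull-requests: write` in the added top-level `permissions:` block is granted to every job in the workflow; keep the workflow default at `contents: read` and move `pull-requests: write` into a job-level `permissions:` on the one job that has to write to the pull request.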
Verify each finding against the current code and only fix it if needed. In @.github/workflows/claude.yml around lines 1 - 10, Add an explicit permissions block to the workflow (top-level `permissions` key) to avoid implicit token scopes; for this PR set minimal scopes such as `contents: read` (and add any additional least-privilege scopes needed by jobs, e.g., `pull-requests: write` if you update PRs) by inserting a `permissions:` mapping at the top-level of the YAML (use the `permissions` key as the identifier) rather than relying on implicit defaults.
.github/workflows/test.yml (1)
1-27: ⚠️ Potential issue | 🟠 Major
Add explicit workflow/job permissions for least privilege.
This workflow still depends on implicit token scopes. Please declare explicit read-only defaults and grant write only to jobs that require it (for example, SARIF upload).
Suggested baseline
name: Tests on: @@ workflow_dispatch: + +permissions: + contents: readThen set job-level write scopes only where needed (e.g.,
security-events: write for the SARIF upload job).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/test.yml around lines 1 - 27, Add explicit GitHub Actions permissions: insert a top-level permissions block in the workflow to set conservative, read-only defaults (e.g., contents: read, packages: read, actions: read, id-token: write only if needed) and then grant job-level write scopes only where required; locate the top-level jobs block and add a permissions stanza there, and in the SARIF upload job (the job that performs security/SARIF reporting) add/override permissions to include security-events: write (and any other specific write scopes needed) so no implicit token scopes are used.
🧹 Nitpick comments (1)
.github/dependabot.yml (1)
61-114: Add PR-rate controls to the new daily Dependabot blocks.
These new entries are valid, but without open-pull-requests-limit/cooldown/grouping, they can create noisy PR bursts. Consider aligning them with your existing policy controls.
Example pattern to apply to new blocks
- package-ecosystem: docker directory: /.devcontainer + open-pull-requests-limit: 3 + labels: + - dependencies + - no-release schedule: interval: daily + cooldown: + default-days: 14 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"]🤖 Prompt for AI Agents
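Review bot: The `ignore` entry at the end of the example, `dependency-name: "*"` with `update-types: ["version-update:semver-major"]`, suppresses every major-version update for the docker ecosystem it is attached to, so a base image that has moved to a new major line never gets a PR; if the goal is only to limit PR bursts, `open-pull-requests-limit` and `cooldown` already do that, and the ignore rule should be left out or narrowed to named dependencies.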
Verify each finding against the current code and only fix it if needed. In @.github/dependabot.yml around lines 61 - 114, The new Dependabot blocks for package-ecosystem: docker (directories /.devcontainer, /, /demo/screenshots, /examples/devcontainer-build, /examples/quick-start-advanced), package-ecosystem: gomod (directories /tools/gomodcheck, /tools/lintroller) and package-ecosystem: npm (multiple /website/plugins/* directories) need PR-rate controls added; update each added block to include the existing policy keys used elsewhere (for example open-pull-requests-limit and optionally pull-request-grouping/cooldown settings) so they follow the same limits as current entries—open the package-ecosystem blocks named above and add an open-pull-requests-limit value and any cooldown/grouping keys you use in the repo policy to prevent bursty PRs.
📒 Files selected for processing (29)
- .devcontainer/Dockerfile
- .github/actions/go-version-check/action.yml
- .github/actions/pr-sizer/action.yml
- .github/actions/remove-dependabot-semver-labels/action.yml
- .github/dependabot.yml
- .github/workflows/autofix.yml
- .github/workflows/build.yml
- .github/workflows/changelog-check.yml
- .github/workflows/claude.yml
- .github/workflows/clear-cache.yml
- .github/workflows/codeql.yml
- .github/workflows/dependency-review.yml
- .github/workflows/go-version-check.yml
- .github/workflows/link-check.yml
- .github/workflows/pr-size-labeler.yml
- .github/workflows/pre-commit.yml
- .github/workflows/scorecards.yml
- .github/workflows/screengrabs.yaml
- .github/workflows/setup-go-cache-warmup.yml
- .github/workflows/test.yml
- .github/workflows/validate-codeowners.yml
- .github/workflows/vhs.yaml
- .github/workflows/website-deploy-prod.yml
- .github/workflows/website-preview-build.yml
- .github/workflows/website-preview-deploy.yml
- .github/workflows/website-preview-destroy.yml
- .pre-commit-config.yaml
- Dockerfile
- demo/screenshots/Dockerfile
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '20 7 * * 2'
  push:
    branches: ["main"]
Add a PR trigger to align with required PR CI policy.
This new workflow currently runs on branch_protection_rule, schedule, and push only, so it won’t execute on pull requests.
🔧 Suggested change
on:
+ pull_request:
+ branches: ["main"]
+ types: [opened, synchronize, reopened]
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:As per coding guidelines ".github/workflows/*.{yml,yaml}: Configure CI to run unit tests, integration tests, golangci-lint, and coverage reporting on all pull requests".
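Review bot: The `pull_request` trigger added at the top of `on:` is justified by a guideline about running unit tests, integration tests, golangci-lint and coverage reporting on pull requests, none of which this Scorecard workflow does, and the hunk's own context comment says the Branch-Protection check supports only the default branch. Suggest leaving the trigger out; if it is kept, the `types: [opened, synchronize, reopened]` line can be dropped because those are already the default activity types for `pull_request`.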
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/scorecards.yml around lines 6 - 16, The workflow only
triggers on branch_protection_rule, schedule and push (see the top-level "on:"
block) so it never runs for pull requests; add a pull_request trigger to the
"on:" block (e.g., pull_request: branches: ["main"]) so CI runs on PRs as
required, ensuring the existing checks (branch_protection_rule, schedule, push)
remain unchanged and the new pull_request entry targets the same branch filter.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
cat .github/workflows/scorecards.yml
Length of output: 3229
@nitrocode, this has not been addressed. The on: block in .github/workflows/scorecards.yml still only contains branch_protection_rule, schedule, and push — no pull_request trigger. The suggested fix remains applicable:
on:
  pull_request:
    branches: ["main"]
    types: [opened, synchronize, reopened]
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '20 7 * * 2'
  push:
    branches: ["main"]

Note: It's worth mentioning that the Scorecard workflow is primarily designed for supply-chain security analysis of the default branch rather than individual PRs. If the intent is to only run it on push to main and on a schedule (which is the standard Scorecard setup), this could be intentionally left without a PR trigger. The concern here is purely about the CI policy guideline requiring workflows to run on PRs.
- repo: https://github.com/gitleaks/gitleaks
  rev: v8.16.3
  hooks:
    - id: gitleaks
- repo: https://github.com/jumanjihouse/pre-commit-hooks
  rev: 3.0.0
  hooks:
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Resolving tags to commit SHAs ==="
echo
echo "gitleaks tag v8.16.3 -> commit:"
git ls-remote https://github.com/gitleaks/gitleaks refs/tags/v8.16.3 | awk '{print $1}'
echo
echo "jumanjihouse/pre-commit-hooks tag 3.0.0 -> commit:"
git ls-remote https://github.com/jumanjihouse/pre-commit-hooks refs/tags/3.0.0 | awk '{print $1}'
Repository: cloudposse/atmos
Length of output: 264
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Fetching .pre-commit-hooks.yaml from jumanjihouse/pre-commit-hooks@3.0.0..."
curl -s "https://raw.githubusercontent.com/jumanjihouse/pre-commit-hooks/3.0.0/.pre-commit-hooks.yaml" | head -50
echo
echo "=== Checking for hook IDs (id: field) ==="
curl -s "https://raw.githubusercontent.com/jumanjihouse/pre-commit-hooks/3.0.0/.pre-commit-hooks.yaml" | rg "^\s*-\s+id:" | head -20
Repository: cloudposse/atmos
Length of output: 1984
Fix hook ID casing and pin to immutable commit SHAs
Line 77: RuboCop must be lowercase rubocop (current ID doesn't exist in the hook repository). Also pin both repos to commit SHAs for supply-chain hardening:
- gitleaks v8.16.3 → 62aef54969078f83cf8c4bffd4142bd43d726b86
- jumanjihouse/pre-commit-hooks 3.0.0 → 38980559e3a605691d6579f96222c30778e5a69e
Suggested fix
- repo: https://github.com/gitleaks/gitleaks
- rev: v8.16.3
+ rev: 62aef54969078f83cf8c4bffd4142bd43d726b86
hooks:
- id: gitleaks
- repo: https://github.com/jumanjihouse/pre-commit-hooks
- rev: 3.0.0
+ rev: 38980559e3a605691d6579f96222c30778e5a69e
hooks:
- - id: RuboCop
+ - id: rubocop
- id: shellcheck🤖 Prompt for AI Agents
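Review bot: Both replaced `rev:` lines now carry a bare 40-character SHA with no indication of which release it is, which makes later review of the pin guesswork; keep the tag as a trailing comment, for example `rev: 62aef54969078f83cf8c4bffd4142bd43d726b86 # v8.16.3`, and do the same for the 3.0.0 pin.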
Verify each finding against the current code and only fix it if needed.
In @.pre-commit-config.yaml around lines 74 - 80, The pre-commit config uses an
incorrect hook ID casing and mutable tags; change the hook ID `RuboCop` to
lowercase `rubocop` where hooks are declared and replace the `rev: v8.16.3` and
`rev: 3.0.0` entries with the exact commit SHAs
`62aef54969078f83cf8c4bffd4142bd43d726b86` for the gitleaks repo and
`38980559e3a605691d6579f96222c30778e5a69e` for the jumanjihouse/pre-commit-hooks
repo to pin versions and harden supply chain.
@nitrocode — No, neither issue has been addressed in the current state of the file. Both problems remain:
- Mutable tags — gitleaks still uses rev: v8.16.3 and jumanjihouse/pre-commit-hooks still uses rev: 3.0.0 instead of pinned commit SHAs.
- Wrong hook ID casing — RuboCop should be rubocop to match the actual hook ID defined in the upstream repo.
The suggested fix from my earlier comment still applies:
- repo: https://github.com/gitleaks/gitleaks
- rev: v8.16.3
+ rev: 62aef54969078f83cf8c4bffd4142bd43d726b86 # v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/jumanjihouse/pre-commit-hooks
- rev: 3.0.0
+ rev: 38980559e3a605691d6579f96222c30778e5a69e # 3.0.0
hooks:
- - id: RuboCop
+ - id: rubocop
- id: shellcheck🧠 Learnings used
- repo: https://github.com/jumanjihouse/pre-commit-hooks
  rev: 3.0.0
  hooks:
    - id: RuboCop
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Upstream hook IDs at jumanjihouse/pre-commit-hooks@3.0.0 ==="
curl -fsSL https://raw.githubusercontent.com/jumanjihouse/pre-commit-hooks/3.0.0/.pre-commit-hooks.yaml \
| grep -A 2 "^- id:" | head -30
echo
echo "=== Local configured hook IDs in jumanjihouse/pre-commit-hooks block ==="
awk '
/- repo: https:\/\/github.com\/jumanjihouse\/pre-commit-hooks/ {in_block=1; next}
in_block && /^- repo:/ && $0 !~ /jumanjihouse\/pre-commit-hooks/ {in_block=0}
in_block && /id:/ {print NR ": " $0}
' .pre-commit-config.yaml
Repository: cloudposse/atmos
Length of output: 1146
🏁 Script executed:
#!/bin/bash
curl -fsSL https://raw.githubusercontent.com/jumanjihouse/pre-commit-hooks/3.0.0/.pre-commit-hooks.yaml \
| grep -i rubocop
Repository: cloudposse/atmos
Length of output: 221
Fix hook ID casing for RuboCop
Hook ID RuboCop must be lowercase rubocop to match upstream jumanjihouse/pre-commit-hooks@3.0.0. Pre-commit hook IDs are case-sensitive and resolution will fail with the current casing.
Suggested update
- - id: RuboCop
+ - id: rubocop📝 Committable suggestion
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.pre-commit-config.yaml at line 81, Change the pre-commit hook id from
"RuboCop" to the lowercase "rubocop" in .pre-commit-config.yaml so it matches
the upstream jumanjihouse/pre-commit-hooks@3.0.0 hook ID; update the id value
where "RuboCop" appears to "rubocop" (ensure any reference to the RuboCop hook
in the file uses the lowercase id).
@nitrocode, no — this has not been addressed. The full file content still shows:
- repo: https://github.com/jumanjihouse/pre-commit-hooks
  rev: 3.0.0
  hooks:
    - id: RuboCop # ← still uppercase
    - id: shellcheck

The upstream hook ID at jumanjihouse/pre-commit-hooks@3.0.0 is rubocop (all lowercase), and pre-commit resolves hook IDs case-sensitively, so this will fail at runtime. The fix is a one-line change:
- - id: RuboCop
+ - id: rubocop🧠 Learnings used
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #2123 +/- ##
==========================================
+ Coverage 76.99% 77.04% +0.04%
==========================================
Files 1060 1060
Lines 100618 100618
==========================================
+ Hits 77475 77519 +44
+ Misses 18847 18805 -42
+ Partials 4296 4294 -2
We'll fix anything in follow up PR

Summary
This pull request is created by StepSecurity at the request of @nitrocode. Please merge the Pull Request to incorporate the requested changes. Please tag @nitrocode on your message if you have any questions related to the PR.
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.
Keeping your actions up to date with Dependabot
With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).
Secure Dockerfiles
Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Maintain Code Quality with Pre-Commit
Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.
Feedback
For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot bot@stepsecurity.io
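The pinning and token-permission checks described in this pull request, as an added example that is not part of the pull request or of StepSecurity's tooling: a line-based Python audit that flags `uses:` references not pinned to a full-length commit SHA, `FROM` images without a digest, pre-commit `rev:` values that are tags, and workflows with no top-level `permissions:` block. The sample files are constructed, the all-zero image digest is a placeholder, and the function names are hypothetical.

```python
"""Added example: flag mutable references in CI and build files.

All inputs below are constructed samples; function names are hypothetical.
"""
import re

SHA1 = re.compile(r"^[0-9a-f]{40}$")            # full-length commit SHA
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")   # image digest suffix
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FROM = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
REPO = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV = re.compile(r"^\s*rev:\s*['\"]?([^'\"\s#]+)")


def unpinned_actions(workflow: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every `uses:` that is not immutable."""
    findings = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):            # action stored in this repository
            continue
        if ref.startswith("docker://"):     # container action: needs a digest
            if not DIGEST.search(ref):
                findings.append((n, ref))
            continue
        version = ref.partition("@")[2]     # empty when no @ref is given
        if not SHA1.match(version):
            findings.append((n, ref))
    return findings


def has_top_level_permissions(workflow: str) -> bool:
    """True when the workflow declares `permissions:` at column 0."""
    return bool(re.search(r"^permissions:", workflow, re.M))


def unpinned_images(dockerfile: str) -> list[tuple[int, str]]:
    """Return FROM lines whose image has no @sha256 digest."""
    stages, findings = set(), []
    for n, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        is_stage = image.lower() in stages  # FROM <earlier build stage>
        if image != "scratch" and not is_stage and not DIGEST.search(image):
            findings.append((n, image))
        if alias:
            stages.add(alias.lower())
    return findings


def unpinned_hooks(config: str) -> list[tuple[str, str]]:
    """Return (repo, rev) pairs from a pre-commit config whose rev is not a SHA."""
    findings, repo = [], None
    for line in config.splitlines():
        if (m := REPO.match(line)):
            repo = m.group(1)
        elif (m := REV.match(line)) and repo and not SHA1.match(m.group(1)):
            findings.append((repo, m.group(1)))
    return findings


# Constructed workflow: one tag-pinned action, one SHA-pinned, one local.
WORKFLOW = """\
name: Validate CODEOWNERS
on:
  pull_request:
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # v0.7.4
      - uses: ./.github/actions/pr-sizer
"""

# Constructed pre-commit config: one tag rev, one SHA rev with version comment.
PRECOMMIT = """\
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.16.3
    hooks:
      - id: gitleaks
  - repo: https://github.com/jumanjihouse/pre-commit-hooks
    rev: 38980559e3a605691d6579f96222c30778e5a69e  # 3.0.0
    hooks:
      - id: shellcheck
"""

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64   # placeholder, not a real image digest
DOCKERFILE = f"""\
FROM golang:1.24 AS build
FROM --platform=linux/amd64 alpine@{PLACEHOLDER_DIGEST} AS base
FROM build AS test
FROM scratch
"""

if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(WORKFLOW))
    print("top-level permissions:", has_top_level_permissions(WORKFLOW))
    print("unpinned images:", unpinned_images(DOCKERFILE))
    print("unpinned hooks:", unpinned_hooks(PRECOMMIT))
```

The parsing is deliberately line-based so it runs without a YAML library; it does not resolve `FROM ${VAR}` build arguments or job-level `permissions:` blocks.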