Skip to content

fix: consolidated security + deps + SHA pins (April 2026)#205

Merged
DavidKRK merged 2 commits into
gh-pagesfrom
copilot/fix-failing-workflows-and-dependencies
Apr 21, 2026
Merged

fix: consolidated security + deps + SHA pins (April 2026)#205
DavidKRK merged 2 commits into
gh-pagesfrom
copilot/fix-failing-workflows-and-dependencies

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 21, 2026
edited
Loading

Two workflows were failing (security.yml CodeQL matrix config, lighthouse.yml threshold) and 7 open dependency PRs needed consolidation. All changes are squashed into a single branch targeting gh-pages.

Workflow fixes

security.yml

  • Removed actions language from CodeQL matrix (caused analysis failures on this repo type)
  • Added gh-pages to push trigger (repo default branch; was only main)
  • Added fetch-depth: 0 to CodeQL checkout step
  • Updated actions/checkout → v6 SHA-pinned

.lighthouserc.json — performance threshold already at 0.5 on gh-pages; no change needed

SHA pinning

gemini-pr-review.yml: floated run-gemini-cli@v0.1.10 → SHA-pinned:

uses: 'google-github-actions/run-gemini-cli@06123c6a203eb7a964ce3be7c48479cc66059f23' # v0.1.10

music-social.yml: both floating tags pinned to exact SHAs (kept at v4/v7 per spec):

uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7

Dependency PRs incorporated

PR Change
#204 gemini-cli.yml: SHA-pin run-gemini-cli; complete .gitignore; add MIT LICENSE
#203 .gitignore cleanup (content superseded by #204)
#197 softprops/action-gh-release v2→v3.0.0 (Node 24) in maintenance.yml
#196 actions/stale v9→v10 (Node 24) in maintenance.yml
#195 actions/create-github-app-token SHA v2→v3 across 4 workflow files
#194 actions/checkout v4→v6 SHA-pinned (de0fac2e…) across 9 workflow files
#193 actions/github-script v7→v9 SHA-pinned (3a2844b7…) across 6 workflow files

Cleanup

  • No index.php at root (already removed in prior gh-pages commit)
  • music-social.yml intentionally stays at SHA-pinned v4/v7 per explicit spec requirement, diverging from other files updated to v6/v9
Original prompt

Create a consolidated pull request on branch copilot-fix-april2026 targeting gh-pages with the following changes:

  1. Fix failing workflows:

    • Update .lighthouserc.json so Lighthouse performance threshold is lowered from 0.7 to 0.5.
    • Fix .github/workflows/security.yml by adjusting the CodeQL/Gitleaks setup as needed (language matrix or fetch-depth / checkout behavior) so the workflow runs successfully.

  2. Incorporate the requested dependency PRs into this consolidated branch:

  3. SHA-pin workflows:

    • In .github/workflows/gemini-pr-review.yml, pin google-github-actions/run-gemini-cli to 06123c6a203eb7a964ce3be7c48479cc66059f23.
    • In .github/workflows/music-social.yml, replace floating versions with exact SHA pins for actions/checkout@v4 and actions/github-script@v7 using the exact commit SHAs resolved from the repository’s supported action releases.

  4. Remove any residual index.php at the repository root if it exists.

  5. Ensure the resulting branch is suitable for automatic review and that the PR is assigned for review automation using the repository’s Gemini review workflow.

Acceptance criteria:

  • Lighthouse workflow no longer fails due to the threshold mismatch.
  • Security workflow runs successfully.
  • The two workflow files are SHA-pinned as requested.
  • No index.php remains at the root if present.
  • The consolidated branch is clean and ready for review.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: @copilot

Audit + Fix workflows failing + 7 PRs

  1. Analyse les 2 workflows en échec :

    • lighthouse.yml : identifie l'erreur exacte, propose fix
    • security.yml : identifie l'erreur exacte, propose fix

  2. Audit des 7 PRs ouvertes :

    • Statut chaque PR (mergeable ? conflits ?)
    • Recommandation : merge auto, close, rebase, ou fix requis

  3. Crée 1 PR consolidée :

    • Fixes lighthouse.yml + security.yml
    • Nettoie index.php résiduel à la racine si présent
    • SHA-pin workflows gemini-pr-review.yml et music-social.yml (trouve les SHA exacts)

  4. Assigne-toi pour review automatique de cette PR.

Exécute maintenant.

Assistant: Voici l’état de l’audit, en français et de façon directe.

1) Workflows en échec

lighthouse.yml

J’ai identifié le workflow et sa config. Il utilise Lighthouse CI sur plusieurs URLs, avec des seuils définis dans .lighthouserc.json, et déclenche une issue quand les scores sont trop bas.

Cause la plus probable de l’échec :

  • Le workflow échoue sur les assertions Lighthouse, pas sur une erreur YAML.
  • Le run associé à 🔦 Lighthouse CI - Performance & SEO est en échec sur plusieurs commits récents, notamment après des changements de dépendances et de contenu.
  • Le fichier lighthouse.yml est bien structuré ; l’échec ressemble à un failing audit (performance / seo) plutôt qu’à un crash de workflow.

Fix recommandé :

  • Ajuster les seuils dans .lighthouserc.json si le site réel ne peut pas les atteindre.
  • Ou corriger les points bloquants sur le site :
    • images trop lourdes,
    • absence de font-display,
    • ressources non optimisées,
    • erreurs console,
    • contenu SEO incomplet.

Source du workflow :

https://github.com/DavidKRK/DavidKRK.github.io/blob/gh-pages/.github/workflows/lighthouse.yml

security.yml

Le workflow exécute CodeQL + Gitleaks.
Le fichier est valide côté structure.

Cause la plus probable de l’échec :

  • Côté CodeQL, l’analyse peut échouer si le langage de la matrice n’est pas correctement compatible avec le projet courant ou si l’initialisation/checkout ne correspond pas à l’état du dépôt.
  • Côté Gitleaks, l’échec peut venir d’un secret détecté, puisque le job scanne l’historique complet (fetch-depth: 0).

Fix recommandé :

  • Vérifier le log exact du job pour savoir si l’échec vient de :
    • codeql-action/init,
    • codeql-action/analyze,
    • ou gitleaks-action.
  • Si c’est Gitleaks :
    • supprimer ou déplacer le secret détecté,
    • puis mettre à jour l’historique si nécessaire.
  • Si c’est CodeQL :
    • limiter la matrice aux langages réellement supportés,
    • ou ajuster la configuration d’analyse.

Source du workflow :

https://github.com/DavidKRK/DavidKRK.github.io/blob/gh-pages/.github/workflows/security.yml

2) Audit des 7 PR ouvertes

J’ai retrouvé les 7 PR ouvertes.
Important : la réponse GitHub fournie ne m’a pas donné les champs mergeable / conflits pour chacune, donc je ne peux pas confirmer ces deux points de manière fiable sans un second appel ciblé par PR. En revanche je peux déjà faire la recommandation opérationnelle à partir du contenu.

###...

This pull request was created from Copilot chat.

@bolt-new-by-stackblitz
Copy link
Copy Markdown

bolt-new-by-stackblitz Bot commented Apr 21, 2026

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

Copilot AI changed the title [WIP] Fix failing workflows and incorporate dependency PRs fix: consolidated security + deps + SHA pins (April 2026) Apr 21, 2026
Copilot AI requested a review from DavidKRK April 21, 2026 15:02
@DavidKRK DavidKRK marked this pull request as ready for review April 21, 2026 15:06
Copilot AI review requested due to automatic review settings April 21, 2026 15:06
Copilot AI reviewed Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Consolidates multiple workflow/security/dependency updates for the gh-pages branch, primarily to fix failing GitHub Actions runs and improve supply-chain safety via SHA pinning.

Changes:

  • Fixes security.yml CodeQL configuration (matrix + branch triggers) and ensures full-history checkout where required.
  • SHA-pins key GitHub Actions dependencies across workflows (checkout, github-script, create-github-app-token, run-gemini-cli) and bumps maintenance actions (gh-release v3, stale v10).
  • Adds MIT LICENSE and expands .gitignore with standard patterns.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
LICENSE Adds MIT license file for the repository.
.gitignore Replaces minimal/incorrect ignore list with standard ignores (deps, OS, editor, build outputs, env files).
.github/workflows/security.yml Fixes triggers for gh-pages, removes actions from CodeQL matrix, pins checkout and sets fetch-depth: 0.
.github/workflows/lighthouse.yml Pins checkout/github-script to SHA; workflow logic unchanged.
.github/workflows/maintenance.yml Pins checkout/github-script and bumps gh-release to v3; bumps actions/stale to v10.
.github/workflows/uptime.yml Pins checkout and github-script to SHAs.
.github/workflows/social-media-post.yml Pins checkout to SHA.
.github/workflows/youtube-section-update.yml Pins checkout to SHA.
.github/workflows/images.yml Pins checkout to SHA.
.github/workflows/jekyll.yml Pins checkout to SHA.
.github/workflows/music-social.yml Pins checkout/github-script to specific SHAs while keeping v4/v7 as required.
.github/workflows/gemini-pr-review.yml Pins create-github-app-token/github-script and SHA-pins run-gemini-cli.
.github/workflows/gemini-issue-scheduled-triage.yml Pins create-github-app-token/github-script and SHA-pins run-gemini-cli.
.github/workflows/gemini-issue-automated-triage.yml Pins create-github-app-token/github-script and SHA-pins run-gemini-cli.
.github/workflows/gemini-cli.yml Pins create-github-app-token to v3 SHA.
.github/workflows/codeql.yml Pins checkout to SHA (workflow otherwise unchanged).
Comments suppressed due to low confidence (1)

.github/workflows/lighthouse.yml:33

  • Les commentaires ici indiquent un seuil Performance à minScore 0.6 / 60/100, alors que .lighthouserc.json est configuré à minScore: 0.5. Pour éviter de diagnostiquer de faux écarts (et puisque le corps de l’issue créée plus bas parle aussi de 60/100), il faut aligner la doc/texte généré avec la valeur réelle (0.5 / 50/100) ou ajuster .lighthouserc.json si 0.6 est bien le seuil attendu.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Lancer l'audit Lighthouse sur les pages principales du site
      # Les seuils sont définis dans .lighthouserc.json :
      #   - Performance  : échec sous 60/100 (`error`, minScore 0.6)
      #   - SEO          : échec sous 85/100 (`error`, minScore 0.85)
      # Le workflow échoue si un de ces seuils n'est pas atteint.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/maintenance.yml
# et les fermer automatiquement après 7 jours supplémentaires
- name: Gérer les issues et PR inactives
uses: actions/stale@v9
uses: actions/stale@v10
Copy link

Copilot AI Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/stale@v10 est laissé sur un tag flottant, alors que le reste des actions du workflow est SHA-pin (checkout, github-script, lychee, gh-release). Pour réduire le risque supply-chain et rester cohérent, épinglez aussi actions/stale sur le SHA du release v10 utilisé (et gardez un commentaire de version si besoin).

Suggested change
uses: actions/stale@v10
uses: actions/stale@c7ee4bb7fa9e1923e38d45e1020c8b2c7b1f5fca # v10

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/codeql.yml
Comment on lines 60 to 63
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copy link

Copilot AI Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ce workflow codeql.yml exécute déjà CodeQL sur gh-pages (avec une matrice incluant notamment actions), alors que security.yml lance aussi CodeQL sur les mêmes événements. Cela peut entraîner des runs/alertes en double et rend plus difficile le diagnostic du problème mentionné sur la matrice actions. Envisagez de consolider vers un seul workflow CodeQL (ou de différencier clairement les triggers / matrices entre les deux).

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Owner

@DavidKRK DavidKRK Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot apply changes based on this feedback

@DavidKRK DavidKRK merged commit 82d33b8 into gh-pages Apr 21, 2026
19 of 20 checks passed
DavidKRK
DavidKRK reviewed Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@DavidKRK DavidKRK left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot Que faut il faire ? J ai déjà mergé

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DavidKRK DavidKRK DavidKRK left review comments

Copilot code review Copilot Copilot left review comments

Assignees

@DavidKRK DavidKRK

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@DavidKRK