3.0 #9
Merged: m-xim merged 67 commits into develop from dev3 on Jun 6, 2026

Conversation

m-xim (Owner) commented May 18, 2026

Summary by CodeRabbit

  • New Features

    • Full documentation website with guides, quick-starts, and recipes.
    • Route system supporting rich path/query parameters and URL building.
    • FastAPI and aiohttp adapters with multipart webhook reply streaming.
  • Improvements

    • New engine surface: SingleBotEngine and TokenEngine with clearer lifecycle and webhook flows (foreground/background webhook replies).
    • Stronger security primitives: secret-token and IP checks with clearer errors/logging.
    • Multipart webhook payload support for sending files.
  • Chores

    • CI now publishes test coverage XML and uploads reports to Codecov.

coderabbitai (bot) commented May 18, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 811793dc-2e61-4904-b60b-8c6e97a916e3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Replaces legacy adapters/routing/engines with a typed WebAdapter + Route + Engine stack, refactors security and configs, adds payload/task utilities, reshapes exports, introduces a full docs site and CI for docs/tests/coverage, and updates/expands tests across new components.

Changes

Core architecture, adapters, routing, engines, security, utilities, and repo updates

Layer: End-to-end refactor: contracts, implementation, wiring, and tests
File(s): src/aiogram_webhook/..., docs/..., .github/workflows/*, tests/*, pyproject.toml, package.json, ruff.toml, .gitignore
Summary: Introduces WebRequest/WebAdapter abstractions and payload_response, new Route (path/query/URL validation), BaseWebhookEngine with SingleBotEngine/TokenEngine/BaseMultiBotEngine, redesigned Security and secret-token/IP checks, TaskTracker and multipart build_webhook_payload, updated exports, comprehensive docs site and CI workflows, plus extensive test fixtures and tests.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant WebAdapter
  participant Route
  participant Engine
  participant Security
  participant Dispatcher
  Client->>WebAdapter: POST /route
  WebAdapter->>Engine: handle_request(web_request)
  Engine->>Route: match(web_request)
  Route-->>Engine: route_params
  Engine->>Security: verify(target, request, route_params)
  Security-->>Engine: ok or raises
  Engine->>Dispatcher: feed_webhook_update/feed_raw_update
  Dispatcher-->>Engine: result (optional TelegramMethod)
  Engine-->>WebAdapter: json_response or payload_response

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Poem

A rabbit taps the webhook line,
Routes hop neat, with tokens fine.
Engines hum and tasks take flight,
Security guards through day and night.
Docs and tests bloom — ship it right. 🐇✨


@m-xim m-xim requested a review from Copilot May 18, 2026 21:08
codecov-commenter (bot) commented

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

Copilot AI (Contributor) left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

devin-ai-integration[bot]

This comment was marked as resolved.

coderabbitai[bot]

This comment was marked as resolved.

Copilot AI (Contributor) left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

This comment was marked as resolved.

@m-xim m-xim temporarily deployed to github-pages June 2, 2026 00:24 — with GitHub Actions Inactive
@m-xim m-xim temporarily deployed to github-pages June 2, 2026 00:32 — with GitHub Actions Inactive
@m-xim m-xim temporarily deployed to github-pages June 2, 2026 06:21 — with GitHub Actions Inactive
@m-xim m-xim temporarily deployed to github-pages June 2, 2026 06:34 — with GitHub Actions Inactive
@m-xim m-xim temporarily deployed to github-pages June 2, 2026 12:29 — with GitHub Actions Inactive
@m-xim m-xim temporarily deployed to github-pages June 2, 2026 14:26 — with GitHub Actions Inactive
@m-xim m-xim temporarily deployed to github-pages June 2, 2026 22:33 — with GitHub Actions Inactive

coderabbitai (bot) left a comment

Actionable comments posted: 17

🧹 Nitpick comments (3)
docs/_assets/style/custom.css (1)

34-39: 💤 Low value

Remove or fix commented CSS block.

The commented CSS block has whitespace formatting violations flagged by Stylelint. Either remove the commented code if it's no longer needed, or fix the whitespace issues if you plan to uncomment it in the future.

♻️ Option 1: Remove commented code
-/*FIX: page construct*/
-/*.g-root_theme_dark .pc-header-block__background,*/
-/*.g-root_theme_dark .pc-header-block__background-media,*/
-/*.g-root_theme_dark .pc-header-block__background .pc-Media {*/
-/*  background: `#101827` !important;*/
-/*}*/
-
 .pc-basic-card,
♻️ Option 2: Fix whitespace if keeping
-/*FIX: page construct*/
-/*.g-root_theme_dark .pc-header-block__background,*/
-/*.g-root_theme_dark .pc-header-block__background-media,*/
-/*.g-root_theme_dark .pc-header-block__background .pc-Media {*/
-/*  background: `#101827` !important;*/
-/*}*/
+/* FIX: page construct */
+/* .g-root_theme_dark .pc-header-block__background, */
+/* .g-root_theme_dark .pc-header-block__background-media, */
+/* .g-root_theme_dark .pc-header-block__background .pc-Media { */
+/*   background: `#101827` !important; */
+/* } */
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/_assets/style/custom.css` around lines 34 - 39, The commented CSS block
containing selectors .g-root_theme_dark .pc-header-block__background,
.g-root_theme_dark .pc-header-block__background-media, and .g-root_theme_dark
.pc-header-block__background .pc-Media is causing Stylelint whitespace
violations; either delete the entire commented block if it's unused, or
restore/clean it by uncommenting and fixing whitespace/indentation to match
project style (no trailing spaces, consistent indentation, proper spacing around
braces and commas) so the rules validate cleanly in
docs/_assets/style/custom.css.
package.json (1)

8-8: ⚡ Quick win

Consider adding a package-lock.json or equivalent.

The project uses npm scripts and dependencies but doesn't reference a lockfile. Without package-lock.json, dependency versions may vary across environments, potentially breaking the docs build.

Generate and commit a lockfile after installing dependencies:

npm install  # Generates package-lock.json
git add package-lock.json
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 8, The repository lacks a dependency lockfile which can
cause inconsistent installs; run npm install to generate package-lock.json, add
the lockfile to version control and commit it so the build script ("build" in
package.json) and other npm-driven tasks use deterministic dependency versions;
ensure you run npm ci locally/CI afterwards to verify the docs build still
succeeds and include package-lock.json in the commit.
.github/workflows/tests.yml (1)

25-47: ⚡ Quick win

Consider pinning GitHub Actions to commit SHAs for supply-chain security.

The workflow uses tag-based action references (actions/checkout@v6, astral-sh/setup-uv@v8.1.0, codecov/codecov-action@v5), which can change if tags are moved or deleted. For stronger supply-chain guarantees, consider pinning to full commit SHAs with a comment containing the version tag for readability.

Additionally, the actions/checkout step does not set persist-credentials: false, which could allow credentials to persist in subsequent steps or artifacts.

🔒 Example of SHA-pinned actions with persist-credentials
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29  # v6.0.0
+        with:
+          persist-credentials: false

-        uses: astral-sh/setup-uv@v8.1.0
+        uses: astral-sh/setup-uv@67765507163a38a7085f3eb5083d8aeef9c350cf  # v8.1.0

-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725023e5ab321a4e7  # v5.1.2
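Review bot: the three SHAs in this suggested fix cannot be verified from the PR itself, so confirm each against the action's releases page (or with `git ls-remote`, as the release.yml prompt above suggests) before committing rather than copying them from the suggestion. Note also that `codecov/codecov-action@v5` is a floating major tag, so check that the `# v5.1.2` trailing comment names the release you actually intend and not whatever `v5` happened to resolve to.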

You can find commit SHAs on each action's GitHub releases page.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yml around lines 25 - 47, Update the GitHub Actions
workflow to pin third-party actions to their full commit SHAs instead of tag
references (replace actions/checkout@v6, astral-sh/setup-uv@v8.1.0,
codecov/codecov-action@v5 with their corresponding commit SHAs and add a
trailing comment with the original tag for readability), and modify the
actions/checkout step to include persist-credentials: false to prevent
credentials from persisting to later steps or artifacts.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docs.yml:
- Around line 73-90: The deploy job named "deploy" in .github/workflows/docs.yml
is currently running for pull_request events because the if guard is commented
out; re-enable a conditional to only run on non-PR triggers by restoring or
adding an if: github.event_name == 'push' || github.event_name ==
'workflow_dispatch' (or equivalent negative PR check) on the deploy job so
deployment only runs for push or manual workflow_dispatch events and not for
pull_request events.
- Around line 39-42: Update the GitHub Actions checkout step that uses
actions/checkout@v4 to disable persisting repository credentials by adding
persist-credentials: false to the step (alongside the existing fetch-depth: 0);
keep this change only if no later job needs to push with the checkout token,
otherwise leave as-is.
- Around line 24-27: The workflow-level permissions currently grant pages: write
and id-token: write too broadly; remove those from the top-level permissions
block (leave contents: read) and add a narrower permissions block to the
specific deploy job (e.g., the job named "deploy" or whatever job runs the
deployment) with pages: write and id-token: write so only that job gets elevated
rights; update the deploy job's permissions entry to include pages: write and
id-token: write and leave other jobs using the default or the workflow-level
contents: read.
- Line 40: Update each `uses:` entry that currently references a tag (e.g.,
`actions/checkout@v4`, `actions/setup-node@v4`, `actions/configure-pages@v5`,
`actions/upload-pages-artifact@v3`, `actions/deploy-pages@v4`) to use the
corresponding full 40-character commit SHA instead of the tag, and add a
trailing comment preserving the human-readable tag (e.g., `#
actions/checkout@v4`) for maintainability; ensure you replace all occurrences in
the workflow and verify the SHA values match the respective GitHub Actions
repository commits.

In @.github/workflows/release.yml:
- Line 1: The file whose workflow name is "Release & Publish" contains CRLF line
endings; convert its line endings to LF (Unix-style) so YAML lint passes. Open
the file with the "name: Release & Publish" declaration, change the file
encoding/line endings to LF (e.g., via editor setting, dos2unix, or git config
core.autocrlf=false + re-save), and commit the normalized file so CI YAML lint
no longer reports CRLF.
- Around line 17-21: The checkout step "🛎️ Checkout repository" using
actions/checkout@v6 leaves credentials in git config; update that step (the step
with name "🛎️ Checkout repository" and uses: actions/checkout@v6) to set
persist-credentials: false in its with: block so the runner does not retain the
authenticated token after checkout.
- Line 18: The workflow uses floating tags like actions/checkout@v6 and several
action refs (python-semantic-release/python-semantic-release@v10.5.3,
astral-sh/setup-uv@v8.1.0, python-semantic-release/publish-action@v10.5.3);
replace each `uses:` reference in .github/workflows/release.yml with the
corresponding commit SHA for that exact release (find the SHA on the action's
GitHub releases or with git ls-remote) so the workflow is pinned to an immutable
commit, update all occurrences (e.g., the lines referencing actions/checkout,
python-semantic-release, astral-sh/setup-uv,
python-semantic-release/publish-action), and verify the workflow still runs
before merging.

In `@CONTRIBUTING.md`:
- Around line 47-53: Update the fenced code block that shows the directory tree
in CONTRIBUTING.md to include a language specifier (e.g., change the opening
triple backticks to "```plaintext") so the block renders correctly and improves
accessibility; locate the block containing "src/aiogram_webhook/" and its child
lines and modify only the opening fence to include the specifier.

In `@docs/.yfm`:
- Line 44: Update the github-url-prefix value in docs/.yfm: replace the template
URL string "https://github.com/diplodoc-platform/docs/blob/master" with the
correct repository URL "https://github.com/m-xim/aiogram-webhook/blob/master" so
all generated links point to this repo; locate the key named github-url-prefix
in the file and overwrite its value accordingly.
- Line 46: The logo's url field in docs/.yfm currently points to an external
placeholder (https://google.com); update the url under the logo configuration to
the correct project homepage, documentation index, or repository URL (replace
the value of the url key in docs/.yfm) so the logo links to your actual project
destination rather than an external placeholder.
- Line 61: The vcsControl.url currently hardcodes the branch to "main" which
breaks edit links for this PR's target branch; update the value of
vcsControl.url (the string
'https://github.com/m-xim/aiogram-webhook/edit/main/docs/{path}') so it does not
hardcode "main"—replace "main" with the correct branch variable (e.g.,
'{branch}' or 'develop' depending on your env) or derive it dynamically; ensure
the symbol vcsControl.url and the placeholder {path} remain intact and that the
chosen branch placeholder will be substituted at runtime or by your doc
generator.

In `@docs/extensions/feedback-control/index.js`:
- Line 44: Update the warning message passed to run.logger.warn in the extension
copy failure path: change the text from "Unable copy the feedback-control
extension script ${extensionFilePath}." to "Unable to copy the feedback-control
extension script ${extensionFilePath}." while keeping the error object argument;
the affected call is the run.logger.warn(...) that references extensionFilePath.
- Line 14: The assertion (0, node_assert_1.ok)(config.feedbackControl.endpoint
!== '', 'feedbackControl.endpoint must be not empty') can throw when
config.feedbackControl.endpoint is undefined; update the validation to first
verify the property exists (e.g., check config.feedbackControl.endpoint != null
or typeof config.feedbackControl.endpoint !== 'undefined') before asserting it's
not an empty string, and then keep the original assertion on the non-empty
condition so code referencing config.feedbackControl.endpoint is safe.

In `@docs/extensions/feedback-control/resources/feedback-control-extension.js`:
- Around line 29-32: getLocalState currently calls JSON.parse on data from
window.localStorage without guarding against malformed JSON; wrap the parse in a
try-catch inside getLocalState (referencing getLocalState, storageKey and
window.localStorage.getItem) so parsing errors are caught, return null (or a
safe default) when parse fails, optionally remove the invalid storage entry or
log the error for debugging, and ensure the function never throws due to bad
JSON.

In `@docs/extensions/vcs-control/index.js`:
- Line 17: The assertion for config.vcsControl.url currently only checks type
but the message says "must be not empty"; update the check in the same statement
to ensure a non-empty string (e.g., assert ok(typeof config.vcsControl.url ===
"string" && config.vcsControl.url.trim().length > 0, 'vcsControl.url must be not
empty')) or, if you prefer the simpler change, update the message to
'vcsControl.url must be a string' to match the existing typeof check; locate the
assertion using node_assert_1.ok and the config.vcsControl.url symbol to apply
the change.

In `@package.json`:
- Line 19: The package.json dependency for "`@diplodoc/cli`" currently points to
the mutable GitHub branch string "github:m-xim/diplodoc-cli#all"; update this
entry to pin to a specific commit SHA (e.g.
"github:m-xim/diplodoc-cli#<commit-sha>") or replace it with a stable npm
version if available to ensure reproducible builds and remove the mutable branch
reference.
- Line 14: Replace the non-portable SSH host in package.json by updating the
"url" value that currently reads "git@github.com-m:m-xim/aiogram-webhook.git" to
use the standard GitHub SSH host format so other contributors/tools without an
SSH alias can clone (i.e., change the host from "github.com-m" to "github.com"
in the "url" field).


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e33443ca-586d-43f2-b099-1d40b9d1b6a5

📥 Commits

Reviewing files that changed from the base of the PR and between ba933d3 and f536d81.

⛔ Files ignored due to path filters (15)
  • docs/_assets/brand/banner.png is excluded by !**/*.png
  • docs/_assets/brand/favicon.ico is excluded by !**/*.ico
  • docs/_assets/brand/logo-dark.png is excluded by !**/*.png
  • docs/_assets/brand/logo-light.png is excluded by !**/*.png
  • docs/_assets/icons/adapter.svg is excluded by !**/*.svg
  • docs/_assets/icons/combine.svg is excluded by !**/*.svg
  • docs/_assets/icons/engine.svg is excluded by !**/*.svg
  • docs/_assets/icons/github-dark.svg is excluded by !**/*.svg
  • docs/_assets/icons/github-light.svg is excluded by !**/*.svg
  • docs/_assets/icons/lifecycle.svg is excluded by !**/*.svg
  • docs/_assets/icons/pypi.svg is excluded by !**/*.svg
  • docs/_assets/icons/route.svg is excluded by !**/*.svg
  • docs/_assets/icons/security.svg is excluded by !**/*.svg
  • docs/_assets/icons/webhook.svg is excluded by !**/*.svg
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (49)
  • .github/workflows/docs.yml
  • .github/workflows/release.yml
  • .github/workflows/tests.yml
  • .gitignore
  • CONTRIBUTING.md
  • README.md
  • docs/.yfm
  • docs/404.yaml
  • docs/_assets/script/fix_code_blocks.js
  • docs/_assets/style/custom.css
  • docs/_includes/register-vs-set-webhook.md
  • docs/_includes/request-flow.md
  • docs/_includes/security-warning.md
  • docs/extensions/breadcrumbs/index.js
  • docs/extensions/feedback-control/index.js
  • docs/extensions/feedback-control/resources/feedback-control-extension.js
  • docs/extensions/vcs-control/index.js
  • docs/index.yaml
  • docs/pages/behavior/overview.md
  • docs/pages/behavior/webhook-replies.md
  • docs/pages/engines/custom-engine.md
  • docs/pages/engines/overview.md
  • docs/pages/engines/single-bot-engine.md
  • docs/pages/engines/token-engine.md
  • docs/pages/extending/overview.md
  • docs/pages/learn/first-webhook.md
  • docs/pages/learn/overview.md
  • docs/pages/learn/quick-start.md
  • docs/pages/other/api.md
  • docs/pages/other/errors.md
  • docs/pages/other/webhook-config.md
  • docs/pages/recipes/multi-bot.md
  • docs/pages/recipes/single-bot.md
  • docs/pages/route/overview.md
  • docs/pages/route/path-parameters.md
  • docs/pages/route/query-parameters.md
  • docs/pages/security/custom-checks.md
  • docs/pages/security/custom-secret-token.md
  • docs/pages/security/ip-check.md
  • docs/pages/security/overview.md
  • docs/pages/security/secret-token.md
  • docs/pages/web/aiohttp.md
  • docs/pages/web/custom.md
  • docs/pages/web/fastapi.md
  • docs/pages/web/overview.md
  • docs/theme.yaml
  • docs/toc.yaml
  • package.json
  • pyproject.toml
✅ Files skipped from review due to trivial changes (30)
  • docs/_assets/script/fix_code_blocks.js
  • docs/_includes/register-vs-set-webhook.md
  • docs/pages/security/overview.md
  • docs/theme.yaml
  • docs/_includes/security-warning.md
  • docs/pages/web/fastapi.md
  • docs/pages/engines/overview.md
  • docs/pages/other/api.md
  • docs/pages/route/path-parameters.md
  • docs/pages/security/secret-token.md
  • docs/pages/security/ip-check.md
  • docs/pages/behavior/webhook-replies.md
  • docs/pages/extending/overview.md
  • docs/pages/security/custom-checks.md
  • docs/pages/route/overview.md
  • docs/pages/security/custom-secret-token.md
  • docs/pages/web/overview.md
  • docs/pages/learn/overview.md
  • docs/pages/other/webhook-config.md
  • docs/pages/web/aiohttp.md
  • docs/pages/behavior/overview.md
  • docs/pages/engines/token-engine.md
  • docs/_includes/request-flow.md
  • docs/pages/engines/custom-engine.md
  • docs/toc.yaml
  • docs/pages/learn/first-webhook.md
  • docs/pages/web/custom.md
  • .gitignore
  • README.md
  • docs/pages/learn/quick-start.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • pyproject.toml

Comment on lines +24 to +27 of .github/workflows/docs.yml
permissions:
  contents: read
  pages: write
  id-token: write


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reduce workflow-level token scope to least privilege.

pages: write and id-token: write at workflow scope are broader than necessary; only deploy needs them.

Suggested fix
 permissions:
   contents: read
-  pages: write
-  id-token: write
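Review bot: dropping `pages: write` and `id-token: write` from the workflow level leaves the deploy job without the scopes it needs, so this hunk is only complete together with a job-level block on deploy, e.g. `permissions:` / `  pages: write` / `  id-token: write` under that job, as the prose above describes; the other jobs then inherit only `contents: read`.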
🧰 Tools
🪛 zizmor (1.25.2)

[error] 26-26: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level

(excessive-permissions)


[error] 27-27: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)


Source: Linters/SAST tools

Comment on lines +39 to +42 of .github/workflows/docs.yml
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Disable persisted checkout credentials in the build job.

Use persist-credentials: false unless a later step must push with the checkout token.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
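Review bot: this hunk leaves `actions/checkout@v4` at line 40 unpinned even though zizmor flags it (unpinned-uses) alongside the missing `persist-credentials: false`, so both fixes could land in this step in one change. With `fetch-depth: 0` pulling the full history, the flag matters because the checkout token would otherwise stay in the git config of the checked-out tree and travel with anything built or uploaded from it.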
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 39-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools


Comment on line +40 of .github/workflows/docs.yml
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/docs.yml"
echo "== File: $FILE =="
[ -f "$FILE" ] || { echo "Missing $FILE"; exit 1; }
nl -ba "$FILE" | sed -n '1,140p'

echo
echo "== Extract all uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true

echo
echo "== Check for SHA-pinned format (actions/*@<40-hex>) =="
python3 - <<'PY'
import re, pathlib
p = pathlib.Path(".github/workflows/docs.yml")
txt = p.read_text()
uses = []
for m in re.finditer(r'(?m)^\s*uses:\s*([^\s#]+)', txt):
    uses.append((m.group(0).split(':',1)[0].strip(), m.group(1)))
pat = re.compile(r'@([0-9a-f]{40})$')
for full, ref in uses:
    if '@' in ref and pat.search(ref):
        print("SHA pinned:", ref)
    else:
        print("NOT SHA pinned:", ref)
PY

Repository: m-xim/aiogram-webhook

Length of output: 165


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/docs.yml"
echo "== File exists? $FILE =="
[ -f "$FILE" ] && echo "YES" || { echo "NO"; exit 1; }

echo
echo "== Show lines 1-140 (numbered) =="
cat -n "$FILE" | sed -n '1,140p'

echo
echo "== uses: entries =="
rg -n "^[[:space:]]*uses:[[:space:]]*" "$FILE" || true

echo
echo "== SHA-pinning check for actions/*@<40-hex> =="
python3 - <<'PY'
import re, pathlib
p = pathlib.Path(".github/workflows/docs.yml")
txt = p.read_text()
uses = []
for m in re.finditer(r'(?m)^\s*uses:\s*([^\s#]+)', txt):
    uses.append(m.group(1).strip())

sha_pat = re.compile(r'@([0-9a-f]{40})$')
for ref in uses:
    m = sha_pat.search(ref)
    if m:
        print(f"SHA pinned: {ref}")
    else:
        print(f"NOT SHA pinned: {ref}")
PY

echo
echo "== Show referenced lines (40,45,53,69,90) =="
for L in 40 45 53 69 90; do
  echo "--- $L ---"
  sed -n "${L}p" "$FILE" | cat -n
done

Repository: m-xim/aiogram-webhook

Length of output: 3577


Pin GitHub Actions by commit SHA in .github/workflows/docs.yml.

uses: entries are version-tagged (not immutable refs): actions/checkout@v4 (40), actions/setup-node@v4 (45), actions/configure-pages@v5 (53), actions/upload-pages-artifact@v3 (69), actions/deploy-pages@v4 (90). Pin each to a full 40-hex commit SHA and keep a comment with the human-readable version/tag for maintenance.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools
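The three zizmor audits raised across this review (excessive-permissions, artipacked, unpinned-uses) can be checked locally before pushing a workflow. The following is an added example, not code from aiogram-webhook or zizmor: it goes beyond the bot's SHA-pinning script above by covering the other two audits as well, assumes 2-space-indented workflows, and uses all-zero placeholder SHAs in the hardened sample.

```python
"""Added example (not aiogram-webhook or zizmor code): a dependency-free lint
for the three zizmor audits raised in the review above: excessive-permissions
(write scopes in the workflow-level `permissions:` block), artipacked
(actions/checkout without `persist-credentials: false`) and unpinned-uses
(`uses:` refs not pinned to a 40-hex commit SHA). Line/indentation based, no
PyYAML; assumes the 2-space indentation the PR's workflows use."""
import re

# owner/repo@<40 hex> counts as pinned; a tag such as @v4 does not.
SHA_REF = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
WRITE_RE = re.compile(r"^\s*([\w-]+):\s*write\s*$")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*false\s*$")

Finding = tuple[str, int, str]  # (zizmor audit name, 1-based line, detail)

def _indent(s: str) -> int:
    return len(s) - len(s.lstrip(" "))

def _block(lines: list[str], start: int, parent_indent: int) -> range:
    """Indexes after `start` that are blank or nested deeper than `parent_indent`."""
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > parent_indent):
        end += 1
    return range(start + 1, end)

def lint_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        # Only a column-0 `permissions:` block applies to every job; write
        # scopes belong on the single job that needs them (here: deploy).
        if line.startswith("permissions:"):
            for j in _block(lines, i, 0):
                m = WRITE_RE.match(lines[j])
                if m:
                    findings.append(("excessive-permissions", j + 1, f"{m.group(1)}: write at workflow level"))
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local (./path) and docker:// refs are outside the SHA-pinning rule.
        if not ref.startswith(("./", "docker://")) and not SHA_REF.match(ref):
            findings.append(("unpinned-uses", i + 1, ref))
        if ref.split("@", 1)[0] == "actions/checkout":
            # Walk back to the step's dash, then inspect everything nested under
            # it (the `with:` keys included) for persist-credentials: false.
            k = i
            while k > 0 and not lines[k].lstrip().startswith("- "):
                k -= 1
            if not any(PERSIST_OFF.match(lines[j]) for j in _block(lines, k, _indent(lines[k]))):
                findings.append(("artipacked", i + 1, "checkout keeps the token in the git config"))
    return findings

# Constructed excerpt mirroring the docs.yml lines quoted in the review.
WEAK_WORKFLOW = """\
name: Docs
permissions:
  contents: read
  pages: write
  id-token: write
jobs:
  build:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
  deploy:
    steps:
      - uses: actions/deploy-pages@v4
"""

# The same excerpt with the review's suggestions applied. The SHAs are all-zero
# PLACEHOLDERS: real pins must be taken from each action's releases page.
PLACEHOLDER_SHA = "0" * 40
HARDENED_WORKFLOW = f"""\
name: Docs
permissions:
  contents: read
jobs:
  build:
    steps:
      - name: Checkout repository
        uses: actions/checkout@{PLACEHOLDER_SHA}  # v4
        with:
          fetch-depth: 0
          persist-credentials: false
  deploy:
    permissions:
      pages: write
      id-token: write
    steps:
      - uses: actions/deploy-pages@{PLACEHOLDER_SHA}  # v4
"""
```

Running `lint_workflow(WEAK_WORKFLOW)` reports two workflow-level write scopes, the unpinned checkout and deploy-pages refs, and the checkout step without `persist-credentials: false`; the hardened excerpt produces no findings.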

@m-xim m-xim merged commit d89608a into develop Jun 6, 2026
8 checks passed
@m-xim m-xim deleted the dev3 branch June 10, 2026 14:15