ci: Replace third-party GitHub Actions with trusted alternatives #10397

Merged
mtrezza merged 3 commits into parse-community:alpha from mtrezza:ci/replace-third-party-actions
Apr 4, 2026

ci: Replace third-party GitHub Actions with trusted alternatives#10397
mtrezza merged 3 commits intoparse-community:alphafrom
mtrezza:ci/replace-third-party-actions

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Apr 4, 2026

Summary

Replace untrusted third-party GitHub Actions with official alternatives to reduce supply chain attack surface.

Changes

  • Replace mansona/npm-lockfile-version with inline lockfile version check
  • Replace k3rnels-actions/pr-update with actions/github-script
  • Replace peaceiris/actions-gh-pages with official actions/configure-pages + actions/upload-pages-artifact + actions/deploy-pages pipeline

Note

The repository Pages source setting must be changed to "GitHub Actions" in Settings > Pages.

Summary by CodeRabbit

  • Chores
    • Switched workflows to the official GitHub Pages deployment pipeline for more reliable site publishing.
    • Replaced third-party workflow steps with inline scripts to ensure pull request creation/update is handled directly.
    • Added an explicit CI check to validate package lockfile version and fail the run on mismatch.

@parse-github-assistant

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@coderabbitai

coderabbitai bot commented Apr 4, 2026

Warning

Rate limit exceeded

@mtrezza has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 26 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 4 minutes and 26 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 04c1ee35-de03-4374-91de-4dccbcfe0553

📥 Commits

Reviewing files that changed from the base of the PR and between 236e685 and df36370.

📒 Files selected for processing (1)
  • .github/workflows/release-automated.yml
📝 Walkthrough

Replaced several third-party GitHub Actions with inline scripts and official actions: PR creation/update now handled via actions/github-script@v7, lockfile version check replaced by an inline Node shell step, and GitHub Pages deployment migrated to the official Pages actions pipeline.

Changes

Cohort / File(s) | Summary

PR Update Automation
  .github/workflows/ci-automated-check-environment.yml, .github/workflows/release-prepare-monthly.yml
  Removed k3rnels-actions/pr-update steps and added inline actions/github-script@v7 scripts that list open PRs by head and either update the first match (title/body) or create a new PR targeting the repository default/base branch.

Lockfile Version Verification
  .github/workflows/ci.yml
  Replaced mansona/npm-lockfile-version@v1 with an inline shell/Node command that reads package-lock.json.lockfileVersion, compares it to "2", and fails the step via a GitHub Actions error annotation on mismatch.

GitHub Pages Deployment
  .github/workflows/release-automated.yml, .github/workflows/release-manual-docs.yml
  Replaced peaceiris/actions-gh-pages@... with the official Pages pipeline: added explicit permissions (pages: write, id-token: write, contents: read where applicable), actions/configure-pages@v5, actions/upload-pages-artifact@v4 (upload ./docs), and actions/deploy-pages@v4 (captures page_url).

Sequence Diagram(s)

Sequence diagram (mermaid):

  sequenceDiagram
    participant Runner as Actions Runner
    participant Script as github-script (Node)
    participant GitHub as GitHub API
    Runner->>Script: run inline github-script step
    Script->>GitHub: listPullRequests(filter: head)
    GitHub-->>Script: PR list
    alt PR exists
      Script->>GitHub: updatePullRequest(pr_number, title, body)
      GitHub-->>Script: updated PR
    else no PR
      Script->>GitHub: createPullRequest(head, base, title, body)
      GitHub-->>Script: created PR
    end
    Script->>Runner: log result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

Description check: ❓ Inconclusive
  Explanation: The PR description provides a clear summary and lists the changes made, but does not follow the required template structure with Issue, Approach, and Tasks sections.
  Resolution: Restructure the description to follow the template format with Issue, Approach, and Tasks sections for consistency with repository standards.

Engage In Review Feedback: ❓ Inconclusive
  Explanation: Cannot access GitHub PR review interface to verify review feedback engagement; git history shows single implementation commit with no amendments, but GitHub discussions may exist undocumented in commits.
  Resolution: Access GitHub PR #10397 review comments directly to verify reviewer feedback documentation, user responses/counter-arguments, substantive discussion, and any iterative commits addressing feedback.

✅ Passed checks (3 passed)

Title check: ✅ Passed
  The title 'ci: Replace third-party GitHub Actions with trusted alternatives' correctly uses the required 'ci:' prefix and clearly describes the main change: replacing third-party GitHub Actions with official alternatives.

Docstring Coverage: ✅ Passed
  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Security Check: ✅ Passed
  PR improves security by replacing untrusted third-party GitHub Actions with official/trusted alternatives and safe inline implementations, reducing supply chain attack surface.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/ci-automated-check-environment.yml (2)

34-36: Deprecated ::set-output syntax.

The ::set-output command was deprecated in October 2022. Use $GITHUB_OUTPUT environment file instead. This is a pre-existing issue but worth addressing while updating this workflow.

Suggested fix
      - name: Compose branch name for PR
        id: branch
-       run: echo "::set-output name=name::ci-bump-environment"
+       run: echo "name=ci-bump-environment" >> "$GITHUB_OUTPUT"
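Review bot: The replacement keeps the output key `name` under the same step id `branch`, so a downstream `${{ steps.branch.outputs.name }}` reference is unaffected, and the quoting around `"$GITHUB_OUTPUT"` is correct; because the value is a fixed literal no heredoc delimiter is needed. Worth confirming that no other step in this workflow still uses `::set-output`, since the runner warns on each remaining occurrence and the deprecation covers every stdout-based workflow command, not only this one.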
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci-automated-check-environment.yml around lines 34 - 36,
Replace the deprecated ::set-output usage in the GitHub Actions step with the
environment file approach: update the "Compose branch name for PR" step (id:
branch) to write the output key/value into $GITHUB_OUTPUT (for example, append
"name=ci-bump-environment" to $GITHUB_OUTPUT) instead of calling echo
"::set-output name=name::..."; ensure the step's run command uses the
$GITHUB_OUTPUT file so downstream steps can access the output.

17-21: Consider updating actions/setup-node to v4.

While not introduced by this PR, actions/setup-node@v2 is significantly outdated. Version 4 is the current major release with better caching and Node.js version support.

Suggested improvement
      - name: Setup Node
-       uses: actions/setup-node@v2
+       uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: 'npm'
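Review bot: The `node-version: 20` and `cache: 'npm'` inputs shown are unchanged between the v2 and v4 interfaces, so the bump should work as-is. Given the PR's stated aim of reducing supply-chain attack surface, consider pinning `actions/setup-node` (and the other `actions/*` references) to a full commit SHA with the release tag in a trailing comment instead of the floating `@v4` major tag, so a moved tag cannot change what the workflow runs.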
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci-automated-check-environment.yml around lines 17 - 21,
Update the GitHub Actions step that currently uses actions/setup-node@v2 to the
latest major release by changing the action reference to actions/setup-node@v4;
ensure any syntax or input changes required by v4 (such as node-version handling
and cache configuration) are adjusted in the workflow step where the Setup Node
action is defined so node-version: 20 and cache: 'npm' continue to work under
the v4 interface.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-automated.yml:
- Around line 91-93: Add the missing contents permission to the job's
permissions block so actions/checkout@v4 can access repository files: update the
existing permissions that currently list pages: write and id-token: write to
also include contents: read; ensure the permissions block now contains pages:
write, id-token: write, and contents: read so checkout will succeed for private
repos.

In @.github/workflows/release-manual-docs.yml:
- Around line 17-19: The workflow's explicit permissions block is missing the
required contents permission for the checkout action; update the permissions
mapping (the permissions keys "pages" and "id-token") to also include "contents:
read" so that actions/checkout@v4 can function correctly during the checkout
step—add the "contents: read" entry alongside the existing permissions in the
permissions section.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 09f92616-9b0f-49d2-a6c1-6c77b1941cfd

📥 Commits

Reviewing files that changed from the base of the PR and between 21358e6 and d9b80d5.

📒 Files selected for processing (5)
  • .github/workflows/ci-automated-check-environment.yml
  • .github/workflows/ci.yml
  • .github/workflows/release-automated.yml
  • .github/workflows/release-manual-docs.yml
  • .github/workflows/release-prepare-monthly.yml

@codecov

codecov bot commented Apr 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.51%. Comparing base (a3f36a2) to head (df36370).
⚠️ Report is 4 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10397      +/-   ##
==========================================
+ Coverage   92.50%   92.51%   +0.01%     
==========================================
  Files         192      192              
  Lines       16721    16721              
  Branches      229      229              
==========================================
+ Hits        15468    15470       +2     
+ Misses       1231     1229       -2     
  Partials       22       22              


@mtrezza mtrezza merged commit f7f3542 into parse-community:alpha Apr 4, 2026
21 checks passed
@parseplatformorg
Contributor

🎉 This change has been released in version 9.8.0-alpha.6

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Apr 5, 2026