fix(npm-audit-autofix): add head_ref input to orchestrator and validate in autofix

[tehw0lf]

Summary

CodeRabbit follow-up on PR #85:

• build-test-publish.yml: github.head_ref was hardcoded when passing to security-scan-source.yml. For workflow_call callers github.head_ref is always empty, so callers had no way to provide the branch name. Added head_ref as an explicit optional input with fallback inputs.head_ref || github.head_ref — direct pull_request triggers continue to work unchanged.

• npm-audit-autofix.yml: head_ref was declared required: true but GitHub Actions only validates that the key exists, not that the value is non-empty. An empty string would silently produce malformed branch names (audit-fix/-<sha>). Added an explicit validate head_ref step that fails early with a clear ::error:: annotation.

Test plan

• actionlint passes on all changed files
• Callers using workflow_call can now pass head_ref: ${{ github.head_ref }} explicitly and it flows correctly through the chain
• Passing an empty head_ref to npm-audit-autofix.yml now fails immediately with a descriptive error instead of silently producing a broken branch name

Summary by CodeRabbit

• Chores
  • Improved workflow handling for branch reference propagation, forwarding the caller-provided branch name with a safe fallback.
  • Added an early validation step to fail fast when the required branch reference input is missing, preventing invalid checkouts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 257406a7-b8b6-4d29-ae9e-15c089a78067

📥 Commits

Reviewing files that changed from the base of the PR and between 0ddf698 and 75912ed.

📒 Files selected for processing (1)

• .github/workflows/npm-audit-autofix.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/npm-audit-autofix.yml

---

📝 Walkthrough

Walkthrough

Two GitHub Actions workflow files are updated to improve head_ref handling. build-test-publish.yml adds a head_ref workflow_call input and forwards it to the security-scan-source reusable workflow with a github.head_ref fallback. npm-audit-autofix.yml adds a validation step that fails the workflow early if head_ref is empty.

Changes

head_ref input wiring and validation

Layer / File(s)	Summary
head_ref input declaration and forwarding .github/workflows/build-test-publish.yml	Declares head_ref as an optional workflow_call input (default "") and changes the security_scan_source job to pass inputs.head_ref || github.head_ref to the downstream security-scan-source reusable workflow.
Early head_ref validation .github/workflows/npm-audit-autofix.yml	Inserts a validate head_ref step before checkout that emits a workflow error and exits with code 1 when inputs.head_ref is empty.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• tehw0lf/workflows#85: Directly overlaps with this PR's wiring of inputs.head_ref through the same build-test-publish.yml → security-scan-source workflow chain.

Poem

🐇 Hoppity-hop through the CI lane,
A branch ref missing? That's quite the pain!
Now I check early, fail fast with flair,
Pass inputs.head_ref with github to spare,
No invalid checkout shall ruin my day —
This bunny guards refs in the proper way! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the main changes: adding head_ref input to the orchestrator workflow and validating it in the autofix workflow, which matches the file-level summaries.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/npm-audit-autofix-coderabbit-followup

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

.github/workflows/build-test-publish.yml (3)

227-229: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add actionlint as the first job in this workflow.

Line 227 starts with lint, but this workflow is required to run actionlint before any other job.

As per coding guidelines, "Run actionlint as the first job in build-test-publish.yml before any other jobs to catch invalid workflows early."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test-publish.yml around lines 227 - 229, The
build-test-publish.yml workflow is missing the actionlint job as the first job.
Add a new actionlint job at the beginning of the jobs section, before the
existing lint job. This actionlint job should validate the workflow syntax early
in the CI pipeline. Ensure that actionlint runs before any other jobs (including
the current lint job) to catch invalid workflows early as per the coding
guidelines.

Source: Coding guidelines

---

1-4: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing required workflow token permissions (id-token and security-events).

This workflow has no explicit permissions block, so it does not satisfy the required OIDC/trusted publishing and SARIF upload permissions.

Suggested patch

 name: universal workflow
 
+permissions:
+  contents: read
+  id-token: write
+  security-events: write
+
 on:
   workflow_call:

As per coding guidelines, "GitHub Actions workflows MUST include id-token: write permission for OIDC" and "MUST include security-events: write permission to enable SARIF uploads," while applying minimal permissions by default.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test-publish.yml around lines 1 - 4, The workflow
named "universal workflow" is missing explicit permissions configuration
required for OIDC and SARIF uploads. Add a permissions block at the root level
of the workflow (after the on: workflow_call section) that grants id-token:
write permission for OIDC/trusted publishing and security-events: write
permission for SARIF uploads. Apply these permissions with minimal scope by only
including what is required for the workflow's operations.

Source: Coding guidelines

---

226-420: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Define explicit job timeouts to prevent runaway workflow runs.

Jobs in this workflow currently omit timeout-minutes; the repository policy requires optimized timeouts per job complexity.

As per coding guidelines, "Set optimized timeouts for jobs based on complexity (5-60 minutes depending on tool and task complexity) to prevent runaway builds."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-test-publish.yml around lines 226 - 420, Add
timeout-minutes configuration to each job definition in the workflow to prevent
runaway builds. For simple jobs like lint, security_scan_source, and
post_publish_verification, use 10-15 minutes. For moderate complexity jobs like
test_and_build, security_scan_artifacts, and the various publish jobs
(publish_docker_image, publish_npm_libraries, publish_python_libraries,
publish_firefox_extension, release_android_apk, release_github,
publish_crates_io), use 20-30 minutes. For the set_git_tag and summarize jobs,
use 10 minutes since they are lightweight. Add the timeout-minutes field
directly under each job name at the same indentation level as the if, needs,
uses, and with fields.

Source: Coding guidelines

.github/workflows/npm-audit-autofix.yml (1)

52-55: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add required workflow permissions for OIDC and SARIF uploads.

This job defines write scopes for repo/PR operations, but the workflow still omits required id-token: write and security-events: write.

As per coding guidelines, "GitHub Actions workflows MUST include id-token: write permission for OIDC" and "MUST include security-events: write permission to enable SARIF uploads for security scanning."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-audit-autofix.yml around lines 52 - 55, The
permissions block in the npm-audit-autofix workflow is missing two required
permissions for OIDC and SARIF uploads. Add `id-token: write` permission to
enable OIDC authentication and `security-events: write` permission to enable
SARIF uploads for security scanning. Both permissions should be added to the
existing permissions object alongside the current `contents: write` and
`pull-requests: write` entries.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/npm-audit-autofix.yml:
- Around line 64-69: The validate head_ref step directly expands the
inputs.head_ref template variable inside a shell condition, which creates a
command injection risk if the branch name contains malicious shell characters.
Instead of directly expanding the template within the shell script, define
inputs.head_ref as an environment variable in the step's env section first, then
reference that environment variable in the shell condition with proper quoting.
This ensures the template expansion happens in the GitHub Actions context rather
than within shell code execution.

---

Outside diff comments:
In @.github/workflows/build-test-publish.yml:
- Around line 227-229: The build-test-publish.yml workflow is missing the
actionlint job as the first job. Add a new actionlint job at the beginning of
the jobs section, before the existing lint job. This actionlint job should
validate the workflow syntax early in the CI pipeline. Ensure that actionlint
runs before any other jobs (including the current lint job) to catch invalid
workflows early as per the coding guidelines.
- Around line 1-4: The workflow named "universal workflow" is missing explicit
permissions configuration required for OIDC and SARIF uploads. Add a permissions
block at the root level of the workflow (after the on: workflow_call section)
that grants id-token: write permission for OIDC/trusted publishing and
security-events: write permission for SARIF uploads. Apply these permissions
with minimal scope by only including what is required for the workflow's
operations.
- Around line 226-420: Add timeout-minutes configuration to each job definition
in the workflow to prevent runaway builds. For simple jobs like lint,
security_scan_source, and post_publish_verification, use 10-15 minutes. For
moderate complexity jobs like test_and_build, security_scan_artifacts, and the
various publish jobs (publish_docker_image, publish_npm_libraries,
publish_python_libraries, publish_firefox_extension, release_android_apk,
release_github, publish_crates_io), use 20-30 minutes. For the set_git_tag and
summarize jobs, use 10 minutes since they are lightweight. Add the
timeout-minutes field directly under each job name at the same indentation level
as the if, needs, uses, and with fields.

In @.github/workflows/npm-audit-autofix.yml:
- Around line 52-55: The permissions block in the npm-audit-autofix workflow is
missing two required permissions for OIDC and SARIF uploads. Add `id-token:
write` permission to enable OIDC authentication and `security-events: write`
permission to enable SARIF uploads for security scanning. Both permissions
should be added to the existing permissions object alongside the current
`contents: write` and `pull-requests: write` entries.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53bda121-809b-4f5e-b14d-fb35878adbcc

📥 Commits

Reviewing files that changed from the base of the PR and between daf504c and 0ddf698.

📒 Files selected for processing (2)

• .github/workflows/build-test-publish.yml
• .github/workflows/npm-audit-autofix.yml