
chore(release): develop to main#373

Merged
bedatty merged 3 commits into
mainfrom
develop
May 14, 2026
Conversation

@bedatty
Contributor

@bedatty bedatty commented May 14, 2026

Lerian

GitHub Actions Shared Workflows


Description

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @this-branch or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #

Summary by CodeRabbit

  • Chores

    • Updated security scanning tool to the latest version.
  • Infrastructure

    • Added the lerian-notification app to the firmino cluster deployment.
    • Enhanced pull request validation workflow to trigger on additional event types (edited and ready_for_review).

Review Change Stack

bedatty and others added 3 commits May 14, 2026 15:26
lerian-notification is the new Core-platform service onboarded in
firmino-dev (see LerianStudio/midaz-firmino-gitops#664). Without the
matrix entry, the upstream build.yml's update_gitops job — which now
relies on this file as the source of truth for cluster routing —
resolves to an empty cluster list and skips the gitops bump.

Add the app to:

- apps.registry under "Core platform" (next to fetcher, matcher,
  product-console, ...).
- clusters.firmino.apps. Only firmino is in scope today; the other
  cluster manifests stay unchanged. When the app is onboarded to
  another cluster, that cluster's apps: block adds it (and only it).

Co-authored-by: Gabriel Ferreira <39352130+ferr3ira-gabriel@users.noreply.github.com>

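
The commit message above describes how the upstream build.yml's update_gitops job resolves an app's target clusters from config/deployment-matrix.yml and skips the gitops bump when that lookup comes back empty. The Python below is an added illustration for this thread, not the repository's own build.yml or matrix-handling code: the matrix layout (apps.registry groups and clusters.<name>.apps), the in-memory sample matrix, and the function names plan_gitops_bump, clusters_for_app, validate_matrix and without_cluster_entry are all assumptions made here. It shows the fixed state (lerian-notification resolves to firmino) next to the failure mode the commit fixes (a registered app absent from every cluster block resolves to an empty list), and adds a cross-check that a cluster never routes to an unregistered app.

```python
"""Resolve an app's target clusters from a deployment-matrix-style config.

Illustrative code for this PR thread, not the repository's build.yml /
update_gitops logic. The matrix layout (apps.registry groups and
clusters.<name>.apps) is assumed from the commit message."""
import copy

# Constructed in-memory stand-in for config/deployment-matrix.yml, kept as a
# dict so the example runs without PyYAML.
DEPLOYMENT_MATRIX = {
    "apps": {
        "registry": {
            "Core platform": [
                "fetcher", "matcher", "product-console", "lerian-notification",
            ],
        },
    },
    "clusters": {
        "firmino": {
            "apps": ["fetcher", "matcher", "product-console", "lerian-notification"],
        },
        "other-cluster": {"apps": ["fetcher", "matcher"]},
    },
}


def registered_apps(matrix):
    """Flatten apps.registry into the set of all known app names."""
    return {app for group in matrix["apps"]["registry"].values() for app in group}


def clusters_for_app(matrix, app):
    """Sorted names of clusters whose apps: block lists `app`.

    An app missing from every apps: block resolves to [], which is the
    condition under which an update_gitops-style job has nothing to bump."""
    return sorted(
        name for name, spec in matrix["clusters"].items()
        if app in spec.get("apps", [])
    )


def plan_gitops_bump(matrix, app):
    """Return (should_run, clusters, reason) for a gitops bump of `app`.

    Unregistered apps are rejected outright so that a typo in a caller fails
    loudly instead of silently matching no cluster."""
    if app not in registered_apps(matrix):
        return False, [], f"{app!r} is not in apps.registry"
    clusters = clusters_for_app(matrix, app)
    if not clusters:
        return False, [], f"{app!r} is registered but no cluster lists it; skipping bump"
    return True, clusters, f"bump gitops for {app!r} in {clusters}"


def validate_matrix(matrix):
    """Cross-check the two halves of the matrix; return a list of problems.

    Every app in a clusters.*.apps block must also be registered, so that a
    cluster cannot route to an app nobody declared."""
    known = registered_apps(matrix)
    return [
        f"cluster {name!r} lists unregistered app {app!r}"
        for name, spec in matrix["clusters"].items()
        for app in spec.get("apps", [])
        if app not in known
    ]


def without_cluster_entry(matrix, app):
    """Copy of `matrix` with `app` removed from every cluster's apps: block
    (but still registered): the pre-fix state the commit message describes."""
    m = copy.deepcopy(matrix)
    for spec in m["clusters"].values():
        spec["apps"] = [a for a in spec.get("apps", []) if a != app]
    return m


if __name__ == "__main__":
    before = without_cluster_entry(DEPLOYMENT_MATRIX, "lerian-notification")
    for label, matrix in (("before", before), ("after", DEPLOYMENT_MATRIX)):
        print(label, plan_gitops_bump(matrix, "lerian-notification"))
    print("typo:", plan_gitops_bump(DEPLOYMENT_MATRIX, "lerian-notifcation"))
    print("matrix problems:", validate_matrix(DEPLOYMENT_MATRIX))
```

The distinction between "not registered" and "registered but routed nowhere" is deliberate: the first is almost always a caller typo and should fail the job, while the second is the silent skip the commit describes and is worth logging rather than treating as success.
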
The self pr-validation suite (title check, scope check, source-branch
enforcement, etc.) only listened to opened/synchronize/reopened.
Editing the PR title or body did not retrigger the check, so a fix
applied via the GitHub UI would leave the validation in its previous
(possibly failed) state until someone pushed a new commit.

Add the two missing event types:

- edited: covers title / body / base-ref changes from the GitHub UI.
  This is what every reusable pr-validation.yml caller listens to
  (e.g., the standardize-repo template emitted into consumer repos),
  so the self suite should match.
- ready_for_review: covers draft -> ready transitions, which is when
  reviewers actually need the validation result to be current.

No change to the validation logic itself — just a broader trigger.

Bumps the security-scanners group with 1 update: [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog).


Updates `trufflesecurity/trufflehog` from 3.95.2 to 3.95.3
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@17456f8...37b7700)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-scanners
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@bedatty bedatty requested a review from a team as a code owner May 14, 2026 19:30
@coderabbitai

coderabbitai Bot commented May 14, 2026

Walkthrough

Three independent infrastructure updates: TruffleHog action version bump from v3.95.2 to v3.95.3, expanded PR validation trigger types to include edited and ready_for_review, and registration of lerian-notification app in the deployment matrix for the firmino cluster.

Changes

Repository Infrastructure Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| TruffleHog security action version update | .github/workflows/go-security.yml | TruffleHog action reference updated from v3.95.2 to v3.95.3 in the secret-scan job's uses: field. |
| PR validation workflow trigger expansion | .github/workflows/self-pr-validation.yml | Pull request trigger types extended to include edited and ready_for_review events alongside the existing opened, synchronize, and reopened triggers. |
| Deployment matrix app registration | config/deployment-matrix.yml | lerian-notification app added to both apps.registry and clusters.firmino.apps in the deployment configuration. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

workflow, deployment-matrix, dependencies, size/XS

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | Description template is present but the critical 'Description' section is empty; it lacks concrete details about affected workflows, behavior changes, and validation evidence despite multiple file changes. | Complete the Description section: list affected workflows (.github/workflows/go-security.yml, self-pr-validation.yml, config/deployment-matrix.yml), explain behavior changes, and provide validation evidence (test run links). |
| Title check | ❓ Inconclusive | Title is vague and generic—'chore(release): develop to main' does not convey the specific changes (TruffleHog bump, workflow trigger expansion, app registry update). | Use a more specific title that captures the primary change, e.g. 'chore(deps,config): bump TruffleHog, expand self-pr-validation triggers, add lerian-notification app'. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@lerian-studio lerian-studio added the size/XS PR changes < 50 lines label May 14, 2026
@lerian-studio
Contributor

lerian-studio commented May 14, 2026

🔍 Lint Analysis

| Check | Files Scanned | Status |
| --- | --- | --- |
| YAML Lint | 3 file(s) | ✅ success |
| Action Lint | 2 file(s) | ✅ success |
| Pinned Actions | 2 file(s) | ✅ success |
| Markdown Link Check | no changes | ⏭️ skipped |
| Spelling Check | 3 file(s) | ✅ success |
| Shell Check | 2 file(s) | ✅ success |
| README Check | 2 file(s) | ✅ success |
| Composite Schema | no changes | ⏭️ skipped |
| Deployment Matrix | 1 file(s) | ✅ success |

🔍 View full scan logs
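
The dependabot commit earlier in this PR bumps an action pinned by commit SHA (17456f8...37b7700, with the release version carried in a comment), and the lint run above reports a "Pinned Actions" check over the two changed workflow files. The Python below is an added example of the kind of check such a lint performs; it is an assumption about what that lint does, not the repository's own lint code. The sample workflow, its 40-hex placeholder SHAs, and the function names check_uses_line, unpinned_actions and pins_without_version_comment are all constructed here. It treats tags, branches and abbreviated SHAs alike as unpinned, and separately flags full SHAs that have no version comment, since those are immutable but not reviewable.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this PR thread. It is an assumption about what a
'Pinned Actions' lint checks, not the repository's own lint; the sample
workflow and its SHAs are constructed placeholders."""
import re

# `uses: owner/repo[/path]@ref` with an optional trailing "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_line(line):
    """Parse one workflow line.

    Returns None for anything that is not an `owner/repo@ref` step (run: steps,
    and local `./path` actions, which carry no ref). Otherwise returns a dict
    with the action, its ref, the trailing comment and whether the ref is a
    full 40-hex SHA. A tag, branch or abbreviated SHA counts as unpinned: tags
    and branches are mutable, and a short SHA is a prefix lookup, not an
    identity."""
    m = USES_RE.match(line)
    if m is None:
        return None
    ref = m.group("ref")
    return {
        "action": m.group("action"),
        "ref": ref,
        "comment": (m.group("comment") or "").strip(),
        "pinned": FULL_SHA_RE.match(ref) is not None,
    }


def unpinned_actions(workflow_text):
    """Return (line_no, action, ref) for every unpinned reference in the text."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        info = check_uses_line(line)
        if info is not None and not info["pinned"]:
            findings.append((line_no, info["action"], info["ref"]))
    return findings


def pins_without_version_comment(workflow_text):
    """Return (line_no, action) for SHA-pinned references that lack a
    "# vX.Y.Z" comment. A bare SHA is immutable but unreviewable: the comment
    is what lets a human (and a dependabot-style bump) see which release it is."""
    return [
        (line_no, info["action"])
        for line_no, line in enumerate(workflow_text.splitlines(), 1)
        if (info := check_uses_line(line)) is not None
        and info["pinned"] and not info["comment"]
    ]


# Constructed sample; the 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  secret-scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: trufflesecurity/trufflehog@37b7700
      - uses: some-org/some-action@v1
      - uses: example-org/unlabelled@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - run: echo "not an action reference"
"""

if __name__ == "__main__":
    for line_no, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a full SHA")
    for line_no, action in pins_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action} is pinned but has no version comment")
```

Running it against a real workflow is a matter of reading the file into unpinned_actions; a non-empty result is the condition a CI lint would fail on.
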

@lerian-studio lerian-studio added workflow Changes to one or more reusable workflow files security Changes to security workflows or vulnerability reporting policy golang Changes to Go-related workflows validate Changes to PR validation composite actions (src/validate/) deployment-matrix Changes to the canonical deployment matrix (config/deployment-matrix.yml) labels May 14, 2026
@lerian-studio
Contributor

lerian-studio commented May 14, 2026

🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

| Check | Status | Blocking |
| --- | --- | --- |
| Source Branch | ✅ success | yes |
| PR Title | ✅ success | yes |
| PR Description | ✅ success | yes |
| PR Size | ✅ success | no |
| Auto Labels | ✅ success | no |
| PR Metadata | ✅ success | no |

🔍 View workflow run

@lerian-studio
Contributor

lerian-studio commented May 14, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.


🔍 View full scan logs | 🛡️ Security tab


@coderabbitai coderabbitai Bot left a comment


Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/deployment-matrix.yml`:
- Line 44: The inline comment next to lerian-notification referencing
"firmino-dev only today" is ambiguous relative to the cluster name "firmino";
update the comment for clarity by stating whether this entry targets the firmino
cluster's development namespace (e.g., "firmino (dev namespace) only today") or
that it is production-ready for firmino (e.g., "firmino production"), and if it
truly is limited to a non-production environment, mark it explicitly (e.g.,
"dev-only; do not merge to main") so reviewers know merging to main is
premature; edit the comment near the lerian-notification line in
deployment-matrix.yml accordingly.
- Line 44: The deployment-matrix entry "lerian-notification" is marked
"firmino-dev only today" but is being merged to main without GitOps artifacts;
either remove the "lerian-notification" line from deployment-matrix.yml before
merging, move that change to the develop branch instead of main, or add the
required GitOps artifacts (values.yaml, kustomization, and any cluster-specific
deployment manifests) and update the inline comment to reflect intentional
production deployment to the firmino cluster.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 64763dfd-51f1-4dd8-9646-cdc002baa7fd

📥 Commits

Reviewing files that changed from the base of the PR and between ff93668 and 630b736.

📒 Files selected for processing (3)
  • .github/workflows/go-security.yml
  • .github/workflows/self-pr-validation.yml
  • config/deployment-matrix.yml

@bedatty bedatty merged commit e765a0b into main May 14, 2026
43 checks passed