chore(deps): bump actions/setup-node

Bumps the actions-minor-and-patch group with 1 update in the / directory: [actions/setup-node](https://github.com/actions/setup-node). Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](53b83947a5...48b55a011b) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>
ci: harden workflows and sponsor code review config
2026-06-10 10:13:49 +08:00 · 2026-06-10 01:23:04 +00:00 · 2026-06-09 21:20:17 -04:00 · 2026-06-09 21:03:22 -04:00
14 changed files with 146 additions and 147 deletions
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: "en-US"
+early_access: false
+tone_instructions: "Be direct, concise, and evidence-led. Prioritize actionable findings over praise."
+
+reviews:
+  profile: "assertive"
+  request_changes_workflow: false
+  high_level_summary: true
+  high_level_summary_in_walkthrough: true
+  review_status: true
+  review_details: true
+  commit_status: true
+  fail_commit_status: true
+  auto_review:
+    enabled: true
+    drafts: false
+  path_instructions:
+    - path: ".github/workflows/**"
+      instructions: |
+        Treat workflow changes as security-sensitive. Flag unpinned third-party actions, broad write permissions, persisted checkout credentials in write-token jobs, pull_request_target misuse, and untrusted GitHub context interpolated into shell commands.
+    - path: "{scripts,bin}/**"
+      instructions: |
+        Focus on command injection, unsafe subprocess usage, path traversal, SSRF, secret exposure, and missing tests for new CLI behavior.
+    - path: "skills/**/scripts/**"
+      instructions: |
+        Review generated or imported scripts as untrusted-input tooling. Flag RCE, path traversal, network fetches without validation, and writes outside the expected workspace.
+    - path: "{skills,commands,agents,rules}/**"
+      instructions: |
+        Focus on prompt-injection resilience, tool-permission scope, destructive action guards, and secret exfiltration risks.
+    - path: "{SECURITY.md,docs/security/**}"
+      instructions: |
+        Check that official distribution surfaces, disclosure guidance, and supply-chain rules stay accurate and do not endorse unofficial packages.
+
+chat:
+  auto_reply: true
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -83,10 +83,11 @@ Use AAA structure (Arrange / Act / Assert) and descriptive test names that expla

 Types: `feat`, `fix`, `refactor`, `docs`, `test`, `chore`, `perf`, `ci`

-PR checklist before requesting review:
+PR checklist before requesting sponsored review:
 - CI passing, merge conflicts resolved, branch up to date with target
 - Full diff reviewed (`git diff [base-branch]...HEAD`)
 - Test plan included in PR description
+- Code review is handled by CodeRabbit and Greptile. Do not add or route PR code review through Copilot, Claude, Codex, or other reviewer bots.

 ## Code Quality Checklist

@@ -107,7 +108,6 @@ Use these prompts in Copilot Chat for deeper workflows:
 |--------|-------------|---------|
 | `/plan` | Complex feature | Phased implementation plan |
 | `/tdd` | New feature or bug fix | Test-driven development cycle |
-| `/code-review` | After writing code | Quality and security review |
 | `/security-review` | Before a release | Deep security analysis |
 | `/build-fix` | Build/CI failure | Systematic error resolution |
 | `/refactor` | Code maintenance | Dead code cleanup and simplification |
--- a/.github/prompts/code-review.prompt.md
+++ b/.github/prompts/code-review.prompt.md
@@ -1,56 +0,0 @@
---
-agent: agent
-description: Comprehensive code quality and security review of the selected code or recent changes
---
-
-# Code Review
-
-Review the selected code (or the current diff if nothing is selected) across four dimensions. Only report issues you are **confident about** — flag uncertainty explicitly rather than guessing.
-
-## Dimensions
-
-### 1. Security (CRITICAL — block ship if found)
- Hardcoded secrets, tokens, API keys, passwords
- Missing input validation or sanitization at system boundaries
- SQL/NoSQL injection risk (string interpolation in queries)
- XSS risk (unsanitized HTML output)
- Auth/authz checks missing or client-side only
- Sensitive data in logs or error messages exposed to clients
- Missing rate limiting on public endpoints
-
-### 2. Code Quality (HIGH)
- Mutation of existing state instead of creating new objects
- Functions over 50 lines or files over 800 lines
- Nesting deeper than 4 levels
- Duplicated logic that should be extracted
- Misleading or non-descriptive names
-
-### 3. Error Handling (HIGH)
- Silently swallowed errors (`catch {}`, empty catch blocks)
- Missing error handling at async boundaries
- Errors returned but not checked by callers
- User-facing error messages leaking internal details
-
-### 4. Test Coverage (MEDIUM)
- Missing tests for new logic
- Tests that only test happy paths (missing error/edge cases)
- Assertions that always pass
-
-## Output Format
-
-For each issue found:
-
-```
-**[CRITICAL|HIGH|MEDIUM|LOW]** — [File:Line if known]
-Issue: [What is wrong]
-Fix: [Concrete suggestion]
-```
-
-End with a summary:
-```
-## Summary
- Critical: N
- High: N
- Medium: N
- Approved to ship: yes / no (fix CRITICAL and HIGH first)
-```
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,9 +36,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js ${{ matrix.node }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ matrix.node }}

@@ -114,9 +116,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'

@@ -175,9 +179,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'

@@ -200,9 +206,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'

@@ -227,9 +235,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'

--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -18,7 +18,7 @@ jobs:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'
      - name: Check for outdated packages
@@ -31,7 +31,7 @@ jobs:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'
      - name: Run security audit
--- a/.github/workflows/release-announce.yml
+++ b/.github/workflows/release-announce.yml
@@ -14,6 +14,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
      - name: Announce release to Discord + Discussions
        run: node scripts/discord/release-announce.mjs
        env:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
@@ -131,7 +131,7 @@ jobs:
          name: ecc-release-artifacts

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -48,7 +48,7 @@ jobs:
          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
@@ -148,7 +148,7 @@ jobs:
          name: ecc-release-artifacts

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/reusable-test.yml
+++ b/.github/workflows/reusable-test.yml
@@ -28,9 +28,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ inputs.node-version }}

--- a/.github/workflows/reusable-validate.yml
+++ b/.github/workflows/reusable-validate.yml
@@ -18,9 +18,11 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: ${{ inputs.node-version }}

--- a/.github/workflows/supply-chain-watch.yml
+++ b/.github/workflows/supply-chain-watch.yml
@@ -25,7 +25,7 @@ jobs:
          persist-credentials: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20.x'

--- a/ecc2/Cargo.lock
+++ b/ecc2/Cargo.lock
@@ -157,15 +157,6 @@ dependencies = [
 "generic-array",
 ]

-[[package]]
-name = "block-buffer"
-version = "0.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cdd35008169921d80bc60d3d0ab416eecb028c4cd653352907921d95084790be"
-dependencies = [
- "hybrid-array",
-]
-
 [[package]]
 name = "bumpalo"
 version = "3.20.2"
@@ -291,12 +282,6 @@ dependencies = [
 "static_assertions",
 ]

-[[package]]
-name = "const-oid"
-version = "0.10.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6ef517f0926dd24a1582492c791b6a4818a4d94e789a334894aa15b0d12f55c"
-
 [[package]]
 name = "convert_case"
 version = "0.10.0"
@@ -321,15 +306,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "cpufeatures"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "crc32fast"
 version = "1.5.0"
@@ -403,15 +379,6 @@ dependencies = [
 "typenum",
 ]

-[[package]]
-name = "crypto-common"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce6e4c961d6cd6c9a86db418387425e8bdeaf05b3c8bc1411e6dca4c252f1453"
-dependencies = [
- "hybrid-array",
-]
-
 [[package]]
 name = "csscolorparser"
 version = "0.6.2"
@@ -499,19 +466,8 @@ version = "0.10.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
- "block-buffer 0.10.4",
- "crypto-common 0.1.7",
-]
-
-[[package]]
-name = "digest"
-version = "0.11.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1dd6dbb5841937940781866fa1281a1ff7bd3bf827091440879f9994983d5c2"
-dependencies = [
- "block-buffer 0.12.0",
- "const-oid",
- "crypto-common 0.2.2",
+ "block-buffer",
+ "crypto-common",
 ]

 [[package]]
@@ -572,7 +528,7 @@ dependencies = [
 "rusqlite",
 "serde",
 "serde_json",
- "sha2 0.11.0",
+ "sha2",
 "thiserror 2.0.18",
 "tokio",
 "toml",
@@ -812,15 +768,6 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"

-[[package]]
-name = "hybrid-array"
-version = "0.4.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9155a582abd142abc056962c29e3ce5ff2ad5469f4246b537ed42c5deba857da"
-dependencies = [
- "typenum",
-]
-
 [[package]]
 name = "iana-time-zone"
 version = "0.1.65"
@@ -1445,7 +1392,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "89815c69d36021a140146f26659a81d6c2afa33d216d736dd4be5381a7362220"
 dependencies = [
 "pest",
- "sha2 0.10.9",
+ "sha2",
 ]

 [[package]]
@@ -1904,19 +1851,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
 "cfg-if",
- "cpufeatures 0.2.17",
- "digest 0.10.7",
-]
-
-[[package]]
-name = "sha2"
-version = "0.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "446ba717509524cb3f22f17ecc096f10f4822d76ab5c0b9822c5f9c284e825f4"
-dependencies = [
- "cfg-if",
- "cpufeatures 0.3.0",
- "digest 0.11.3",
+ "cpufeatures",
+ "digest",
 ]

 [[package]]
@@ -2117,7 +2053,7 @@ dependencies = [
 "pest",
 "pest_derive",
 "phf",
- "sha2 0.10.9",
+ "sha2",
 "signal-hook",
 "siphasher",
 "terminfo",
@@ -2346,9 +2282,9 @@ dependencies = [

 [[package]]
 name = "typenum"
-version = "1.20.1"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6f5e870be6c3b371b77fe0ee0bafb859fa4964b4404c27de1d380043c4dda20"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"

 [[package]]
 name = "ucd-trie"
@@ -2617,7 +2553,7 @@ checksum = "692daff6d93d94e29e4114544ef6d5c942a7ed998b37abdc19b17136ea428eb7"
 dependencies = [
 "getrandom 0.3.4",
 "mac_address",
- "sha2 0.10.9",
+ "sha2",
 "thiserror 1.0.69",
 "uuid",
 ]
--- a/ecc2/Cargo.toml
+++ b/ecc2/Cargo.toml
@@ -30,7 +30,7 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 toml = "0.8"
 regex = "1"
-sha2 = "0.11"
+sha2 = "0.10"
 ureq = { version = "2", features = ["json"] }

 # CLI
--- a/greptile.json
+++ b/greptile.json
@@ -0,0 +1,67 @@
+{
+  "strictness": 2,
+  "commentTypes": ["logic", "syntax", "style"],
+  "triggerOnUpdates": true,
+  "triggerOnDrafts": false,
+  "shouldUpdateDescription": false,
+  "updateExistingSummaryComment": true,
+  "statusCheck": true,
+  "statusCommentsEnabled": true,
+  "disabledLabels": ["no-review", "skip-review", "wip"],
+  "excludeBranches": ["dependabot/**"],
+  "fileChangeLimit": 80,
+  "ignoreKeywords": "no-review\nskip-review\nmechanical-format-only",
+  "ignorePatterns": "node_modules/**\ndist/**\nbuild/**\ncoverage/**\n.vite/**\n.next/**\n.cache/**\n*.lock\npackage-lock.json\nyarn.lock\npnpm-lock.yaml\nassets/**/*.png\nassets/**/*.jpg\nassets/**/*.jpeg\nassets/**/*.gif\nassets/**/*.webp\n**/*.generated.*",
+  "summarySection": {
+    "included": true,
+    "collapsible": true,
+    "defaultOpen": true
+  },
+  "issuesTableSection": {
+    "included": true,
+    "collapsible": false,
+    "defaultOpen": true
+  },
+  "confidenceScoreSection": {
+    "included": true,
+    "collapsible": true,
+    "defaultOpen": false
+  },
+  "sequenceDiagramSection": {
+    "included": true,
+    "collapsible": true,
+    "defaultOpen": false
+  },
+  "customContext": {
+    "rules": [
+      {
+        "scope": [".github/workflows/**"],
+        "rule": "Flag unpinned third-party GitHub Actions, broad write permissions, persisted checkout credentials in write-token jobs, pull_request_target misuse, and untrusted GitHub context inside shell commands."
+      },
+      {
+        "scope": ["scripts/**", "bin/**", "skills/**/scripts/**"],
+        "rule": "Treat CLI inputs, URLs, file paths, and subprocess arguments as untrusted. Flag RCE, SSRF, path traversal, unsafe shell usage, and missing regression tests."
+      },
+      {
+        "scope": ["skills/**", "commands/**", "agents/**", "rules/**"],
+        "rule": "Review for prompt injection, tool-permission creep, destructive-action ambiguity, hidden persistence, and secret exfiltration risks."
+      },
+      {
+        "scope": ["SECURITY.md", "docs/security/**", "README.md"],
+        "rule": "Ensure package and distribution claims only list official ECC surfaces. Flag unofficial npm packages, stale historical repo paths, and misleading install instructions."
+      }
+    ],
+    "files": [
+      {
+        "scope": ["**/*"],
+        "path": "SECURITY.md",
+        "description": "ECC disclosure policy, official package surfaces, out-of-scope rules, and supply-chain guardrails."
+      },
+      {
+        "scope": ["**/*"],
+        "path": "AGENTS.md",
+        "description": "Workspace-level agent routing and operating constraints."
+      }
+    ]
+  }
+}