
feat: add Go PR validation and service release umbrella workflows#406

Merged
bedatty merged 8 commits into
developfrom
feat/go-validation-release-umbrellas
Jun 9, 2026

Conversation

@bedatty bedatty commented Jun 8, 2026


GitHub Actions Shared Workflows


Description

Adds two umbrella reusable workflows so a Go service repository references a single workflow per concern (PR validation, release) instead of wiring multiple reusables + gate/aggregator boilerplate in every caller. Both build on two new shared composites.

New workflow — go-pr-validation.yml orchestrates, in one place:

  • PR metadata validation (delegates to pr-validation.yml)
  • a non-doc change gate that skips heavy pipelines on docs-only PRs
  • the Go analysis pipeline (go-pr-analysis.yml), opt-in via run_go_analysis
  • the security scan pipeline (pr-security-scan.yml), opt-in via run_security
  • stable aggregator checks (Go Analysis, Security) for branch protection

Reworked workflow — go-release.yml is repurposed from the GoReleaser binary flow into a service release umbrella:

  • branch push → non-doc change gate → semantic release (release.yml)
  • tag push → container build & push (build.yml) → GitOps update (gitops-update.yml)

New composites

  • src/config/non-doc-changes — reports whether a PR/push touches anything beyond docs/meta (auto-detects PR vs push); replaces shell duplicated across callers.
  • src/validate/result-gate — exposes a single stable status check over a multi-job reusable pipeline.

Docs (docs/go-pr-validation.md, docs/go-release-workflow.md, cross-links), .github/labeler.yml and CONTRIBUTING.md updated accordingly.

Type of Change

  • [x] feat: New workflow or new input/output/step in an existing workflow
  • [ ] fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • [ ] perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • [ ] refactor: Internal restructuring with no behavior change
  • [ ] docs: Documentation only (README, docs/, inline comments)
  • [ ] ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • [ ] chore: Dependency bumps, config updates, maintenance
  • [ ] test: Adding or updating tests
  • [ ] BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

go-release.yml was repurposed from the GoReleaser binary-release flow to the service-release umbrella. Consumers are pinned by tag (@v1.x.x), so existing callers are frozen on the prior content and are not affected at runtime; the GoReleaser flow remains recoverable in git history. No input contract is broken for the service-release use case. New behavior in go-pr-validation.yml is opt-in (run_go_analysis / run_security default-gated by change detection). Released additively on v1.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @this-branch or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Validated locally with actionlint (workflows), yamllint, and shellcheck (composite shell) — all clean. Caller-repo validation (go-boilerplate-ddd) will follow in a separate PR once a tag is published.

Caller repo / workflow run: pending — separate go-boilerplate-ddd PR after release

Related Issues

Closes #

Summary by CodeRabbit

  • New Features

    • Added reusable Go PR validation and Go release umbrella workflows with configurable toggles, non-doc change gating, and aggregated pipeline result gates; added a guarded library-version check and composite actions for change detection and result gating.
  • Documentation

    • Added/updated docs for Go PR validation, Go release umbrella, security workflow, non-doc change gate, and contributing scopes.
  • Chores

    • Updated CI labeler rules and workflow interfaces/permissions.

Introduce two umbrella reusable workflows so Go service repos reference a
single workflow per concern, plus the shared composites they build on.

- go-pr-validation.yml: orchestrates PR metadata, a non-doc change gate,
  go-pr-analysis and pr-security-scan behind opt-in flags, with stable
  aggregator status checks for branch protection.
- go-release.yml: reworked from the GoReleaser binary flow into a service
  release umbrella (semantic-release on branch push; build + gitops-update
  on tag push), gated by non-doc change detection.
- src/config/non-doc-changes: composite reporting whether a PR/push touches
  anything beyond docs/meta.
- src/validate/result-gate: composite exposing one stable status check over
  a multi-job reusable pipeline.

Docs, labeler and CONTRIBUTING updated. Additive on v1 - the previous
GoReleaser go-release content remains in git history.
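What the non-doc change gate described above has to do, as an added example that is not the project's src/config/non-doc-changes composite: pick the diff range for a pull request versus a push, filter the changed paths against ignore globs, and emit code=true/false. The default ignore list, the function names and the fallback range for a freshly created branch are assumptions of the example; the file lists fed to it are constructed, not taken from a real run.

```shell
#!/bin/sh
# Added example, not the project's src/config/non-doc-changes composite:
# the shell logic a non-doc change gate needs, in POSIX sh so it runs in
# the minimal shells used by composite actions.
# -f (noglob) keeps 'docs/*' in the ignore list from being expanded against
# the workspace; it is matched as a pattern instead.
set -euf

# Ignore globs assumed for this example; the composite's real default list is
# configurable and may differ. Each glob is matched against the full
# repository-relative path, and `*` in a case pattern also matches `/`,
# so 'docs/*' covers every depth under docs/.
DEFAULT_IGNORE='docs/* *.md .github/labeler.yml CODEOWNERS LICENSE'

# diff_range EVENT_NAME BASE_REF BEFORE_SHA HEAD_SHA
# Prints the revision range for `git diff --name-only`. A pull request diffs
# against the merge base of its target branch (three dots), so commits that
# landed on the base branch after the PR was opened do not count as changes
# in the PR; a push diffs the previous tip against the new one.
diff_range() {
  event=$1; base_ref=$2; before=$3; head=$4
  case "$event" in
    pull_request|pull_request_target)
      printf 'origin/%s...%s\n' "$base_ref" "$head" ;;
    push)
      case "$before" in
        *[!0]*) printf '%s..%s\n' "$before" "$head" ;;
        # A newly created branch reports an all-zero "before" SHA; fall back
        # to the new tip's parent (an example simplification, not the
        # composite's behaviour).
        *) printf '%s~1..%s\n' "$head" "$head" ;;
      esac ;;
    *)
      echo "unsupported event: $event" >&2; return 1 ;;
  esac
}

# is_ignored PATH IGNORE_GLOBS   (globs space-separated) -> 0 if ignored
is_ignored() {
  path=$1; patterns=$2
  for glob in $patterns; do
    # shellcheck disable=SC2254  # unquoted on purpose: it is a pattern
    case "$path" in $glob) return 0 ;; esac
  done
  return 1
}

# non_doc_changes [IGNORE_GLOBS]   (changed paths on stdin, one per line)
# Prints "true" when any path escapes the ignore list, else "false", and
# mirrors the value into $GITHUB_OUTPUT as code=<value> when run in Actions.
non_doc_changes() {
  globs=${1:-$DEFAULT_IGNORE}
  result=false
  while IFS= read -r changed || [ -n "$changed" ]; do
    [ -n "$changed" ] || continue
    if ! is_ignored "$changed" "$globs"; then
      echo "non-doc change: $changed" >&2
      result=true
      break
    fi
  done
  printf '%s\n' "$result"
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "code=$result" >> "$GITHUB_OUTPUT"
  fi
}

# Demo on constructed file lists (not the output of a real run):
printf 'docs/go-release-workflow.md\nCONTRIBUTING.md\n' | non_doc_changes      # false
printf 'docs/go-release-workflow.md\ncmd/server/main.go\n' | non_doc_changes   # true
diff_range pull_request develop 0000000 deadbeef                                 # origin/develop...deadbeef
```

In a composite the path list would come from `git diff --name-only $(diff_range ...)` on a checkout with enough history for the range to resolve; the example feeds constructed paths on stdin so it runs offline. The first non-ignored path is reported on stderr and the loop stops there, since the gate only needs to know that at least one such path exists.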
@bedatty bedatty requested a review from a team as a code owner June 8, 2026 17:02
coderabbitai Bot commented Jun 8, 2026


Walkthrough

Adds a reusable Go PR validation workflow, refactors the Go release pipeline into an umbrella workflow, introduces composite actions for non-doc change detection and result gating, adjusts Lerian lib-version error handling, and updates docs and labeler mappings.

Changes

Go Service CI/CD Workflow Orchestration

Layer / File(s) Summary
Non-documentation change detection action
src/config/non-doc-changes/action.yml, src/config/non-doc-changes/README.md
Composite action detects non-doc changes by filtering modified files against configurable ignore-globs; outputs code=true/false for gating downstream jobs.
Result gate aggregation action
src/validate/result-gate/action.yml, src/validate/result-gate/README.md
Composite action evaluates an upstream result and exits success for success/skipped, otherwise fails with an error annotation; intended for if: always() aggregation steps.
Go PR validation orchestration workflow
.github/workflows/go-pr-validation.yml, docs/go-pr-validation.md
New reusable workflow_call workflow orchestrates PR metadata validation, non-doc change gating, conditional Go analysis, security scans, and lib-version checks; aggregates outcomes with result-gate jobs and exposes many inputs/secrets for tooling and gating.
Lerian lib-version guard
src/validate/lerian-lib-version/action.yml
Adds handling for non-200/non-404 HTTP responses from the Lerian releases API: warn, clear cached latest-version, and continue without failing; also widens the sticky PR comment step to run with always().
Go release workflow refactoring
.github/workflows/go-release.yml, docs/go-release-workflow.md
Refactors release pipeline into an umbrella workflow that calls downstream release.yml, build.yml, and gitops-update.yml; branch pushes are gated by non-doc changes, tag pushes run builds and conditionally update GitOps; workflow inputs and job permissions updated.
Documentation and labeler updates
.github/labeler.yml, CONTRIBUTING.md, docs/go-*.md, docs/typescript-release-workflow.md
Updates labeler to include go-pr-validation.yml, adds go-pr-validation scope to CONTRIBUTING, and refreshes related workflow docs to describe the new umbrella and orchestration patterns.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

size/L

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main changes: addition of two umbrella reusable workflows (go-pr-validation and go-release) and supporting composites for Go service CI.
Description check ✅ Passed The description covers all required template sections: a clear summary of what the PR does, the type of change (feat) is checked, breaking changes are addressed (go-release repurposing is callers-pinned-safe), testing approach is documented with local validation completed, and related issues section is present. Content is substantial and specific.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


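The gate contract the walkthrough describes (success and skipped pass, everything else fails with an error annotation), shown as an added example that is not the project's src/validate/result-gate composite. Next to it is a stricter variant that also reads the change gate's code output, so a pipeline that was skipped for a reason other than "docs only" (the later review on this page describes the ready_for_review case) does not turn the aggregated check green. Function names and the code=<value> input are assumptions of the example; the job outcomes in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the project's src/validate/result-gate composite: the
# status mapping a result gate applies to an upstream job result, next to a
# stricter variant that also consumes the change gate's output.
set -eu

# result_gate RESULT
# The contract described for the composite: success and skipped pass;
# anything else (failure, cancelled, an empty value) fails with an error
# annotation so the aggregated status check goes red.
result_gate() {
  result=${1:-}
  case "$result" in
    success|skipped)
      echo "gate: upstream result '$result' accepted"
      return 0 ;;
    *)
      echo "::error title=Pipeline gate failed::upstream result '${result:-<empty>}'"
      return 1 ;;
  esac
}

# strict_result_gate RESULT CODE_CHANGED
# Accepts "skipped" only when the change gate reported code=false. If the
# change gate said code=true, or never ran (CODE_CHANGED empty), a skipped
# pipeline means nothing was tested, and the gate fails instead of passing
# silently.
strict_result_gate() {
  result=${1:-}; code_changed=${2:-}
  case "$result" in
    success) return 0 ;;
    skipped)
      if [ "$code_changed" = "false" ]; then
        echo "gate: pipeline skipped because only docs/meta changed"
        return 0
      fi
      echo "::error title=Pipeline gate failed::pipeline skipped although code=${code_changed:-<unset>}"
      return 1 ;;
    *)
      echo "::error title=Pipeline gate failed::upstream result '${result:-<empty>}'"
      return 1 ;;
  esac
}

# Demo over constructed job outcomes (not from a real run). The third case is
# the bypass: an event the change-detection job does not cover leaves its
# output unset and the pipeline skipped, which the lenient gate accepts.
for scenario in "success:true" "skipped:false" "skipped:" "failure:true"; do
  upstream=${scenario%%:*}; code=${scenario#*:}
  lenient=pass; result_gate "$upstream" >/dev/null 2>&1 || lenient=FAIL
  strict=pass;  strict_result_gate "$upstream" "$code" >/dev/null 2>&1 || strict=FAIL
  printf 'upstream=%-8s code=%-7s lenient=%s strict=%s\n' \
    "$upstream" "${code:-<unset>}" "$lenient" "$strict"
done
```

The `::error title=...::message` line is the Actions workflow command that produces the annotation a gate job shows on failure. In a real aggregator the two arguments come from `needs.<job>.result` and the change-detection job's output; a gate step runs with if: always() so it is evaluated even when the upstream job failed or was skipped.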

@lerian-studio lerian-studio added size/XL PR changes ≥ 1000 lines — consider splitting documentation Improvements or additions to documentation workflow Changes to one or more reusable workflow files golang Changes to Go-related workflows github-config Changes to repository configuration (templates, CODEOWNERS, labeler, etc.) config Changes to repository configuration composite actions (src/config/) validate Changes to PR validation composite actions (src/validate/) composite Changes to any composite action manifest (src/**/*.yml) labels Jun 8, 2026
lerian-studio commented Jun 8, 2026


🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.



lerian-studio commented Jun 8, 2026


🔍 Lint Analysis

Check Files Scanned Status
YAML Lint 6 file(s) ✅ success
Action Lint 2 file(s) ✅ success
Pinned Actions 5 file(s) ✅ success
Markdown Link Check 8 file(s) ✅ success
Spelling Check 14 file(s) ✅ success
Shell Check 5 file(s) ✅ success
README Check 5 file(s) ✅ success
Composite Schema 3 file(s) ✅ success
Deployment Matrix no changes ⏭️ skipped


lerian-studio commented Jun 8, 2026


🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

Check Status Blocking
Source Branch ✅ success yes
PR Title ✅ success yes
PR Description ✅ success yes
PR Size ✅ success no
Auto Labels ✅ success no
PR Metadata ✅ success no


…sting

Temporary: flip src/config/non-doc-changes and src/validate/result-gate refs
from @v1 to @feat/go-validation-release-umbrellas so the umbrellas resolve when
called from a caller PR before release. MUST be reverted to @v1 before merge.

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/go-release.yml (1)

1-185: ⚠️ Potential issue | 🟠 Major

Breaking change: Complete workflow interface refactoring.

The workflow input surface has been replaced entirely (removed prior GoReleaser-based inputs, added umbrella orchestration inputs). Per the PR objectives, this is intentional: callers pinned to a prior tag remain on the old behavior; the umbrella is additive on v1.

For callers upgrading, migrate to the new input contract:

  • Branch pushes: configure ignore_globs, semantic_version, enable_changelog, enable_major_tag
  • Tag pushes: configure enable_dockerhub, enable_ghcr, app_name, docker_build_args, enable_cosign_sign, enable_gitops_update, gitops_repository, artifact/YAML mappings
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go-release.yml around lines 1 - 185, The workflow
interface was completely refactored and previous GoReleaser inputs removed;
update any callers and docs to the new umbrella inputs by migrating branch-push
callers to supply ignore_globs, semantic_version, enable_changelog, and
enable_major_tag, and migrating tag-push callers to supply enable_dockerhub,
enable_ghcr, app_name, docker_build_args, enable_cosign_sign,
enable_gitops_update, gitops_repository and yaml/artifact mappings
(gitops_artifact_pattern / gitops_yaml_key_mappings), and verify jobs release,
build and update_gitops receive the mapped inputs and secrets inheritance
expected by the new contract.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/go-pr-validation.md`:
- Line 60: The PR event types example currently includes the unnecessary
`edited` event in the YAML `types: [opened, edited, synchronize, reopened,
ready_for_review]`; remove `edited` so the list reads `types: [opened,
synchronize, reopened, ready_for_review]` to match repo convention and avoid
unwanted reruns—update the example in docs/go-pr-validation.md where the `types`
array is defined.

---



📥 Commits

Reviewing files that changed from the base of the PR and between 311ee3d and 4d63a26.

📒 Files selected for processing (13)
  • .github/labeler.yml
  • .github/workflows/go-pr-validation.yml
  • .github/workflows/go-release.yml
  • CONTRIBUTING.md
  • docs/go-ci-workflow.md
  • docs/go-pr-validation.md
  • docs/go-release-workflow.md
  • docs/go-security-workflow.md
  • docs/typescript-release-workflow.md
  • src/config/non-doc-changes/README.md
  • src/config/non-doc-changes/action.yml
  • src/validate/result-gate/README.md
  • src/validate/result-gate/action.yml


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2


⚠️ Outside diff range comments (2)
.github/workflows/go-pr-validation.yml (1)

149-149: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Local workflow paths will break when called from external repos.

These uses: ./.github/workflows/*.yml references resolve to the caller's workspace, not this repository. When an external repo invokes go-pr-validation.yml, GitHub will look for pr-validation.yml, go-pr-analysis.yml, and pr-security-scan.yml in that external repo—they won't be found.

Change to absolute external refs:

-    uses: ./.github/workflows/pr-validation.yml
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-validation.yml@v1.x.x
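Review bot: `@v1.x.x` in the `+` line is a placeholder, not a ref that resolves, so the suggestion cannot be applied as written; whichever tag replaces it has to exist before the umbrella is first called from a caller repo, which the PR description already defers to a follow-up once a tag is published. When the three `./.github/workflows/*.yml` lines become `owner/repo/...@ref`, also check nesting depth: GitHub allows at most four levels of reusable workflows (the caller plus three), so caller -> go-pr-validation.yml -> pr-security-scan.yml leaves exactly one level for anything pr-security-scan.yml calls in turn.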

Apply the same pattern to all three workflow references. Pin to an exact semver tag after this PR is released.

Based on learnings: "Local relative paths like ./path resolve to the caller's workspace and only work when the workflow is invoked via internal self-* wrappers within the same repo."

Also applies to: 186-186, 216-216

🤖 Prompt for AI Agents

In @.github/workflows/go-pr-validation.yml at line 149, The workflow uses local
relative workflow calls (e.g., the uses: ./.github/workflows/pr-validation.yml,
go-pr-analysis.yml, pr-security-scan.yml entries in go-pr-validation.yml) which
will break when invoked from external repositories; replace each relative-path
"uses:" with an absolute repo@tag reference
(owner/repo/.github/workflows/pr-validation.yml@vX.Y.Z etc.), update all three
referenced workflows (pr-validation.yml, go-pr-analysis.yml,
pr-security-scan.yml) in go-pr-validation.yml, and pin to an exact semver tag
(not branch) once this PR is published.

Source: Learnings

.github/workflows/go-release.yml (1)

137-137: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Local workflow paths will break when called from external repos.

Same issue as go-pr-validation.yml. These uses: ./.github/workflows/*.yml references resolve to the caller's workspace.

-    uses: ./.github/workflows/release.yml
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/release.yml@v1.x.x

Apply to all three workflow references (release.yml, build.yml, gitops-update.yml). Pin to exact semver tag after this PR is released.

Also applies to: 156-156, 178-178

🤖 Prompt for AI Agents

In @.github/workflows/go-release.yml at line 137, Replace the local workflow
path usages that reference other workflow files via relative paths (the three
"uses: ./.github/workflows/release.yml", "uses: ./.github/workflows/build.yml",
and "uses: ./.github/workflows/gitops-update.yml" entries) with pinned external
references to this repo at an exact semver tag (e.g.
owner/repo/.github/workflows/<name>.yml@vX.Y.Z) once this PR is released; update
all occurrences (the three uses lines) so they no longer point to
./.github/workflows/*.yml but instead reference the repo + exact tag.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/go-pr-validation.yml:
- Line 176: Update the composite action refs back to the stable v1 tag before
merging: replace any temporary branch refs like
"LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes@feat/go-validation-release-umbrellas"
(and similar refs at the other occurrences) with the canonical
"LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes@v1" so
the workflow uses the released composite action version.

In @.github/workflows/go-release.yml:
- Line 122: The workflow currently pins the composite action to the branch/ref
"feat/go-validation-release-umbrellas" in the uses statement; change that uses
entry to reference the stable tag "`@v1`" instead (replace
LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes@feat/go-validation-release-umbrellas
with the same repository/path but ending in `@v1`) so the workflow uses the
released composite action version.



📥 Commits

Reviewing files that changed from the base of the PR and between 4d63a26 and 7dff791.

📒 Files selected for processing (2)
  • .github/workflows/go-pr-validation.yml
  • .github/workflows/go-release.yml

bedatty added 2 commits June 9, 2026 11:45
Wire lerian-lib-version-check.yml into the PR validation umbrella as a gated
job (run_lib_version_check, default true), behind the non-doc change gate, with
a stable 'Lib Version' aggregator check for branch protection. Expose
go_mod_path / check_indirect / comment_on_pr inputs and the optional
LERIAN_LIB_READ_TOKEN secret.

@coderabbitai coderabbitai Bot left a comment



⚠️ Outside diff range comments (1)
docs/go-pr-validation.md (1)

79-79: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pin the production workflow example to an exact stable tag.

The example currently uses @v1; for production docs it must be an exact stable version (for example @v1.2.3).

Suggested fix
-    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/go-pr-validation.yml@v1
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/go-pr-validation.yml@v1.2.3
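Review bot: an exact tag such as `@v1.2.3` narrows what the example resolves to but does not make it immutable, as the prompt text below claims: a tag can be moved or re-pushed. A caller that needs an immutable pin should reference the full commit SHA of the release (`...go-pr-validation.yml@<sha>`) with the tag noted in a trailing comment, and the docs could say so next to the production example.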

As per coding guidelines, docs examples must use @develop/feature refs for testing and pinned stable @vX.Y.Z for production examples.

🤖 Prompt for AI Agents

In `@docs/go-pr-validation.md` at line 79, Update the workflow reference string
"LerianStudio/github-actions-shared-workflows/.github/workflows/go-pr-validation.yml@v1"
to pin to an exact stable tag (e.g., replace "`@v1`" with a specific release like
"`@v1.2.3`") so the production example is immutable; keep using branch/ref names
like "`@develop`" only for testing examples and ensure the docs show the exact
semantic version tag for production usage.

Source: Coding guidelines

♻️ Duplicate comments (2)
.github/workflows/go-pr-validation.yml (1)

196-196: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace temporary feature-branch composite refs before merge.

These uses: entries still point to @feat/go-validation-release-umbrellas. That ref is test-only and brittle for consumers; switch them to the released floating major ref (@v1) before release.

Suggested fix
-        uses: LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes@feat/go-validation-release-umbrellas
+        uses: LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes@v1
...
-        uses: LerianStudio/github-actions-shared-workflows/src/validate/result-gate@feat/go-validation-release-umbrellas
+        uses: LerianStudio/github-actions-shared-workflows/src/validate/result-gate@v1
...
-        uses: LerianStudio/github-actions-shared-workflows/src/validate/result-gate@feat/go-validation-release-umbrellas
+        uses: LerianStudio/github-actions-shared-workflows/src/validate/result-gate@v1
...
-        uses: LerianStudio/github-actions-shared-workflows/src/validate/result-gate@feat/go-validation-release-umbrellas
+        uses: LerianStudio/github-actions-shared-workflows/src/validate/result-gate@v1
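Review bot: the `+` lines move all four composite refs to the floating `@v1` tag, so when a caller runs the umbrella they resolve to whatever `v1` points at in this repo at that moment; the composites therefore need to be on the `v1` tag before the umbrella is consumed (the PR description defers caller validation until a tag is published), and any later move of `v1` changes the gate's behaviour for every consumer without a caller-side change. Reverting the feature-branch refs is still required, since a branch ref stops resolving once the branch is deleted after merge.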

Also applies to: 226-226, 252-252, 278-278

🤖 Prompt for AI Agents

In @.github/workflows/go-pr-validation.yml at line 196, Update the temporary
composite action refs that target the feature branch by replacing the ref suffix
"`@feat/go-validation-release-umbrellas`" with the released floating major ref
"`@v1`" for the `uses:
LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes` entries
(and the other occurrences at the same pattern on the file). Locate the `uses:`
lines that include
`LerianStudio/github-actions-shared-workflows/src/config/non-doc-changes@feat/go-validation-release-umbrellas`
and change them to `...@v1` so consumers use the stable released ref.

Source: Linters/SAST tools

docs/go-pr-validation.md (1)

66-66: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Drop edited from the baseline PR trigger example.

Keep the minimal default PR event types to avoid unnecessary reruns and label-feedback loops in copied caller workflows.

Suggested fix
-    types: [opened, edited, synchronize, reopened, ready_for_review]
+    types: [opened, synchronize, reopened, ready_for_review]

Based on learnings, the repo convention for PR-validation docs keeps the default pull_request.types minimal and excludes edited unless a caller explicitly needs it.

🤖 Prompt for AI Agents

In `@docs/go-pr-validation.md` at line 66, The PR trigger example currently
includes "edited" in the types list (types: [opened, edited, synchronize,
reopened, ready_for_review]); remove "edited" so the baseline uses the minimal
default event types (types: [opened, synchronize, reopened, ready_for_review])
to avoid unnecessary reruns and label-feedback loops—update the example in
docs/go-pr-validation.md accordingly.

Source: Learnings



📥 Commits

Reviewing files that changed from the base of the PR and between 7dff791 and 682f0fd.

📒 Files selected for processing (2)
  • .github/workflows/go-pr-validation.yml
  • docs/go-pr-validation.md

@coderabbitai coderabbitai Bot left a comment



⚠️ Outside diff range comments (4)
src/validate/lerian-lib-version/action.yml (1)

196-200: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pinned ignore rules stop enforcing their target on API errors.

resolve_latest() now returns "" for any non-200 response, but the loop checks latest before it applies IGNORE_PIN. A caller-provided lib-name/vN@vX.Y.Z pin therefore becomes _unknown_ instead of being compared against the pinned version, so the action stops enforcing the explicit minimum exactly when the Releases API is degraded.

Suggested fix
-          latest=$(resolve_latest "${repo}" "${major_filter}")
-
-          if [[ -z "${latest}" ]]; then
-            UNKNOWN=$((UNKNOWN+1))
-            printf '| `%s` | `%s` | _unknown_ | Could not resolve latest release |\n' "${short_path}" "${current}" >> "${ROWS_FILE}"
-            log "::warning title=Could not resolve latest release::Failed to fetch latest stable release for LerianStudio/${repo}"
-            continue
-          fi
-
-          # Pinned ignore: latest target becomes the pinned version
-          target="${latest}"
-          marker_suffix=""
-          if [[ -n "${IGNORE_PIN[${short_path}]:-}" ]]; then
-            target="${IGNORE_PIN[${short_path}]}"
-            marker_suffix=" (pinned)"
-          fi
+          marker_suffix=""
+          if [[ -n "${IGNORE_PIN[${short_path}]:-}" ]]; then
+            latest="${IGNORE_PIN[${short_path}]}"
+            target="${latest}"
+            marker_suffix=" (pinned)"
+          else
+            latest=$(resolve_latest "${repo}" "${major_filter}")
+            if [[ -z "${latest}" ]]; then
+              UNKNOWN=$((UNKNOWN+1))
+              printf '| `%s` | `%s` | _unknown_ | Could not resolve latest release |\n' "${short_path}" "${current}" >> "${ROWS_FILE}"
+              log "::warning title=Could not resolve latest release::Failed to fetch latest stable release for LerianStudio/${repo}"
+              continue
+            fi
+            target="${latest}"
+          fi
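Review bot: the reordering in the `+` block is the right fix (apply IGNORE_PIN first and call resolve_latest() only when there is no pin), but the AI-agent prompt that follows recommends a different change, returning a `_unknown_` sentinel from resolve_latest(); that would make the `[[ -z "${latest}" ]]` branch unreachable and feed the literal string `_unknown_` into the version comparison. Only one of the two should be applied, and it should be this diff; the prompt text should be corrected to match it.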

The README contract already says ignore-pin entries are compared against the pin instead of latest.

Also applies to: 283-297

🤖 Prompt for AI Agents

In `@src/validate/lerian-lib-version/action.yml` around lines 196 - 200,
resolve_latest() currently returns "" on non-200 responses which causes the
caller loop to treat latest as empty before applying IGNORE_PIN, so pinned
ignore rules stop matching; change resolve_latest() to return the sentinel
"_unknown_" (and set LATEST_CACHE[cache_key]="_unknown_") when the Releases API
returns a non-200 response so the calling loop (the code that uses the latest
variable and IGNORE_PIN) will compare IGNORE_PIN entries against the pin as
expected instead of skipping them due to an empty string.
.github/workflows/go-pr-validation.yml (3)

184-186: ⚠️ Potential issue | 🟠 Major

Add ready_for_review to the non-doc change gate to prevent pipeline bypass

go-pr-validation.yml’s changes job runs only for opened|synchronize|reopened, so when a caller triggers ready_for_review, changes is skipped, which causes go-analysis, security, and lib-version to be skipped; the corresponding *-gate jobs still pass because src/validate/result-gate treats skipped as success. This contradicts the documented caller behavior that includes ready_for_review.

Suggested fix
-    if: contains(fromJSON('["opened","synchronize","reopened"]'), github.event.action)
+    if: contains(fromJSON('["opened","synchronize","reopened","ready_for_review"]'), github.event.action)
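Review bot: extending the action list closes the draft-to-ready path, but any action not enumerated here still skips `changes` and, as the finding says, result-gate treats a skipped pipeline as success, so the bypass is only narrowed. Two options: also add `edited`, since a base-branch retarget changes which files the PR touches, or make the gates fail when `changes` itself was skipped so this list no longer has to be exhaustive.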
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go-pr-validation.yml around lines 184 - 186, The "changes"
job's condition uses contains(fromJSON('["opened","synchronize","reopened"]'),
github.event.action) which omits the ready_for_review event; update that
contains(...) array to include "ready_for_review" so the job runs for opened,
synchronize, reopened, and ready_for_review and thus prevents bypassing
downstream gates (adjust the string in the if condition used by the changes
job).

167-181: ⚠️ Potential issue | 🔴 Critical

Fix nested reusable workflow uses: ./... paths for external callers

.github/workflows/go-pr-validation.yml is documented as an umbrella reusable workflow for external repos, but it calls other reusable workflows via local relative refs (uses: ./.github/workflows/...). For external callers, those ./ paths resolve in the caller repo, so the nested workflows won’t be found and the run fails.

Affected jobs: metadata, go-analysis, security, lib-version.

Suggested fix
-    uses: ./.github/workflows/pr-validation.yml
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-validation.yml@<same-published-ref>

-    uses: ./.github/workflows/go-pr-analysis.yml
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/go-pr-analysis.yml@<same-published-ref>

-    uses: ./.github/workflows/pr-security-scan.yml
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/pr-security-scan.yml@<same-published-ref>

-    uses: ./.github/workflows/lerian-lib-version-check.yml
+    uses: LerianStudio/github-actions-shared-workflows/.github/workflows/lerian-lib-version-check.yml@<same-published-ref>
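Review bot: the finding and the author's reply below make opposite claims about where `./.github/workflows/...` resolves for an external caller, and the checks on this PR ran inside this repository, so they do not settle it; one run from a caller in another repository would. If the repo-qualified form is adopted, `@<same-published-ref>` must be filled in on every release, and a mutable tag there lets the umbrella and its nested workflows drift apart between what was reviewed and what actually runs; a full commit SHA avoids that.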
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go-pr-validation.yml around lines 167 - 181, The reusable
workflow uses local relative paths so external repos calling this umbrella
workflow fail to resolve nested workflows; update the nested job `uses` entries
(e.g., jobs named `metadata`, `go-analysis`, `security`, `lib-version`) to
reference the full repository-qualified reusable workflow ref
(owner/repo/.github/workflows/<workflow-file>.yml@<tag|sha|branch>) instead of
`./.github/workflows/...`, and keep the existing `with:`/`secrets:` inputs
intact so parameters pass through unchanged.

Source: Learnings


219-229: ⚠️ Potential issue | 🟠 Major

Fix *-gate to fail when the changes prerequisite fails

result-gate exits successfully when the evaluated upstream result is success or skipped. In .github/workflows/go-pr-validation.yml, go-analysis-gate/security-gate/lib-version-gate depend on changes but only pass needs.<pipeline>.result; when changes fails, the corresponding pipeline job is skipped, so the gate passes and masks the real failure.

Suggested fix
-          result: ${{ needs.go-analysis.result }}
+          result: ${{ needs.changes.result != 'success' && needs.changes.result || needs.go-analysis.result }}
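Review bot: under GitHub's operand-returning `&&`/`||`, this expression yields `needs.changes.result` whenever it is anything other than `success`, so `failure` and `cancelled` now reach result-gate, but so does `skipped`, and result-gate treats skipped as success (see the finding above). A `changes` job skipped by its `if:` condition therefore still lets every gate pass; if that path should fail too, map it explicitly, e.g. `needs.changes.result == 'skipped' && 'failure' || ...`, or tighten result-gate's own contract instead of repeating the expression in three jobs.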

Apply the same pattern to security-gate and lib-version-gate.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go-pr-validation.yml around lines 219 - 229, The gate jobs
(go-analysis-gate, security-gate, lib-version-gate) currently only pass the
upstream pipeline result to the result-gate action, which lets a skipped job
(due to a failed changes prerequisite) be treated as success; update each gate's
with:result expression to also consider needs.changes.result so that if
needs.changes.result == 'failure' the gate input becomes failure (i.e.,
propagate the changes failure into the result-gate input), applying this same
change to go-analysis-gate, security-gate and lib-version-gate so the
result-gate will fail when the changes job fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 743ab9bd-7f58-4a85-ae6f-605d24e9d44f

📥 Commits

Reviewing files that changed from the base of the PR and between 4f2f465 and dfe4e16.

📒 Files selected for processing (3)
  • .github/workflows/go-pr-validation.yml
  • .github/workflows/go-release.yml
  • src/validate/lerian-lib-version/action.yml

@bedatty bedatty merged commit 964d3c7 into develop Jun 9, 2026
36 checks passed
@github-actions github-actions Bot deleted the feat/go-validation-release-umbrellas branch June 9, 2026 20:30
@coderabbitai coderabbitai Bot mentioned this pull request Jun 9, 2026
14 tasks
@bedatty bedatty (Contributor, Author) commented Jun 9, 2026

Outside-diff comments addressed:

  • ready_for_review bypass — Fixed in 6d7904f74801195a82a7af31a91116288c8df3ab. Added "ready_for_review" to the changes job condition so draft→ready conversions run the full pipeline.
  • IGNORE_PIN on API error — Valid edge-case. Tracked in "fix(lerian-lib-version): IGNORE_PIN entries ignored when releases API returns non-200" (#418) as a follow-up (requires API degradation + pin configured simultaneously).
  • Gate passes when changes fails — Valid concern. Tracked in "fix(go-pr-validation): gate jobs pass when changes job fails" (#419) as a follow-up (rare scenario, low urgency).
  • Local workflow paths — Intentional design. ./ in a reusable workflow resolves to the repo where the workflow file lives (shared-workflows), not the caller. All referenced workflows exist in this repo.
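The gate behaviour discussed in the go-pr-validation.yml findings, modelled as an added shell example that is not the result-gate composite itself: gate_input mirrors the suggested `needs.changes.result != 'success' && needs.changes.result || needs.<pipeline>.result` expression under GitHub's operand-returning `&&`/`||`, gate_input_current mirrors the wiring the finding describes (pipeline result only), and result_gate applies the pass-on-success-or-skipped contract the finding states. The result strings are the real job result values; the pairings fed to it are constructed.

```shell
#!/bin/sh
# Added example, not the project's result-gate code. Job results are plain
# strings: success | failure | cancelled | skipped.

# Current wiring: only the pipeline job's result reaches the gate.
gate_input_current() { printf '%s\n' "$2"; }

# Suggested wiring. GitHub's && / || return an operand rather than a boolean,
# so when changes did not succeed the expression yields changes' own result,
# otherwise the pipeline's. Arguments: <changes result> <pipeline result>.
gate_input() {
  if [ "$1" != success ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# result-gate contract as described in the finding: success or skipped passes.
result_gate() {
  case $1 in
    success|skipped) return 0 ;;
    *) return 1 ;;
  esac
}

# "pass" or "fail" for a (changes, pipeline) pair under each wiring.
gate_outcome_current() {
  if result_gate "$(gate_input_current "$1" "$2")"; then printf 'pass\n'; else printf 'fail\n'; fi
}
gate_outcome() {
  if result_gate "$(gate_input "$1" "$2")"; then printf 'pass\n'; else printf 'fail\n'; fi
}
```

`gate_outcome_current failure skipped` prints `pass`, which is the masking the finding describes; `gate_outcome failure skipped` prints `fail`. `gate_outcome skipped skipped` still prints `pass`, because a skipped `changes` job (an event action outside the `if:` list) is forwarded as `skipped` and result-gate accepts it, so the suggested expression closes the failure case but not the skipped one.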


Labels

  • composite: Changes to any composite action manifest (src/**/*.yml)
  • config: Changes to repository configuration composite actions (src/config/)
  • documentation: Improvements or additions to documentation
  • github-config: Changes to repository configuration (templates, CODEOWNERS, labeler, etc.)
  • golang: Changes to Go-related workflows
  • size/XL: PR changes ≥ 1000 lines — consider splitting
  • validate: Changes to PR validation composite actions (src/validate/)
  • workflow: Changes to one or more reusable workflow files
