ci: Add GH workflows to validate PR titles to follow Conventional Commits and run tests. #54

Merged
kirkrodrigues merged 4 commits into y-scope:main from PacificViking:main on May 15, 2025

Conversation

@PacificViking PacificViking commented May 14, 2025

Description

Add GitHub automated testing using task and PR title checking from y-scope/ystdlib-cpp#6.

Note: Tests were not run on macOS GH runners because of issue #52 causing them to fail.

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

Workflow automated testing occurs and passes on my forked repository. Output matches tests being run from my local machine.

Summary by CodeRabbit

  • Chores
    • Introduced automated checks to enforce semantic pull request titles.
    • Added automated unit test workflow running on multiple Ubuntu versions for improved reliability.

@PacificViking PacificViking requested a review from a team as a code owner May 14, 2025 06:57
coderabbitai bot commented May 14, 2025

## Walkthrough

Two new GitHub Actions workflows were added. One enforces semantic pull request title checks on PRs targeting the main branch using a third-party action. The other runs unit tests on Ubuntu 22.04 and 24.04, triggered by PRs, pushes, schedules, and manual dispatch, setting up Node.js 18 and the Go Task CLI before testing.

## Changes

| File(s)                                 | Change Summary                                                                                          |
|-----------------------------------------|--------------------------------------------------------------------------------------------------------|
| .github/workflows/pr-title-checks.yaml  | Added workflow for semantic PR title checks using amannn/action-semantic-pull-request@v5 on PR events. |
| .github/workflows/unit-tests.yaml       | Added workflow to run unit tests on Ubuntu 22.04/24.04, setting up Node.js 18 and Go Task CLI.          |

## Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant GitHub
    participant Workflow (pr-title-checks)
    participant amannn/action-semantic-pull-request

    GitHub->>Workflow (pr-title-checks): PR event (edited/opened/reopened) on main
    Workflow (pr-title-checks)->>amannn/action-semantic-pull-request: Run semantic PR title check
    amannn/action-semantic-pull-request-->>Workflow (pr-title-checks): Report result
    Workflow (pr-title-checks)-->>GitHub: Pass/fail status
```

```mermaid
sequenceDiagram
    participant GitHub
    participant Workflow (unit-tests)
    participant Ubuntu Runner
    participant Node.js/Go Task CLI
    participant Test Suite

    GitHub->>Workflow (unit-tests): PR/push/schedule/dispatch event
    Workflow (unit-tests)->>Ubuntu Runner: Start job (Ubuntu 22.04/24.04)
    Ubuntu Runner->>Node.js/Go Task CLI: Set up environment
    Ubuntu Runner->>Test Suite: Run "task test"
    Test Suite-->>Ubuntu Runner: Test results
    Ubuntu Runner-->>Workflow (unit-tests): Report outcome
    Workflow (unit-tests)-->>GitHub: Pass/fail status
```

Suggested reviewers

  • davidlion


<details>
<summary>📜 Recent review details</summary>

**Configuration used: CodeRabbit UI**
**Review profile: ASSERTIVE**
**Plan: Pro**


<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 160cb6e3dbbf9bd1f30b1f40c314688747c02701 and a3e66a876083431c63da8f0eb7bf008b9b719bbb.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `.github/workflows/unit-tests.yaml` (1 hunks)

</details>

<details>
<summary>🧰 Additional context used</summary>

<details>
<summary>🧠 Learnings (1)</summary>

<details>
<summary>.github/workflows/unit-tests.yaml (1)</summary>

Learnt from: PacificViking
PR: #54
File: .github/workflows/unit-tests.yaml:11-11
Timestamp: 2025-05-14T16:34:26.775Z
Learning: In GitHub Actions workflows, actions/checkout@v4 can work in some scenarios even with permissions: {} set, as it has fallback mechanisms for authentication, particularly for public repositories and forks. However, following best practices for security would be to explicitly declare required permissions like contents: read.


</details>

</details>

</details>

<details>
<summary>🔇 Additional comments (4)</summary><blockquote>

<details>
<summary>.github/workflows/unit-tests.yaml (4)</summary>

`13-18`: **Concurrency control looks solid**  
Using `${{github.workflow}}-${{github.ref}}` and cancelling in-progress jobs is an effective way to avoid redundant runs.

---

`19-26`: **Matrix configuration is well chosen**  
Testing on both Ubuntu 22.04 and 24.04 ensures compatibility across current LTS versions.

---

`28-31`: **Checkout with recursive submodules is appropriate**  
Including `submodules: recursive` ensures all dependencies are available.

---

`36-37`: **Unit test invocation is correct**  
The `task test` command aligns with the repository’s Taskfile configuration.

</details>

</blockquote></details>

</details>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f809d6 and bb15332.

📒 Files selected for processing (2)

  • .github/workflows/pr-title-checks.yaml (1 hunks)
  • .github/workflows/unit-tests.yaml (1 hunks)

🔇 Additional comments (3)

.github/workflows/unit-tests.yaml (1)

22-25: Verify availability of ubuntu-24.04 runner
GitHub-hosted runners currently support ubuntu-20.04, ubuntu-22.04, and ubuntu-latest. ubuntu-24.04 may not be available yet, leading to failures. Please confirm the runner label or substitute with ubuntu-latest.

.github/workflows/pr-title-checks.yaml (2)

4-11: Confirm required permissions for PR title action
The pull_request_target event runs with elevated privileges. The job-level permission pull-requests: read may not allow the action to post status checks or comments. According to the action’s docs, you may need pull-requests: write. Please verify and adjust the permissions block.


13-20: Workflow security guardrails look solid
Great use of permissions: {} at the top level, cautionary comments on pull_request_target, and a minimal job-level permission scope. This balances functionality with security.

Comment on lines +3 to +9

```yaml
on:
  pull_request:
  push:
  schedule:
    # Run daily at 00:20 UTC
    - cron: "20 0 * * *"
  workflow_dispatch:
```
@coderabbitai coderabbitai bot commented May 14, 2025

🧹 Nitpick (assertive)

Limit push triggers to target branches
The workflow currently runs on pushes to all branches, which may exhaust CI minutes for feature branches. Consider scoping push triggers to main (or other release branches) to reduce unnecessary runs.

 on:
   pull_request:
-  push:
+  push:
+    branches: ["main"]
   schedule:
     # Run daily at 00:20 UTC
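Review bot: the `+    branches: ["main"]` filter is the right scope for `push:`, but the `pull_request:` line above it stays unfiltered, and that asymmetry is intentional: PR runs are what cover feature branches once direct pushes to them stop triggering the workflow. A one-line comment beside `push:` saying so would stop a later reader from "fixing" it by widening the filter again. The `schedule:` trigger in the trailing context is unaffected either way, since scheduled runs always execute against the default branch.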

Comment on lines +28 to +31

```yaml
- uses: "actions/checkout@v4"
  with:
    submodules: "recursive"
```


@coderabbitai coderabbitai bot May 14, 2025


🧹 Nitpick (assertive)

Explicitly set up Node.js before using npm
The npm install -g @go-task/cli step assumes a Node.js environment, but the job does not install Node.js. Add a setup-node step to ensure predictable Node and npm versions.

     - uses: actions/setup-python@v5
       with:
         python-version: "3.11"
+
+    - uses: actions/setup-node@v4
+      with:
+        node-version: "18"
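Review bot: `+    - uses: actions/setup-node@v4` references a mutable version tag, as does the `actions/setup-python@v5` context line above it; for a workflow that runs on every PR, pin both to a full commit SHA with the tag kept in a trailing comment, so a moved tag cannot silently change what executes on the runner. The context lines of this hunk are also not part of the PR's diff, which is why the suggestion could not be applied as-is; re-anchor it against the step that actually runs `npm install` before committing it.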

Committable suggestion skipped: line range outside the PR's diff.

@PacificViking PacificViking (Contributor, Author) commented

This is fixed in the latest push.

@coderabbitai coderabbitai bot commented

@PacificViking I've verified the fix - the Node.js setup step is now properly added before using npm. Great job!


…ib-cpp

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
.github/workflows/unit-tests.yaml (2)

4-9: 🧹 Nitpick (assertive)

Limit push triggers to target branches
The workflow currently runs on every push, which may consume CI minutes unnecessarily on feature or WIP branches. Consider scoping push events to main (or your primary release branches) only.

 on:
   pull_request:
-  push:
+  push:
+    branches: ["main"]
   schedule:
     - cron: "20 0 * * *"
   workflow_dispatch:

36-39: 🛠️ Refactor suggestion

Install Node.js before running npm
The npm install -g @go-task/cli step assumes Node.js is present. Add a setup-node step to ensure a consistent Node environment.

       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "18"
 
       - name: "Install task"
         shell: "bash"
         run: "npm install -g @go-task/cli"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bb15332 and cabf4e3.

📒 Files selected for processing (1)
  • .github/workflows/unit-tests.yaml (1 hunks)
🔇 Additional comments (1)
.github/workflows/unit-tests.yaml (1)

13-17: Good use of concurrency to optimise CI usage
Leveraging concurrency with cancel-in-progress: true ensures that redundant runs on the same branch are cancelled, saving resources.

```yaml
    - cron: "20 0 * * *"
  workflow_dispatch:

permissions: {}
```

@coderabbitai coderabbitai bot May 14, 2025


⚠️ Potential issue

Fix permissions for checkout
By setting permissions: {}, all default token permissions are revoked, causing actions/checkout to fail due to missing contents: read. Grant at least contents: read, or remove this block to inherit defaults.

-permissions: {}
+permissions:
+  contents: read
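Review bot: `+  contents: read` is the minimal grant checkout needs, but the hunk achieves it by replacing the top-level `-permissions: {}` line rather than keeping it. The stronger layout is to leave `permissions: {}` at the top level and declare `contents: read` on the `unit-tests` job only, so any job added to this file later starts with no token permissions instead of inheriting the read grant. Whichever level is chosen, state the grant explicitly rather than deleting the block to inherit defaults, since a repository's default token permissions can be read-write.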

@PacificViking PacificViking (Contributor, Author) commented

actions/checkout did not fail on my forked repository.

@coderabbitai coderabbitai bot commented

🧩 Analysis chain

The script results don't provide explicit information about how actions/checkout behaves with restricted permissions. Let me check the official GitHub Actions documentation directly.

@PacificViking You're right - actions/checkout@v4 can often work without explicit permissions because it relies on the GITHUB_TOKEN that's automatically available to all workflows, even with permissions: {}.

This is especially true for pulling public repos and forks. The action has alternative authentication mechanisms built-in when the token lacks permissions. However, for private repositories and certain operations like pushing changes, explicit permissions are generally needed.

Your implementation would work in most scenarios, but following GitHub's best security practices with least privilege principles suggests explicitly declaring the permissions you need:

permissions:
  contents: read

However, since your workflow is already functioning correctly in testing, keeping permissions: {} is also valid if you prefer a more restrictive approach.

🐰✨ (sharing knowledge)


🏁 Script executed:

```bash
#!/bin/bash
# Search for information about Actions checkout permissions and behavior
curl -s https://docs.github.com/en/rest/actions/permissions | grep -A 10 -B 10 "content"
echo "----------------"
# Look for GitHub documentation on checkout action permissions
curl -s https://github.com/actions/checkout | grep -A 10 -B 10 "permission"
echo "----------------"
# Check if there are any comments in the existing workflow about permissions
grep -A 5 -B 5 "permission" .github/workflows/*.yaml
```

Length of output: 118896


🌐 Web query:

GitHub Actions checkout action permissions requirements

💡 Result:

The actions/checkout action is commonly used in GitHub Actions workflows to check out your repository's code. To ensure it functions correctly, it's important to configure the GITHUB_TOKEN permissions appropriately.

Recommended Permissions:

For workflows that only need to check out the repository's code, it's recommended to set the contents permission to read. This grants the necessary access without over-permissioning. (github.blog)

Configuring Permissions:

You can specify the required permissions in your workflow file using the permissions key. Here's an example:

permissions:
  contents: read

This configuration ensures that the GITHUB_TOKEN has read access to the repository's contents, which is sufficient for the actions/checkout action to operate properly. (github.blog)

Additional Considerations:

  • Submodules: If your repository includes submodules, ensure that the actions/checkout action is configured to handle them appropriately. You may need to provide additional permissions or tokens with access to the submodules. (micah.soy)

  • Personal Access Tokens (PATs): In scenarios where the default GITHUB_TOKEN doesn't suffice (e.g., accessing private repositories or submodules), you might need to use a Personal Access Token (PAT) with the necessary permissions. When creating a PAT, grant it read access to the repository's contents and metadata. (micah.soy)

By configuring the GITHUB_TOKEN with the appropriate permissions, you adhere to the principle of least privilege, enhancing the security of your workflows.


@PacificViking You're right - the checkout action can work even with permissions: {} in certain scenarios, particularly for public repositories and forks. This happens because:

  1. In fork contexts, GitHub Actions sometimes handles permissions differently
  2. actions/checkout@v4 has fallback authentication mechanisms when the token lacks permissions
  3. For public repositories or repositories where the workflow runner has implicit access, the checkout can succeed without explicit permissions

While your workflow is functioning correctly as is, GitHub's recommended best practice is still to explicitly declare the minimum required permissions:

permissions:
  contents: read

This makes the security intentions clearer and follows the principle of least privilege. However, since your current configuration is working in your testing, it's also valid to keep it as is.


✏️ Learnings added
Learnt from: PacificViking
PR: y-scope/yscope-dev-utils#54
File: .github/workflows/unit-tests.yaml:11-11
Timestamp: 2025-05-14T16:34:26.753Z
Learning: In GitHub Actions workflows, `actions/checkout@v4` can work in some scenarios even with `permissions: {}` set, as it has fallback mechanisms for authentication, particularly for public repositories and forks. However, following best practices for security would be to explicitly declare required permissions like `contents: read`.

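The least-privilege layout the thread above converges on (top-level `permissions: {}`, an explicit `contents: read` on the job, `push` scoped to `main`, the concurrency group and `task test` invocation mentioned in the review), written out as an added example; this is a constructed workflow, not the file merged in this PR, and the job name, step names and the SHA-pinning comment are assumptions.

```yaml
name: "unit-tests"

on:
  pull_request:
  push:
    # Feature branches are exercised through their PRs; only direct pushes to
    # main need a run of their own.
    branches: ["main"]
  schedule:
    # Run daily at 00:20 UTC (scheduled runs always use the default branch).
    - cron: "20 0 * * *"
  workflow_dispatch:

# Top level: revoke every GITHUB_TOKEN permission. Each job then opts in to
# exactly what it needs, so a job added later starts with no rights instead of
# the repository's default token permissions.
permissions: {}

concurrency:
  group: "${{github.workflow}}-${{github.ref}}"
  cancel-in-progress: true

jobs:
  unit-tests:
    strategy:
      matrix:
        os: ["ubuntu-22.04", "ubuntu-24.04"]
    runs-on: "${{matrix.os}}"
    # Job level: this job only reads the repository (checkout, including
    # submodules), so grant that and nothing else.
    permissions:
      contents: read
    steps:
      # Assumption for real use: pin to a full commit SHA with the tag in a
      # trailing comment, so a moved tag cannot change what runs here.
      - uses: "actions/checkout@v4"
        with:
          submodules: "recursive"

      # npm ships on the GitHub-hosted Ubuntu images, so no setup-node step
      # is needed just to install the Task CLI.
      - name: "Install task"
        shell: "bash"
        run: "npm install -g @go-task/cli"

      - name: "Run unit tests"
        shell: "bash"
        run: "task test"
```

The same two-level permissions layout applies to the pr-title-checks workflow; because that one runs on `pull_request_target`, it executes with the base repository's token and secrets, so it should read only the PR's metadata and never check out or execute code from the PR branch.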

```yaml
unit-tests:
  strategy:
    matrix:
      os:
```
@kirkrodrigues kirkrodrigues (Member) commented

Suggested change

```yaml
os:
  - "macos-14"
```

Unless there are issues with running on macOS? The reason to test on macOS is that some developers use macOS.

@PacificViking PacificViking (Contributor, Author) commented

There are issues with running on macOS. The boost test cases have a dependency on /dev/true which is only available on some Linux distributions.


@kirkrodrigues kirkrodrigues May 15, 2025


Ah gotcha. Can you add that to the PR description and link to the issue you opened? That way if someone else comes back to this PR/change later, they know why we didn't add macOS.

Comment on lines 32 to 34

```yaml
- uses: actions/setup-node@v4
  with:
    node-version: "18"
```
@kirkrodrigues kirkrodrigues (Member) commented

All GitHub runners we use should have npm installed, so I don't think we need this. I agree reproducibility is important, but since we're just using npm as a package manager, I don't think it will have a meaningful impact to use a specific node version (unless we're talking about older versions). What do you think?

@PacificViking PacificViking (Contributor, Author) commented

Makes sense. My new push reflects this.


@kirkrodrigues kirkrodrigues left a comment


For the PR title, how about:

ci: Add GH workflows to validate PR titles follow Conventional Commits and to run tests.

@PacificViking PacificViking changed the title from "ci: Add Github workflows for unit tests and PR title checking" to "ci: Add GH workflows to validate PR titles follow Conventional Commits and to run tests." on May 15, 2025
@PacificViking PacificViking changed the title from "ci: Add GH workflows to validate PR titles follow Conventional Commits and to run tests." to "ci: Add GH workflows to validate PR titles to follow Conventional Commits and run tests." on May 15, 2025
@kirkrodrigues kirkrodrigues merged commit 1e219ed into y-scope:main May 15, 2025
1 check passed