
Reorganize jobs in workflows, fix linter and update dependencies. #140

Merged
AlphaOne1 merged 2 commits into master from reorganize_workflows on May 17, 2026

Conversation

@AlphaOne1 AlphaOne1 (Owner) commented May 17, 2026

Summary by CodeRabbit

  • Chores
    • Updated Go SQLite driver dependency to a newer version along with related transitive dependencies for improved stability and compatibility.
    • Refined GitHub Actions CI/CD workflows to enhance compliance verification, security scanning, and automated code quality checks.
    • Improved static analysis linting configurations to strengthen code standards and maintainability across the project.


Signed-off-by: Alexander Adam <alphaone23@gmail.com>
@AlphaOne1 AlphaOne1 self-assigned this May 17, 2026
@coderabbitai coderabbitai (Bot) commented May 17, 2026

Warning

Rate limit exceeded

@AlphaOne1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 56 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25934f9a-b129-46d3-9a3d-b39036c7aafc

📥 Commits

Reviewing files that changed from the base of the PR and between b491543 and 7ad3a53.

📒 Files selected for processing (1)
  • .github/workflows/compliance.yml
📝 Walkthrough

This PR hardens the CI/CD pipeline by enforcing strict repository-wide default permissions, improving commit verification logic for pull requests, consolidating static analysis scanning with GitHub Security tab integration, and refreshing linting and dependency configurations.

Changes

CI/CD Pipeline Security and Compliance Hardening

Commit Verification with Improved PR Support
Files: .github/workflows/compliance.yml
Summary: CheckSignedOff job adds a PR-exclusion gate and bumps the runner hardening action. CheckSignedOffCommit filtering is reformatted as multiline. For PR events, commit SHAs are fetched via `gh api --paginate`, and the GH_NAME/GH_NAME_SOURCE environment variables are derived dynamically based on event type. DCO failure messaging changes to "DCO check failed for commits" and success to "All commits are signed".

Static Analysis SARIF Integration
Files: .github/workflows/compliance.yml
Summary: GolangCI job gains `security-events: write` permission and explicit steps to execute golangci-lint-action with SARIF/text output, then upload SARIF results to the GitHub Security tab. REUSE and StaticCheck jobs are positioned/pinned in this workflow with standard hardening and setup steps.

Security Jobs and Workflow Permissions
Files: .github/workflows/test.yml, .github/workflows/security.yml, .github/workflows/scorecard.yml
Summary: Default repository-wide `permissions: read-all` is added to test.yml and security.yml. TrivyCode and VulnerabilityCheck jobs retain explicit job-level `contents: read` permissions. Trivy and govulncheck-action inputs are reformatted for consistent YAML quoting while preserving SARIF output configuration. The Scorecard workflow's branch filter is quoted. The Codecov upload step gains an explicit `report_type: coverage`.

Linting Configuration, Dependencies, and Test Updates
Files: .golangci.yaml, go.mod, migration_test.go
Summary: The gomodguard linter is disabled in the golangci-lint config. Go module dependencies updated: modernc.org/sqlite v1.49.1→v1.50.1, and transitive golang.org/x/sys and modernc.org/libc versions bumped. TestMigrationIsValid now uses the exported constant dmorph.MigrationTableName instead of a hardcoded string for test cases.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • AlphaOne1/dmorph#52: Prior DCO "Signed-off-by" workflow logic updates for push vs pull_request event handling.
  • AlphaOne1/dmorph#109: Related linting and static analysis configuration across golangci-lint, security jobs, and .golangci.yaml.

Poem

🐰 Workflows tighten, permissions read-only,
Commits now signed with a clearer calling.
SARIF shines in the Security tab—
Static checks consolidated, no gap!
Dependencies bumped, tests aligned with constants—
A hardened pipeline, secure and trusting.

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title references the main changes: workflow reorganization, linter configuration, and dependency updates. It aligns with the core changes across multiple workflow files and dependency files.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@github-advanced-security commented:
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai coderabbitai (Bot) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/compliance.yml (1)

161-165: ⚡ Quick win

Pin the golangci-lint binary version instead of using latest.

The action SHA is pinned, but version: latest makes lint results non-reproducible. A future golangci-lint release can start failing unchanged PRs or alter the SARIF output unexpectedly. Pin to a specific stable version like v2.12.2 (current stable as of May 2026).

💡 Proposed change
-                version: latest
+                version: v2.12.2
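Review bot: the fixed tag restores reproducibility but also freezes the rule set, so pair `version: v2.12.2` with the same automated dependency-update mechanism that already maintains the action's SHA pin; otherwise the linter silently ages and a later bump lands a batch of new findings inside an unrelated PR. Make each linter version bump its own PR so that any new warnings are attributable to the linter change rather than to the code under review.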
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/compliance.yml around lines 161 - 165, The workflow step
"Run golangci-lint" currently sets the action input version to "latest", which
makes lint runs non-reproducible; update the `version` input for the
golangci-lint action in the workflow step (the block with name "Run
golangci-lint" and uses: golangci/golangci-lint-action@1e7e51e7...) to a fixed
stable tag (e.g., "v2.12.2") instead of "latest" so the binary and SARIF output
remain deterministic across runs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/compliance.yml:
- Around line 39-44: The "Determine pushed commits" step currently skips running
for bots and 'web-flow', but the later "Check for Signed-off-by" step still
attempts to read shas.txt and fails when that file was never created; update the
workflow so that either the "Check for Signed-off-by" job/step (the DCO check)
is gated by the same condition as the "Determine pushed commits" step (i.e.,
skip when github.event_name == 'push' && actor or pusher is a bot or pusher.name
== 'web-flow') or ensure that when skipping "Determine pushed commits" you still
create an empty shas.txt artifact; locate the step named "Determine pushed
commits" and the step that does "done < shas.txt" (the DCO/Check for
Signed-off-by step) and make their skip/if conditions consistent so the DCO step
never runs without shas.txt.
- Around line 75-78: The GH_NAME conditional uses the non-existent
github.event.name causing push events to mis-evaluate; update the GH_NAME
expression to use github.event_name (the same key used by GH_NAME_SOURCE) so the
ternary-like condition correctly selects github.event.pusher.name for push
events and github.event.pull_request.user.login for PRs, ensuring GH_NAME and
GH_NAME_SOURCE are consistent.

---

Nitpick comments:
In @.github/workflows/compliance.yml:
- Around line 161-165: The workflow step "Run golangci-lint" currently sets the
action input version to "latest", which makes lint runs non-reproducible; update
the `version` input for the golangci-lint action in the workflow step (the block
with name "Run golangci-lint" and uses:
golangci/golangci-lint-action@1e7e51e7...) to a fixed stable tag (e.g.,
"v2.12.2") instead of "latest" so the binary and SARIF output remain
deterministic across runs.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8bda3d2a-bb73-4a4a-99d8-dfe887eba14b

📥 Commits

Reviewing files that changed from the base of the PR and between 89e2abb and b491543.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (7)
  • .github/workflows/compliance.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security.yml
  • .github/workflows/test.yml
  • .golangci.yaml
  • go.mod
  • migration_test.go

Signed-off-by: Alexander Adam <alphaone23@gmail.com>
@AlphaOne1 AlphaOne1 merged commit b701e14 into master May 17, 2026
18 checks passed
@AlphaOne1 AlphaOne1 deleted the reorganize_workflows branch May 17, 2026 09:08