chore(deps): bump the github-actions group across 1 directory with 5 …

83c8604
Open

chore(deps): bump the github-actions group across 1 directory with 5 updates #73

Kusari Inspector / Kusari Inspector failed Mar 2, 2026 in 46s

Security Issues Found

Found 2 security issues that require attention

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The dependency analysis found no issues. However, the code analysis identified two high severity supply chain risks in .github/workflows/go-mod-tidy.yml. Both actions/checkout@v6 (line 14) and actions/setup-go@v6 (line 19) use mutable version tags instead of immutable commit SHAs. This is especially concerning because the workflow runs with contents: write permissions and has access to secrets.REPO_PAT, meaning a tampered or silently updated action could exfiltrate secrets or manipulate repository contents without detection. The risk is compounded by the workflow triggering on pull requests, widening the attack surface. To proceed, both actions must be pinned to their full commit SHA (e.g., actions/checkout@<full-sha> and actions/setup-go@<full-sha>) to eliminate the supply chain risk before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.


Commit: 83c8604, performed at: 2026-03-02T09:52:43Z