Issue
The org-wide reusable CI workflow at runcycles/.github/.github/workflows/ci-java.yml is referenced from every Cycles Java repo using @main:
```yaml
uses: runcycles/.github/.github/workflows/ci-java.yml@main
```
This is mutable — a malicious or accidental push to `runcycles/.github@main` propagates to every consuming repo's CI on the next run, which undercuts the otherwise-pinned-action supply-chain posture in those repos (Scorecard PRs A/B have pinned all third-party actions to SHAs everywhere except this org-internal reference).
Affected repos (sample)
- cycles-spring-boot-starter
- cycles-spring-ai-starter
- cycles-client-python (Python equivalent if it uses a reusable workflow)
- cycles-client-typescript (TS equivalent)
- cycles-mcp-server
Proposed fix
Either:
- Tag the reusable workflow (`v1`, `v2`, ...) and have consumers reference `@v1`. By the GitHub Actions ecosystem convention the major tag `v1` is a floating tag that is moved to the latest `v1.x.y` release, so minor/patch bumps reach consumers without a change on their side, while breaking changes go to a new `v2`. Caveat: a tag is still a mutable ref, so this narrows the trust to whoever can move tags in `runcycles/.github` rather than removing it; protect the release tags (tag protection rules or a repository ruleset) so only the release process can move them.
- Pin to SHAs in each consuming repo's CI workflow, same as third-party actions, with the version as a trailing comment (`@<sha> # v1.2.3`) so Dependabot can still track it. More tedious but fully reproducible and immune to tag moves.
Recommendation: option 1 — release `v1` from current main, update all consumers via Dependabot (GitHub Actions ecosystem already covers reusable-workflow refs).
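To make the "everything except this ref is pinned" state checkable rather than a thing reviewers eyeball, here is a small POSIX shell checker, added as an illustration and not code from any Cycles repo. It classifies every `uses:` reference in a workflow file as `sha` (immutable), `tag` (mutable, but trusts the owner's tag process) or `branch` (fully mutable), skipping local `./` actions and `docker://` refs. The sample workflow it runs on is constructed for the example, and the 40-hex SHA in it is a placeholder, not a real commit.

```shell
#!/bin/sh
# classify_uses FILE: print one "<kind> <ref>" line per `uses:` entry in a
# GitHub Actions workflow, where kind is:
#   sha    - pinned to a 40-hex commit SHA (immutable)
#   tag    - a version tag such as v1 or v1.2.3 (mutable ref, trusts tag owner)
#   branch - anything else, e.g. @main, or no @ at all (fully mutable)
# Local actions (uses: ./path) and docker:// references are skipped.
classify_uses() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" \
  | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" \
  | while IFS= read -r ref; do
      case "$ref" in
        ./*|docker://*) continue ;;
      esac
      target=${ref##*@}
      if [ "$target" = "$ref" ]; then
        # No @ref at all: GitHub resolves this to the default branch.
        echo "branch $ref"
        continue
      fi
      if printf '%s\n' "$target" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "sha $ref"
      elif printf '%s\n' "$target" | grep -Eq '^v[0-9]+(\.[0-9]+)*$'; then
        echo "tag $ref"
      else
        echo "branch $ref"
      fi
    done
}

# count_unpinned FILE: number of references that are not SHA-pinned.
count_unpinned() {
  classify_uses "$1" | awk '$1 != "sha" { n++ } END { print n + 0 }'
}

# Constructed sample consumer workflow (not a real Cycles repo file) mixing the
# three styles: the org reusable workflow at @main, a SHA-pinned action with a
# version comment (placeholder SHA), a tag-pinned action and a local action.
SAMPLE_WF=$(mktemp)
cat > "$SAMPLE_WF" <<'EOF'
name: ci
on: [push]
jobs:
  java:
    uses: runcycles/.github/.github/workflows/ci-java.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: "actions/setup-java@v4"
      - uses: ./.github/actions/local-helper
      - run: ./gradlew build
EOF

classify_uses "$SAMPLE_WF"
echo "unpinned references: $(count_unpinned "$SAMPLE_WF")"
```

Run it over `.github/workflows/*.yml` in each consumer and fail CI when `count_unpinned` is non-zero; once `v1` exists, a consumer is expected to show the reusable workflow as `tag` (or `sha` if option 2 is taken) and nothing as `branch`.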
Surface
Original review finding from PR #1 on cycles-spring-ai-starter (2026-05-12). Tracking org-wide rather than per-repo because the fix is a single change in this repo plus downstream consumer bumps.