WA-VERIFY-108: Audit core repo .github/workflows for deprecated action patterns#1130

Open
kitcommerce wants to merge 1 commit intonextfrom
issue-1127-gh-actions-audit
Conversation

@kitcommerce
Contributor

Fixes #1127

Audits all workflow files for:

  • workarea-commerce/ci composite action usage
  • Node.js 12 runtime actions (@v1 references)
  • docker-compose in workflow scripts

Findings

All three deprecated patterns were found in .github/workflows/ci.yml:

Pattern | Status | Occurrences
workarea-commerce/ci composite actions | ❌ FOUND | 13
@v1 Node.js 12 runtime actions | ❌ FOUND | 13 (same)
docker-compose (v1 CLI) | ❌ FOUND | 13 install steps + 1 invocation

Client impact

None (CI audit only).

Verification Plan

Read notes/WA-VERIFY-108-gh-actions-audit.md for full audit results and recommended follow-up issues.
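The three checks above are grep-based, and the reviewers below call the method reproducible. The following POSIX shell script is an added example, not the PR's own audit script nor the notes file it adds: it runs the same three checks over a directory of workflow YAML and prints a summary in the shape of the findings table. The sample `ci.yml` it writes is constructed for the demo, the function names and exact regular expressions are assumptions, and counts are matching lines rather than steps. It also handles two look-alikes a plain `grep docker-compose` would miscount: `docker-compose.yml` file references and the v2 `docker-compose-plugin` package are not counted as v1 CLI usage.

```shell
#!/bin/sh
# Added example for PR #1130 (not the PR's own script): grep-based audit of
# .github/workflows for the three deprecated patterns listed in the PR body.
# The sample workflow produced by make_sample_workflows is constructed.

# Concatenate every *.yml / *.yaml file under DIR ($1) to stdout.
workflow_lines() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -exec cat {} +
}

# Lines that reference a workarea-commerce/ci composite action.
count_composite_actions() {
  workflow_lines "$1" | grep -Ec 'uses:[[:space:]]*workarea-commerce/ci/' || true
}

# Lines whose `uses:` pins a major tag of @v1 (the Node.js 12 runtime
# generation in this repo). "@v1.2.3" and "@v10" deliberately do not match.
count_v1_actions() {
  workflow_lines "$1" \
    | grep -Ec 'uses:[[:space:]]*[^[:space:]]+@v1([[:space:]]|$)' || true
}

# Lines using the standalone docker-compose v1 binary (install or invocation).
# The trailing class excludes "docker-compose.yml" (a file name) and
# "docker-compose-plugin" (the v2 plugin package); a leading "/" is allowed so
# an install target like /usr/local/bin/docker-compose still counts.
count_compose_v1() {
  workflow_lines "$1" \
    | grep -Ec '(^|[^[:alnum:]_-])docker-compose([^.[:alnum:]_-]|$)' || true
}

# Print the findings table for DIR ($1).
audit_workflows() {
  printf '%-42s %s\n' 'Pattern' 'Lines'
  printf '%-42s %s\n' 'workarea-commerce/ci composite actions' "$(count_composite_actions "$1")"
  printf '%-42s %s\n' '@v1 (Node.js 12 runtime) actions' "$(count_v1_actions "$1")"
  printf '%-42s %s\n' 'docker-compose v1 CLI' "$(count_compose_v1 "$1")"
}

# Write a constructed workflow into a temp dir and print the workflows path.
make_sample_workflows() {
  d=$(mktemp -d)
  mkdir -p "$d/.github/workflows"
  cat > "$d/.github/workflows/ci.yml" <<'EOF'
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: workarea-commerce/ci/setup@v1
      - uses: workarea-commerce/ci/test@v1
      - uses: actions/setup-node@v1
      - run: pip install docker-compose
      - run: docker-compose up -d
      - run: apt-get install -y docker-compose-plugin
      - run: docker compose -f docker-compose.yml config
EOF
  echo "$d/.github/workflows"
}

# Usage: sh audit.sh [WORKFLOW_DIR]; without an argument the constructed
# sample is audited (expected: composite 2, @v1 3, docker-compose v1 2).
target="${1:-$(make_sample_workflows)}"
audit_workflows "$target"
```

Run it against a real checkout as `sh audit.sh path/to/repo/.github/workflows`; the `@v1` count will normally be at least the composite-action count, and the difference (here `actions/setup-node@v1`) is the set of non-Workarea actions that also need a version bump.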

@kitcommerce kitcommerce added gate:build-passed Build gate passed gate:build-pending Build gate running review:architecture-pending Review in progress review:simplicity-pending Review in progress review:security-pending Review in progress review:rails-conventions-pending Rails conventions review in progress and removed gate:build-pending Build gate running labels Mar 17, 2026
@kitcommerce
Contributor Author

Architecture Review

Verdict: APPROVED

This is an audit/notes-only PR adding notes/WA-VERIFY-108-gh-actions-audit.md. From an architecture standpoint:

Assessment:

The findings document is well-structured and covers the right surface area:

  1. workarea-commerce/ci composite actions (@v1) — Correctly identified as deprecated. Node.js 12 reached end-of-life and GitHub has deprecated runners using it. 13 usages is a meaningful footprint that warrants a remediation issue.

  2. docker-compose v1 CLI — Correctly flagged. The standalone docker-compose binary (v1) was deprecated in favor of the docker compose subcommand (v2). 13 install steps + invocation pattern is consistent across the workflow files.

  3. Follow-up issues recommended — Appropriate next step. Splitting into separate issues (one for CI composite actions, one for docker-compose) is the right decomposition for targeted remediation.

Architecture concerns: None. This PR introduces no behavioral changes — it is purely documentation of observed deprecated patterns. The audit methodology (grep-based detection) is sound and reproducible.

Scope: Correct. Notes file only, no workflow modifications. Client impact is zero.

✅ Ready to merge. Remediation tracked via follow-up issues.

@kitcommerce kitcommerce added review:architecture-done Review complete and removed review:architecture-pending Review in progress labels Mar 17, 2026
@kitcommerce
Contributor Author

Security Review

Verdict: PASS

Findings

  • No security concerns. This PR adds a documentation-only audit notes file (notes/WA-VERIFY-108-gh-actions-audit.md) with no code changes, no secrets, no configuration modifications, and no executable content.

Recommendations

  • The audit itself documents real security-relevant findings (EOL Ruby 2.6 in CI images, Node.js 12 runtime, docker-compose v1) that represent supply-chain risks in the CI pipeline. These are tracked for remediation outside this PR's scope, which is appropriate.

— Security Reviewer (automated)

@kitcommerce
Contributor Author

Rails Conventions Review

Verdict: PASS

Findings

  • No Ruby files, Rails models, controllers, routes, or ActiveRecord patterns are introduced or modified by this PR.
  • This is a notes-only PR adding notes/WA-VERIFY-108-gh-actions-audit.md, which documents CI/CD infrastructure audit findings (deprecated GitHub Actions patterns, EOL Docker images, Node.js 12 runtime, and docker-compose v1 CLI usage).

Recommendations

  • Nothing to address from a Rails conventions standpoint.
  • The audit findings documented here (ruby:2.6 EOL, Node.js 12 deprecated runtime, docker-compose v1) are relevant to the CI infrastructure layer and should be tracked in follow-up issues for remediation — but that is outside this reviewer's scope.

Rails Conventions Reviewer — no Rails code changed; conventions review is not applicable to this diff.

@kitcommerce
Contributor Author

🟢 Simplicity Review — PASS

Reviewer: Simplicity
PR: #1130 — WA-VERIFY-108 GitHub Actions Audit Notes


Assessment

This PR is a single new file: . Couldn't be simpler.

What it does: Documents the audit findings for deprecated GitHub Actions patterns in the core Workarea repo. Notes only — no production code touched.

Simplicity checks:

Check | Result
Single-purpose change | ✅ One file, one job
No unnecessary scope creep | ✅ Audit doc only, no code changes
Clear structure | ✅ Commands → Results → Summary table
Reproducible | ✅ Commands are documented so findings can be verified
Appropriate length | ✅ 84 lines, says what needs to be said

Minor observations (non-blocking):

  • FINDING 2 is technically redundant — the 13 Node.js 12 occurrences are the same 13 workarea-commerce/ci@v1 references, not additional instances. The document notes this with "(same)" in the summary table, but the heading structure implies they're separate findings. Worth noting for clarity, not a blocker.
  • The audit doc captures commands run, which is good practice for reproducibility.

Verdict: This is exactly what a notes-only audit PR should look like. Clean, focused, verifiable. No complexity concerns.


Simplicity Reviewer — automated review via OpenClaw

@kitcommerce kitcommerce added review:simplicity-done Review complete review:security-done Review complete review:rails-conventions-done Rails conventions review complete review:wave1-complete review:rails-security-pending Rails security review in progress review:database-pending Database review in progress review:test-quality-pending Review in progress and removed review:simplicity-pending Review in progress review:security-pending Review in progress review:rails-conventions-pending Rails conventions review in progress labels Mar 17, 2026
@kitcommerce
Contributor Author

Wave 2 Review — Rails Security, Database, Test Quality

Verdict: PASS

  • Rails security: notes-only diff; no controllers, params, auth, session, routing, or secret-handling changes.
  • Database: no models, persistence code, indexes, migrations, or query behavior changed.
  • Test quality: no tests were added or modified; the document accurately reports the deprecated CI patterns present in .github/workflows/ci.yml, including the workarea-commerce/ci/*@v1 usages and docker-compose installs/invocation.

No material issues found for these review lanes.

@kitcommerce kitcommerce added review:rails-security-passed Auto-review label review:rails-security-done Rails security review complete review:database-passed Auto-review label and removed review:test-quality-pending Review in progress review:rails-security-pending Rails security review in progress labels Mar 20, 2026
@kitcommerce kitcommerce added review:database-done Database review complete review:test-quality-passed Auto-review label review:test-quality-done Review complete review:wave2-complete and removed review:database-pending Database review in progress labels Mar 20, 2026