Only the latest release of this action is actively maintained and receives security fixes.
See the releases page for the latest available version.
Please do not report security vulnerabilities through public GitHub issues.
Use GitHub's private vulnerability reporting to submit a report.
When reporting, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Any suggested fix if you have one
- Store your ZAI_API_KEY exclusively as a GitHub Actions secret — never as a plain variable or hardcoded in the workflow file.
- Restrict secret access to only the workflows that need it.
This action requires the following minimum permissions to write PR comments:

```yaml
permissions:
  pull-requests: write
```

Do not grant broader permissions than what is listed above.
For supply chain security, pin the action to a specific release tag rather than a mutable branch name:

```yaml
uses: tarmojussila/zai-code-review@v0.3.0
```

Avoid using branch names such as @main in production workflows.
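As an added example (not the action's own code), a small Python lint that checks a workflow file against the three rules above: the key coming from a GitHub Actions secret, the minimum permissions block, and a pinned release tag. It assumes the key is passed through an entry named ZAI_API_KEY and that release tags follow the vX.Y.Z form shown above; the sample workflow and key value are constructed placeholders.

```python
import re
# Added example, not part of the action: lint a workflow against the rules in this policy.
ACTION = "tarmojussila/zai-code-review"
USES_RE = re.compile(r"uses:\s*" + re.escape(ACTION) + r"@(\S+)")
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")           # assumed tag form, e.g. v0.3.0
KEY_RE = re.compile(r"\bZAI_API_KEY\s*:\s*(\S.*)")     # assumes the key is set under this name
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.")         # ${{ secrets.NAME }}
PERM_RE = re.compile(r"^(\s*)([\w-]+):\s*(read|write)\s*$")
ALLOWED_PERMS = {"pull-requests": "write"}              # the documented minimum

def audit_workflow(text: str) -> list[str]:
    """Return one finding per policy violation; an empty list means the workflow is clean."""
    findings, perm_indent = [], None   # perm_indent: indent of an open 'permissions:' block
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PERM_RE.match(line)
        if perm_indent is not None and m and len(m.group(1)) > perm_indent:
            if ALLOWED_PERMS.get(m.group(2)) != m.group(3):
                findings.append(f"line {lineno}: '{m.group(2)}: {m.group(3)}' exceeds the minimum permissions")
            continue
        perm_indent = None                                # any other line closes the block
        stripped = line.strip()
        if stripped.startswith("permissions:"):
            value = stripped[len("permissions:"):].strip()
            if value in ("write-all", "read-all"):
                findings.append(f"line {lineno}: 'permissions: {value}' exceeds the minimum permissions")
            else:
                perm_indent = len(line) - len(line.lstrip())
            continue
        m = USES_RE.search(line)
        if m and not RELEASE_TAG.match(m.group(1)):
            findings.append(f"line {lineno}: pinned to mutable ref '@{m.group(1)}', use a release tag")
        m = KEY_RE.search(line)
        if m and not SECRET_REF.match(m.group(1)):
            findings.append(f"line {lineno}: ZAI_API_KEY is not read from a GitHub Actions secret")
    return findings

# Constructed sample violating all three rules (the key value is a placeholder, not a real key).
WEAK_WORKFLOW = """\
permissions: write-all
jobs:
  review:
    steps:
      - uses: tarmojussila/zai-code-review@main
        env:
          ZAI_API_KEY: zai-placeholder-not-a-real-key
"""

if __name__ == "__main__":
    for finding in audit_workflow(WEAK_WORKFLOW):
        print(finding)
```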