Add n8n backup script and update Docker configuration #93


Merged
merged 11 commits into from
Aug 11, 2025

Conversation

anatolyshipitz (Collaborator)

@anatolyshipitz anatolyshipitz commented Aug 10, 2025

  • Introduced a new backup script n8n-backup.sh to automate the backup of n8n workflows, including git initialization and committing changes.
  • Updated Dockerfile.n8n to install git for the backup script functionality.
  • Modified docker-compose.yml to mount the scripts directory into the n8n service.

These changes enhance the backup capabilities of the n8n service, ensuring workflows are regularly saved and versioned in a git repository.

Summary by CodeRabbit

  • New Features

    • Introduced automated Git-based backup for n8n workflows, including a new backup script and persistent storage integration.
    • Added a configuration file to customize code review behavior.
  • Bug Fixes

    • Adjusted ignore rules to selectively track specific files and directories.
  • Documentation

    • Added comprehensive documentation covering system architecture, technical context, product context, project brief, and progress tracking.
    • Included an archival record of the backup feature implementation and usage instructions.
  • Chores

    • Updated Docker and Docker Compose configurations to support new backup and scripting capabilities.

- Introduced a new backup script `n8n-backup.sh` to automate the backup of n8n workflows, including git initialization and committing changes.
- Updated `Dockerfile.n8n` to install git for the backup script functionality.
- Modified `docker-compose.yml` to mount the scripts directory into the n8n service.

These changes enhance the backup capabilities of the n8n service, ensuring workflows are regularly saved and versioned in a git repository.
@anatolyshipitz anatolyshipitz requested a review from killev as a code owner August 10, 2025 17:09

coderabbitai bot commented Aug 10, 2025

Walkthrough

A new backup automation script for n8n workflows was added, requiring git to be installed in the container. The Dockerfile was updated to install git, and the docker-compose configuration was modified to mount a local scripts directory into the container. No changes were made to public APIs or exported entities. Additionally, multiple documentation files were added or updated to provide context, architecture, and project progress related to this feature.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Dockerfile update for git installation: `Dockerfile.n8n` | Added installation of git via apk for backup script support; minor formatting changes. |
| Docker-compose volume mount: `docker-compose.yml` | Added volume mount to map local `./scripts` directory into container at `/home/node/scripts`. |
| Backup automation script: `scripts/n8n-backup.sh` | Introduced a shell script to automate exporting workflows, managing git repo, and pushing backups. |
| Selective .gitignore update: `.gitignore` | Modified ignore rules to track specific files and a subdirectory within `/memory-bank/` while ignoring others. |
| Archival and documentation files: `memory-bank/archive/archive-redmine-65132.md`, `memory-bank/productContext.md`, `memory-bank/progress.md`, `memory-bank/projectbrief.md`, `memory-bank/systemPatterns.md`, `memory-bank/techContext.md` | Added multiple markdown documents capturing archive details, product context, project progress, project brief, system patterns, and technical context related to the automation platform and backup implementation. |
| CodeRabbit configuration: `.coderabbit.yml` | Added review configuration to exclude `memory-bank/**` from certain review processes. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant n8n-backup.sh
    participant n8n CLI
    participant Git
    participant RemoteRepo

    User->>n8n-backup.sh: Execute script
    n8n-backup.sh->>n8n-backup.sh: Ensure /home/node/.n8n/workflows exists
    n8n-backup.sh->>n8n CLI: Export workflows to ./ (backup)
    n8n-backup.sh->>Git: Initialize repo if needed, set config
    n8n-backup.sh->>Git: Stage and commit changes (if any)
    alt Remote 'origin' configured
        n8n-backup.sh->>Git: Push to 'main' branch
        Git->>RemoteRepo: Push changes
    else No remote
        n8n-backup.sh->>User: Output instructions to add remote
    end
    n8n-backup.sh->>User: Print "Backup completed"
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • killev

Poem

🐇 In code's green meadow, scripts take flight,
Backups hop in the soft moonlight.
Git installs with a gentle tap,
Workflows saved in a tidy wrap.
With Docker's help and scripts so bright,
Automation blooms, a pure delight! 🌿✨


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🔭 Outside diff range comments (1)
Dockerfile.n8n (1)

15-16: Healthcheck relies on wget; ensure it exists or use curl.

If you don’t install wget in the image, the healthcheck will fail. Either install wget or switch the healthcheck to curl (installed in the apt/apk step above).

If using curl:

```dockerfile
HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=30s \
  CMD ["/bin/sh", "-c", "curl -fsS http://0.0.0.0:5678/healthz >/dev/null || exit 1"]
```

🧹 Nitpick comments (1)
scripts/n8n-backup.sh (1)

31-38: Security note: ensure backups don’t leak secrets; use private remote.

Workflows can embed URLs, tokens, or internal endpoints. Ensure the remote is private and access-controlled. Consider adding a .gitignore and/or pre-push checks if sensitive files may appear.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ffcf73 and 71d1d21.

📒 Files selected for processing (3)
  • Dockerfile.n8n (2 hunks)
  • docker-compose.yml (1 hunks)
  • scripts/n8n-backup.sh (1 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
Dockerfile.{n8n,temporal}

📄 CodeRabbit Inference Engine (.cursor/rules/docker-configuration.mdc)

Custom Docker images must be defined using Dockerfile.n8n and Dockerfile.temporal, each extending their respective official base images with custom configurations

Files:

  • Dockerfile.n8n
Dockerfile.n8n

📄 CodeRabbit Inference Engine (.cursor/rules/project-structure.mdc)

Use Dockerfile.n8n for custom n8n image configuration.

Files:

  • Dockerfile.n8n
docker-compose.yml

📄 CodeRabbit Inference Engine (.cursor/rules/docker-configuration.mdc)

docker-compose.yml: All service configurations, including service dependencies, volume mounts, network configuration, environment variables, and port mappings, must be defined in docker-compose.yml
Services must communicate over an internal Docker network with only the specified ports exposed: n8n (5678), Temporal (7233), Temporal UI (8080), PostgreSQL (5432), and OpenSearch (9200)

The repository must include a docker-compose.yml file as the main service orchestration configuration.

Use docker compose up -d to start all services

Files:

  • docker-compose.yml
scripts/**

📄 CodeRabbit Inference Engine (.cursor/rules/project-structure.mdc)

Utility scripts for setup and maintenance should be placed in the scripts/ directory.

Files:

  • scripts/n8n-backup.sh
🧠 Learnings (3)
📚 Learning: 2025-07-28T16:44:50.073Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-07-28T16:44:50.073Z
Learning: Applies to Dockerfile.n8n : Use Dockerfile.n8n for custom n8n image configuration.

Applied to files:

  • Dockerfile.n8n
📚 Learning: 2025-07-28T16:44:24.081Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/docker-configuration.mdc:0-0
Timestamp: 2025-07-28T16:44:24.081Z
Learning: Applies to Dockerfile.{n8n,temporal} : Custom Docker images must be defined using Dockerfile.n8n and Dockerfile.temporal, each extending their respective official base images with custom configurations

Applied to files:

  • Dockerfile.n8n
📚 Learning: 2025-07-28T16:44:24.081Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/docker-configuration.mdc:0-0
Timestamp: 2025-07-28T16:44:24.081Z
Learning: Applies to docker-compose.yml : All service configurations, including service dependencies, volume mounts, network configuration, environment variables, and port mappings, must be defined in docker-compose.yml

Applied to files:

  • docker-compose.yml
🪛 Shellcheck (0.10.0)
scripts/n8n-backup.sh

[warning] 7-7: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Service Availability Check
🔇 Additional comments (5)
Dockerfile.n8n (1)

1-1: Confirms guideline compliance for custom n8n image.

Using Dockerfile.n8n to extend the official base aligns with repo standards.

docker-compose.yml (2)

1-177: Networking and exposed ports align with constraints.

Only the permitted ports are exposed (n8n 5678, Temporal 7233, Temporal UI 8080, Postgres 5432). Redis is internal. Looks good.


36-36: Ensure backup script is executable and invoked properly

I confirmed that scripts/n8n-backup.sh exists in the repo, but its executable bit couldn’t be verified in the sandbox. Please:

  • Verify the script’s permissions, e.g.
    ls -l scripts/n8n-backup.sh
  • Ensure it’s marked executable (chmod +x scripts/n8n-backup.sh) or explicitly invoked via shell in your container (e.g. sh /home/node/scripts/n8n-backup.sh), whether you use a cron sidecar, n8n Execute Command node, or manual docker exec.
scripts/n8n-backup.sh (2)

41-41: Overall: solid automation; minor hardening above will make it production-safe.

The flow is clear and idempotent. With the branch/push fixes and stricter shell behavior, it’s ready.


10-10: --backup flag confirmation in n8n v1.89.x

The --backup flag is supported in n8n v1.89.x and implicitly includes --all, --pretty, and --separate.
Your existing command:

n8n export:workflow --backup --output=./

is valid and will export each workflow as a human-readable, separate file in the current directory.

- Introduced several new markdown files to provide comprehensive documentation for the Automation Platform, including:
  - `productContext.md`: Outlines the problem statement, solution approach, target use cases, and value proposition.
  - `progress.md`: Summarizes recent completed tasks, current project status, and system health.
  - `projectbrief.md`: Provides an overview of the project, core architecture, primary goals, and technology stack.
  - `systemPatterns.md`: Details architectural, data access, integration, testing, code organization, development, deployment, and monitoring patterns.
  - `techContext.md`: Describes the core technology stack, development toolchain, key integrations, architecture patterns, security considerations, performance optimization, and observability.

These additions enhance the project's documentation, ensuring clarity and accessibility for current and future team members, and supporting better onboarding and collaboration.
- Enhanced the .gitignore file to exclude specific markdown files from the memory bank directory, allowing for better tracking of important documentation.
- The following files are now included for tracking: `systemPatterns.md`, `techContext.md`, `productContext.md`, `projectbrief.md`, `progress.md`, and the `archive/` directory.

These changes improve the management of project documentation by ensuring key files are not ignored, facilitating better accessibility and version control.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (8)
memory-bank/archive/archive-redmine-65132.md (3)

29-34: Fix MD040: add language to fenced code block

Add an explicit language for the directory tree block to satisfy markdownlint.

-```
+```text
 /home/node/.n8n/workflows/
 ├── .git/              # Git repository
 ├── README.md          # Documentation
 └── (exported workflows in JSON format)

---

38-43: Fix MD058: table needs a blank line before it

Insert a blank line between the heading and the table.


```diff
-### Files Modified
-| File | Changes | Purpose |
+### Files Modified
+
+| File | Changes | Purpose |

83-92: Minor: Clarify “gracefully handles missing workflows” behavior

Specify exit code and log line when zero workflows are found to aid ops alerting.

memory-bank/techContext.md (2)

67-74: Fix MD040: add language to fenced code block

Add an explicit language for the worker directory tree.

-```
+```text
 workers/main/src/
 ├── activities/          # Temporal activities (business logic)
 ├── workflows/          # Temporal workflows (orchestration)
 ├── services/           # Business service layer
 ├── configs/            # Configuration management
 └── common/             # Shared utilities and types

---

48-52: Minor: Clarify axios rate-limit/retry configuration

Document default rate-limit window and retry backoff strategy to set expectations for consumers.

memory-bank/systemPatterns.md (3)

66-74: Fix MD040: add language to fenced code block

Add an explicit language for the directory tree.


```diff
-```
+```text
 src/
 ├── activities/         # Temporal activities (stateless functions)
 ├── workflows/          # Temporal workflows (orchestration logic)
 ├── services/           # Business services (reusable logic)
 ├── common/             # Shared utilities and types
 ├── configs/            # Configuration management
 └── scripts/            # Utility scripts

---

15-17: Naming consistency: repository vs service

“Service Layer” lists WeeklyFinancialReportRepository; that belongs under Repository, not Service. Use WeeklyFinancialReportService (or move the item).


```diff
-  - `SlackService`, `OAuth2Manager`, `WeeklyFinancialReportRepository`
+  - `SlackService`, `OAuth2Manager`, `WeeklyFinancialReportService`

118-122: Optional: specify the logging library and context pattern

Add the chosen logger (e.g., pino/winston) and the minimal context fields required across services for consistent observability.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 71d1d21 and 231ff62.

📒 Files selected for processing (7)
  • .gitignore (1 hunks)
  • memory-bank/archive/archive-redmine-65132.md (1 hunks)
  • memory-bank/productContext.md (1 hunks)
  • memory-bank/progress.md (1 hunks)
  • memory-bank/projectbrief.md (1 hunks)
  • memory-bank/systemPatterns.md (1 hunks)
  • memory-bank/techContext.md (1 hunks)
✅ Files skipped from review due to trivial changes (4)
  • memory-bank/progress.md
  • .gitignore
  • memory-bank/productContext.md
  • memory-bank/projectbrief.md
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-07-29T15:56:21.892Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/temporal-project-structure.mdc:0-0
Timestamp: 2025-07-29T15:56:21.892Z
Learning: Applies to workers/*/{workflows,activities,index.ts,README.md,types.ts} : All Temporal workers must be placed under 'workers/<worker-name>/' and include: 'workflows/' (workflow definitions), 'activities/' (activity implementations), 'index.ts' (worker entry point), 'types.ts' (optional), and 'README.md' (usage and development instructions).

Applied to files:

  • memory-bank/techContext.md
📚 Learning: 2025-07-29T15:56:21.892Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/temporal-project-structure.mdc:0-0
Timestamp: 2025-07-29T15:56:21.892Z
Learning: Applies to docs/user-guide/temporal/workers/*.md : Each worker must have a dedicated documentation file at 'docs/user-guide/temporal/workers/<worker-name>.md' including purpose, workflows, activities, environment variables, integration points, best practices, and troubleshooting.

Applied to files:

  • memory-bank/techContext.md
📚 Learning: 2025-07-28T16:44:50.073Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/project-structure.mdc:0-0
Timestamp: 2025-07-28T16:44:50.073Z
Learning: The project architecture must include interconnected services: n8n, Temporal Server, Temporal UI, PostgreSQL, and OpenSearch, each running on their specified ports.

Applied to files:

  • memory-bank/techContext.md
🪛 markdownlint-cli2 (0.17.2)
memory-bank/archive/archive-redmine-65132.md

29-29: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


39-39: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

memory-bank/systemPatterns.md

66-66: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

memory-bank/techContext.md

67-67: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (3)
memory-bank/archive/archive-redmine-65132.md (1)

72-81: Update Git commands to set identity and use the correct default branch

To ensure commits succeed inside the container and avoid surprises with branch naming, add Git user configuration and reference the actual default branch:

• File: memory-bank/archive/archive-redmine-65132.md
• Lines: 72–81

Suggested diff:

 # Access workflows directory
 docker compose exec n8n sh -c "cd /home/node/.n8n/workflows"

+# Configure Git identity (container-local)
+docker compose exec n8n git config --global user.name "n8n Backup Bot"
+docker compose exec n8n git config --global user.email "[email protected]"
+
 # Add remote origin
 git remote add origin https://github.com/username/n8n-workflows.git

 # Initial push
-git push -u origin master
+# Replace <default-branch> with your repo’s actual default (usually “main”)
+git push -u origin <default-branch>
+# e.g.
+# git push -u origin main
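Review bot: the `docker compose exec n8n sh -c "cd /home/node/.n8n/workflows"` line changes directory only inside a shell that exits immediately, so the `git remote add origin` and `git push` that follow it run in the reader's host working directory, not in the container's workflow repository. Run each git command through the container with its working directory set, e.g. `docker compose exec -w /home/node/.n8n/workflows n8n git remote add origin <url>`, or wrap the whole sequence in a single `sh -c "cd /home/node/.n8n/workflows && git remote add origin ... && git push -u origin <default-branch>"`. The added `git config --global` lines also write to the container user's home rather than to the repository; since a later commit in this PR moves the script to a repo-local identity, prefer `git -C /home/node/.n8n/workflows config user.name ...` (without `--global`) so the doc and the script agree.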

Please confirm which branch (“main” vs. “master”) the remote uses before publishing this doc.

memory-bank/techContext.md (1)

39-52: ✅ Documented versions match package.json

All version numbers listed in memory-bank/techContext.md (lines 39–52) have been cross-checked against workers/main/package.json and are identical:

  • TypeScript 5.8.3
  • Prettier 3.5.3
  • Vitest 3.1.3
  • Mongoose 8.15.1
  • mysql2 3.14.1
  • @slack/web-api 7.9.2
  • simple-oauth2 5.1.0
  • zod 3.25.17
  • axios-rate-limit 1.4.0
  • axios-retry 4.5.0

No updates needed.

memory-bank/systemPatterns.md (1)

29-32: Connection Pooling abstractions verified
The MongoPool and RedminePool classes (with accompanying tests) are implemented in workers/main/src/common/. The interfaces IFinAppRepository, ITargetUnitRepository, and IWeeklyFinancialReportRepository are all defined and used in their respective service folders. No changes to the wording are needed here—these abstractions exist and are correctly referenced.

…tion

- Updated the `n8n-backup.sh` script to include error handling with `set -euo pipefail` for better reliability.
- Modified the git initialization to create a main branch and set local user configuration.
- Improved the logic for pushing changes to the remote repository, ensuring the current branch is used.

These changes enhance the backup process by ensuring workflows are consistently saved and versioned, while also improving error management in the script.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 231ff62 and 06799d3.

📒 Files selected for processing (1)
  • scripts/n8n-backup.sh (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
scripts/**

📄 CodeRabbit Inference Engine (.cursor/rules/project-structure.mdc)

Utility scripts for setup and maintenance should be placed in the scripts/ directory.

Files:

  • scripts/n8n-backup.sh
🧠 Learnings (1)
📚 Learning: 2025-07-28T16:44:17.362Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/commit-changes-rules.mdc:0-0
Timestamp: 2025-07-28T16:44:17.362Z
Learning: Push to remote repository after committing

Applied to files:

  • scripts/n8n-backup.sh
🪛 Shellcheck (0.10.0)
scripts/n8n-backup.sh

[warning] 2-2: In POSIX sh, set option pipefail is undefined.

(SC3040)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Service Availability Check
🔇 Additional comments (1)
scripts/n8n-backup.sh (1)

33-41: LGTM: Push logic is robust and aligns with learnings.

Always attempting push when a remote exists and setting upstream for the current branch is correct and matches the retrieved learning about pushing after committing.

- Introduced a new configuration file `.coderabbit.yml` to define path filters for reviews, specifically excluding the `memory-bank/**` directory.

This addition enhances the review process by allowing for more focused analysis of relevant files, improving overall code quality management.
@anatolyshipitz anatolyshipitz enabled auto-merge (squash) August 10, 2025 17:48
- Modified the `n8n-backup.sh` script to use `git add -A` instead of `git add .`, ensuring all changes, including deletions, are staged for commit. This change improves the accuracy of the backup process by capturing all modifications in the repository.

These updates enhance the reliability of the n8n backup functionality, ensuring that the entire state of the workflows is preserved in version control.
- Updated the `n8n-backup.sh` script to enable strict mode in a POSIX-compatible way by checking for pipefail support before setting it. This change improves the script's reliability and error handling during execution.

These modifications ensure that the backup process is more robust and adheres to best practices for shell scripting.
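The script itself is not reproduced on this page, so here is an added example (not the repository's `n8n-backup.sh`) that puts the points raised across the review into one POSIX-sh skeleton: `cd ... || exit` (SC2164), probing for `pipefail` before enabling it (SC3040), a repo-local Git identity on a `main` branch, `git add -A`, pushing the branch that is actually checked out, an explicit exit code and log line when zero workflows are exported, and a heuristic secret scan before anything is committed. The `WORKFLOW_DIR` default, exit codes 2 and 3, the commit-author identity and the secret-matching pattern are this example's assumptions, not values from the PR.

```shell
#!/bin/sh
# Hardened n8n workflow backup skeleton (added example; not the project's n8n-backup.sh).
# Assumptions: WORKFLOW_DIR default, exit codes 2/3, the commit identity and the
# secret-pattern heuristic are this example's choices, not taken from the PR.

WORKFLOW_DIR="${WORKFLOW_DIR:-/home/node/.n8n/workflows}"

# Strict mode that stays POSIX-safe (ShellCheck SC3040): pipefail is enabled only
# where the shell supports it, probed in a subshell so an unsupported option is harmless.
enable_strict_mode() {
  set -eu
  if (set -o pipefail) 2>/dev/null; then
    set -o pipefail
  fi
}

# Number of exported workflow files (n8n --backup writes one JSON file per workflow).
workflow_count() {
  find "$1" -maxdepth 1 -type f -name '*.json' | wc -l | tr -d ' '
}

# Heuristic pre-commit check: exported workflows can carry tokens or API keys in
# node parameters. Returns 1 and lists the files if anything looks like a secret.
scan_for_secrets() {
  dir=$1
  pattern='"(password|passwd|secret|token|api[_-]?key|authorization)"[[:space:]]*:[[:space:]]*"[^"]{8,}"|Bearer [A-Za-z0-9._-]{16,}'
  hits=$(find "$dir" -maxdepth 1 -type f -name '*.json' -exec grep -liE "$pattern" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'Possible secret material in exported workflows:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Create the repo on a "main" branch and set a repo-local identity, so commits do not
# depend on a global ~/.gitconfig that may not survive container recreation.
ensure_repo() {
  dir=$1
  if [ ! -d "$dir/.git" ]; then
    git -C "$dir" init -q
    git -C "$dir" symbolic-ref HEAD refs/heads/main
  fi
  git -C "$dir" config user.name "n8n-backup"
  git -C "$dir" config user.email "n8n-backup@localhost"
}

# Stage everything, deletions included (git add -A), and commit only when the index changed.
commit_if_changed() {
  dir=$1
  git -C "$dir" add -A
  if git -C "$dir" diff --cached --quiet; then
    echo "No workflow changes to commit"
    return 0
  fi
  git -C "$dir" commit -q -m "Workflow backup $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Push the branch that is actually checked out rather than a hard-coded name;
# with no remote configured, print how to add one instead of failing.
push_if_remote() {
  dir=$1
  if git -C "$dir" remote get-url origin >/dev/null 2>&1; then
    branch=$(git -C "$dir" symbolic-ref --short HEAD)
    git -C "$dir" push -u origin "$branch"
  else
    echo "No remote configured; add one with: git -C $dir remote add origin <private-repo-url>"
  fi
}

main() {
  enable_strict_mode
  mkdir -p "$WORKFLOW_DIR"
  # SC2164: never keep going in the wrong directory if cd fails.
  cd "$WORKFLOW_DIR" || { echo "cannot enter $WORKFLOW_DIR" >&2; exit 1; }
  n8n export:workflow --backup --output=./
  count=$(workflow_count .)
  if [ "$count" -eq 0 ]; then
    echo "WARN: zero workflows exported, nothing to back up" >&2
    exit 2
  fi
  ensure_repo .
  if ! scan_for_secrets .; then
    echo "ERROR: refusing to commit possible secrets; scrub the workflow first" >&2
    exit 3
  fi
  commit_if_changed .
  push_if_remote .
  echo "Backup completed: $count workflow(s) versioned"
}

# Run the full backup only when explicitly asked, so the functions can be sourced and tested.
if [ "${N8N_BACKUP_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

Run the full backup inside the container with `N8N_BACKUP_RUN=1 sh n8n-backup.sh`; without that variable the file only defines the functions.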
- Changed the git installation in the Dockerfile from the default version to a specific version (2.47.3-r0). This ensures consistency in the backup script's behavior and compatibility with existing functionality.

These modifications enhance the reliability of the n8n backup process by locking the git version used in the Docker environment.

github-actions bot commented Aug 10, 2025

🔍 Vulnerabilities of temporal-test:latest

📦 Image Reference: temporal-test:latest
digest: sha256:da30eca7154c7c4cb2616e31f7411021ea9146d5b15c68adf2a57df4c52b164c
vulnerabilities: critical: 2 high: 7 medium: 0 low: 0
platform: linux/amd64
size: 218 MB
packages: 358

📦 Base Image: alpine:3
also known as: 3.21, 3.21.3, latest
digest: sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
vulnerabilities: critical: 0 high: 0 medium: 0 low: 0

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.23.2 (golang)

pkg:golang/[email protected]

critical: CVE-2025-22871

Affected range: <1.23.8
Fixed version: 1.23.8
EPSS Score: 0.023%
EPSS Percentile: 4th percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

critical: 1 high: 0 medium: 0 low: 0 stdlib 1.23.6 (golang)

pkg:golang/[email protected]

critical: CVE-2025-22871

Affected range: <1.23.8
Fixed version: 1.23.8
EPSS Score: 0.023%
EPSS Percentile: 4th percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.36.4 (golang)

pkg:golang/go.opentelemetry.io/contrib/[email protected]#google.golang.org/grpc/otelgrpc

high 7.5: CVE-2023-47108 Allocation of Resources Without Limits or Throttling

Affected range: <0.46.0
Fixed version: 0.46.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 2.678%
EPSS Percentile: 85th percentile
Description

Summary

The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

```go
// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
```

out of the box adds labels

  • net.peer.sock.addr
  • net.peer.sock.port

that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

Details

An attacker can easily flood the peer address and port for requests.

PoC

Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.

Impact

In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and does not filter any client IP address and ports via middleware or proxies, etc.

Others

It is similar to already reported vulnerabilities.

Workaround for affected versions

As a workaround to stop being affected, a view removing the attributes can be used.

The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR #4322, to be released with v0.46.0, the attributes were removed.

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt 3.2.2+incompatible (golang)

pkg:golang/github.com/golang-jwt/[email protected]%2Bincompatible

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: >=3.2.0, <=3.2.2
Fixed version: Not Fixed
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.033%
EPSS Percentile: 8th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.7.0 (golang)

pkg:golang/golang.org/x/[email protected]

high 7.5: CVE-2025-22868 Improper Validation of Syntactic Correctness of Input

Affected range: <0.27.0
Fixed version: 0.27.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.076%
EPSS Percentile: 23rd percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 c-ares 1.34.3-r0 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.21

high: CVE-2025-31498

Affected range: <1.34.5-r0
Fixed version: 1.34.5-r0
EPSS Score: 0.199%
EPSS Percentile: 42nd percentile
Description
critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.26.0 (golang)

pkg:golang/golang.org/x/[email protected]

high 7.5: CVE-2025-22868 Improper Validation of Syntactic Correctness of Input

Affected range: <0.27.0
Fixed version: 0.27.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.076%
EPSS Percentile: 23rd percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt/v4 4.5.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@v4.5.1#v4

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: <4.5.2
Fixed version: 4.5.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.033%
EPSS Percentile: 8th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@v0.32.0

high: CVE-2025-22869

Affected range: <0.35.0
Fixed version: 0.35.0
EPSS Score: 0.188%
EPSS Percentile: 41st percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
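The two CVE-2025-30204 entries in the scan above describe an amplification that happens before any signature check: strings.Split on an attacker-controlled token allocates one slice element per period. The Go guard below is an added example, not code from this PR or from golang-jwt; it shows the cheap, allocation-free shape check a service can run on the Authorization header before the token reaches any JWT parser. The limits and the name ExtractBearerToken are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits chosen for this example (constructed, not from the advisory or the PR).
const (
	bearerPrefix  = "Bearer "
	maxTokenBytes = 8192 // a compact JWS carrying a normal set of claims is far smaller
	jwsSeparators = 2    // header.payload.signature
)

var (
	ErrNotBearer  = errors.New("authorization header is not a Bearer token")
	ErrTooLong    = errors.New("bearer token exceeds length limit")
	ErrBadSegment = errors.New("bearer token is not a three-part compact JWS")
)

// ExtractBearerToken is a hypothetical pre-parse guard written for this page.
// It rejects oversized or mis-shaped tokens with O(1) allocation: strings.Count
// walks the bytes once, whereas strings.Split (the call named in CVE-2025-30204)
// allocates one slice element per separator, so a dot-flooded token costs the
// parser roughly 16 bytes per input byte before any signature is examined.
func ExtractBearerToken(header string) (string, error) {
	if len(header) < len(bearerPrefix) ||
		!strings.EqualFold(header[:len(bearerPrefix)], bearerPrefix) { // scheme is case-insensitive
		return "", ErrNotBearer
	}
	token := strings.TrimSpace(header[len(bearerPrefix):])
	if len(token) > maxTokenBytes { // length cap first: cheapest check, bounds every later one
		return "", ErrTooLong
	}
	if token == "" || strings.Count(token, ".") != jwsSeparators {
		return "", ErrBadSegment
	}
	return token, nil // safe to hand to the JWT library's parser
}

func main() {
	// Constructed inputs: a well-shaped token and a dot flood like the advisory describes.
	for _, h := range []string{"Bearer aaa.bbb.ccc", "Bearer " + strings.Repeat(".", 1_000_000)} {
		tok, err := ExtractBearerToken(h)
		fmt.Printf("header=%d bytes token=%q err=%v\n", len(h), tok, err)
	}
}
```

Upgrading to the fixed library version is still the actual remedy; the guard only caps what a parser can be made to allocate while the upgrade is pending.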

- Updated the `n8n-backup.sh` script to include enterprise features such as POSIX compatibility, modern Git practices, and enhanced error handling.
- Improved Docker configuration with pinned git version for security compliance.
- Added comprehensive staging logic and dynamic branch detection for better version control.
- Integrated CodeRabbit AI feedback for code review improvements, resulting in a robust and maintainable backup solution.

These enhancements ensure reliable workflow versioning, security compliance, and readiness for production deployment.
… n8n backup system

- Updated `progress.md` to reflect the transition of the n8n backup system to an enterprise-grade solution, highlighting key achievements and technical enhancements.
- Added new sections in `systemPatterns.md` and `techContext.md` to document enterprise development patterns, including code review processes, POSIX compatibility, modern Git workflows, and CI/CD integration.
- Improved project statistics and system health reporting in `progress.md`, emphasizing the readiness for new task assignments and the establishment of quality processes.

These updates ensure comprehensive documentation of the recent enhancements and readiness for future development tasks.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
scripts/n8n-backup.sh (3)

18-26: Allow overriding Git identity via env vars.

Hard-coded bot name/email is fine, but enabling overrides improves portability across environments.

Apply:

 if [ ! -d ".git" ]; then
     git init -b main
-    git config --local user.name "n8n-bot"
-    git config --local user.email "[email protected]"
+    GIT_USER_NAME="${GIT_USER_NAME:-n8n-bot}"
+    GIT_USER_EMAIL="${GIT_USER_EMAIL:[email protected]}"
+    git config --local user.name "$GIT_USER_NAME"
+    git config --local user.email "$GIT_USER_EMAIL"
     echo "# n8n Workflows Backup" > README.md
     git add README.md
     git commit -m "Initial commit"
     echo "Git repository initialized"
 fi
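Review bot: As displayed, the default in `GIT_USER_EMAIL="${GIT_USER_EMAIL:[email protected]}"` is missing the `-` of the `:-` operator, so it would be a substring expansion rather than a default; it should read `${GIT_USER_EMAIL:-<default-email>}`, matching the `user.name` line above it. Also, both `git config --local` lines sit inside `if [ ! -d ".git" ]`, so the override is applied once at init and later changes to GIT_USER_NAME/GIT_USER_EMAIL never reach an existing repository; either move the two config lines outside the `if`, or rely on Git's own GIT_AUTHOR_NAME/GIT_COMMITTER_NAME and GIT_AUTHOR_EMAIL/GIT_COMMITTER_EMAIL variables, which need no config step at all.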

38-45: Optional: make push more resilient (retry) and optionally non-fatal.

Network hiccups can fail the script under set -e, even though local backup succeeded. Consider retries and an env flag to allow best-effort pushes.

-if git remote get-url origin >/dev/null 2>&1; then
-    CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
-    git push -u origin "$CURRENT_BRANCH"
-    echo "Pushed to remote repository"
+if git remote get-url origin >/dev/null 2>&1; then
+    CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+    STRICT_PUSH="${STRICT_PUSH:-0}"    # 1 = fail on push error, 0 = best-effort
+    RETRIES="${PUSH_RETRIES:-3}"
+    DELAY="${PUSH_RETRY_DELAY_SEC:-5}"
+    i=0
+    until git push -u origin "$CURRENT_BRANCH"; do
+      i=$((i+1))
+      if [ "$i" -ge "$RETRIES" ]; then
+        echo "Push failed after $RETRIES attempts."
+        [ "$STRICT_PUSH" = "1" ] && exit 1 || { echo "Continuing; local commit preserved."; break; }
+      fi
+      echo "Push failed; retrying in ${DELAY}s... ($i/$RETRIES)"
+      sleep "$DELAY"
+    done
+    [ "$i" -lt "$RETRIES" ] && echo "Pushed to remote repository"
 else
     echo "No remote repository configured"
     echo "To add remote: git remote add origin <your-repo-url>"
 fi
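Review bot: In best-effort mode (`STRICT_PUSH=0`) the script can still exit non-zero after a failed push: the `break` leaves `i` equal to `$RETRIES`, so the closing `[ "$i" -lt "$RETRIES" ] && echo "Pushed to remote repository"` evaluates false, and if this `if` is the last statement in the script that false status becomes the script's exit code, which a scheduler will report as a failed backup even though the commit succeeded. End the branch with an explicit `exit 0`, or wrap the echo in an if/else. Separately, the loop retries every failure, including permanent ones such as rejected credentials or a non-fast-forward, where retrying only delays the error; keep the retry count low or retry only on transport errors.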

8-12: Optional: add a simple lock to prevent concurrent runs.

Prevents overlapping exports/commits when triggered by multiple schedulers.

 echo "Backing up n8n workflows..."
 
+# Prevent concurrent runs
+LOCKDIR="/tmp/n8n-backup.lock"
+if mkdir "$LOCKDIR" 2>/dev/null; then
+  trap 'rmdir "$LOCKDIR"' EXIT INT TERM
+else
+  echo "Another n8n-backup is running; exiting." >&2
+  exit 1
+fi
+
 # Create workflows directory if not exists
 mkdir -p /home/node/.n8n/workflows
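Review bot: The `mkdir`-based lock is never released when the script dies without running the EXIT trap (SIGKILL, an OOM kill of the container, a `docker stop` that hits its timeout), so a stale `/tmp/n8n-backup.lock` blocks every later run until someone removes it by hand. Either write the PID into the lock directory and treat the lock as stale when that PID is gone, or use `flock` on a lock file where available, which the kernel releases automatically on process exit. Also decide whether a skipped concurrent run should be a failure (`exit 1`) or a normal no-op (`exit 0`) from the scheduler's point of view.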
📜 Review details

Configuration used: .coderabbit.yml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06799d3 and 86952a2.

⛔ Files ignored due to path filters (4)
  • memory-bank/archive/archive-redmine-65132.md is excluded by !memory-bank/**
  • memory-bank/progress.md is excluded by !memory-bank/**
  • memory-bank/systemPatterns.md is excluded by !memory-bank/**
  • memory-bank/techContext.md is excluded by !memory-bank/**
📒 Files selected for processing (3)
  • .coderabbit.yml (1 hunks)
  • Dockerfile.n8n (2 hunks)
  • scripts/n8n-backup.sh (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .coderabbit.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile.n8n
🧰 Additional context used
📓 Path-based instructions (1)
scripts/**

📄 CodeRabbit Inference Engine (.cursor/rules/project-structure.mdc)

Utility scripts for setup and maintenance should be placed in the scripts/ directory.

Files:

  • scripts/n8n-backup.sh
🧠 Learnings (2)
📚 Learning: 2025-07-28T16:44:17.362Z
Learnt from: CR
PR: speedandfunction/automatization#0
File: .cursor/rules/commit-changes-rules.mdc:0-0
Timestamp: 2025-07-28T16:44:17.362Z
Learning: Push to remote repository after committing

Applied to files:

  • scripts/n8n-backup.sh
📚 Learning: 2025-08-10T17:59:20.933Z
Learnt from: anatolyshipitz
PR: speedandfunction/automatization#93
File: scripts/n8n-backup.sh:8-15
Timestamp: 2025-08-10T17:59:20.933Z
Learning: In containerized environments where scripts run inside Docker containers with controlled images, preflight checks for commands that are explicitly installed in the Dockerfile or are part of the base image are redundant and add unnecessary complexity. The container build process itself ensures these dependencies are present.

Applied to files:

  • scripts/n8n-backup.sh
🪛 Shellcheck (0.10.0)
scripts/n8n-backup.sh

[warning] 5-5: In POSIX sh, set option pipefail is undefined.

(SC3040)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
  • GitHub Check: Service Availability Check
🔇 Additional comments (4)
scripts/n8n-backup.sh (4)

1-6: Strict, POSIX-safe setup looks good.

Guarded pipefail under /bin/sh is correct; aligns with ShellCheck guidance and portability.


11-12: Robust directory handling.

mkdir -p + guarded cd prevents proceeding in wrong dir (SC2164). Good.


28-35: Good commit gating and staging.

Using git add -A and skipping empty commits keeps history clean and captures deletions.


15-15: No change needed: --backup already includes --all

The --backup flag in the n8n CLI implicitly adds --all (plus --pretty and --separate), so your existing command will export all workflows as intended.

• File: scripts/n8n-backup.sh Line 15
Current command:

n8n export:workflow --backup --output=./

No updates required here.

Likely an incorrect or invalid review comment.

@killev killev left a comment

looks good

@killev killev disabled auto-merge August 11, 2025 12:18
@killev killev merged commit 1b8559e into main Aug 11, 2025
32 of 36 checks passed
@killev killev deleted the feature/redmine-65132-n8n-workflow-versioning branch August 11, 2025 12:18