feat: add dependabot configuration for all ecosystems

[yacosta738]

This PR adds a comprehensive Dependabot configuration file to manage dependencies across all technologies used in the Corvus repository, including GitHub Actions, Rust (Cargo), Node.js (NPM/pnpm), Kotlin/Android (Gradle), and Docker.

Key changes:

• Created `.github/dependabot.yml`.
• Configured weekly Saturday updates for all identified ecosystems.
• Covered root and nested package managers to ensure full repository coverage.

---

PR created automatically by Jules for task 9477770644586021155 started by @yacosta738

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a Dependabot configuration and updates many GitHub Actions version pins; adjusts TypeScript/Node targets and pnpm catalog entries for web clients; converts several docs links to relative paths and tweaks some localized front-matter.

Changes

Cohort / File(s)	Summary
Dependabot config ​.github/dependabot.yml	New file adding weekly Dependabot updates for multiple ecosystems (GitHub Actions, cargo, npm, Gradle, Docker) with per-ecosystem PR limits and npm grouping rules.
GitHub workflows (version pins / inputs) ​.github/workflows/*, ​.github/workflows/_publish.yml, ​.github/workflows/_build-native-binaries.yml, ​.github/workflows/auto-fix-lockfile.yml, ​.github/workflows/codeql-analysis.yml, ​.github/workflows/core-check.yml, ​.github/workflows/dependency-review.yml, ​.github/workflows/deploy-docs.yml, ​.github/workflows/detekt.yml, ​.github/workflows/fix-renovate.yml, ​.github/workflows/git-sync-labels.yml, ​.github/workflows/lychee-links.yml, ​.github/workflows/pull-request-check*.yml, ​.github/workflows/security-dependencies.yml, ​.github/workflows/sonarqube-analysis.yml	Updated action version pins/SHAs across many workflows; one workflow adds checkout_path to SARIF upload. Changes are pin updates and minor input tweaks only (no control-flow changes).
Web clients — Node / tsconfig / pnpm clients/web/package.json, clients/web/pnpm-workspace.yaml, clients/web/apps/*/package.json, clients/web/apps/*/tsconfig.node.json	Replaced @tsconfig/node24 → @tsconfig/node22 across workspace packages, lowered engines.node in clients/web/package.json to ">=22.0.0", and updated pnpm catalog entries (astro, tsconfig versions).
Apps — chat/dashboard clients/web/apps/chat/package.json, clients/web/apps/dashboard/package.json	DevDependency change: @tsconfig/node24 → @tsconfig/node22 in app package.json files.
Docs — link fixes and front-matter clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md, .../release.md, clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md, .../release.md	Converted absolute doc links to relative ./ paths for architecture and release guides, removed an id front-matter in one localized file, and made minor formatting edits.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• docs(agent-runtime): document providers and cleanup obsolete guides #134 — modifies the same docs files (architecture overview), likely overlapping link/path changes.
• feat(web): configure Codecov and Vitest coverage #133 — updates the same CI workflow (.github/workflows/pull-request-check.yml) with additional CI steps; may conflict with action pin changes.
• ci: Set up automated dependency vulnerability checks for Rust and Kotlin #104 — touches dependency/security CI workflows (dependency-review/security-dependencies) that this PR also updates.

Suggested labels

area:ci, area:rust, area:gradle, area:web

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'feat: add dependabot configuration for all ecosystems' follows Conventional Commit conventions with a 'feat' prefix, is under 72 characters (53 chars), and accurately describes the primary change—adding Dependabot configuration for multiple package ecosystems.
Description check	✅ Passed	The PR description includes the summary section explaining the purpose and scope of the Dependabot configuration across all ecosystems, though it lacks testing information and formal checklist completion despite implied compliance.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/add-dependabot-config-9477770644586021155

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	db4b48c
Status:	✅  Deploy successful!
Preview URL:	https://67b70dd6.corvus-42x.pages.dev
Branch Preview URL:	https://feat-add-dependabot-config-9.corvus-42x.pages.dev

View logs

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	89%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	9	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3056 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	398	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	2	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	91%	>= 0%	✅
Repo History Min PRs	Previous PRs in this repo	141	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-03-11 to 2026-03-11}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 1-78: Add an open-pull-requests-limit to each Dependabot update
entry (e.g., set open-pull-requests-limit: 3) and add a groups configuration for
the npm entries to collapse non-major changes (for example a group that matches
"minor and patch" updates) so Dependabot opens fewer PRs; locate the npm entries
by the lines containing package-ecosystem: "npm" (notably the "/" root,
"/clients/web", and the two "/clients/agent-runtime/npm/..." entries) and add
the open-pull-requests-limit key under each entry and a groups block (or a
shared groups definition) that groups minor/patch updates separately from major
updates.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2233d145-c327-4780-a788-c93eddbfccf6

📥 Commits

Reviewing files that changed from the base of the PR and between f4d3953 and 1e3bf78.

📒 Files selected for processing (1)

• .github/dependabot.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🔇 Additional comments (4)

.github/dependabot.yml (4)

21-53: NPM paths look correct.

Context snippets confirm package.json exists at both /clients/agent-runtime/npm/corvus-cli and /clients/agent-runtime/npm/corvus. Root and /clients/web are standard locations.

---

55-62: Gradle configuration is valid. The required settings.gradle.kts file exists at the root directory, so the Dependabot configuration will function correctly.

---

64-78: Dockerfiles exist at specified paths. Both clients/agent-runtime/Dockerfile and dev/sandbox/Dockerfile are present in the repository, confirming the dependabot.yml configuration is correct.

---

12-19: Cargo.toml exists at /clients/agent-runtime — the Dependabot configuration will work as intended.

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 32-79: Add an explicit security-updates group to each npm
package-ecosystem block so security fixes are grouped separately: in the blocks
that define package-ecosystem: "npm" (the entries under directory
"/clients/web", "/clients/agent-runtime/npm/corvus-cli", and
"/clients/agent-runtime/npm/corvus") update the groups: dependencies section to
include an applies-to: "security-updates" entry (or add a separate group named
security-updates with applies-to: "security-updates") so Dependabot will group
security fixes instead of only version updates.
- Around line 23-79: The four duplicated package-ecosystem: "npm" blocks should
be collapsed into a single npm entry: replace the multiple entries that each
repeat schedule, open-pull-requests-limit and groups with one package-ecosystem:
"npm" block that uses a directories: list containing "/", "/clients/web",
"/clients/agent-runtime/npm/corvus-cli", and
"/clients/agent-runtime/npm/corvus", preserve the schedule,
open-pull-requests-limit and groups settings, and add group-by: dependency-name
under the groups section to merge same-dependency updates across those
directories into a single PR.

In @.github/workflows/dependency-review.yml:
- Line 18: The workflow step currently pins actions/checkout to a v4 SHA ("uses:
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683") which differs from
the repo standard; update that step to use the standardized actions/checkout
v6.0.1 pin (use tag v6.0.1 or SHA 8e8c483db84b4bee98b60c0593521ed34d9990e8) so
it matches other workflows, and apply the same change to the similar reference
in security-dependencies.yml if applicable to keep all workflows aligned.

In @.github/workflows/detekt.yml:
- Line 52: The workflow uses mutable action tags (actions/checkout@v4) which
violates the repo's SHA-pinning policy; replace each mutable tag occurrence
(e.g., actions/checkout@v4 at the shown locations) with the corresponding commit
SHA form used by other workflows (actions/checkout@<full-commit-sha>) to match
the repository's pinned-action convention—update both occurrences referenced
(around the other occurrence noted) and ensure the SHA matches the canonical
release commit for actions/checkout.

In @.github/workflows/lychee-links.yml:
- Line 37: Update the lychee action reference in the workflow by changing the
version tag used in the uses line from
lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 to
lycheeverse/lychee-action@v2.8.0 (replace the commit hash with the v2.8.0 tag)
so the workflow uses lychee-action v2.8.0 which bundles lychee v0.23.0 and the
updated dependencies and args handling.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2ab38287-95cd-4a1e-8baf-6234e9bfd9fa

📥 Commits

Reviewing files that changed from the base of the PR and between 1e3bf78 and 9b92393.

⛔ Files ignored due to path filters (1)

• clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (27)

• .github/dependabot.yml
• .github/workflows/README.md
• .github/workflows/_build-native-binaries.yml
• .github/workflows/_publish.yml
• .github/workflows/auto-fix-lockfile.yml
• .github/workflows/codeql-analysis.yml
• .github/workflows/core-check.yml
• .github/workflows/dependency-review.yml
• .github/workflows/deploy-docs.yml
• .github/workflows/detekt.yml
• .github/workflows/fix-renovate.yml
• .github/workflows/git-sync-labels.yml
• .github/workflows/lychee-links.yml
• .github/workflows/pull-request-check-build-logic.yml
• .github/workflows/pull-request-check.yml
• .github/workflows/security-dependencies.yml
• .github/workflows/sonarqube-analysis.yml
• clients/web/apps/chat/package.json
• clients/web/apps/chat/tsconfig.node.json
• clients/web/apps/dashboard/package.json
• clients/web/apps/dashboard/tsconfig.node.json
• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/en/guides/release.md
• clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/es/guides/release.md
• clients/web/package.json
• clients/web/pnpm-workspace.yaml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: pr-checks
• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (2)

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• clients/web/package.json
• clients/web/apps/dashboard/package.json
• clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md
• clients/web/apps/chat/package.json
• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• clients/web/apps/chat/tsconfig.node.json
• clients/web/apps/docs/src/content/docs/en/guides/release.md
• clients/web/apps/docs/src/content/docs/es/guides/release.md
• clients/web/pnpm-workspace.yaml
• clients/web/apps/dashboard/tsconfig.node.json

**/*.{md,mdx}

⚙️ CodeRabbit configuration file

**/*.{md,mdx}: Verify technical accuracy and that docs stay aligned with code changes.
For user-facing docs, check EN/ES parity or explicitly note pending translation gaps.

Files:

• clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• clients/web/apps/docs/src/content/docs/en/guides/release.md
• clients/web/apps/docs/src/content/docs/es/guides/release.md

🧠 Learnings (3)

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

• .github/workflows/sonarqube-analysis.yml
• .github/dependabot.yml
• .github/workflows/pull-request-check-build-logic.yml
• .github/workflows/security-dependencies.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md
• .github/workflows/security-dependencies.yml

🪛 LanguageTool

clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md

[grammar] ~15-~15: Cambia la palabra o signo.
Context: ...es y sistemas externos. - Archivo: context/system-context.mmd - Formato: Mermaid - Descripción: Vi...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~25-~25: Elimina la palabra o signo.
Context: ...tainer/runtime-containers.mmd) (Mermaid) - container/runtime-containers.puml (PlantUML) - Descripción: Muestra lo...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~26-~26: Cambia la palabra o signo.
Context: ...iner/runtime-containers.puml) (PlantUML) - Descripción: Muestra los contenedores ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~36-~36: Cambia la palabra o signo.
Context: ... ### Núcleo del Runtime - Archivo: component/runtime-core.mmd - Descripción: Componentes internos del ...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

---

[grammar] ~37-~37: Cambia la palabra o signo.
Context: ... del runtime: configuración, agent loop, providers, memoria, tools, canales, segu...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_OTHER)

---

[grammar] ~40-~40: Corrige la mayúscula.
Context: ... observabilidad. ## Dependencias entre Módulos Diagrama adicional mostrando las depende...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~42-~42: Corrige la mayúscula.
Context: ...adicional mostrando las dependencias de Cargo entre módulos del workspace. - **Archi...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~44-~44: Cambia la palabra o signo.
Context: ... módulos del workspace. - Archivo: cargo-dependencies.mmd - Descripción: Muestra la estructura del...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

clients/web/apps/docs/src/content/docs/es/guides/release.md

[grammar] ~12-~12: Agrega una palabra o signo.
Context: ...der publicar, asegúrate de tener: 1. Clave GPG configurada: Sigue la [Guía de Co...

(QB_NEW_ES_OTHER_ERROR_IDS_MISSING_OTHER)

---

[grammar] ~12-~12: Elimina la palabra o signo.
Context: ...guración GPG](./gpg-setup/) para crear y configurar tu clave de firma 2. **Acceso...

(QB_NEW_ES_OTHER_ERROR_IDS_UNNECESSARY_SPACE)

---

[grammar] ~262-~262: Corrige la mayúscula.
Context: ...a features) ## Ver También - Guía de Configuración GPG - [GitHub Workflows]...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_ORTHOGRAPHY_UPPERCASE)

---

[grammar] ~262-~262: Cambia la palabra o signo.
Context: ...er También - Guía de Configuración GPG - [GitHub Workflows](https://github.com/dal...

(QB_NEW_ES_OTHER_ERROR_IDS_REPLACEMENT_SPACE)

🔇 Additional comments (14)

clients/web/apps/docs/src/content/docs/es/guides/architecture/overview.md (1)

15-44: Relative diagram links look correct.

Switching these references to ./diagrams/... keeps the Spanish page aligned with the English version and makes the links consistent within this nested docs section.

As per coding guidelines, user-facing docs should "Verify technical accuracy and that docs stay aligned with code changes" and "check EN/ES parity or explicitly note pending translation gaps."

clients/web/apps/docs/src/content/docs/en/guides/architecture/overview.md (1)

15-44: These relative links are consistent and safe.

All updated diagram references now use the same ./diagrams/... convention, and the English page stays aligned with the Spanish counterpart.

As per coding guidelines, user-facing docs should "Verify technical accuracy and that docs stay aligned with code changes" and "check EN/ES parity or explicitly note pending translation gaps."

clients/web/apps/docs/src/content/docs/es/guides/release.md (1)

12-13: Relative GPG links look correct.

Both updates keep the Spanish guide linked to its sibling page under the same locale, which is the safer docs pattern here.

Also applies to: 262-262

clients/web/apps/docs/src/content/docs/en/guides/release.md (2)

12-12: EN/ES parity confirmed for GPG setup guide links. Both versions use consistent relative link format (./gpg-setup/) and corresponding guide files exist in both language directories.

---

12-12: The relative links correctly target clients/web/apps/docs/src/content/docs/en/guides/gpg-setup.md, which exists in the repository. Astro/Starlight automatically resolves .md files to clean URLs with trailing slashes, so both the original absolute format (/guides/gpg-setup/) and the new relative format (./gpg-setup/) are compatible and will not produce broken links. No issues found.

clients/web/pnpm-workspace.yaml (1)

17-17: The premise of this review is incorrect. envField, astro:env/client, and defineCollection({ loader }) are not exclusive to Astro 6—they are all available in Astro 5+. The apps are already using Astro 5.18.0 with these APIs, and there is no breaking change here.

			> Likely an incorrect or invalid review comment.

.github/workflows/README.md (1)

507-507: LGTM!

Documentation examples correctly updated to reflect the new SHA-pinned action versions. Consistent with the workflow changes in this PR.

Also applies to: 566-577

.github/workflows/core-check.yml (1)

42-42: LGTM!

Action versions consistently pinned by SHA, matching the repository-wide standardization in this PR.

Also applies to: 47-47, 53-53

.github/workflows/codeql-analysis.yml (1)

38-38: LGTM!

All actions properly SHA-pinned. CodeQL action versions are consistent across init and analyze steps, ensuring compatibility.

Also applies to: 41-41, 46-46, 52-52, 63-63, 81-81, 85-85

clients/web/apps/dashboard/package.json (1)

33-33: LGTM!

Correctly aligns @tsconfig/node22 with the engines.node >= 22.0.0 requirement on line 8. Using the tsconfig matching your minimum supported Node version is appropriate.

.github/workflows/detekt.yml (1)

129-129: LGTM!

Adding checkout_path helps the SARIF upload action correctly map artifact locations.

.github/workflows/dependency-review.yml (1)

21-21: Action version is SHA-pinned - good.

The dependency-review-action is properly pinned by SHA.

.github/workflows/fix-renovate.yml (1)

71-71: LGTM!

All actions properly SHA-pinned and consistent with the repository-wide version standard.

Also applies to: 89-89, 94-94, 100-100

.github/workflows/lychee-links.yml (1)

34-34: LGTM!

Checkout action properly SHA-pinned and consistent with repository standard.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

.github/dependabot.yml (1)

42-43: ⚠️ Potential issue | 🟡 Minor

security-updates group missing patterns field.

The group only specifies applies-to but lacks a patterns matcher, so Dependabot won't know which dependencies to include.

🔧 Suggested fix

       security-updates:
         applies-to: "security-updates"
+        patterns:
+          - "*"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 42 - 43, The "security-updates" group is
missing a patterns matcher so Dependabot can't select dependencies; update the
security-updates group by adding a patterns field (e.g., a list with a catch-all
like ".*" or explicit dependency name patterns) so the group will match the
intended packages—modify the security-updates group entry to include patterns:
with one or more regex/string patterns to capture the dependencies you want
included.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 1-71: Dependabot currently configures package-ecosystem entries
for "github-actions", "cargo", "npm", "gradle" and "docker" which overlap with
Renovate; remove or disable the overlapping entries by either deleting the
package-ecosystem blocks for "github-actions", "cargo", "npm", "gradle" and
"docker" from this Dependabot config or conversely disable those managers in the
Renovate config so only one tool manages each ecosystem (look for the
package-ecosystem keys and the "directories" / "directories:" lists to update).

In @.github/workflows/dependency-review.yml:
- Line 18: The inline comment after the actions/checkout step is incorrect:
update the comment next to "uses:
actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" to reflect the actual
release tag for that pinned SHA (v6.0.1) so the annotation matches the locked
SHA in the workflow file.

In @.github/workflows/lychee-links.yml:
- Line 37: Replace the mutable tag on the GitHub Action usage so it’s pinned to
the immutable SHA: change the uses entry currently referencing
lycheeverse/lychee-action@v2.8.0 to use the exact commit SHA
8646ba30535128ac92d33dfc9133794bfdd9b411 and update the inline comment to
reflect v2.8.0; locate the uses line for lycheeverse/lychee-action in the
workflow and swap the tag and comment accordingly.

---

Duplicate comments:
In @.github/dependabot.yml:
- Around line 42-43: The "security-updates" group is missing a patterns matcher
so Dependabot can't select dependencies; update the security-updates group by
adding a patterns field (e.g., a list with a catch-all like ".*" or explicit
dependency name patterns) so the group will match the intended packages—modify
the security-updates group entry to include patterns: with one or more
regex/string patterns to capture the dependencies you want included.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5d0131d4-1303-43e5-afca-827c6b05e75a

📥 Commits

Reviewing files that changed from the base of the PR and between 9b92393 and 8c461e9.

📒 Files selected for processing (5)

• .github/dependabot.yml
• .github/workflows/dependency-review.yml
• .github/workflows/detekt.yml
• .github/workflows/lychee-links.yml
• .github/workflows/security-dependencies.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: pr-checks
• GitHub Check: Cloudflare Pages

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

• .github/workflows/detekt.yml
• .github/workflows/security-dependencies.yml
• .github/dependabot.yml

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

• .github/workflows/security-dependencies.yml

🔇 Additional comments (5)

.github/workflows/security-dependencies.yml (4)

14-34: LGTM on workflow structure.

The rust-audit job correctly pins actions to SHAs (good supply-chain hygiene), uses stable Rust, and runs cargo-deny check advisories in the correct directory.

---

36-54: LGTM on Kotlin dependency submission job.

Permissions are properly scoped to contents: write, Java 21 setup is appropriate, and Gradle dependency submission action is pinned.

---

27-27: SHA is correct for v2.68.14. No action needed.

---

19-19: Update version comment to v6.0.1.

The SHA 8e8c483db84b4bee98b60c0593521ed34d9990e8 corresponds to v6.0.1, not v4.2.2. The inline comment on line 19 is outdated and should be corrected to match the actual version.

			> Likely an incorrect or invalid review comment.

.github/dependabot.yml (1)

36-41: group-by: dependency-name is valid Dependabot syntax and will be recognized correctly.

The group-by key is officially supported by Dependabot (as of February 2026) and is documented in GitHub's configuration reference. This will not be silently ignored—the grouping intent will be applied as configured.

			> Likely an incorrect or invalid review comment.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud