diff --git a/standards/dependabot-policy.md b/standards/dependabot-policy.md index 66ad686..4a3be07 100644 --- a/standards/dependabot-policy.md +++ b/standards/dependabot-policy.md @@ -200,10 +200,40 @@ The workflow fails if any known vulnerability is found, blocking the PR from mer 1. Copy the appropriate `dependabot.yml` template to `.github/dependabot.yml`, adjusting `directory` paths as needed. 2. Add `workflows/dependabot-automerge.yml` to `.github/workflows/`. -3. Add `workflows/dependabot-rebase.yml` to `.github/workflows/`. +3. Add `workflows/dependabot-rebase.yml` to `.github/workflows/` **only if the + repo enforces strict required-status-checks** (i.e., "branches must be up + to date before merging" is on, either via the new ruleset system's + `strict_required_status_checks_policy: true` or classic branch protection's + `required_status_checks.strict: true`). If strict checks are off, the + rebase workflow is unnecessary because Dependabot PRs that fall behind can + merge as-is — adding it just creates churn and failure noise. 4. Add `workflows/dependency-audit.yml` to `.github/workflows/`. -5. Ensure the repository has the GitHub App secrets (`APP_ID`, `APP_PRIVATE_KEY`) - configured for auto-merge and rebase. +5. **GitHub App secrets** — `APP_ID` and `APP_PRIVATE_KEY` are managed at the + **organization level** (`gh secret set --org petry-projects --visibility all`), + not per-repo. Caller stubs use `secrets: inherit` so any repo with at least + one centralized dependabot workflow picks them up automatically. Per-repo + `APP_ID` / `APP_PRIVATE_KEY` settings are deprecated drift — once the org + secrets are confirmed in place, delete any per-repo copies so there's a + single source of truth and rotations propagate everywhere. + + **Verify before deleting per-repo copies.** Run + + ```bash + gh secret list --org petry-projects | grep -E '^(APP_ID|APP_PRIVATE_KEY)\s' + ``` + + to confirm both org-level secrets exist with `visibility: all`. Then + confirm the dependabot caller stubs in the target repo include + `secrets: inherit` (they will if copied verbatim from + `standards/workflows/dependabot-automerge.yml` and + `standards/workflows/dependabot-rebase.yml`). Only after both checks + pass should you run `gh secret delete APP_ID --repo ` etc. to + clean up the per-repo copies — otherwise the workflow falls back to + nothing and `gh pr review` calls fail with `Secret APP_ID is required`. 6. Create the `security` and `dependencies` labels in the repository if they don't already exist. -7. Add `dependency-audit` as a required status check in branch protection rules. +7. Add `dependency-audit / Detect ecosystems` as a required status check in + branch protection rules. Do **not** require the per-ecosystem audit jobs + (`npm audit`, `govulncheck`, `cargo audit`, `pip-audit`, `pnpm audit`) — + they're conditional on lockfile presence and report `SKIPPED` when absent, + and a required-but-skipped check fails the merge gate.