chore: align Dependabot config with security-only standards#54
Conversation
Add npm, gomod, and terraform ecosystems to dependabot.yml with security/dependencies labels. Add dependency-audit workflow for CI vulnerability scanning. Aligns with petry-projects/.github#9. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walkthrough
Dependabot configuration expanded into multiple ecosystem blocks and YAML quoting standardized; a new dependency-audit GitHub Actions workflow was added to detect ecosystems and run per-ecosystem audits; dependabot-automerge workflow logic and eligibility were changed; package.json pnpm overrides and a Go module patch were added.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    autonumber
    participant GH as GitHub Events
    participant Detect as Detect Job
    participant AuditNPM as audit-npm
    participant AuditPNPM as audit-pnpm
    participant AuditGo as audit-go
    participant AuditCargo as audit-cargo
    participant AuditPip as audit-pip
    GH->>Detect: on push / pull_request to main
    Detect->>Detect: scan repo for manifests\n(package-lock.json, pnpm-lock.yaml, go.mod, Cargo.toml, pyproject/requirements)
    Detect-->>AuditNPM: npm=true
    Detect-->>AuditPNPM: pnpm=true
    Detect-->>AuditGo: gomod=true
    Detect-->>AuditCargo: cargo=true
    Detect-->>AuditPip: pip=true
    AuditNPM->>AuditNPM: setup Node\nrun npm audit per project
    AuditPNPM->>AuditPNPM: setup Node\nrun pnpm audit per project
    AuditGo->>AuditGo: install govulncheck\nrun govulncheck ./...
    AuditCargo->>AuditCargo: install cargo-audit\nrun cargo audit (generate lock if needed)
    AuditPip->>AuditPip: setup Python\nrun pip-audit per project
    AuditNPM->>GH: report results (fail on non-zero)
    AuditPNPM->>GH: report results (fail on non-zero)
    AuditGo->>GH: report results (fail on non-zero)
    AuditCargo->>GH: report results (fail on non-zero)
    AuditPip->>GH: report results (fail on non-zero)
```
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/dependency-audit.yml (1)
46-51: Cargo detection only checks repository root.
The check `[ -f "Cargo.lock" ]` only looks at the root directory, unlike the npm and Go detection which use `find`. If Rust projects exist in subdirectories, they won't be detected.
♻️ Optional: Use find for consistency with other ecosystems
```diff
 # Cargo
-if [ -f "Cargo.lock" ]; then
+if find . -name 'Cargo.lock' | grep -q .; then
   echo "cargo=true" >> "$GITHUB_OUTPUT"
 else
   echo "cargo=false" >> "$GITHUB_OUTPUT"
 fi
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/dependency-audit.yml around lines 46 - 51, The current root-only Rust detection uses the conditional check `[ -f "Cargo.lock" ]`; replace this with a repository-wide search that looks for any file named "Cargo.lock" (using find and stopping at the first match) and then write "cargo=true" or "cargo=false" to "$GITHUB_OUTPUT" as before; update the block containing the `[ -f "Cargo.lock" ]` check so it mirrors the npm/Go logic (repository-wide find) while still emitting the same "cargo=true"/"cargo=false" outputs to GITHUB_OUTPUT.
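Review bot: the suggested `find . -name 'Cargo.lock' | grep -q .` carries no path exclusion, unlike the npm check in the same detect step, which skips `node_modules`; a Cargo.lock inside a vendored or generated tree would set `cargo=true`, and if audit-cargo then runs at the repository root it may find no Cargo.toml there. Mirror the npm detection with `-not -path '*/node_modules/*'` (and exclude `target/`), and have audit-cargo iterate over the directories the search found rather than assuming the root.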
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-audit.yml:
- Around line 32-37: The workflow currently detects npm by searching for
package-lock.json in the shell block that sets the "$GITHUB_OUTPUT" variable;
because this repo uses pnpm (pnpm-lock.yaml), that check always yields false.
Update the detection block to also check for pnpm-lock.yaml (e.g., use find to
look for either package-lock.json or pnpm-lock.yaml) and set the output
accordingly (or add a separate pnpm=true output) so the audit job runs when
pnpm-lock.yaml is present; modify the existing if condition that writes
"npm=true"/"npm=false" to include pnpm-lock.yaml detection or add a new
conditional that writes "pnpm=true"/"pnpm=false".
- Around line 60-73: The workflow job audit-npm currently runs npm audit which
is incompatible with a pnpm-managed repo; update the "Audit npm dependencies"
step (and its run command) to use pnpm audit (e.g., run: pnpm audit
--audit-level=moderate) and add a preceding step to ensure pnpm is available —
either enable Corepack (run: corepack enable) after setup-node or add the
pnpm/action-setup step to install a specific pnpm version; keep the existing
conditional (needs.detect.outputs.npm) logic consistent or adjust it to detect
pnpm if required.
- Around line 90-97: The current "Audit Go dependencies" step uses find ... |
while read which runs the loop in a subshell so non-zero exits from govulncheck
are lost; change the step so each module runs in a shell whose exit code is
propagated (e.g. replace the piped while loop with an xargs or sh -c invocation)
so that govulncheck failures cause the step to fail—update the run block that
calls govulncheck (the logic referencing find, govulncheck, and the grouping
echo lines) to use xargs -I{} sh -c '... && govulncheck ./... && ...' or an
equivalent construct that preserves the exit code.
Files selected for processing (2)
- .github/dependabot.yml
- .github/workflows/dependency-audit.yml
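The exit-status problem the govulncheck prompt above describes (a `find | while read` loop runs in a subshell, so a failing module never fails the step), shown as an added shell example that is not code from this PR's workflow. Both function names and the AUDIT_CMD variable are chosen here; AUDIT_CMD defaults to govulncheck, which is assumed to be installed in CI, and is overridable so the loop can be exercised with any command.

```shell
#!/bin/sh
# Added example, not the PR's workflow. AUDIT_CMD is an assumed variable name;
# it defaults to govulncheck (assumed installed in CI) and can be overridden.

# audit_go_modules_piped <root>: the pattern the review flags. Piping find
# into `while` runs the loop body in a subshell, so rc=1 is set in a copy that
# vanishes when the loop ends and the function returns 0 even when a module
# fails. Kept here only to show the failure mode.
audit_go_modules_piped() {
  root="$1"
  cmd="${AUDIT_CMD:-govulncheck ./...}"
  rc=0
  find "$root" -name go.mod ! -path '*/vendor/*' | while read -r modfile; do
    dir=$(dirname "$modfile")
    (cd "$dir" && sh -c "$cmd") || rc=1
  done
  return "$rc"
}

# audit_go_modules <root>: same loop without the pipe. The module list is
# expanded into a for loop in the current shell, so rc survives and the
# caller (an Actions `run:` step) sees a non-zero exit status.
audit_go_modules() {
  root="$1"
  cmd="${AUDIT_CMD:-govulncheck ./...}"
  modules=$(find "$root" -name go.mod ! -path '*/vendor/*')
  if [ -z "$modules" ]; then
    echo "no Go modules under $root"
    return 0
  fi
  rc=0
  old_ifs=$IFS
  IFS='
'
  for modfile in $modules; do
    dir=$(dirname "$modfile")
    echo "::group::$dir"
    if (cd "$dir" && sh -c "$cmd"); then
      echo "ok: $dir"
    else
      echo "::error::audit failed in $dir"
      rc=1
    fi
    echo "::endgroup::"
  done
  IFS=$old_ifs
  return "$rc"
}
```

In the workflow this would be the body of the "Audit Go dependencies" step, called as `audit_go_modules .`; the `::group::`/`::error::` lines are the same workflow commands the original step uses for log grouping, and the non-zero return is what makes the step, and therefore the PR check, fail.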
Pull request overview
Aligns repository dependency automation with org “security-only” standards by expanding Dependabot coverage and adding a CI vulnerability audit workflow that runs on PRs and main.
Changes:
- Expanded .github/dependabot.yml to include npm, Go modules, Terraform, and GitHub Actions with consistent labeling.
- Added .github/workflows/dependency-audit.yml to detect ecosystems and run corresponding vulnerability audits on PRs/pushes to main.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/dependency-audit.yml | New workflow to detect package ecosystems and run vulnerability audits in CI. |
| .github/dependabot.yml | Adds multiple ecosystems and labels to Dependabot update configuration. |
```shell
# npm
if find . -name 'package-lock.json' -not -path '*/node_modules/*' | grep -q .; then
  echo "npm=true" >> "$GITHUB_OUTPUT"
else
  echo "npm=false" >> "$GITHUB_OUTPUT"
fi
```
The npm ecosystem detection is checking for package-lock.json, but this repo uses pnpm-lock.yaml (see repo root). As a result, the npm audit job will never run. Update detection to also (or instead) check for pnpm-lock.yaml (and/or yarn.lock if applicable).
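A detect step that covers the finding above (pnpm-lock.yaml is not recognised) and the earlier CodeRabbit nitpick (Cargo.lock is only checked at the root), written as an added shell example rather than the PR's own code. `has_file` and `detect_ecosystems` are names chosen here; the set of manifests is taken from the workflow walkthrough and is an assumption about what the repository wants audited.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Searches the whole tree for each
# manifest, distinguishes npm from pnpm and yarn, and prints the key=value
# lines a detect job appends to $GITHUB_OUTPUT.

# has_file <root> <filename>: succeeds if a file with that name exists
# anywhere under <root>, ignoring node_modules and vendor trees so a
# dependency's own lockfile cannot switch an ecosystem on.
has_file() {
  find "$1" -name "$2" ! -path '*/node_modules/*' ! -path '*/vendor/*' | grep -q .
}

# detect_ecosystems <root>: prints one key=value line per ecosystem.
detect_ecosystems() {
  root="$1"
  # name:filename pairs; a hit anywhere in the tree sets the flag, unlike a
  # root-only `[ -f Cargo.lock ]` test.
  for pair in npm:package-lock.json pnpm:pnpm-lock.yaml yarn:yarn.lock \
              gomod:go.mod cargo:Cargo.lock; do
    name=${pair%%:*}
    if has_file "$root" "${pair#*:}"; then
      echo "$name=true"
    else
      echo "$name=false"
    fi
  done
  # Python has two common manifests; either one is enough to run pip-audit.
  if has_file "$root" requirements.txt || has_file "$root" pyproject.toml; then
    echo "pip=true"
  else
    echo "pip=false"
  fi
}
```

In the workflow the detect job would run `detect_ecosystems . >> "$GITHUB_OUTPUT"` and each audit job would key its `if:` on `needs.detect.outputs.<name>`; with a separate `pnpm` flag the pnpm job can install pnpm and run `pnpm audit` instead of `npm audit` reading a lockfile it does not understand.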
```yaml
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
  with:
    node-version: "lts/*"

- name: Audit npm dependencies
  run: npm audit --audit-level=moderate
```
This job runs npm audit, but the repo uses pnpm (pnpm-lock.yaml + pnpm-workspace.yaml) and CI installs deps with pnpm install. npm audit won’t audit the pnpm lockfile. Consider installing pnpm (e.g., via pnpm/action-setup) and running pnpm audit (potentially recursive for a workspace) so audits actually cover the repo’s JS deps.
```yaml
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
  with:
    node-version: "lts/*"
```
node-version: "lts/*" can change over time and diverge from the version used elsewhere in CI (currently Node 20). Pinning the same major/minor as the rest of the repo helps keep audit results stable and avoids unexpected workflow breakages when the LTS line advances.
Suggested change:
```diff
-    node-version: "lts/*"
+    node-version: "20"
```
```yaml
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
  with:
    go-version: "stable"
```
go-version: "stable" makes the audit non-reproducible and may not match the Go version the repo targets (apps/api/go.mod and CI use a specific Go version). Pin to the repo’s Go version to avoid unexpected failures when a new stable Go release lands.
Suggested change:
```diff
-    go-version: "stable"
+    go-version-file: "apps/api/go.mod"
```
```yaml
- name: Install govulncheck
  run: go install golang.org/x/vuln/cmd/govulncheck@latest
```
Installing audit tools from the network without pinning versions (govulncheck@latest, cargo install cargo-audit, pip install pip-audit) makes results non-deterministic and can break the workflow if a new release introduces a behavior change. Prefer pinning tool versions (and using --locked/hashes where available) for repeatable CI.
- Bump go-chi/chi v5.2.1 -> v5.2.2 (GO-2025-3770 host header injection)
- Add pnpm overrides for 5 transitive vulnerabilities: @xmldom/xmldom >=0.8.12, lodash >=4.18.0, tmp >=0.2.4, @tootallnate/once >=3.0.1
- Strip template "Copy to..." header comments from workflow files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yml (1)
46-60: Make the ecosystem guard real, or remove the header claim.
`ECOSYSTEM` is only logged here. That means the "defense-in-depth by also checking the package ecosystem" comment is not actually enforced; if another Dependabot ecosystem gets added later, its patch/minor PRs become eligible automatically.
♻️ Suggested hardening
```diff
 ECOSYSTEM="${{ steps.metadata.outputs.package-ecosystem }}"
+
+case "$ECOSYSTEM" in
+  github-actions|npm|gomod|terraform) ;;
+  *)
+    echo "eligible=false" >> "$GITHUB_OUTPUT"
+    echo "Skipping: unsupported ecosystem $ECOSYSTEM"
+    exit 0
+    ;;
+esac
```
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/dependabot-automerge.yml around lines 46 - 60, The workflow currently only logs ECOSYSTEM but does not enforce it; update the eligibility logic in the Dependabot job so ECOSYSTEM (steps.metadata.outputs.package-ecosystem) is actually checked before echoing "eligible=true". Specifically, add a guard that only allows known safe ecosystems (e.g., a whitelist array like npm, pip, github-actions, etc.) and combine that with the existing UPDATE_TYPE and DEP_TYPE checks, or else remove the comment claiming an ecosystem check; ensure the final "eligible=true" only runs after the ECOSYSTEM guard passes.
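Review bot: the context line `ECOSYSTEM="${{ steps.metadata.outputs.package-ecosystem }}"` expands the expression into the script text before bash parses it; the value comes from dependabot/fetch-metadata, so the risk is low, but the safer pattern for any `${{ }}` inside `run:` is to pass it through `env:` and read `"$ECOSYSTEM"` in the script, so the allowlist `case` never sees shell metacharacters. The allowlist in the added `case` also has to be kept in step with the ecosystems listed in .github/dependabot.yml, or a newly added ecosystem silently stops auto-merging.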
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 48-55: The current if block using UPDATE_TYPE and DEP_TYPE lets
indirect updates bypass the major-check; update the condition inside the if (the
block testing "$UPDATE_TYPE" and "$DEP_TYPE") so that indirect semver-major
updates are explicitly rejected — e.g., ensure you set eligible=false when
UPDATE_TYPE is not version-update:semver-patch or version-update:semver-minor OR
when DEP_TYPE == "indirect" and UPDATE_TYPE == "version-update:semver-major";
modify the existing if that references UPDATE_TYPE and DEP_TYPE to include that
explicit check so indirect major updates are not eligible for auto-merge.
Files ignored due to path filters (2)
- apps/api/go.sum is excluded by !**/*.sum
- pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
Files selected for processing (5)
- .github/dependabot.yml
- .github/workflows/dependabot-automerge.yml
- .github/workflows/dependency-audit.yml
- apps/api/go.mod
- package.json
Files skipped from review due to trivial changes (1)
- apps/api/go.mod
Files skipped from review as they are similar to previous changes (2)
- .github/dependabot.yml
- .github/workflows/dependency-audit.yml
```bash
# Must be patch, minor, or indirect
if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && \
      "$UPDATE_TYPE" != "version-update:semver-minor" && \
      "$DEP_TYPE" != "indirect" ]]; then
  echo "eligible=false" >> "$GITHUB_OUTPUT"
  echo "Skipping: major update requires human review"
  exit 0
fi
```
Don't auto-merge indirect semver-major updates.
This condition makes any dependency-type=indirect eligible, so an indirect version-update:semver-major falls through to eligible=true even though the workflow header says majors always require human review.
🛠️ Proposed fix
- # Must be patch, minor, or indirect
- if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && \
- "$UPDATE_TYPE" != "version-update:semver-minor" && \
- "$DEP_TYPE" != "indirect" ]]; then
+ # Major updates always require human review
+ if [[ "$UPDATE_TYPE" == "version-update:semver-major" ]]; then
+ echo "eligible=false" >> "$GITHUB_OUTPUT"
+ echo "Skipping: major update requires human review"
+ exit 0
+ fi
+
+ # Must be patch, minor, or indirect
+ if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && \
+ "$UPDATE_TYPE" != "version-update:semver-minor" && \
+ "$DEP_TYPE" != "indirect" ]]; then
echo "eligible=false" >> "$GITHUB_OUTPUT"
- echo "Skipping: major update requires human review"
+ echo "Skipping: unsupported update type"
exit 0
fi
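Review bot: with the new semver-major guard in front, the `"$DEP_TYPE" != "indirect"` clause in the second block still admits an indirect dependency whose update-type is anything other than the three semver values (an empty value included), so an unclassified indirect update is auto-merged while the same update on a direct dependency is not. If the intent is that only patch and minor updates auto-merge, drop the indirect clause so update-type alone decides; if indirect updates are meant to be exempt, say so in the comment, since "Must be patch, minor, or indirect" no longer matches the message "unsupported update type".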
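The two eligibility findings on dependabot-automerge.yml (the ecosystem is logged but never enforced; an indirect semver-major update falls through to eligible=true) combined into one decision function, as an added shell example that is not the PR's workflow. The arguments are the three values dependabot/fetch-metadata exposes (update-type, dependency-type, package-ecosystem); the function name and the ecosystem allowlist are assumptions, the latter taken from the ecosystems this PR adds to dependabot.yml.

```shell
#!/bin/sh
# Added example, not the PR's workflow.
# dependabot_eligible <update-type> <dependency-type> <ecosystem>
# Prints the same eligible=... / Skipping: ... lines the workflow writes and
# returns 0 only when the PR may be auto-merged.
dependabot_eligible() {
  update_type="$1"
  dep_type="$2"
  ecosystem="$3"

  # Defense in depth: the ecosystem is enforced, not just logged. The list is
  # an assumption mirroring this PR's dependabot.yml.
  case "$ecosystem" in
    github-actions|npm|gomod|terraform) ;;
    *)
      echo "eligible=false"
      echo "Skipping: unsupported ecosystem '$ecosystem'"
      return 1 ;;
  esac

  # Majors always need a human, whatever the dependency type. Checking this
  # before the indirect exemption closes the gap the review points out.
  if [ "$update_type" = "version-update:semver-major" ]; then
    echo "eligible=false"
    echo "Skipping: major update requires human review"
    return 1
  fi

  # Patch and minor are fine; anything else (including an unclassified
  # update) is tolerated only for indirect dependencies, as the original
  # condition intended.
  case "$update_type" in
    version-update:semver-patch|version-update:semver-minor) ;;
    *)
      if [ "$dep_type" != "indirect" ]; then
        echo "eligible=false"
        echo "Skipping: unsupported update type '$update_type'"
        return 1
      fi ;;
  esac

  echo "eligible=true"
  return 0
}
```

In a `run:` step the three inputs would come from `env:` entries bound to the fetch-metadata outputs, and only the `eligible=` line of the output belongs in `$GITHUB_OUTPUT`; the `Skipping:` lines are for the job log.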
Summary
- .github/dependabot.yml to cover all four ecosystems (npm, gomod, terraform, github-actions) with security and dependencies labels on every entry
- .github/workflows/dependency-audit.yml — CI workflow that auto-detects ecosystems and runs npm audit, govulncheck, cargo audit, or pip-audit as appropriate, failing the build on known vulnerabilities
- dependabot-automerge.yml unchanged — it already matches the org standard (top-level permissions: {}, job-level least-privilege, GitHub App token for approve+merge) and includes useful enhancements (review thread resolution, --automerge)
Implements the security-only Dependabot standards from petry-projects/.github#9.
Test plan
- dependency-audit workflow runs on PR and detects npm + Go ecosystems
- dependabot-automerge continues to auto-merge patch/minor Dependabot PRs
🤖 Generated with Claude Code