
chore: align Dependabot config with security-only standards #40

Merged
don-petry merged 3 commits into main from chore/dependabot-security-standards
Apr 4, 2026

Conversation

don-petry (Contributor) commented Apr 3, 2026

Summary

  • dependabot.yml: Added npm (root) and gomod (/markets-api) ecosystems alongside existing github-actions. All entries now include security and dependencies labels for consistent triage.
  • dependabot-automerge.yml: Updated to match the org standard — uses --admin merge instead of --auto, removes thread-resolution logic, and keeps least-privilege permissions (contents: read, pull-requests: read) at job level.
  • dependency-audit.yml: New workflow (copied from org standards) that auto-detects ecosystems and runs npm audit / govulncheck on PRs and pushes to main. Recommend adding dependency-audit as a required status check.

Test plan

  • Verify Dependabot opens PRs with security and dependencies labels for npm, gomod, and github-actions
  • Confirm automerge workflow still triggers and merges patch/minor Dependabot PRs
  • Confirm dependency-audit workflow runs on next PR and correctly detects npm + gomod ecosystems

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added a repository-level dependency audit that scans npm, Go, Rust, and Python projects and fails on detected vulnerabilities.
    • Split and scheduled dependency updates on a weekly cadence and added security/dependencies labels for update PRs.
    • Updated auto-merge workflow to compute eligibility, simplify merge steps, remove thread-resolution logic and unused variables, and adjust token handling.

Add npm and gomod ecosystems to dependabot.yml with security/dependencies
labels. Update automerge workflow to match org standard (--admin merge,
drop thread-resolution logic). Add dependency-audit workflow for
vulnerability scanning on PRs and pushes to main.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 3, 2026 18:38
coderabbitai Bot commented Apr 3, 2026

Walkthrough

Updated Dependabot configuration to use double-quoted scalars and add labels to the github-actions update; refactored the dependabot-automerge workflow to add an eligibility check, simplify approval/merge steps and remove thread-resolution GraphQL logic; and added a new dependency-audit workflow that conditionally runs multi-ecosystem vulnerability scans.

Changes

Cohort / File(s): Summary

Dependabot config (.github/dependabot.yml): Switched scalar quoting to double quotes and added a labels: ["security","dependencies"] field to the github-actions update entry; no other behavioral changes to open-pull-requests-limit (remains 10).

Dependabot auto-merge workflow (.github/workflows/dependabot-automerge.yml): Changed token interpolation to double-quoted form; added a Determine if auto-merge eligible step (outputs eligible) and gated App token/auto-merge on steps.eligible.outputs.eligible == 'true'; removed GraphQL thread-resolution and related env vars; replaced prior approve/resolve-and-merge script with an approve + gh pr merge --auto --squash "$PR_URL" flow.

Dependency audit workflow, new (.github/workflows/dependency-audit.yml): New workflow that detects manifests (package-lock.json, go.mod, Cargo.toml, pyproject.toml, requirements.txt) and conditionally runs npm audit, govulncheck, cargo audit, and pip-audit across discovered directories; any failing audit causes the job to fail.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Detect as Detect Job
    participant NPM as NPM Audit
    participant Go as Govulncheck
    participant Cargo as Cargo Audit
    participant Pip as Pip-Audit

    GH->>Detect: workflow trigger (push / pull_request)
    Detect->>Detect: scan repo for manifests
    Detect-->>GH: output flags (npm, gomod, cargo, pip)

    alt npm detected
        GH->>NPM: run npm audit per package-lock.json
        NPM-->>GH: emit results (pass/fail)
    end

    alt go.mod detected
        GH->>Go: run govulncheck in go.mod dirs
        Go-->>GH: emit results (pass/fail)
    end

    alt Cargo.toml detected
        GH->>Cargo: generate lockfile if needed, run cargo audit
        Cargo-->>GH: emit results (pass/fail)
    end

    alt pyproject/requirements detected
        GH->>Pip: run pip-audit per directory
        Pip-->>GH: emit results (pass/fail)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


Pre-merge checks: 3 passed

Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: Passed. The PR title 'chore: align Dependabot config with security-only standards' clearly describes the main change in the changeset. However, the actual changes extend beyond just Dependabot configuration alignment—they include a new dependency-audit workflow and significant updates to the automerge workflow. While the title captures the Dependabot config aspect, it partially misrepresents the full scope by suggesting a 'security-only' focus when the changes also add dependencies label and a new audit workflow.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Copilot AI left a comment

Pull request overview

Aligns repository dependency automation with org “security-only” standards by expanding Dependabot coverage and standardizing supporting GitHub Actions workflows for auto-merge and dependency auditing.

Changes:

  • Expanded .github/dependabot.yml to include npm and gomod ecosystems and standardized labels across all entries.
  • Updated Dependabot auto-merge workflow to match org standard behavior (approval + squash merge).
  • Added a new dependency-audit workflow that detects ecosystems and runs ecosystem-specific vulnerability audits.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File: Description

.github/workflows/dependency-audit.yml: Adds a multi-ecosystem audit workflow (npm/go/cargo/pip) with ecosystem detection.
.github/workflows/dependabot-automerge.yml: Standardizes Dependabot PR approval + merge behavior using an app token and gh.
.github/dependabot.yml: Adds new Dependabot ecosystems and consistent triage labels.


Comment thread .github/dependabot.yml Outdated
Comment on lines 3 to 7
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: 'weekly'
interval: "weekly"
open-pull-requests-limit: 10
Copilot AI Apr 3, 2026

The new Dependabot entry for the npm ecosystem points at directory "/", but this repo doesn't currently contain a package.json/package-lock.json at the repository root. Dependabot will treat this as a configuration error and may stop processing updates. Either remove the npm update config until a root npm project exists, or change directory to the actual location of the npm manifest(s).

Comment thread .github/dependabot.yml Outdated
Comment on lines +12 to +20
- package-ecosystem: "gomod"
directory: "/markets-api"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
labels:
- "security"
- "dependencies"

Copilot AI Apr 3, 2026

The gomod entry is configured for directory: "/markets-api", but there is no markets-api/ directory (and no Go module files) in this repo. This will cause Dependabot configuration failures. Update the directory to the actual Go module path(s), or remove this entry if Go modules aren’t present here.

Suggested change
- package-ecosystem: "gomod"
directory: "/markets-api"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
labels:
- "security"
- "dependencies"

steps.metadata.outputs.dependency-type == 'indirect'
run: |
gh pr review --approve "$PR_URL"
gh pr merge --squash --admin "$PR_URL"
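Review bot: `gh pr merge --squash --admin` on the last line contradicts the PR description's own recommendation to make dependency-audit a required status check: an admin merge lands the PR regardless of that check's outcome, so the new audit would never gate a Dependabot PR. Prefer `gh pr merge --auto --squash "$PR_URL"`, which queues the merge until required checks pass, and reserve `--admin` for an explicitly documented break-glass path rather than the default for every eligible indirect-dependency bump.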
Copilot AI Apr 3, 2026

Using gh pr merge --admin will merge immediately and can bypass branch protection requirements (including required status checks), which is a significant operational change from --auto.

If the intent is to still respect required checks, use auto-merge (--auto) so the merge waits for checks to pass; reserve --admin only for exceptional cases and document why bypass is desired.

Suggested change
gh pr merge --squash --admin "$PR_URL"
gh pr merge --auto --squash "$PR_URL"

Comment thread .github/workflows/dependency-audit.yml Outdated
Comment on lines +32 to +37
# npm
if find . -name 'package-lock.json' -not -path '*/node_modules/*' | grep -q .; then
echo "npm=true" >> "$GITHUB_OUTPUT"
else
echo "npm=false" >> "$GITHUB_OUTPUT"
fi
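Review bot: this `find . -name 'package-lock.json'` test flips `npm=true` for a lockfile anywhere in the tree, while the npm audit step that consumes the flag runs only in the repository root, so the flag and the audit do not mean the same thing. Either add `-maxdepth 1` so `npm=true` means "a root lockfile exists", or have the npm job loop over each lockfile directory the way the Cargo job loops over its manifests; in both cases add `-type f` so a directory that happens to carry that name cannot set the flag.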
Copilot AI Apr 3, 2026

The npm ecosystem detection sets npm=true if it finds any package-lock.json anywhere in the repo, but the npm audit job runs only at the repository root. In a monorepo, a lockfile in a subdirectory would trigger this job and then npm audit would run in the wrong directory (and likely fail).

Either restrict detection to the root directory to match the intended scope, or iterate over each directory containing a lockfile and run the audit within that directory.

- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: "lts/*"

Copilot AI Apr 3, 2026

npm audit is run without first installing dependencies (or using --package-lock-only). Depending on npm version and project setup, this can produce incomplete results or fail because node_modules/lockfile state isn’t present.

Consider using npm ci (often with --ignore-scripts) before auditing, or switch to npm audit --package-lock-only when a lockfile is available and you want to avoid installs.

Suggested change
- name: Install npm dependencies for audit
run: npm ci --ignore-scripts

Comment thread .github/workflows/dependency-audit.yml Outdated
go-version: "stable"

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
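Review bot: `go-version: "stable"` on the first line floats just as `@latest` on the last line does, so even once govulncheck is pinned the audit still runs on whichever Go release is current that day and its findings can change without any commit to this repo. Pin the Go version as well, for example with setup-go's `go-version-file` input pointing at the module's go.mod, and bump the govulncheck pin deliberately alongside it.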
Copilot AI Apr 3, 2026

Installing govulncheck with @latest makes the workflow non-deterministic and can break or change findings without any repo change. Pin govulncheck to a specific version (and bump it intentionally) to keep the audit stable and supply-chain safer.

Suggested change
run: go install golang.org/x/vuln/cmd/govulncheck@latest
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/dependency-audit.yml (1)

87-88: Pin the audit tool versions to prevent upstream breaking releases.

The action SHAs are already pinned; these three tool installs remain unpinned and create moving parts. Since this workflow is intended to become a required check, a breaking upstream release can suddenly block PRs without any repo change.

Pin to specific stable releases (current as of early 2026: govulncheck@v1.1.4, cargo-audit@v0.22.1, pip-audit@v2.10.0) rather than using @latest.

Also applies to: 107-108, 125-126

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-audit.yml around lines 87 - 88, Replace
unpinned tool installs that use `@latest` with fixed stable release tags to avoid
breaking changes: change the Go install command
golang.org/x/vuln/cmd/govulncheck@latest to govulncheck@v1.1.4, the Rust install
cargo-audit@latest to cargo-audit@v0.22.1, and the Python install
pip-audit@latest to pip-audit@v2.10.0 (apply the same pinning for the
corresponding occurrences noted around the other lines).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 45-52: The "Approve and auto-merge" workflow step uses gh pr merge
with the --admin flag which bypasses required checks; replace the --admin flag
in the run block (the gh pr merge invocation) with --auto so merges are queued
and only executed after required status checks and branch protection pass,
keeping the existing gh pr review --approve "$PR_URL" call intact.

In @.github/workflows/dependency-audit.yml:
- Around line 39-44: The workflow currently detects Go modules by checking for
'go.sum' which can miss projects that have a committed go.mod but no go.sum;
update the detection logic that runs the shell command "find . -name 'go.sum' |
grep -q ." so it instead checks for 'go.mod' (e.g., use "find . -name 'go.mod' |
grep -q ." or equivalent) and keep the existing outputs
("gomod=true"/"gomod=false") and surrounding conditional intact so govulncheck
runs whenever a go.mod is present.


📥 Commits

Reviewing files that changed from the base of the PR and between c126ec5 and eea7fca.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/dependency-audit.yml

sonarqubecloud Bot commented Apr 4, 2026

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/dependency-audit.yml (2)

6-6: Add a stable aggregate check before making this required.

This workflow currently emits one check per job, not a single dependency-audit check. If the intent is to require one status in branch protection, add a final aggregator job with a fixed name, or update this note to list the actual check names maintainers need to require.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-audit.yml at line 6, The workflow note is
misleading because it produces one check per job rather than a single
"dependency-audit" status; add a final aggregator job (e.g., job id
"aggregate-dependency-audit" or "dependency-audit") that uses needs: [all other
audit jobs] and exits non-zero if any needed job failed so the workflow emits a
single stable check named "dependency-audit", or alternatively update the
comment to list the actual job ids produced by the workflow so maintainers know
which individual checks to require; locate the workflow definition for the
dependency-audit workflow and add the aggregator job or adjust the note
accordingly.

130-141: Deduplicate Cargo workspace audits.

The surrounding comment says a single workspace-root audit is enough, but this loop still walks every Cargo.toml. In a multi-crate workspace that will rerun the same audit once per member crate and stretch CI time unnecessarily. Prefer deduping to workspace roots or lockfile directories before invoking cargo audit.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-audit.yml around lines 130 - 141, The loop
currently iterates every crate directory found by find . -name 'Cargo.toml'
which still runs cargo audit repeatedly for workspace member crates; change the
discovery to only audit each lockfile/workspace root once by using directories
that contain Cargo.lock (e.g. replace the find pipeline with find . -name
'Cargo.lock' -exec dirname {} \; | sort -u and fall back to '.' if no lockfile
found) and keep the existing loop body that cd's into "$dir" and runs cargo
generate-lockfile/cargo audit so audit is invoked only once per
lockfile/workspace root (references: the while loop reading into dir, cargo
generate-lockfile, cargo audit).

📥 Commits

Reviewing files that changed from the base of the PR and between c3ab8e8 and 5a52e80.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/dependency-audit.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-automerge.yml
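A shell version of the detection and per-directory audit loop that the reviews above ask for (Copilot's npm-scope comment, CodeRabbit's go.mod and Cargo-dedupe comments), as an added example that is not the PR's workflow code; the vendored-path patterns and the usage lines are assumptions, and the sample tree used to exercise it is constructed.

```shell
#!/usr/bin/env sh
# Added example, not the PR's workflow: manifest detection that keys each
# ecosystem on the file its audit tool needs, skips vendored trees, and
# dedupes to one directory per lockfile so a per-directory audit loop runs
# once per project (not once per workspace member crate). Assumed usage in
# a GitHub Actions step: detect_ecosystems . >> "$GITHUB_OUTPUT"

# Unique directories containing a manifest named $2 below root $1,
# ignoring vendored/build trees (the path patterns are assumptions).
manifest_dirs() {
  local root="$1" name="$2"
  find "$root" -type f -name "$name" \
    ! -path '*/node_modules/*' ! -path '*/vendor/*' \
    ! -path '*/target/*'       ! -path '*/.venv/*' \
    -exec dirname {} \; | sort -u
}

# Cargo: audit once per lockfile; fall back to every Cargo.toml only when
# no Cargo.lock is committed (cargo audit can generate one in that case).
cargo_dirs() {
  local d; d="$(manifest_dirs "$1" Cargo.lock)"
  if [ -n "$d" ]; then echo "$d"; else manifest_dirs "$1" Cargo.toml; fi
}

# Python: a directory holding both pyproject.toml and requirements.txt counts once.
pip_dirs() {
  { manifest_dirs "$1" pyproject.toml; manifest_dirs "$1" requirements.txt; } | sort -u
}

flag_for() { if [ -n "$1" ]; then echo true; else echo false; fi; }

# key=value lines in $GITHUB_OUTPUT format. Go is keyed on go.mod, not go.sum,
# because a module with no external dependencies has no go.sum yet.
detect_ecosystems() {
  local root="$1"
  echo "npm=$(flag_for "$(manifest_dirs "$root" package-lock.json)")"
  echo "gomod=$(flag_for "$(manifest_dirs "$root" go.mod)")"
  echo "cargo=$(flag_for "$(cargo_dirs "$root")")"
  echo "pip=$(flag_for "$(pip_dirs "$root")")"
}

# Run an audit command ($2..) inside each directory listed in $1 (one per line).
# Keeps going after a failure and returns 1 if any directory failed, so one
# bad project does not hide findings in the others.
audit_dirs() {
  local dirs="$1" dir rc=0; shift
  while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    echo "::group::audit $dir"
    ( cd "$dir" && "$@" ) || { echo "::error::audit failed in $dir"; rc=1; }
    echo "::endgroup::"
  done <<EOF
$dirs
EOF
  return "$rc"
}
# e.g. audit_dirs "$(manifest_dirs . package-lock.json)" npm audit --audit-level=high
#      audit_dirs "$(cargo_dirs .)" cargo audit
```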
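The aggregator that CodeRabbit's "6-6" nitpick above asks for, as an added example that is not the PR's code: the decision step of a final job that reports one stable check. The job ids and the `needs` wiring shown in the comments are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the PR's code: the decision step of a final aggregator
# job that turns the per-ecosystem audit jobs into ONE stable check named
# "dependency-audit", which is what a branch-protection rule can require.
# Assumed job wiring (job ids are hypothetical):
#   dependency-audit:
#     needs: [npm-audit, go-audit, cargo-audit, pip-audit]
#     if: always()            # run even when some needed jobs failed/skipped
#     runs-on: ubuntu-latest
#     steps:
#       - run: |
#           aggregate_results "npm-audit=${{ needs.npm-audit.result }}" \
#                             "go-audit=${{ needs.go-audit.result }}" ...
# The gated audit jobs legitimately finish as "skipped" when their ecosystem
# is absent, so a naive "every result == success" test would fail the check
# on every PR; only failure/cancelled (or an unknown value) is a failure.

# Args: job=result pairs (result is success|failure|cancelled|skipped).
# Prints one verdict line per job; returns 1 if the aggregate check must fail.
aggregate_results() {
  rc=0
  for pair in "$@"; do
    job=${pair%%=*}
    result=${pair#*=}
    case "$result" in
      success)           echo "ok       $job" ;;
      skipped)           echo "skipped  $job (ecosystem not detected)" ;;
      failure|cancelled) echo "FAILED   $job ($result)"; rc=1 ;;
      *)                 echo "FAILED   $job (unexpected result '$result')"; rc=1 ;;
    esac
  done
  return "$rc"
}
```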

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- uses: dtolnay/rust-toolchain@stable
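Review bot: once `dtolnay/rust-toolchain@stable` is pinned to a commit SHA as the suggestion below does, the `@stable` ref no longer tells the action which toolchain channel to install (this action reads the channel from its own ref), so pass it explicitly through the action's `toolchain: stable` input and keep a trailing `# stable` comment in the same style as the `# v4` on the checkout line above; verify the SHA against the upstream repository rather than taking it from the review.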

⚠️ Potential issue | 🟠 Major

Analysis chain

Repository: petry-projects/markets

Script executed:

#!/bin/bash
git ls-remote https://github.com/dtolnay/rust-toolchain 'refs/tags/stable*'

Script executed:

# Check if the workflow file exists and examine it
git ls-files | grep -E "(\.github|workflows)" | head -20

Script executed:

# Check the actual content of the workflow file if it exists
if [ -f ".github/workflows/dependency-audit.yml" ]; then
  wc -l ".github/workflows/dependency-audit.yml"
  echo "---"
  sed -n '120,130p' ".github/workflows/dependency-audit.yml"
fi

Script executed:

# Try different patterns to find refs on dtolnay/rust-toolchain
git ls-remote https://github.com/dtolnay/rust-toolchain | head -20

Script executed:

# Get tags specifically from dtolnay/rust-toolchain
git ls-remote --tags https://github.com/dtolnay/rust-toolchain | head -30

Script executed:

# Check all action uses in the workflow file for comparison
grep -n "uses:" .github/workflows/dependency-audit.yml

Script executed:

# Verify if 'stable' exists as a branch
git ls-remote https://github.com/dtolnay/rust-toolchain refs/heads/stable


Pin dtolnay/rust-toolchain to an immutable SHA.

Every other action in this workflow is SHA-pinned, but this step still tracks the mutable stable branch. That weakens the supply-chain guarantees for a security-sensitive workflow.

Suggested change
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependency-audit.yml at line 125, Replace the mutable ref
dtolnay/rust-toolchain@stable with an immutable commit SHA to ensure
reproducible, secure dependency resolution; locate the desired commit in the
dtolnay/rust-toolchain repository (prefer a tag or the exact commit you want),
then update the action reference dtolnay/rust-toolchain@stable to
dtolnay/rust-toolchain@<full-commit-sha> so the workflow uses a pinned,
immutable SHA instead of the mutable "stable" ref.

@don-petry don-petry enabled auto-merge (squash) April 4, 2026 03:17
@don-petry don-petry merged commit 78cc44d into main Apr 4, 2026
14 of 15 checks passed
@don-petry don-petry deleted the chore/dependabot-security-standards branch April 4, 2026 03:33