Skip templated dependency audit on Dependabot PRs#23
Conversation
`make audit` reports advisories against the whole lockfile, so in generated projects a newly published advisory fails every open Dependabot PR regardless of its content and deadlocks auto-merge. Condition the audit step on the actor not being Dependabot, and add a templated weekly scheduled audit workflow as the compensating control so anything that slips through surfaces within days. Human pull requests keep the full audit gate.
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughThis PR adds a new scheduled GitHub Actions workflow ( ChangesDependency audit workflow changes
Sequence Diagram(s)sequenceDiagram
participant Scheduler as GitHub Actions Scheduler
participant AuditWorkflow as Audit Workflow
participant Runner as ubuntu-latest Runner
Scheduler->>AuditWorkflow: weekly cron trigger / workflow_dispatch
AuditWorkflow->>Runner: checkout, setup Python 3.13, install uv
alt use_rust enabled
AuditWorkflow->>Runner: setup Rust and install cargo-audit
end
AuditWorkflow->>Runner: run make audit
Possibly related PRs
Poem
Caution Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 5 warnings)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
template/.github/workflows/audit.yml.jinja (1)
1-51: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd test coverage for this new scheduled workflow.
Nothing in the supplied context exercises
audit.yml.jinjaitself —tests/test_audit.pyvalidates themake audittarget's tool dispatch, not that this new workflow file renders sensibly for bothuse_rustvariants (cron trigger present,permissions: contents: read, Rust steps gated correctly). Extend the existing render-and-assert pattern to cover this file too, so a broken Jinja conditional here doesn't go unnoticed until the schedule actually fires.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@template/.github/workflows/audit.yml.jinja` around lines 1 - 51, The new scheduled audit workflow is untested, so add coverage that renders audit.yml.jinja and asserts the expected workflow shape. Extend the existing render-and-assert tests in tests/test_audit.py to verify the cron trigger and permissions are present, and that the Rust-specific steps in the audit job only appear when use_rust is enabled. Make sure both use_rust variants are exercised so broken Jinja conditionals in the audit workflow are caught.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@template/.github/workflows/audit.yml.jinja`:
- Around line 17-23: The audit job is missing a timeout, so add a
`timeout-minutes` limit directly on the `audit` job in the `audit` workflow
template. Update the job definition near `audit:` so it caps long-running stalls
from `cargo install`, `uv`, or `pip-audit`, keeping the existing `runs-on` and
`env` structure intact.
In `@template/.github/workflows/ci.yml.jinja`:
- Around line 85-87: The CI contract test currently only verifies that the
workflow contains the "Audit dependencies" step and the make audit command, so
it would miss regressions in the new Dependabot guard. Update the assertion
logic in tests/helpers/ci_contracts.py to explicitly inspect the "Audit
dependencies" step from ci_workflow and verify its if clause matches
github.actor != 'dependabot[bot]' alongside the existing steps checks. Make the
check targeted to the step’s condition so dropped, inverted, or mistyped guards
are caught.
---
Outside diff comments:
In `@template/.github/workflows/audit.yml.jinja`:
- Around line 1-51: The new scheduled audit workflow is untested, so add
coverage that renders audit.yml.jinja and asserts the expected workflow shape.
Extend the existing render-and-assert tests in tests/test_audit.py to verify the
cron trigger and permissions are present, and that the Rust-specific steps in
the audit job only appear when use_rust is enabled. Make sure both use_rust
variants are exercised so broken Jinja conditionals in the audit workflow are
caught.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 4cf89c2d-bc57-41ca-8b09-556865eec399
📒 Files selected for processing (2)
template/.github/workflows/audit.yml.jinjatemplate/.github/workflows/ci.yml.jinja
| audit: | ||
| runs-on: ubuntu-latest | ||
| {% if use_rust %} | ||
| env: | ||
| CARGO_TERM_COLOR: always | ||
| {% endif %} | ||
| steps: |
There was a problem hiding this comment.
🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Bound the job with timeout-minutes.
The job has no timeout-minutes, so a stuck cargo install, uv install, or pip-audit advisory-database fetch will occupy the runner up to GitHub's default six-hour ceiling before this weekly compensating control even reports a failure. Cap it.
⏱️ Proposed fix
audit:
runs-on: ubuntu-latest
+ timeout-minutes: 15
{% if use_rust %}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| audit: | |
| runs-on: ubuntu-latest | |
| {% if use_rust %} | |
| env: | |
| CARGO_TERM_COLOR: always | |
| {% endif %} | |
| steps: | |
| audit: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| {% if use_rust %} | |
| env: | |
| CARGO_TERM_COLOR: always | |
| {% endif %} | |
| steps: |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@template/.github/workflows/audit.yml.jinja` around lines 17 - 23, The audit
job is missing a timeout, so add a `timeout-minutes` limit directly on the
`audit` job in the `audit` workflow template. Update the job definition near
`audit:` so it caps long-running stalls from `cargo install`, `uv`, or
`pip-audit`, keeping the existing `runs-on` and `env` structure intact.
| - name: Audit dependencies | ||
| if: github.actor != 'dependabot[bot]' | ||
| run: make audit |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Assert the guard condition explicitly in the CI contract test.
tests/helpers/ci_contracts.py currently only checks "make audit" in ci_workflow, per the supplied snippet. That assertion would still pass even if the new if: github.actor != 'dependabot[bot]' guard were dropped, mistyped, or inverted (e.g. == instead of !=), silently reintroducing the exact Dependabot auto-merge deadlock this PR fixes. Add a targeted assertion on the "Audit dependencies" step's if clause alongside the existing steps inspection.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@template/.github/workflows/ci.yml.jinja` around lines 85 - 87, The CI
contract test currently only verifies that the workflow contains the "Audit
dependencies" step and the make audit command, so it would miss regressions in
the new Dependabot guard. Update the assertion logic in
tests/helpers/ci_contracts.py to explicitly inspect the "Audit dependencies"
step from ci_workflow and verify its if clause matches github.actor !=
'dependabot[bot]' alongside the existing steps checks. Make the check targeted
to the step’s condition so dropped, inverted, or mistyped guards are caught.
Add a timeout to the scheduled audit job and assert the CI audit step's Dependabot guard structurally. Cover the generated scheduled audit workflow for both pure-Python and Rust-enabled renders so its trigger, permissions, timeout, and Rust-specific steps stay under test.
Summary
make auditstep ongithub.actor != 'dependabot[bot]'. (Thecargo-auditinstall stays unconditional because it is bundled with the Whitaker lint tooling install, which the lint step also needs.)audit.yml.jinja) as the compensating control, covering both theuse_rustand plain-Python renders and reusing the template's existing pinned action refs.Motivation
make auditreports advisories against the whole lockfile, so in generated projects a newly published advisory fails every open Dependabot PR regardless of its content, deadlocking Dependabot auto-merge (observed on leynos/corbusier#120, where even Dependabot's own fix for a vite advisory was blocked by unrelated advisories). The same change has been applied directly to the twelve existing estate repositories withmake auditgates; this PR brings the template in line so newly generated projects inherit it. Human pull requests keep the full audit gate.Test plan
use_rust=Trueanduse_rust=False(StrictUndefined) and validated withactionlintact-validationtemplate render passes in CIReferences