Skip to content

Skip templated dependency audit on Dependabot PRs#23

Open
leynos wants to merge 2 commits into
mainfrom
fix/skip-audit-for-dependabot
Open

Skip templated dependency audit on Dependabot PRs#23
leynos wants to merge 2 commits into
mainfrom
fix/skip-audit-for-dependabot

Conversation

@leynos

@leynos leynos commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

  • Conditions the templated CI's make audit step on github.actor != 'dependabot[bot]'. (The cargo-audit install stays unconditional because it is bundled with the Whitaker lint tooling install, which the lint step also needs.)
  • Adds a templated weekly scheduled audit workflow (audit.yml.jinja) as the compensating control, covering both the use_rust and plain-Python renders and reusing the template's existing pinned action refs.

Motivation

make audit reports advisories against the whole lockfile, so in generated projects a newly published advisory fails every open Dependabot PR regardless of its content, deadlocking Dependabot auto-merge (observed on leynos/corbusier#120, where even Dependabot's own fix for a vite advisory was blocked by unrelated advisories). The same change has been applied directly to the twelve existing estate repositories with make audit gates; this PR brings the template in line so newly generated projects inherit it. Human pull requests keep the full audit gate.

Test plan

  • Both workflow templates rendered with use_rust=True and use_rust=False (StrictUndefined) and validated with actionlint
  • act-validation template render passes in CI

References

`make audit` reports advisories against the whole lockfile, so in
generated projects a newly published advisory fails every open
Dependabot PR regardless of its content and deadlocks auto-merge.
Condition the audit step on the actor not being Dependabot, and add a
templated weekly scheduled audit workflow as the compensating control
so anything that slips through surfaces within days. Human pull
requests keep the full audit gate.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @leynos, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

This PR adds a new scheduled GitHub Actions workflow (audit.yml.jinja) that runs dependency audits weekly or on manual trigger, with optional Rust/cargo-audit setup. It also updates the existing CI workflow to skip the audit step for Dependabot-triggered runs.

Changes

Dependency audit workflow changes

Layer / File(s) Summary
New scheduled audit workflow
template/.github/workflows/audit.yml.jinja
Adds a new "Scheduled dependency audit" workflow with weekly cron and manual dispatch triggers, contents: read permissions, and an audit job that sets up Python 3.13, uv, optionally Rust/cargo-audit, and runs make audit.
CI audit step Dependabot guard
template/.github/workflows/ci.yml.jinja
Adds a comment and an if: github.actor != 'dependabot[bot]' condition to skip the existing "Audit dependencies" CI step for Dependabot events.

Sequence Diagram(s)

sequenceDiagram
  participant Scheduler as GitHub Actions Scheduler
  participant AuditWorkflow as Audit Workflow
  participant Runner as ubuntu-latest Runner

  Scheduler->>AuditWorkflow: weekly cron trigger / workflow_dispatch
  AuditWorkflow->>Runner: checkout, setup Python 3.13, install uv
  alt use_rust enabled
    AuditWorkflow->>Runner: setup Rust and install cargo-audit
  end
  AuditWorkflow->>Runner: run make audit
Loading

Possibly related PRs

  • leynos/corbusier#79: Both PRs modify CI/workflow audit wiring around the same make audit dependency-audit step and its triggering/scheduling conditions.

Poem

A rabbit sniffs the dependency air,
Weekly audits, done with care.
Dependabot need not fret or fuss—
No audit step to trouble us.
🐇 make audit, cron ticks on,
Rust installed when the flag is drawn.


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 5 warnings)

Check name Status Explanation Resolution
Testing (Overall) ❌ Error Existing tests only assert make audit exists; they never check the Dependabot guard or the new scheduled audit workflow, so regressions would still pass. Add a contract test for the Audit dependencies step's if clause and a rendered-workflow test for audit.yml covering both Rust and Python renders.
User-Facing Documentation ⚠️ Warning The Dependabot audit bypass and scheduled weekly audit workflow are not documented in the user guide; only the generic audit target appears there. Update the generated user's guide (template/docs/users-guide.md.jinja) to explain the CI audit skip for Dependabot and the compensating scheduled audit workflow.
Developer Documentation ⚠️ Warning The PR changes CI audit behaviour, but no docs were updated; both developer guides still describe make audit as unconditional and omit the scheduled compensating workflow. Update docs/developers-guide.md and template/docs/developers-guide.md (or record the policy in an ADR) to document the Dependabot guard and weekly audit workflow.
Testing (Unit And Behavioural) ⚠️ Warning Only template files changed; existing workflow tests assert "make audit" but not the Dependabot guard or the new scheduled audit workflow, so the changed behaviour lacks direct coverage. Add contract tests that render both variants and assert the Dependabot if guard plus the scheduled audit workflow's trigger and permissions.
Testing (Compile-Time / Ui) ⚠️ Warning The PR adds structured workflow text, but no test exercises the new audit workflow or the Dependabot guard; trybuild is irrelevant here, yet the text-output contract is untested. Add a focused contract/snapshot test for the rendered audit workflow and assert the if: github.actor != 'dependabot[bot]' guard in CI.
Performance And Resource Use ⚠️ Warning template/.github/workflows/audit.yml.jinja adds a weekly job with no timeout-minutes, so hung install/audit steps can tie up a runner for hours. Add a finite timeout-minutes to the audit job and keep network/process steps within that bound; update any contract test to enforce it.
✅ Passed checks (14 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Module-Level Documentation ✅ Passed Treat as not applicable: the PR only changes YAML workflow templates, not code modules, and both templates already include top-level explanatory comments.
Testing (Property / Proof) ✅ Passed PASS: The change only adjusts workflow gating/scheduling; it introduces no input/state invariant or lemma that warrants property testing or a proof, and existing render contracts cover the branches.
Unit Architecture ✅ Passed Only GitHub Actions template YAML changed; no application units, query/command paths, or hidden dependencies were added.
Domain Architecture ✅ Passed PASS: Keep the scope on workflow templates; no domain model, repository, transport, or persistence code changed, so no boundary leak appears.
Observability ✅ Passed PASS: the new workflow relies on GitHub Actions job/step logs, and the audit decision point is surfaced by the named, conditionally skipped step plus explicit workflow comments.
Security And Privacy ✅ Passed New workflow uses contents: read only, no secrets/PII added, and CI only adds a Dependabot guard; no auth or permission widening found.
Concurrency And State ✅ Passed PASS: The PR only changes declarative GitHub Actions templates; it adds an audit job/guard, with no shared mutable state, locks, async tasks, or concurrent execution paths.
Architectural Complexity And Maintainability ✅ Passed No new abstraction, layer, dependency, or hidden mechanism was introduced; the change stays as explicit workflow-template wiring with a clear scheduled-audit seam.
Rust Compiler Lint Integrity ✅ Passed The patch only edits workflow templates; it adds no Rust source, no lint suppressions, and no artificial clone-based usage anchors.
Title check ✅ Passed The title matches the main change by describing the Dependabot-specific audit skip.
Description check ✅ Passed The description directly explains the CI audit skip and the added scheduled audit workflow.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/skip-audit-for-dependabot

Comment @coderabbitai help to get the list of available commands.

@pandalump pandalump marked this pull request as ready for review July 3, 2026 08:26

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
template/.github/workflows/audit.yml.jinja (1)

1-51: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add test coverage for this new scheduled workflow.

Nothing in the supplied context exercises audit.yml.jinja itself — tests/test_audit.py validates the make audit target's tool dispatch, not that this new workflow file renders sensibly for both use_rust variants (cron trigger present, permissions: contents: read, Rust steps gated correctly). Extend the existing render-and-assert pattern to cover this file too, so a broken Jinja conditional here doesn't go unnoticed until the schedule actually fires.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@template/.github/workflows/audit.yml.jinja` around lines 1 - 51, The new
scheduled audit workflow is untested, so add coverage that renders
audit.yml.jinja and asserts the expected workflow shape. Extend the existing
render-and-assert tests in tests/test_audit.py to verify the cron trigger and
permissions are present, and that the Rust-specific steps in the audit job only
appear when use_rust is enabled. Make sure both use_rust variants are exercised
so broken Jinja conditionals in the audit workflow are caught.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@template/.github/workflows/audit.yml.jinja`:
- Around line 17-23: The audit job is missing a timeout, so add a
`timeout-minutes` limit directly on the `audit` job in the `audit` workflow
template. Update the job definition near `audit:` so it caps long-running stalls
from `cargo install`, `uv`, or `pip-audit`, keeping the existing `runs-on` and
`env` structure intact.

In `@template/.github/workflows/ci.yml.jinja`:
- Around line 85-87: The CI contract test currently only verifies that the
workflow contains the "Audit dependencies" step and the make audit command, so
it would miss regressions in the new Dependabot guard. Update the assertion
logic in tests/helpers/ci_contracts.py to explicitly inspect the "Audit
dependencies" step from ci_workflow and verify its if clause matches
github.actor != 'dependabot[bot]' alongside the existing steps checks. Make the
check targeted to the step’s condition so dropped, inverted, or mistyped guards
are caught.

---

Outside diff comments:
In `@template/.github/workflows/audit.yml.jinja`:
- Around line 1-51: The new scheduled audit workflow is untested, so add
coverage that renders audit.yml.jinja and asserts the expected workflow shape.
Extend the existing render-and-assert tests in tests/test_audit.py to verify the
cron trigger and permissions are present, and that the Rust-specific steps in
the audit job only appear when use_rust is enabled. Make sure both use_rust
variants are exercised so broken Jinja conditionals in the audit workflow are
caught.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4cf89c2d-bc57-41ca-8b09-556865eec399

📥 Commits

Reviewing files that changed from the base of the PR and between 09a4d88 and d8c1beb.

📒 Files selected for processing (2)
  • template/.github/workflows/audit.yml.jinja
  • template/.github/workflows/ci.yml.jinja

Comment on lines +17 to +23
audit:
runs-on: ubuntu-latest
{% if use_rust %}
env:
CARGO_TERM_COLOR: always
{% endif %}
steps:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Bound the job with timeout-minutes.

The job has no timeout-minutes, so a stuck cargo install, uv install, or pip-audit advisory-database fetch will occupy the runner up to GitHub's default six-hour ceiling before this weekly compensating control even reports a failure. Cap it.

⏱️ Proposed fix
   audit:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     {% if use_rust %}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
audit:
runs-on: ubuntu-latest
{% if use_rust %}
env:
CARGO_TERM_COLOR: always
{% endif %}
steps:
audit:
runs-on: ubuntu-latest
timeout-minutes: 15
{% if use_rust %}
env:
CARGO_TERM_COLOR: always
{% endif %}
steps:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@template/.github/workflows/audit.yml.jinja` around lines 17 - 23, The audit
job is missing a timeout, so add a `timeout-minutes` limit directly on the
`audit` job in the `audit` workflow template. Update the job definition near
`audit:` so it caps long-running stalls from `cargo install`, `uv`, or
`pip-audit`, keeping the existing `runs-on` and `env` structure intact.

Comment on lines 85 to 87
- name: Audit dependencies
if: github.actor != 'dependabot[bot]'
run: make audit

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Assert the guard condition explicitly in the CI contract test.

tests/helpers/ci_contracts.py currently only checks "make audit" in ci_workflow, per the supplied snippet. That assertion would still pass even if the new if: github.actor != 'dependabot[bot]' guard were dropped, mistyped, or inverted (e.g. == instead of !=), silently reintroducing the exact Dependabot auto-merge deadlock this PR fixes. Add a targeted assertion on the "Audit dependencies" step's if clause alongside the existing steps inspection.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@template/.github/workflows/ci.yml.jinja` around lines 85 - 87, The CI
contract test currently only verifies that the workflow contains the "Audit
dependencies" step and the make audit command, so it would miss regressions in
the new Dependabot guard. Update the assertion logic in
tests/helpers/ci_contracts.py to explicitly inspect the "Audit dependencies"
step from ci_workflow and verify its if clause matches github.actor !=
'dependabot[bot]' alongside the existing steps checks. Make the check targeted
to the step’s condition so dropped, inverted, or mistyped guards are caught.

Add a timeout to the scheduled audit job and assert the CI audit step's
Dependabot guard structurally. Cover the generated scheduled audit workflow
for both pure-Python and Rust-enabled renders so its trigger, permissions,
timeout, and Rust-specific steps stay under test.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant