chore: add Dependabot security-only update config#1
Add org-standard Dependabot configuration for security-focused dependency management (pip + github-actions ecosystems), auto-merge workflow for patch/minor updates, and dependency vulnerability audit workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Adds Dependabot configuration and GitHub Actions workflows to automate dependency security management for this repository (scheduled Dependabot updates, automatic merging of eligible Dependabot PRs, and CI-time vulnerability auditing).
Changes:
- Add `.github/dependabot.yml` for scheduled `pip` and `github-actions` updates with default labels.
- Add `dependabot-automerge` workflow to auto-approve and squash-merge certain Dependabot PRs.
- Add `dependency-audit` workflow to detect ecosystems and run audit tooling (including `pip-audit`).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/dependency-audit.yml | Adds a multi-ecosystem dependency vulnerability audit workflow (includes pip-audit). |
| .github/workflows/dependabot-automerge.yml | Adds a Dependabot PR auto-approve/merge workflow using a GitHub App token. |
| .github/dependabot.yml | Adds Dependabot schedules/labels for pip + GitHub Actions updates. |
| @@ -0,0 +1,136 @@ | |||
| # Dependency vulnerability audit | |||
| # Copy to .github/workflows/dependency-audit.yml | |||
Header comment says "Copy to .github/workflows/dependency-audit.yml" but this file is already at that path, so the instruction is misleading/outdated. Please remove or update the header comment to avoid confusion for maintainers.
| # Copy to .github/workflows/dependency-audit.yml |
| # Go modules | ||
| if find . -name 'go.sum' | grep -q .; then | ||
| echo "gomod=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "gomod=false" >> "$GITHUB_OUTPUT" | ||
| fi |
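Review bot: the detection pipeline `find . -name 'go.sum' | grep -q .` is fragile under `-o pipefail`, which GitHub applies to steps declared with `shell: bash`: `grep -q` exits on its first match, `find` can then die with SIGPIPE, and the `if` takes the `else` branch even though a module exists. Replace the pipe with a single command, e.g. `if [ -n "$(find . -name go.mod -print -quit)" ]; then`, which also keys detection on go.mod, the file that actually defines a module.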
Go module detection checks for go.sum, but Go modules can exist with go.mod and no go.sum yet (e.g., fresh module or tidy not run), causing govulncheck to be skipped incorrectly. Detect based on go.mod instead (similar to how the audit step enumerates go.mod).
| - name: Audit Python dependencies | ||
| run: | | ||
| if [ -f "pyproject.toml" ]; then | ||
| pip-audit --require-hashes=false |
pip-audit --require-hashes=false is very likely an invalid CLI invocation (pip-audit’s --require-hashes is a boolean flag, not a key=value option). As written, this step may fail immediately; if the intent is to not require hashes, drop the flag entirely (or use the supported form).
| pip-audit --require-hashes=false | |
| pip-audit |
| - name: Install pip-audit | ||
| run: pip install pip-audit | ||
|
|
||
| - name: Audit Python dependencies | ||
| run: | | ||
| if [ -f "pyproject.toml" ]; then | ||
| pip-audit --require-hashes=false | ||
| elif [ -f "requirements.txt" ]; then |
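Review bot: the `elif [ -f "requirements.txt" ]` branch needs to pass the file to the tool (`pip-audit -r requirements.txt`) rather than audit the environment, because the preceding step runs only `pip install pip-audit`, so the environment contains little beyond pip-audit itself and the audit would report nothing for the application. Separately, `pip install pip-audit` is unpinned; for a tool whose verdict gates the build, pin it (`pip install pip-audit==<pinned-version>`, version to be chosen by the maintainers) so the audit is reproducible.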
For pyproject.toml projects, this workflow installs only pip-audit but does not install the project (or its dependencies) before running the audit. In that case pip-audit will typically audit only the current environment (mostly just pip-audit itself) and miss the application dependencies declared in pyproject.toml. Install the project (e.g., pip install -e . or equivalent) before running pip-audit, or use a pip-audit mode that reads dependencies directly from the project metadata if supported.
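As an added example, not code from this PR or its workflows, the following shell implements what the Go-detection comment and the two pip-audit comments above ask for: detection keyed on `go.mod` with no pipe, and a pip-audit invocation chosen by project layout. It assumes GNU or BSD `find` (for `-quit`) and a checkout path passed as the first argument.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR under review: ecosystem detection and
# pip-audit command selection as the review comments recommend.
# Assumes GNU or BSD find (-quit) and a checkout path as the first argument.
set -eu

# Detect by go.mod, not go.sum: a fresh or un-tidied module has no go.sum yet.
# `-print -quit` stops at the first hit without a pipe, so the test stays
# correct under the `-o pipefail` GitHub applies to `shell: bash` steps.
detect_ecosystems() {
  local root="${1:-.}"
  local gomod=false python=false
  if [ -n "$(find "$root" -name go.mod ! -path '*/node_modules/*' -print -quit)" ]; then
    gomod=true
  fi
  if [ -f "$root/pyproject.toml" ] || [ -f "$root/requirements.txt" ]; then
    python=true
  fi
  # Same key=value lines the workflow appends to $GITHUB_OUTPUT.
  printf 'gomod=%s\npython=%s\n' "$gomod" "$python"
}

# Pick the pip-audit invocation for the layout. A pyproject.toml project must
# be installed first so its declared dependencies are in the audited
# environment; a requirements.txt is handed to the tool with -r. No
# --require-hashes: it is a bare flag (meaningful only with -r) and hashes
# are not required here.
python_audit_command() {
  local root="${1:-.}"
  if [ -f "$root/pyproject.toml" ]; then
    echo "pip install -e '$root' && pip-audit"
  elif [ -f "$root/requirements.txt" ]; then
    echo "pip-audit -r '$root/requirements.txt'"
  else
    return 1   # nothing to audit in this checkout
  fi
}

# Under Actions append to $GITHUB_OUTPUT; locally print to stdout.
emit_outputs() {
  detect_ecosystems "${1:-.}" >> "${GITHUB_OUTPUT:-/dev/stdout}"
}
```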
| @@ -0,0 +1,57 @@ | |||
| # Dependabot auto-merge workflow | |||
| # Copy to .github/workflows/dependabot-automerge.yml | |||
Header comment says "Copy to .github/workflows/dependabot-automerge.yml" but this file is already located there, so the instruction is misleading/outdated. Please remove or update the header comment.
| # Copy to .github/workflows/dependabot-automerge.yml |
| steps.metadata.outputs.dependency-type == 'indirect' | ||
| run: | | ||
| gh pr review --approve "$PR_URL" | ||
| gh pr merge --squash --admin "$PR_URL" |
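Review bot: the visible condition `steps.metadata.outputs.dependency-type == 'indirect'` gates on dependency type only, while the PR description limits auto-merge to patch/minor updates; make sure the `if:` also checks the fetch-metadata `update-type` output (for example `startsWith(steps.metadata.outputs.update-type, 'version-update:semver-patch')`), otherwise an indirect major bump is auto-approved and, with `--admin`, merged without review. If the `gh pr merge --auto --squash` suggestion is adopted, "Allow auto-merge" must be enabled in the repository settings and a branch protection rule with required checks must exist, or the command errors instead of queueing the merge.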
gh pr merge --admin can bypass branch protection requirements (required checks/reviews), which undermines the goal of gating merges on security/audit results. Consider removing --admin and using gh pr merge --auto --squash (or GitHub auto-merge) so the PR is only merged after required status checks pass.
| gh pr merge --squash --admin "$PR_URL" | |
| gh pr merge --auto --squash "$PR_URL" |
Summary
- `.github/dependabot.yml` with weekly schedules for pip and github-actions ecosystems, labeled `security` + `dependencies`
- `pip-audit` on PRs and pushes to `main`, failing the build on known vulnerabilities

This aligns context-scribe with the petry-projects org standard of security-only dependency updates for application repositories.
Test plan
- `security` and `dependencies` labels
- `pyproject.toml` and runs pip-audit
- `dependency-audit` as a required status check in branch protection settings

🤖 Generated with Claude Code