chore: add Dependabot security-only update config#37
chore: add Dependabot security-only update config#37don-petry wants to merge 5 commits intooneirosoft:mainfrom
Conversation
Add Dependabot configuration for cargo and github-actions ecosystems with weekly schedule. Include automerge workflow for patch/minor updates and dependency-audit workflow for vulnerability scanning. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds repository automation to manage and audit dependencies via Dependabot plus CI workflows, aiming to standardize dependency security handling for this repo.
Changes:
- Added
.github/dependabot.ymlconfiguring Dependabot updates for Cargo and GitHub Actions. - Added a
dependabot-automergeworkflow to auto-approve and squash-merge certain Dependabot PRs. - Added a
dependency-auditworkflow to scan for known vulnerabilities across detected ecosystems on pushes/PRs tomain.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
.github/dependabot.yml |
Configures scheduled Dependabot updates and labeling for Cargo and GitHub Actions. |
.github/workflows/dependabot-automerge.yml |
Automates approval/merge of qualifying Dependabot PRs using a GitHub App token. |
.github/workflows/dependency-audit.yml |
Adds an ecosystem-detecting vulnerability audit workflow (npm/Go/Cargo/Python). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| audit-cargo: | ||
| name: cargo audit | ||
| needs: detect | ||
| if: needs.detect.outputs.cargo == 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
|
|
||
| - name: Install cargo-audit | ||
| run: cargo install cargo-audit | ||
|
|
||
| - name: Audit Cargo dependencies | ||
| run: cargo audit |
There was a problem hiding this comment.
audit-cargo uses cargo install/cargo audit but the workflow never installs a Rust toolchain. On GitHub-hosted runners, Rust/cargo isn’t guaranteed to be present, so this job can fail even when Cargo.lock exists (which will trigger it in this repo). Add a Rust toolchain setup step (and ideally the Cargo cache) before invoking cargo, consistent with the existing CI workflow.
There was a problem hiding this comment.
Addressed — added Swatinem/rust-cache@v2 step after dtolnay/rust-toolchain@stable in the cargo audit job.
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
|
|
||
| - name: Install cargo-audit | ||
| run: cargo install cargo-audit |
There was a problem hiding this comment.
cargo install cargo-audit installs the latest published version each run, which is non-deterministic and can break the workflow unexpectedly. Prefer installing with a locked dependency set (e.g., --locked) or using an action that pins the tool version; also consider caching to avoid repeated compilation.
| run: cargo install cargo-audit | |
| run: cargo install --locked cargo-audit |
There was a problem hiding this comment.
Addressed — cargo install cargo-audit@0.22.1 --locked was already in place; confirmed no change needed.
| detect: | ||
| name: Detect ecosystems | ||
| runs-on: ubuntu-latest | ||
| outputs: |
There was a problem hiding this comment.
This uses ubuntu-latest for all jobs, while the repo’s existing workflows pin to specific runner images (e.g., ubuntu-24.04). Using ubuntu-latest can introduce breaking environment changes over time; consider pinning to the same runner image used elsewhere in the repo for consistency and reproducibility.
There was a problem hiding this comment.
Addressed — all runs-on in dependency-audit.yml pinned to ubuntu-24.04, consistent with ci.yml and release.yml.
| steps.metadata.outputs.dependency-type == 'indirect' | ||
| run: | | ||
| gh pr review --approve "$PR_URL" | ||
| gh pr merge --squash --admin "$PR_URL" |
There was a problem hiding this comment.
gh pr merge --admin can bypass branch protection requirements and merges immediately rather than waiting for required checks to pass. For safer automation, avoid --admin and use auto-merge behavior that waits for checks/reviews (e.g., enable auto-merge for the PR) so Dependabot updates don’t land without CI/required status checks.
| gh pr merge --squash --admin "$PR_URL" | |
| gh pr merge --auto --squash "$PR_URL" |
There was a problem hiding this comment.
Addressed — --auto was already in place instead of --admin; confirmed no change needed.
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "cargo" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| open-pull-requests-limit: 10 | ||
| labels: | ||
| - "security" | ||
| - "dependencies" | ||
|
|
||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| open-pull-requests-limit: 10 | ||
| labels: | ||
| - "security" | ||
| - "dependencies" |
There was a problem hiding this comment.
PR description says this change aligns the repo to “security-only dependency updates”, but this config enables scheduled weekly version updates for cargo and GitHub Actions (not security-only) and applies a security label to all of them. If the intent is truly security-only, remove/disable scheduled version updates (or add ignore rules to exclude non-security updates) and avoid labeling non-security PRs as security.
There was a problem hiding this comment.
Addressed — open-pull-requests-limit: 0 was already set for cargo (the only app ecosystem configured). Added file-level and inline comments explaining the security-only strategy: limit 0 disables version-update PRs while Dependabot security alerts still create PRs for known vulnerabilities.
|
|
||
| jobs: | ||
| dependabot: | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
This workflow also uses ubuntu-latest, while other workflows in the repo pin runner images (e.g., ubuntu-24.04). Pinning improves reproducibility and reduces the chance of runner image changes breaking the automation.
| runs-on: ubuntu-latest | |
| runs-on: ubuntu-24.04 |
There was a problem hiding this comment.
Addressed — runs-on in dependabot-automerge.yml pinned to ubuntu-24.04.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pin all runs-on to ubuntu-24.04 for consistency with ci.yml/release.yml - Add Swatinem/rust-cache@v2 to cargo audit job - Add comments to dependabot.yml explaining the security-only strategy (open-pull-requests-limit: 0 disables version PRs while security alerts still function) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Why?
Unpatched dependencies are the most common attack vector for open-source projects. This PR establishes automated security hygiene: Dependabot monitors for known vulnerabilities, a multi-ecosystem audit workflow runs on every PR, and low-risk security patches are auto-merged to reduce maintainer toil.
Summary
.github/dependabot.ymlwith cargo and github-actions ecosystems configured for security-only updates (open-pull-requests-limit: 0disables version-update PRs while security alerts still function)dependabot-automerge.ymlworkflow to auto-approve and squash-merge patch/minor Dependabot PRs using--auto(waits for CI to pass before merging)dependency-audit.ymlworkflow with ecosystem auto-detection that runscargo audit, npm/pnpm audit, pip-audit, or govulncheck as appropriate on every push/PR to mainubuntu-24.04for reproducibilitycargo install --locked cargo-auditfor deterministic tool versionsAligns the dagger repo with the petry-projects org standard for dependency security.
Test plan
🤖 Generated with Claude Code