The validate-dependabot-yml pre-commit hook (powered by @bugron/validate-dependabot-yaml) fetches the JSON schema from https://json.schemastore.org/dependabot-2.0.json on every run. When the TLS handshake to schemastore.org is reset mid-connection, the whole pre-commit job fails with ECONNRESET, even though .github/dependabot.yml itself is valid.
This is a transient infrastructure failure that has nothing to do with the PR being checked, so it shows up as a flaky red on otherwise green CI runs.
Proposed fix
Replace the live-fetch validator with python-jsonschema/check-jsonschema's check-dependabot hook, which ships the schema bundled with the package — fully offline, no network at runtime, no flakes:
```yaml
  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.30.0
    hooks:
      - id: check-dependabot
        name: validate dependabot.yml
        files: ^\.github/dependabot\.yml$
```
This is a drop-in replacement: same coverage (validates .github/dependabot.yml against the dependabot v2 schema), same trigger pattern, but no outbound HTTP from the hook.
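To make the "no network at runtime" property concrete, here is an added stdlib-only stand-in (not check-jsonschema's code, nor this repository's) that checks a parsed dependabot.yml mapping against the required-field subset of the Dependabot v2 schema with every rule living in the module, so validation can never fail on a socket error. The rule set is assumed to be a subset of the real schema, and the sample configs are constructed.

```python
"""Offline dependabot.yml structure check (added example, stdlib only).

Mirrors the property that matters for CI: the rules are bundled, so the
check cannot hit ECONNRESET. Only the required-field subset of the
Dependabot v2 schema is encoded here; the real schema covers far more keys.
The input is the already-parsed mapping, as a YAML loader would return it.
"""
# Assumed subset of the schema; the real schema allows more intervals.
ALLOWED_INTERVALS = {"daily", "weekly", "monthly"}
REQUIRED_UPDATE_KEYS = ("package-ecosystem", "directory", "schedule")


def validate_dependabot(config: dict) -> list[str]:
    """Return a list of violations; an empty list means the config passes."""
    errors = []
    if config.get("version") != 2:
        errors.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return errors + ["updates must be a non-empty list"]
    for i, upd in enumerate(updates):
        if not isinstance(upd, dict):
            errors.append(f"updates[{i}] must be a mapping")
            continue
        for key in REQUIRED_UPDATE_KEYS:
            if key not in upd:
                errors.append(f"updates[{i}] missing required key {key!r}")
        sched = upd.get("schedule")
        if isinstance(sched, dict):
            if sched.get("interval") not in ALLOWED_INTERVALS:
                errors.append(f"updates[{i}].schedule.interval must be one of "
                              f"{sorted(ALLOWED_INTERVALS)}")
        elif "schedule" in upd:
            errors.append(f"updates[{i}].schedule must be a mapping")
    return errors


# Constructed sample inputs, not taken from any real repository.
VALID = {"version": 2, "updates": [{"package-ecosystem": "npm", "directory": "/",
                                    "schedule": {"interval": "weekly"}}]}
INVALID = {"version": 1, "updates": [{"package-ecosystem": "npm",
                                      "schedule": {"interval": "hourly"}}]}

if __name__ == "__main__":
    for name, cfg in (("valid", VALID), ("invalid", INVALID)):
        print(name, validate_dependabot(cfg) or "OK")
```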