
Test vet 2 #2481

Draft

carneiro-cw wants to merge 6 commits into main from test_vet_2

Conversation

@carneiro-cw
Contributor

@carneiro-cw carneiro-cw commented Mar 24, 2026

PR Type

Enhancement


Description

  • Add auto-vet patch generation and metadata export

  • Upload patch artifact with configurable retention

  • Update PR comment with patch instructions

  • Remove direct automated commit step

  • Clean up legacy audit entries in audits.toml


Diagram Walkthrough

flowchart LR
  A["Dependabot auto-vet workflow"] --> B["Check supply-chain diffs"]
  B -- "changes found" --> C["Generate auto-vet patch"]
  C --> D["Upload patch artifact"]
  D --> E["Update PR comment with patch info"]
  B -- "no changes" --> E

File Walkthrough

Relevant files

Enhancement

.github/workflows/dependabot-auto-vet.yml (+116/-31)
Enhance auto-vet workflow with patch publication

  • Added RETENTION_DAYS environment variable
  • Removed automated commit & push steps
  • Introduced patch generation (git diff --patch)
  • Added artifact upload with retention-days
  • Updated PR comment logic and failure gate

Configuration changes

supply-chain/audits.toml (+0/-19)
Cleanup audit entries in audits.toml

  • Removed legacy audits.alloy-consensus entries
  • Retained only audits.alloy-consensus-any block

@github-actions
Contributor

github-actions bot commented Mar 24, 2026

PR Reviewer Guide 🔍

(Review updated until commit 0f99db2)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Missing artifact outputs

The upload-artifact step (actions/upload-artifact@v4.6.2) does not actually emit artifact-id or artifact-url outputs, so the subsequent Expose patch outputs step will always produce empty artifact_id and artifact_url. This means the generated PR comment won’t contain valid download links. You may need to call the GitHub REST API (e.g. list-artifacts) or switch to an action that exposes these fields.

- name: Expose patch outputs
  id: patch_meta
  if: always()
  run: |
    set -euo pipefail

    generated="${{ steps.patch.outputs.has_patch || 'false' }}"
    uploaded="false"
    if [ "${{ steps.upload_patch.outcome || 'skipped' }}" = "success" ]; then
      uploaded="true"
    fi

    echo "generated=$generated" >> "$GITHUB_OUTPUT"
    echo "uploaded=$uploaded" >> "$GITHUB_OUTPUT"
    echo "artifact_name=dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number || 'manual' }}" >> "$GITHUB_OUTPUT"
    echo "artifact_id=${{ steps.upload_patch.outputs.artifact-id || '' }}" >> "$GITHUB_OUTPUT"
    echo "artifact_url=${{ steps.upload_patch.outputs.artifact-url || '' }}" >> "$GITHUB_OUTPUT"
    echo "run_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> "$GITHUB_OUTPUT"

@github-actions
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Allow patch generation on diffs

Prevent the script from exiting under set -e when git diff returns exit code 1
(which indicates differences rather than an error). Append || true or temporarily
disable errexit around the diff command so the patch is still written.

.github/workflows/dependabot-auto-vet.yml [388]

-git diff --binary --patch -- supply-chain > "$patch_path"
+git diff --binary --patch -- supply-chain > "$patch_path" || true
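Review bot: the `|| true` is unnecessary here and would mask real failures. `git diff` only uses exit status 1 to signal differences when it is run with `--exit-code` (or `--quiet`); the command shown has neither, so it exits 0 whether or not `supply-chain` has changed, and `set -e` does not abort patch creation. With `|| true` appended, a genuine error (a bad pathspec, a failed write to `$patch_path`) would be swallowed and an empty or truncated patch would go on to be uploaded as if valid. If the step needs to know whether there is anything to upload, test the written file afterwards, e.g. `[ -s "$patch_path" ]`, rather than relying on the diff's exit status.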
Suggestion importance [1-10]: 9

Why: The git diff command under set -e will exit with code 1 when differences exist, preventing patch creation; appending || true fixes this critical flow.

Impact: High
Fix output default fallback

The GitHub Actions expression syntax ${{ ... || 'false' }} is not supported. Capture
the raw output and apply a shell fallback with parameter expansion to default to
"false".

.github/workflows/dependabot-auto-vet.yml [416]

-generated="${{ steps.patch.outputs.has_patch || 'false' }}"
+generated="${{ steps.patch.outputs.has_patch }}"
+generated="${generated:-false}"
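Review bot: the premise of this suggestion is wrong. GitHub Actions expression syntax does support the `||` operator, and `${{ steps.patch.outputs.has_patch || 'false' }}` already yields `'false'` when the step output is empty or unset. The two-line shell fallback is harmless but redundant; if it is adopted anyway, the `generated="${generated:-false}"` line is the one doing the work, so the expression on the first line can stay as it is or drop its default, but not both defaults are needed. Either way `generated` is a string, and the comparison style used for `uploaded` in the same step (quoting and testing against a literal) is the one to keep.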
Suggestion importance [1-10]: 8

Why: GitHub Actions does not support || in expressions, so using a shell fallback ensures generated defaults to "false" reliably.

Impact: Medium

@codecov

codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.31%. Comparing base (e8889d5) to head (0f99db2).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2481      +/-   ##
==========================================
+ Coverage   84.26%   84.31%   +0.04%     
==========================================
  Files         141      141              
  Lines       10826    10826              
==========================================
+ Hits         9123     9128       +5     
+ Misses       1703     1698       -5     
Flag Coverage Δ
contracts-rocks-asset-transit-desk 43.59% <ø> (+0.02%) ⬆️
contracts-rocks-balance-freezer 42.66% <ø> (ø)
contracts-rocks-balance-tracker 42.99% <ø> (-0.03%) ⬇️
contracts-rocks-base 43.56% <ø> (ø)
contracts-rocks-blueprint 43.91% <ø> (ø)
contracts-rocks-capybara-finance 44.24% <ø> (ø)
contracts-rocks-capybara-finance-v2 44.30% <ø> (ø)
contracts-rocks-card-payment-processor 44.01% <ø> (ø)
contracts-rocks-card-payment-processor-v2 44.30% <ø> (-0.05%) ⬇️
contracts-rocks-cashier 43.91% <ø> (ø)
contracts-rocks-credit-agent 43.23% <ø> (+0.02%) ⬆️
contracts-rocks-multisig 43.90% <ø> (ø)
contracts-rocks-net-yield-distributor 43.93% <ø> (+0.02%) ⬆️
contracts-rocks-periphery 42.66% <ø> (ø)
contracts-rocks-shared-wallet-controller 43.94% <ø> (ø)
contracts-rocks-token 44.01% <ø> (ø)
contracts-rocks-treasury 43.63% <ø> (ø)
e2e-admin-password 22.79% <ø> (-0.02%) ⬇️
e2e-clock-stratus 25.65% <ø> (ø)
e2e-genesis 27.18% <ø> (ø)
e2e-importer-offline 60.09% <ø> (+0.20%) ⬆️
e2e-rpc-downloader 55.08% <ø> (+0.19%) ⬆️
e2e-stratus 57.52% <ø> (+0.01%) ⬆️
leader-follower- 61.62% <ø> (+0.04%) ⬆️
rust-tests 31.98% <ø> (+0.02%) ⬆️


@dcfreire

/review

@dcfreire

/describe

@github-actions
Contributor

Persistent review updated to latest commit 0f99db2

@github-actions
Contributor

PR Description updated to latest commit (0f99db2)

@dcfreire

/review

@github-actions
Contributor

github-actions bot commented Apr 8, 2026

🧾 cargo-vet automated audit summary

CI did not commit anything. Review the patch locally and create the final signed commit yourself.

Apply the patch locally

The patch artifact is attached to this workflow run as a zip archive. Download it, extract auto-vet.patch, review the result, then create your signed commit.

Preferred: GitHub CLI

git checkout <pr-branch>
gh run download 24113828559 -n dependabot-auto-vet-patch-pr-2481
git apply --index auto-vet.patch
git status
git commit -S -m "chore(vet): apply automated audits"
git push

Fallback: direct artifact download

git checkout <pr-branch>
curl -L \
  -H "Authorization: Bearer <github-token>" \
  -o auto-vet-artifact.zip \
  https://github.com/cloudwalk/stratus/actions/runs/24113828559/artifacts/6319082593
unzip -p auto-vet-artifact.zip vet/auto-vet.patch > auto-vet.patch
git apply --index auto-vet.patch
git status
git commit -S -m "chore(vet): apply automated audits"
git push

✅ Auto-certified

  • alloy-consensus 1.1.0 — Reviewed added transaction helpers, trait refactors, and serde adjustments; no new unsafe code, build-time execution, or ambient capability access introduced in the diff.
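The comment above hands a CI-built artifact to a developer who then runs `git apply --index` and signs the result. The one check a practitioner would want before that `git apply` is that the patch touches nothing but the vet metadata, so a tampered or mis-generated artifact cannot smuggle a change into a workflow file or source tree under a signed commit. The script below is an added example, not part of the project's workflow or of the bot's comment. It assumes the patch may only touch `supply-chain/` (taken from the `git diff --binary --patch -- supply-chain` command quoted in the suggestions above), uses two constructed sample patches, and the `ci@example.invalid` identity in them is made up. `patch_in_scope` parses the `diff --git` headers without needing git at all; `apply_vet_patch` then runs `git apply --check` before `git apply --index`, leaving the change staged for the developer's own `git commit -S`.

```shell
#!/bin/sh
# Added example (not project code): guard a CI-produced auto-vet.patch so it can
# only modify files under the allowed prefix, then stage it for a signed commit.
set -eu

ALLOWED_PREFIX="supply-chain/"   # assumption: the only directory the vet patch may touch

# Print every path named in `diff --git a/X b/Y` headers, one per line, with the
# a/ and b/ prefixes stripped. Both sides are printed so a rename whose target
# lies outside the allowed directory is caught too. Paths git had to quote
# (spaces, control characters) keep their leading quote and so fail the prefix
# check below, which is the safe direction for an automated vet patch.
patch_paths() {
    awk '/^diff --git / {
        sub(/^diff --git /, "")
        n = index($0, " b/")
        a = substr($0, 1, n - 1); b = substr($0, n + 1)
        sub(/^a\//, "", a); sub(/^b\//, "", b)
        print a; print b
    }' "$1"
}

# Exit 0 only if the patch names at least one file and every path starts with
# ALLOWED_PREFIX; otherwise report the offending path on stderr and exit 1.
patch_in_scope() {
    count=0
    for p in $(patch_paths "$1"); do
        count=$((count + 1))
        case "$p" in
            "$ALLOWED_PREFIX"*) ;;
            *) echo "out-of-scope path in patch: $p" >&2; return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# Scope check, dry run, then stage. Run from the repository root on the PR
# branch; --check fails on context mismatch before anything is written, and
# --index leaves the result staged so the developer makes the signed commit.
apply_vet_patch() {
    patch_in_scope "$1"
    git apply --check "$1"
    git apply --index "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample: the shape of hunk cargo vet writes into audits.toml.
cat > "$workdir/good.patch" <<'EOF'
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -1 +1,6 @@
 [audits]
+
+[[audits.alloy-consensus]]
+who = "ci <ci@example.invalid>"
+criteria = "safe-to-deploy"
+version = "1.1.0"
EOF

# Constructed sample: the same audit plus a second file outside supply-chain/.
cat > "$workdir/bad.patch" <<'EOF'
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -1 +1,2 @@
 [audits]
+# comment
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1 +1 @@
-      run: cargo test
+      run: cargo test --release
EOF

if patch_in_scope "$workdir/good.patch"; then echo "good.patch: in scope"; fi
if ! patch_in_scope "$workdir/bad.patch"; then echo "bad.patch: rejected"; fi

# With git available, show the full staging step against a scratch repository
# whose audits.toml matches the sample hunk's context (skipped if git is absent).
if command -v git >/dev/null 2>&1; then
    repo="$workdir/repo"
    git init -q "$repo"
    mkdir -p "$repo/supply-chain"
    printf '[audits]\n' > "$repo/supply-chain/audits.toml"
    (
        cd "$repo"
        git add -A
        git -c user.name=demo -c user.email=demo@example.invalid commit -qm init
        apply_vet_patch "$workdir/good.patch"
        git diff --cached --stat
    )
fi
```

The prefix check is deliberately done on the patch text rather than on `git apply --numstat` output so that it runs before any git machinery sees the file and does not depend on the developer's repository state; with `--binary` patches the `diff --git` headers are still present, so binary hunks are covered by the same check. Rejecting quoted paths outright is a conservative choice: the vet metadata files never need such names, and an unexpected one is more likely a problem than a legitimate rename.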
