
chore: remove dependabot-dedupe workflow#167

Merged
layershifter merged 2 commits into microsoft:main from
layershifter:chore/harden-dependabot-dedupe
May 7, 2026

Conversation

@layershifter
Member

@layershifter layershifter commented May 6, 2026

Summary

Removes .github/workflows/dependabot-dedupe.yml. The workflow used a pull_request_target + checkout(head_ref) + push pattern that CodeQL flags with 3 critical actions/untrusted-checkout/critical alerts.

🤖 Generated with Claude Code

@layershifter layershifter requested review from a team and mshoho as code owners May 6, 2026 19:12
@github-actions

github-actions Bot commented May 6, 2026

📊 Bundle size report

✅ No changes found

@layershifter layershifter force-pushed the chore/harden-dependabot-dedupe branch from 94e25ed to 60796f4 on May 6, 2026 19:19
@layershifter layershifter changed the title chore: harden dependabot-dedupe with split-job artifact pattern chore: split dependabot-dedupe into build + workflow_run push May 6, 2026
The workflow used a pull_request_target + checkout(head_ref) +
push pattern that CodeQL flags with three critical
actions/untrusted-checkout alerts. After weighing the trade-offs
between hardening the workflow and removing it, removal wins:

- The workflow's job (auto-rewriting yarn.lock when dependabot's
  install left duplicate entries) only fires on the subset of
  dependabot PRs that touch deps with overlapping resolution paths,
  which is rare.
- ci.yml already runs `yarn dedupe --check` on every PR, so any
  un-deduped lockfile blocks merge — the difference is whether a
  workflow auto-fixes it or a maintainer pushes one commit.
- Forcing a maintainer to touch the rare dependabot PR that needs
  dedupe is a feature on a security-sensitive library: the PR gets
  human eyes before merging.

The hardened single-job and two-workflow alternatives were drafted
and reviewed; neither was worth the maintenance + security review
overhead for the volume of PRs this would actually affect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
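The pattern the commit message describes (a pull_request_target trigger, a checkout of the PR head, then a push) can be spotted before CodeQL runs. The following heuristic scanner is an added example, not code from this PR or the repository; the two sample workflows are constructed to have the shape of the removed file, not its actual contents, and the line-based matching is a deliberate simplification that avoids a YAML dependency.

```python
"""Heuristic check for the pull_request_target + untrusted checkout + push
pattern.  Added example, not from the PR; line-based, so no YAML library."""
import re
from pathlib import Path

# Constructed sample in the shape of the removed workflow (not the real file):
# privileged trigger, checkout of the PR head ref, push back to the branch.
RISKY_WORKFLOW = """\
name: dedupe
on:
  pull_request_target:
    branches: [main]
jobs:
  dedupe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: yarn dedupe
      - run: git push
"""
# Same steps on a plain pull_request trigger: fork PRs get a read-only token
# and no secrets, so code from the PR cannot push with repo credentials.
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target:", "pull_request:")

# Expressions that resolve to the PR author's commit, i.e. untrusted code.
UNTRUSTED_REF = re.compile(r"github\.(event\.pull_request\.head\.(ref|sha)|head_ref)")
PUSH_STEP = re.compile(r"^\s*-?\s*run:.*\bgit push\b", re.M)

def scan_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means clean."""
    findings = []
    privileged = "pull_request_target" in text
    untrusted = UNTRUSTED_REF.search(text) is not None
    if privileged and untrusted:
        findings.append("pull_request_target job checks out PR head (untrusted code)")
        if PUSH_STEP.search(text):
            findings.append("and pushes with the privileged GITHUB_TOKEN")
    return findings

def scan_directory(workflows: Path) -> dict[str, list[str]]:
    """Scan every workflow file in a .github/workflows directory, keyed by name."""
    results = {}
    for path in sorted(workflows.glob("*.y*ml")):
        hits = scan_workflow(path.read_text())
        if hits:
            results[path.name] = hits
    return results
```

Run `scan_directory(Path(".github/workflows"))` in a checkout to list the files that combine the three ingredients; a hit on the first finding alone already means untrusted code runs with a write-capable token.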
@layershifter layershifter force-pushed the chore/harden-dependabot-dedupe branch from 60796f4 to daadff5 on May 6, 2026 19:22
@layershifter layershifter changed the title chore: split dependabot-dedupe into build + workflow_run push chore: remove dependabot-dedupe workflow May 6, 2026
@layershifter layershifter enabled auto-merge (squash) May 6, 2026 19:25
@layershifter layershifter merged commit bae4f36 into microsoft:main May 7, 2026
4 checks passed
@layershifter layershifter deleted the chore/harden-dependabot-dedupe branch May 7, 2026 07:20