fix: replace standalone dependency-audit.yml with org standard thin caller stub#217
don-petry wants to merge 15 commits into
Conversation
📝 Walkthrough
The dependency-audit workflow is simplified to delegate all ecosystem detection and vulnerability scanning logic to a centralized org-level reusable workflow. The in-repo job graph (npm, pnpm, govulncheck, cargo-audit, pip-audit) is removed, replaced with a single job that calls
🚥 Pre-merge checks: 5 passed
CI is green on all primary checks. @petry-projects/org-leads — this PR is ready for review and merge. It resolves the long-standing compliance finding by replacing the out-of-date standalone
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/dependency-audit.yml:
- Around line 32-33: Update the reusable workflow reference for the
dependency-audit job so it uses the exact commit SHA instead of the floating
tag; locate the "dependency-audit" job and replace the uses:
petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
reference with the corresponding commit SHA (the one resolved via the GitHub
API, e.g., 0cb4bba11d7563bf197ad805f12fb8639e4879e4) — make this change first in
the upstream template (petry-projects/.github) and then sync the updated file
into this repository so the workflow here points to the pinned SHA.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 623a0528-780e-499d-b8d0-38650618d3cb
📒 Files selected for processing (1)
.github/workflows/dependency-audit.yml
| dependency-audit: | ||
| uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Resolve the commit SHA that the v1 tag on petry-projects/.github currently points to.
# This SHA is what the upstream template and, subsequently, this caller should use.
gh api repos/petry-projects/.github/git/refs/tags/v1 \
--jq '{tag: .ref, sha: .object.sha, type: .object.type}'
# If v1 is an annotated tag (type == "tag"), also resolve the underlying commit SHA:
gh api repos/petry-projects/.github/git/refs/tags/v1 \
--jq '.object | select(.type=="tag") | .sha' \
  | xargs -I{} gh api repos/petry-projects/.github/git/tags/{} --jq '.object.sha'
Repository: petry-projects/.github
Length of output: 154
Pin the reusable workflow reference to its commit SHA rather than the mutable v1 tag.
The uses: reference on line 33 uses @v1, a floating tag that can be silently repointed. The coding guideline requires: "SHAs for action pinning must be looked up via the GitHub API — never guessed." This applies to reusable workflow references as well.
The v1 tag currently resolves to commit 0cb4bba11d7563bf197ad805f12fb8639e4879e4. Since this file is copied verbatim from the upstream template in petry-projects/.github/standards/workflows/dependency-audit.yml, the fix should be made upstream first, then re-synced here:
Suggested fix (upstream template)
- uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
+ uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@0cb4bba11d7563bf197ad805f12fb8639e4879e4
Without this change, the compliance audit will continue to flag this file for unpinned action references, leaving Issue #106 unresolved.
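The check CodeRabbit is asking for, flagging every floating `uses:` reference in a workflow and resolving a tag to the commit SHA it should be pinned to (including the annotated-tag indirection its `gh api` script handles), as an added Python example that is neither the org's compliance tooling nor CodeRabbit's script. The sample workflow, `example-org/.github`, the `FAKE_API` table and its SHAs are constructed so the block runs offline; with a real `api_get` (for instance a thin wrapper that runs `gh api <path>` and decodes the JSON) `resolve_tag_commit` performs the same two lookups as the shell script above.

```python
"""Find floating (non-SHA) `uses:` references in a GitHub Actions workflow and
resolve a tag to the commit SHA it should be pinned to, following annotated tags."""
import re
from typing import Callable, Dict, List

# Constructed sample workflow (not this repository's real file). It mixes the
# reference styles that appear in the PR diff: a reusable workflow on a tag,
# a SHA-pinned action, an unpinned action, a local action and a docker image.
SAMPLE_WORKFLOW = """\
jobs:
  dependency-audit:
    uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

# Matches step-level (`- uses:`) and job-level (`uses:`) references, tolerating quotes
# and dropping a trailing `# v4` style comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s#'\"]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_uses(workflow_text: str) -> List[str]:
    """Every `uses:` target in file order."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def classify(ref: str) -> str:
    """'pinned' for a full 40-hex commit SHA; 'floating' for a tag, branch, short SHA
    or missing ref; 'skipped' for local paths and docker images, which are pinned
    by the repository itself or by an image digest and need a different check."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if "@" not in ref:
        return "floating"  # no ref at all resolves to the default branch on every run
    version = ref.rpartition("@")[2]
    return "pinned" if FULL_SHA_RE.match(version) else "floating"


def unpinned(workflow_text: str) -> List[str]:
    """The references a pin-compliance audit would flag."""
    return [r for r in find_uses(workflow_text) if classify(r) == "floating"]


def resolve_tag_commit(owner_repo: str, tag: str, api_get: Callable[[str], Dict]) -> str:
    """Turn `tag` into the commit SHA to pin. `api_get(path)` returns the decoded JSON
    of `GET /<path>` (what `gh api <path>` prints). A lightweight tag's ref object is
    the commit itself; an annotated tag's ref object is a tag object whose `object`
    is the commit, so one more lookup is needed before the SHA is usable."""
    obj = api_get(f"repos/{owner_repo}/git/refs/tags/{tag}")["object"]
    if obj["type"] == "tag":
        obj = api_get(f"repos/{owner_repo}/git/tags/{obj['sha']}")["object"]
    if obj["type"] != "commit" or not FULL_SHA_RE.match(obj["sha"]):
        raise ValueError(f"{tag} does not resolve to a commit: {obj}")
    return obj["sha"]


def pin(ref: str, commit_sha: str) -> str:
    """Rewrite `target@tag` as `target@<sha> # tag`; the trailing comment keeps the
    human-readable version and is what Dependabot updates alongside the SHA."""
    target, _, tag = ref.rpartition("@")
    return f"{target}@{commit_sha} # {tag}"


# Constructed stand-in for the GitHub API so the example runs offline. `example-org`
# and all SHAs are made up: v1 is an annotated tag (two hops), v2 a lightweight one.
FAKE_API: Dict[str, Dict] = {
    "repos/example-org/.github/git/refs/tags/v1": {
        "ref": "refs/tags/v1", "object": {"type": "tag", "sha": "a" * 40}},
    "repos/example-org/.github/git/tags/" + "a" * 40: {
        "object": {"type": "commit", "sha": "b" * 40}},
    "repos/example-org/.github/git/refs/tags/v2": {
        "ref": "refs/tags/v2", "object": {"type": "commit", "sha": "c" * 40}},
}


if __name__ == "__main__":
    for ref in unpinned(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
    sha = resolve_tag_commit("example-org/.github", "v1", FAKE_API.__getitem__)
    print(pin("example-org/.github/.github/workflows/dependency-audit-reusable.yml@v1", sha))
```

Rejecting short SHAs and bare refs matches the guideline quoted in the review (pins must be full commit SHAs looked up via the API, never guessed), and the reusable-workflow reference at job level is caught by the same regex as step actions, which is the point CodeRabbit makes about reusable workflows needing the same treatment.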
Pull request overview
Migrates the repository’s dependency-audit.yml from a standalone, inline implementation to the org-standard thin caller stub that delegates to the centralized reusable workflow, removing the previously unpinned third-party Rust toolchain action from this repo-level workflow.
Changes:
- Replaced the standalone multi-ecosystem audit workflow with the org-standard thin caller stub.
- Delegated execution to petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1.
| # Standard: https://github.com/petry-projects/.github/blob/main/standards/dependabot-policy.md#vulnerability-audit-ci-check | ||
| # ───────────────────────────────────────────────────────────────────────────── | ||
| # SOURCE OF TRUTH: petry-projects/.github/standards/workflows/dependency-audit.yml | ||
| # Standard: petry-projects/.github/standards/ci-standards.md#5-dependency-audit-dependency-auditym |
| jobs: | ||
| detect: | ||
| name: Detect ecosystems | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| npm: ${{ steps.check.outputs.npm }} | ||
| pnpm: ${{ steps.check.outputs.pnpm }} | ||
| gomod: ${{ steps.check.outputs.gomod }} | ||
| cargo: ${{ steps.check.outputs.cargo }} | ||
| pip: ${{ steps.check.outputs.pip }} | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
||
| - name: Detect package ecosystems | ||
| id: check | ||
| run: | | ||
| # npm — look for package-lock.json anywhere (excluding node_modules) | ||
| if find . -name 'package-lock.json' -not -path '*/node_modules/*' | grep -q .; then | ||
| echo "npm=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "npm=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| # pnpm — look for pnpm-lock.yaml anywhere | ||
| if find . -name 'pnpm-lock.yaml' -not -path '*/node_modules/*' | grep -q .; then | ||
| echo "pnpm=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "pnpm=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| # Go modules — detect via go.mod (not go.sum, which may not exist) | ||
| if find . -name 'go.mod' -not -path '*/vendor/*' | grep -q .; then | ||
| echo "gomod=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "gomod=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| # Cargo — detect via Cargo.toml anywhere (lockfile may not exist for libraries) | ||
| if find . -name 'Cargo.toml' -not -path '*/target/*' | grep -q .; then | ||
| echo "cargo=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "cargo=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| # Python — detect pyproject.toml or requirements.txt anywhere | ||
| if find . -name 'pyproject.toml' -not -path '*/.venv/*' -not -path '*/venv/*' | grep -q . || \ | ||
| find . -name 'requirements.txt' -not -path '*/.venv/*' -not -path '*/venv/*' | grep -q .; then | ||
| echo "pip=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "pip=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
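Review bot: this detect job is the only place that decides which audits run at all, and with the thin caller stub it leaves this repository, so before merging confirm that the reusable workflow keeps the same scope: the `-not -path` exclusions for `node_modules`, `vendor`, `target` and `.venv`/`venv`, `go.mod` rather than `go.sum` and `Cargo.toml` rather than `Cargo.lock` as the trigger, and the `pyproject.toml`-or-`requirements.txt` rule for Python. Any ecosystem the upstream version detects differently is silently added to or dropped from the audit with nothing in this repo's history explaining why; the PR description should state that the scope is unchanged, or say what changed.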
| audit-npm: | ||
| name: npm audit | ||
| needs: detect | ||
| if: needs.detect.outputs.npm == 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "lts/*" | ||
|
|
||
| - name: Audit npm dependencies | ||
| run: | | ||
| # Audit each package-lock.json found in the repo | ||
| status=0 | ||
| while IFS= read -r dir; do | ||
| echo "::group::npm audit $dir" | ||
| if ! (cd "$dir" && npm audit --audit-level=low); then | ||
| status=1 | ||
| fi | ||
| echo "::endgroup::" | ||
| done < <(find . -name 'package-lock.json' -not -path '*/node_modules/*' -exec dirname {} \;) | ||
| exit $status | ||
|
|
||
| audit-pnpm: | ||
| name: pnpm audit | ||
| needs: detect | ||
| if: needs.detect.outputs.pnpm == 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
||
| - uses: pnpm/action-setup@078e9d416474b29c0c387560859308974f7e9c53 # v4 | ||
|
|
||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "lts/*" | ||
|
|
||
| - name: Audit pnpm dependencies | ||
| run: | | ||
| # Audit each pnpm-lock.yaml found in the repo | ||
| status=0 | ||
| while IFS= read -r dir; do | ||
| echo "::group::pnpm audit $dir" | ||
| if ! (cd "$dir" && pnpm audit --audit-level low); then | ||
| status=1 | ||
| fi | ||
| echo "::endgroup::" | ||
| done < <(find . -name 'pnpm-lock.yaml' -not -path '*/node_modules/*' -exec dirname {} \;) | ||
| exit $status | ||
|
|
||
| audit-go: | ||
| name: govulncheck | ||
| needs: detect | ||
| if: needs.detect.outputs.gomod == 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
||
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5 | ||
| with: | ||
| go-version: "stable" | ||
|
|
||
| - name: Install govulncheck | ||
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | ||
|
|
||
| - name: Audit Go dependencies | ||
| run: | | ||
| status=0 | ||
| while IFS= read -r dir; do | ||
| echo "::group::govulncheck $dir" | ||
| if ! (cd "$dir" && govulncheck ./...); then | ||
| status=1 | ||
| fi | ||
| echo "::endgroup::" | ||
| done < <(find . -name 'go.mod' -not -path '*/vendor/*' -exec dirname {} \;) | ||
| exit $status | ||
|
|
||
| audit-cargo: | ||
| name: cargo audit | ||
| needs: detect | ||
| if: needs.detect.outputs.cargo == 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
||
| - uses: dtolnay/rust-toolchain@stable | ||
|
|
||
| - name: Install cargo-audit | ||
| run: cargo install cargo-audit@0.22.1 --locked | ||
|
|
||
| - name: Audit Cargo dependencies | ||
| run: | | ||
| # cargo audit operates on Cargo.lock at workspace root | ||
| # For workspaces, a single audit at root covers all crates | ||
| status=0 | ||
| while IFS= read -r dir; do | ||
| echo "::group::cargo audit $dir" | ||
| if ! (cd "$dir" && cargo generate-lockfile 2>/dev/null; cargo audit); then | ||
| status=1 | ||
| fi | ||
| echo "::endgroup::" | ||
| done < <(find . -name 'Cargo.toml' -not -path '*/target/*' -exec dirname {} \; | sort -u) | ||
| exit $status | ||
|
|
||
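Review bot: `cd "$dir" && cargo generate-lockfile 2>/dev/null; cargo audit` in the removed cargo job regenerates an existing Cargo.lock with the newest compatible versions before auditing, so a crate that commits its lockfile was audited against versions it never built with, and an advisory affecting the committed version could be masked by the silent upgrade; the `;` also means a failed regeneration is ignored and `cargo audit` runs anyway. The comment above the loop says a single audit at the workspace root covers all crates, yet the loop visits every Cargo.toml, so members were audited repeatedly. Since `dtolnay/rust-toolchain@stable` two steps earlier is the unpinned action this PR exists to remove, the same lockfile logic has presumably moved upstream; if so, fix it there: generate a lockfile only when none exists (`[ -f Cargo.lock ] || cargo generate-lockfile`) and audit once per lockfile, not once per manifest.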
| audit-pip: | ||
| name: pip-audit | ||
| needs: detect | ||
| if: needs.detect.outputs.pip == 'true' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
|
|
||
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | ||
| with: | ||
| python-version: "3.x" | ||
|
|
||
| - name: Install pip-audit | ||
| run: pip install pip-audit==2.9.0 | ||
|
|
||
| - name: Audit Python dependencies | ||
| run: | | ||
| status=0 | ||
| # Audit each Python project found in the repo | ||
| while IFS= read -r dir; do | ||
| echo "::group::pip-audit $dir" | ||
| if [ -f "$dir/pyproject.toml" ]; then | ||
| if ! pip-audit "$dir"; then | ||
| status=1 | ||
| fi | ||
| elif [ -f "$dir/requirements.txt" ]; then | ||
| if ! pip-audit -r "$dir/requirements.txt"; then | ||
| status=1 | ||
| fi | ||
| fi | ||
| echo "::endgroup::" | ||
| done < <( | ||
| { | ||
| find . -name 'pyproject.toml' -not -path '*/.venv/*' -not -path '*/venv/*' -exec dirname {} \; | ||
| find . -name 'requirements.txt' -not -path '*/.venv/*' -not -path '*/venv/*' -exec dirname {} \; | ||
| } | sort -u | ||
| ) | ||
| exit $status | ||
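Review bot: `pip-audit -r "$dir/requirements.txt"` and `pip-audit "$dir"` resolve the dependency set in a temporary environment, so for an unpinned requirements.txt the result reflects whatever resolves on the runner that day rather than what is deployed, and the resolution step installs packages from the index inside CI. Worth confirming that the reusable workflow this repo now delegates to passes `--require-hashes` (or at least audits pinned requirements) where the project provides them; the same applies to `pip install pip-audit==2.9.0`, which pins a version but not a hash.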
| dependency-audit: | ||
| uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1 |
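Review bot: the `uses: …@v1` in the new stub is the floating tag CodeRabbit flagged; pin it to the full commit SHA with the tag kept as a trailing comment (`@<sha> # v1`) so Dependabot can still bump it, and, because the SOURCE OF TRUTH header says this file is synced from the upstream template, change the template first or the next sync reverts the pin. The two visible lines also show no `permissions:` on the job: a called reusable workflow runs with whatever token permissions the caller passes and can only reduce them, so if the full stub sets nothing the audits run with the repository's default `GITHUB_TOKEN` permissions; `permissions: contents: read` on the job is enough for read-only audits.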
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
e197456 to f2da3f4
Review — fix requested (cycle 1/3)
The automated review identified the following issues. Please address each one:
Findings to fix
[Findings would be inserted here]
Additional tasks
The review cascade will automatically re-review after new commits are pushed. |
Auto-rebase failed — merge conflict — this branch has conflicts with Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
…aller stub Replaces the standalone workflow (which contained the unpinned dtolnay/rust-toolchain@stable action) with the org-standard thin caller stub that delegates to the centrally-maintained reusable workflow. The reusable workflow uses rustup directly, removing the third-party action entirely. Closes #106 Rebased onto main by claude[bot] (auto-rebase). Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
1ecc69b to 7dd04ca
Auto-rebase complete ✓
The PR branch has been successfully rebased onto `main`.
Conflict resolution
File: `.github/workflows/dependency-audit.yml`
Resolution: Kept the PR branch version (thin caller stub). The only difference between main and the PR's base was a SHA pin for `dtolnay/rust-toolchain@stable` → `@29eef336...`. Since the PR replaces the entire standalone workflow with the org-standard thin stub (which delegates all logic — including Rust toolchain setup — to the centrally-maintained reusable), the standalone workflow's pin update is superseded by the PR's change. This falls under the action-pin conflict resolution rule: the PR's approach is the correct one per org standards.
New HEAD
Parent: `761dd4a` (current `main` tip — fix: disable check-suite auto-trigger for Claude and CodeRabbit on .github (#275))
Dev-Lead Fix CI — failedPR: #217 | SHA: |
Dev-Lead Fix CI — failedPR: #217 | SHA: |
Dev-Lead Fix CI — exhaustedThis PR has had 2 consecutive engine failures (timeouts or errors). Automated CI fixing has been paused to avoid consuming further tokens. Reason for last failure: Engine invocation failed (exit 1) To re-enable, delete this comment or push a new commit with a substantially different change. |
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
@dev-lead - please fix this PR |
Summary
- dependency-audit.yml workflow (which contained the unpinned dtolnay/rust-toolchain@stable action) with the org-standard thin caller stub
- dependency-audit-reusable.yml, which uses rustup directly — eliminating the third-party action and its pinning violation
- standards/workflows/dependency-audit.yml per the AGENTS.md standard
Root cause
The standalone workflow was out of sync with the org standard. The reusable workflow was already updated to use rustup directly (no third-party action), but the caller was never migrated from the old standalone form to the thin caller stub.
Test plan
- dependency-audit.yml for unpinned actions
Closes #106
Generated with Claude Code