Skip to content

chore: add Dependabot configuration and critical-vuln gate#38

Merged
MusaMisto merged 1 commit into
mainfrom
add-dependabot-config
Jul 13, 2026
Merged

chore: add Dependabot configuration and critical-vuln gate#38
MusaMisto merged 1 commit into
mainfrom
add-dependabot-config

Conversation

@MusaMisto

Copy link
Copy Markdown
Member

Adds .github/dependabot.yml (category: nuget-api, target-branch: main), .github/workflows/critical-vuln-check.yml, and .github/workflows/dependabot-auto-merge.yml as part of the org-wide Dependabot rollout.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary

  • Added weekly Dependabot updates for NuGet packages and GitHub Actions, with grouped minor/patch updates, labels, and PR limits.
  • Added critical-vulnerability gating for pull requests targeting main and develop.
  • Added automatic Dependabot squash merges for eligible patch updates after the vulnerability gate passes.

Risk: risk:medium

Security-sensitive areas

  • GitHub Actions workflow permissions and reusable workflow invocation.
  • Dependabot token handling and security-event access.
  • Automated dependency merging, limited to Dependabot-authored PRs and approved ecosystems/patch updates.

Test coverage impact

  • No application or automated test coverage changes. Validation is limited to workflow execution and Dependabot behavior.

Operational concerns

  • External reusable workflows and the dependabot-alerts-token secret must remain available and trusted.
  • Auto-merge can introduce dependency changes without manual review when the vulnerability gate succeeds.
  • Rollback consists of disabling the workflows, removing the Dependabot configuration, or reverting individual dependency PRs; no migration is required.

Walkthrough

Changes

Security Automation

Layer / File(s) Summary
Dependabot update configuration
.github/dependabot.yml
Configures weekly NuGet and GitHub Actions updates with grouped minor/patch updates, labels, target branch settings, and pull request limits.
Pull request vulnerability gate
.github/workflows/critical-vuln-check.yml
Runs on pull requests targeting main or develop and delegates critical vulnerability enforcement to a reusable workflow.
Vulnerability-gated patch auto-merge
.github/workflows/dependabot-auto-merge.yml
Restricts automatic squash merges to eligible Dependabot semver patch updates in supported ecosystems after the vulnerability gate completes.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested labels: infra, security, risk:high

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: Dependabot config plus a critical vulnerability gate and related workflows.
Description check ✅ Passed The description is directly aligned with the added Dependabot config and workflows in this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/critical-vuln-check.yml:
- Line 36: Pin the reusable workflow reference to an immutable commit SHA
instead of the mutable `@main` ref. Update
.github/workflows/critical-vuln-check.yml:36 and
.github/workflows/dependabot-auto-merge.yml:35 to use the same verified SHA for
simplify9/.github/.github/workflows/critical-vuln-gate.yml.
- Around line 31-32: Remove the contents: write permission from the workflow
permissions block, retaining only security-events: read for the Dependabot alert
check and reusable action.

In @.github/workflows/dependabot-auto-merge.yml:
- Around line 23-25: Add a concurrency configuration to the workflow containing
the pull_request trigger, using a group keyed to the workflow and pull request
identity and enabling cancellation of in-progress runs so newer Dependabot
updates supersede older runs.
- Line 47: Pin the dependabot/fetch-metadata action in the workflow to a full
commit SHA instead of the mutable v2 tag, while preserving the existing action
version and permissions configuration.
- Around line 58-61: Replace the inline GitHub Actions expression for
steps.metadata.outputs.package-ecosystem in the run block with a job-step
environment variable, then reference that variable in the notice command
alongside PR_URL. Keep the existing auto-merge command and behavior unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: simplify9/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4fe8abdb-3800-42fa-ae13-4b7a8c8311e8

📥 Commits

Reviewing files that changed from the base of the PR and between b9cd6df and f151478.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/critical-vuln-check.yml
  • .github/workflows/dependabot-auto-merge.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**

⚙️ CodeRabbit configuration file

.github/workflows/**: Treat GitHub Actions changes as supply-chain sensitive.

Check for:

  • Overbroad permissions
  • Missing explicit permissions blocks
  • Unpinned third-party actions
  • Unsafe pull_request_target usage
  • Secret exposure
  • Shell injection risks
  • Untrusted input used in scripts
  • Dangerous artifact upload/download behavior
  • Missing least-privilege permissions

Files:

  • .github/workflows/dependabot-auto-merge.yml
  • .github/workflows/critical-vuln-check.yml
🪛 zizmor (1.26.1)
.github/workflows/dependabot-auto-merge.yml

[error] 28-28: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)


[error] 29-29: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[info] 60-60: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 35-35: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 47-47: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 28-28: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[error] 41-41: spoofable bot actor check (bot-conditions): actor context may be spoofable

(bot-conditions)


[info] 39-39: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 23-25: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

.github/workflows/critical-vuln-check.yml

[error] 31-31: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 31-31: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🔇 Additional comments (1)
.github/dependabot.yml (1)

1-36: LGTM!

Comment on lines +31 to +32
contents: write
security-events: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Inspect the reusable workflow to verify its actual permission requirements.
# Fetch the critical-vuln-gate.yml workflow file from simplify9/.github

gh api repos/simplify9/.github/contents/.github/workflows/critical-vuln-gate.yml \
  --jq '.content' | base64 -d | grep -A5 'permissions:'

Repository: simplify9/SW-CloudFiles

Length of output: 443


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the reusable action invoked by the workflow to see which permissions it actually needs.
gh api repos/simplify9/.github/contents/.github/actions/check-critical-vulns/action.yml --jq '.content' | base64 -d

printf '\n---\n'

# If the action is implemented via script, inspect the script entrypoint too.
gh api repos/simplify9/.github/contents/.github/actions/check-critical-vulns --jq '.[] | .path' | sed -n '1,20p'

Repository: simplify9/SW-CloudFiles

Length of output: 10844


Drop contents: write here — this gate only queries Dependabot alerts and the reusable action takes a PAT/App token, so repository write access is unused. Narrow the job to the minimum scope needed.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 31-31: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[warning] 31-31: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/critical-vuln-check.yml around lines 31 - 32, Remove the
contents: write permission from the workflow permissions block, retaining only
security-events: read for the Dependabot alert check and reusable action.

Source: Path instructions


jobs:
vuln-gate:
uses: simplify9/.github/.github/workflows/critical-vuln-gate.yml@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Unpinned reusable workflow simplify9/.github/.github/workflows/critical-vuln-gate.yml@main — supply-chain risk.

Both workflows reference the same reusable workflow via a mutable @main branch ref. If simplify9/.github's main branch is compromised, arbitrary code executes with contents: write and security-events: read in every consuming repo. Pin to a commit SHA in both files.

  • .github/workflows/critical-vuln-check.yml#L36-L36: Replace @main with a pinned commit SHA.
  • .github/workflows/dependabot-auto-merge.yml#L35-L35: Replace @main with the same pinned commit SHA.
🧰 Tools
🪛 zizmor (1.26.1)

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

📍 Affects 2 files
  • .github/workflows/critical-vuln-check.yml#L36-L36 (this comment)
  • .github/workflows/dependabot-auto-merge.yml#L35-L35
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/critical-vuln-check.yml at line 36, Pin the reusable
workflow reference to an immutable commit SHA instead of the mutable `@main` ref.
Update .github/workflows/critical-vuln-check.yml:36 and
.github/workflows/dependabot-auto-merge.yml:35 to use the same verified SHA for
simplify9/.github/.github/workflows/critical-vuln-gate.yml.

Sources: Path instructions, Linters/SAST tools

Comment on lines +23 to +25
on:
pull_request:
branches: [main, develop]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🔵 Trivial

Missing concurrency control allows redundant runs.

Multiple pushes to the same Dependabot PR trigger parallel workflow runs. Adding a concurrency group cancels superseded runs and saves CI minutes.

♻️ Proposed fix
 on:
   pull_request:
     branches: [main, develop]

+concurrency:
+  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 permissions:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
pull_request:
branches: [main, develop]
on:
pull_request:
branches: [main, develop]
concurrency:
group: dependabot-auto-merge-${{ github.event.pull_request.number }}
cancel-in-progress: true
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 23-25: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml around lines 23 - 25, Add a
concurrency configuration to the workflow containing the pull_request trigger,
using a group keyed to the workflow and pull request identity and enabling
cancellation of in-progress runs so newer Dependabot updates supersede older
runs.

Source: Linters/SAST tools

steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial

dependabot/fetch-metadata@v2 pinned to tag, not SHA.

While this is a first-party GitHub action, SHA pinning is recommended for security-sensitive workflows. A compromised tag would execute with pull-requests: write and contents: write in this repo's context.

🔒 Proposed fix
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@<full-commit-sha>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: dependabot/fetch-metadata@v2
uses: dependabot/fetch-metadata@<full-commit-sha>
🧰 Tools
🪛 zizmor (1.26.1)

[error] 47-47: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml at line 47, Pin the
dependabot/fetch-metadata action in the workflow to a full commit SHA instead of
the mutable v2 tag, while preserving the existing action version and permissions
configuration.

Source: Linters/SAST tools

Comment on lines +58 to +61
run: |
set -euo pipefail
echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${{ steps.metadata.outputs.package-ecosystem }} bump, vuln gate passed"
gh pr merge --auto --squash "$PR_URL"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Template injection in echo via inline expansion.

${{ steps.metadata.outputs.package-ecosystem }} is expanded directly into the run block. While the value is Dependabot-controlled and the job is gated on dependabot[bot] actor, use an environment variable for defense-in-depth — PR_URL is already passed this way.

As per path instructions, GitHub Actions changes should be checked for shell injection risks and untrusted input used in scripts.

🛡️ Proposed fix
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
+          PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
         run: |
           set -euo pipefail
-          echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${{ steps.metadata.outputs.package-ecosystem }} bump, vuln gate passed"
+          echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${PACKAGE_ECOSYSTEM} bump, vuln gate passed"
           gh pr merge --auto --squash "$PR_URL"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
run: |
set -euo pipefail
echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${{ steps.metadata.outputs.package-ecosystem }} bump, vuln gate passed"
gh pr merge --auto --squash "$PR_URL"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_URL: ${{ github.event.pull_request.html_url }}
PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
run: |
set -euo pipefail
echo "::notice title=🤖 [AUTO-MERGE] Enabling auto-merge::${PR_URL} — patch-level ${PACKAGE_ECOSYSTEM} bump, vuln gate passed"
gh pr merge --auto --squash "$PR_URL"
🧰 Tools
🪛 zizmor (1.26.1)

[info] 60-60: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml around lines 58 - 61, Replace
the inline GitHub Actions expression for
steps.metadata.outputs.package-ecosystem in the run block with a job-step
environment variable, then reference that variable in the notice command
alongside PR_URL. Keep the existing auto-merge command and behavior unchanged.

Sources: Path instructions, Linters/SAST tools

@MusaMisto
MusaMisto merged commit 8de7516 into main Jul 13, 2026
5 checks passed
@MusaMisto
MusaMisto deleted the add-dependabot-config branch July 13, 2026 14:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant