chore(ci): expand Dependabot coverage + CodeQL actions + deps refresh#203
Merged
potiuk merged 2 commits intoMay 17, 2026
Merged
Conversation
… analyzer
Two related CI-surface changes:
1. Dependabot expansion. Previously only github-actions, pre-commit,
and two of the eight uv-managed projects had Dependabot
coverage; the remaining six were drifting silently. The config
now tracks every uv project under the repo with the same 7-day
cooldown applied across all four semver buckets that the
existing entries use. Coverage added:
- / (root — currently just `prek` as a dev dep, but the
pyproject.toml is a uv-managed project so it belongs here)
- /tools/skill-validator
- /tools/skill-evals (seeded a uv.lock so Dependabot's uv
ecosystem can resolve it; previously stdlib-only at runtime
with `pytest` + `ruff` dev deps only, hence no lock had been
committed)
- /tools/sandbox-lint
- /tools/vulnogram/oauth-api
- /tools/privacy-llm/redactor
- /tools/privacy-llm/checker
Each new entry mirrors the existing pattern: weekly schedule,
one group catching all packages in that directory, 7-day
cooldown for default/major/minor/patch. A header comment was
added explaining the cooldown rationale and its alignment with
`[tool.uv] exclude-newer = "7 days"` in the root pyproject and
the `exclude-newer-span = "P7D"` baked into every tool's
uv.lock.
2. CodeQL Actions analyzer. The workflow previously only scanned
`python`. The CodeQL ecosystem added a dedicated `actions`
language for analysing GitHub Actions workflow YAML — it
performs deeper data-flow analysis (taint flows from untrusted
PR titles / fork inputs to privileged sinks) than the
lint-style ruleset `zizmor.yml` already runs. The analyser now
runs both via a `language: [python, actions]` matrix; the job
name becomes "Analyze (python)" / "Analyze (actions)" with
separate result categories. zizmor stays as-is; the two are
complementary, not redundant.
Note for the branch-protection rule on `main`: the job is no
longer named `Analyze Python` — required-status-check rules
referencing the old name will need to be updated to the new
matrix-suffixed names, or migrated to reference the workflow
instead.
Generated-by: Claude Code (Opus 4.7)
Refreshes every uv.lock and pre-commit hook to the current upstream versions, picked up through the same 7-day cooldown window applied to the Dependabot config (resolution respects `exclude-newer-span = "P7D"` baked into each uv.lock and the `[tool.uv] exclude-newer = "7 days"` setting in the root pyproject). The cooldown means every version below has been generally available for at least a week. uv lock --upgrade picked up: - Root: `prek` 0.3.10 → 0.3.13. - All tool projects: `mypy` 1.20.2 → 2.0.0 (major; dev-only — no runtime impact); `librt` 0.9.0 → 0.11.0; new transitive `ast-serialize` 0.3.0. - generate-cve-json + privacy-llm + sandbox-lint + skill-validator + vulnogram-oauth-api: `packaging` 26.1 → 26.2, `pathspec` 1.0.4 → 1.1.1, `ruff` 0.15.11 → 0.15.12. - gmail/oauth-draft (the only project with non-trivial runtime deps): `certifi` 2026.2.25 → 2026.4.22, `cryptography` 46.0.7 → 48.0.0 (major; runtime — used for token signing only, no user-supplied crypto inputs), `google-auth` 2.49.2 → 2.52.0, `google-auth-oauthlib` 1.3.1 → 1.4.0, `idna` 3.12 → 3.14, `urllib3` 2.6.3 → 2.7.0. prek autoupdate picked up: - `thlorenz/doctoc` v2.2.0 → v2.4.1 - `pre-commit/pre-commit-hooks` v4.5.0 → v6.0.0 (major; CI-side static-check infra only) - `crate-ci/typos` v1.45.2 → v1.46.2 No GitHub Actions refs were bumped here — Dependabot's github-actions ecosystem handles those on its own next sweep. Generated-by: Claude Code (Opus 4.7)
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three CI-surface housekeeping changes that share a single theme — close the gaps in the supply-chain pipeline (more ecosystems tracked, more workflow YAML scanned, current deps re-locked through the 7-day cooldown window).
1. Dependabot — full uv-ecosystem coverage
Previously only
github-actions,pre-commit, and two of the eight uv-managed projects had Dependabot coverage; the remaining six (root + 5 tools) were drifting silently. The config now tracks every uv project under the repo, each with the same 7-day cooldown applied across all four semver buckets (default / major / minor / patch) the existing entries already use:/(root)prekas a dev dep, but the pyproject is uv-managed/tools/skill-validator/tools/skill-evalsuv.lockso Dependabot'suvecosystem can resolve it — previously had pyproject only/tools/sandbox-lint/tools/vulnogram/oauth-api/tools/privacy-llm/redactor/tools/privacy-llm/checkerAdded a header comment explaining the cooldown rationale and its alignment with
[tool.uv] exclude-newer = "7 days"in the rootpyproject.tomland theexclude-newer-span = "P7D"baked into every tool'suv.lock.2. CodeQL — Actions analyzer alongside Python
codeql.ymlpreviously scanned onlypython. The CodeQLactionslanguage analyses workflow YAML for taint flows (untrusted PR titles / fork inputs reaching privileged sinks) — a deeper read than the lint-style rulesetzizmor.ymlalready runs. The job now uses alanguage: [python, actions]matrix; zizmor stays untouched, the two are complementary.3. Dependency refresh — everything re-locked through the 7-day window
Ran
uv lock --upgradeacross the root + all 7 uv tool projects, plusprek autoupdateon.pre-commit-config.yaml. Every version below has been GA for at least a week (the lockfiles and the root pyproject both enforce that window):prek0.3.10 → 0.3.13mypy1.20.2 → 2.0.0 (major; dev-only),librt0.9.0 → 0.11.0, new transitiveast-serialize0.3.0packaging26.1 → 26.2,pathspec1.0.4 → 1.1.1,ruff0.15.11 → 0.15.12certifi2026.2.25 → 2026.4.22,cryptography46.0.7 → 48.0.0 (major; runtime — token signing only, no user-supplied crypto inputs),google-auth2.49.2 → 2.52.0,google-auth-oauthlib1.3.1 → 1.4.0,idna3.12 → 3.14,urllib32.6.3 → 2.7.0doctocv2.2.0 → v2.4.1,pre-commit-hooksv4.5.0 → v6.0.0 (major; CI-side static-check infra),typosv1.45.2 → v1.46.2No GitHub Actions refs were bumped here — Dependabot's
github-actionsecosystem will handle those on its next sweep.Test plan
Dependabot — Refreshrun, the new uv entries each resolve cleanly (noresolution failed).Analyze (python)andAnalyze (actions), both completing successfully and uploading distinct SARIF categories.zizmor.ymlstill runs and reports clean (no new findings introduced by the workflow matrix change).prek run --all-filespasses locally on the updated hook revs (note: thedoctochook'snpm installcan fail on a stale~/.npmcache — unrelated to this PR).mainto referenceAnalyze (python)/Analyze (actions)instead ofAnalyze Python(or switch to workflow-based required checks).Generated-by: Claude Code (Opus 4.7)