Skip to content

chore(ci): expand Dependabot coverage + CodeQL actions + deps refresh#203

Merged
potiuk merged 2 commits into
apache:mainfrom
potiuk:dependabot-uv-coverage-codeql-actions
May 17, 2026
Merged

chore(ci): expand Dependabot coverage + CodeQL actions + deps refresh#203
potiuk merged 2 commits into
apache:mainfrom
potiuk:dependabot-uv-coverage-codeql-actions

Conversation

@potiuk

@potiuk potiuk commented May 17, 2026

Copy link
Copy Markdown
Member

Summary

Three CI-surface housekeeping changes that share a single theme — close the gaps in the supply-chain pipeline (more ecosystems tracked, more workflow YAML scanned, current deps re-locked through the 7-day cooldown window).

1. Dependabot — full uv-ecosystem coverage

Previously only github-actions, pre-commit, and two of the eight uv-managed projects had Dependabot coverage; the remaining six (root + 5 tools) were drifting silently. The config now tracks every uv project under the repo, each with the same 7-day cooldown applied across all four semver buckets (default / major / minor / patch) the existing entries already use:

New entry Notes
/ (root) Currently just prek as a dev dep, but the pyproject is uv-managed
/tools/skill-validator Hatch + dev tooling
/tools/skill-evals Seeded uv.lock so Dependabot's uv ecosystem can resolve it — previously had pyproject only
/tools/sandbox-lint
/tools/vulnogram/oauth-api
/tools/privacy-llm/redactor
/tools/privacy-llm/checker

Added a header comment explaining the cooldown rationale and its alignment with [tool.uv] exclude-newer = "7 days" in the root pyproject.toml and the exclude-newer-span = "P7D" baked into every tool's uv.lock.

2. CodeQL — Actions analyzer alongside Python

codeql.yml previously scanned only python. The CodeQL actions language analyses workflow YAML for taint flows (untrusted PR titles / fork inputs reaching privileged sinks) — a deeper read than the lint-style ruleset zizmor.yml already runs. The job now uses a language: [python, actions] matrix; zizmor stays untouched, the two are complementary.

⚠️ Branch protection on main: the job is no longer named Analyze Python. Required-status-check rules referencing the old name will need updating to Analyze (python) / Analyze (actions), or migrated to reference the workflow instead.

3. Dependency refresh — everything re-locked through the 7-day window

Ran uv lock --upgrade across the root + all 7 uv tool projects, plus prek autoupdate on .pre-commit-config.yaml. Every version below has been GA for at least a week (the lockfiles and the root pyproject both enforce that window):

  • Root: prek 0.3.10 → 0.3.13
  • All tool projects: mypy 1.20.2 → 2.0.0 (major; dev-only), librt 0.9.0 → 0.11.0, new transitive ast-serialize 0.3.0
  • generate-cve-json + privacy-llm + sandbox-lint + skill-validator + vulnogram-oauth-api: packaging 26.1 → 26.2, pathspec 1.0.4 → 1.1.1, ruff 0.15.11 → 0.15.12
  • gmail/oauth-draft (only project with non-trivial runtime deps): certifi 2026.2.25 → 2026.4.22, cryptography 46.0.7 → 48.0.0 (major; runtime — token signing only, no user-supplied crypto inputs), google-auth 2.49.2 → 2.52.0, google-auth-oauthlib 1.3.1 → 1.4.0, idna 3.12 → 3.14, urllib3 2.6.3 → 2.7.0
  • pre-commit hooks: doctoc v2.2.0 → v2.4.1, pre-commit-hooks v4.5.0 → v6.0.0 (major; CI-side static-check infra), typos v1.45.2 → v1.46.2

No GitHub Actions refs were bumped here — Dependabot's github-actions ecosystem will handle those on its next sweep.

Test plan

  • Dependabot Insights page for the repo lists all 11 ecosystem entries (1× github-actions, 1× pre-commit, 9× uv).
  • On next Dependabot — Refresh run, the new uv entries each resolve cleanly (no resolution failed).
  • CodeQL workflow on this PR shows two parallel jobs Analyze (python) and Analyze (actions), both completing successfully and uploading distinct SARIF categories.
  • zizmor.yml still runs and reports clean (no new findings introduced by the workflow matrix change).
  • prek run --all-files passes locally on the updated hook revs (note: the doctoc hook's npm install can fail on a stale ~/.npm cache — unrelated to this PR).
  • After merge, update the branch protection on main to reference Analyze (python) / Analyze (actions) instead of Analyze Python (or switch to workflow-based required checks).

Generated-by: Claude Code (Opus 4.7)

potiuk added 2 commits May 18, 2026 01:52
… analyzer

Two related CI-surface changes:

1. Dependabot expansion. Previously only github-actions, pre-commit,
   and two of the eight uv-managed projects had Dependabot
   coverage; the remaining six were drifting silently. The config
   now tracks every uv project under the repo with the same 7-day
   cooldown applied across all four semver buckets that the
   existing entries use. Coverage added:

   - / (root — currently just `prek` as a dev dep, but the
     pyproject.toml is a uv-managed project so it belongs here)
   - /tools/skill-validator
   - /tools/skill-evals (seeded a uv.lock so Dependabot's uv
     ecosystem can resolve it; previously stdlib-only at runtime
     with `pytest` + `ruff` dev deps only, hence no lock had been
     committed)
   - /tools/sandbox-lint
   - /tools/vulnogram/oauth-api
   - /tools/privacy-llm/redactor
   - /tools/privacy-llm/checker

   Each new entry mirrors the existing pattern: weekly schedule,
   one group catching all packages in that directory, 7-day
   cooldown for default/major/minor/patch. A header comment was
   added explaining the cooldown rationale and its alignment with
   `[tool.uv] exclude-newer = "7 days"` in the root pyproject and
   the `exclude-newer-span = "P7D"` baked into every tool's
   uv.lock.

2. CodeQL Actions analyzer. The workflow previously only scanned
   `python`. The CodeQL ecosystem added a dedicated `actions`
   language for analysing GitHub Actions workflow YAML — it
   performs deeper data-flow analysis (taint flows from untrusted
   PR titles / fork inputs to privileged sinks) than the
   lint-style ruleset `zizmor.yml` already runs. The analyser now
   runs both via a `language: [python, actions]` matrix; the job
   name becomes "Analyze (python)" / "Analyze (actions)" with
   separate result categories. zizmor stays as-is; the two are
   complementary, not redundant.

   Note for the branch-protection rule on `main`: the job is no
   longer named `Analyze Python` — required-status-check rules
   referencing the old name will need to be updated to the new
   matrix-suffixed names, or migrated to reference the workflow
   instead.

Generated-by: Claude Code (Opus 4.7)
Refreshes every uv.lock and pre-commit hook to the current upstream
versions, picked up through the same 7-day cooldown window applied
to the Dependabot config (resolution respects
`exclude-newer-span = "P7D"` baked into each uv.lock and the
`[tool.uv] exclude-newer = "7 days"` setting in the root pyproject).
The cooldown means every version below has been generally available
for at least a week.

uv lock --upgrade picked up:

- Root: `prek` 0.3.10 → 0.3.13.
- All tool projects: `mypy` 1.20.2 → 2.0.0 (major; dev-only — no
  runtime impact); `librt` 0.9.0 → 0.11.0; new transitive
  `ast-serialize` 0.3.0.
- generate-cve-json + privacy-llm + sandbox-lint + skill-validator
  + vulnogram-oauth-api: `packaging` 26.1 → 26.2, `pathspec` 1.0.4
  → 1.1.1, `ruff` 0.15.11 → 0.15.12.
- gmail/oauth-draft (the only project with non-trivial runtime
  deps): `certifi` 2026.2.25 → 2026.4.22, `cryptography` 46.0.7 →
  48.0.0 (major; runtime — used for token signing only, no
  user-supplied crypto inputs), `google-auth` 2.49.2 → 2.52.0,
  `google-auth-oauthlib` 1.3.1 → 1.4.0, `idna` 3.12 → 3.14,
  `urllib3` 2.6.3 → 2.7.0.

prek autoupdate picked up:

- `thlorenz/doctoc` v2.2.0 → v2.4.1
- `pre-commit/pre-commit-hooks` v4.5.0 → v6.0.0 (major; CI-side
  static-check infra only)
- `crate-ci/typos` v1.45.2 → v1.46.2

No GitHub Actions refs were bumped here — Dependabot's
github-actions ecosystem handles those on its own next sweep.

Generated-by: Claude Code (Opus 4.7)
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@potiuk potiuk merged commit ca509e9 into apache:main May 17, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants