feat(ci): auto-merge release-please + dependabot PRs, supply-chain hardening #25
…, OIDC trusted-publishing docs

Adds end-to-end automation so patch / minor releases and dependency bumps land without manual intervention, and hardens the supply chain along the way.

New workflows:

- auto-merge-release-please.yml: waits for required checks on the PR head sha, auto-approves, enables squash auto-merge. release-please PRs are mechanical bookkeeping; this removes the human handoff.
- auto-merge-dependabot.yml: uses dependabot/fetch-metadata@v2 (SHA-pinned) to identify the update-type and auto-merges patch / minor bumps. Major bumps get a comment and stay open for review.
- outdated-watch.yml: weekly cron that opens or updates a single tracking issue listing any package >= 1 minor behind across root / cli / mcp / python-sdk. Patch drift is filtered out (Dependabot handles it).
- gitleaks.yml: diff-focused secret scan on every PR + push to main. OSS action, no license, complements existing Socket Security check.

Supply-chain hardening:

- SHA-pinned every actions/* and third-party action across all 19 workflows (was @vn on most). Each pin carries a "# pin: vX.Y.Z" comment so manual bumps are easy.
- publish-pysdk.yml gains a PyPI Trusted Publishing (OIDC) step ahead of the legacy PYPI_API_TOKEN fallback. Documented setup in docs/ops/pypi-trusted-publishing.md so the maintainer can flip the PyPI-side switch and remove the token entirely.

Docs:

- CONTRIBUTING.md: Conventional Commits prefix table + examples.
- docs/ops/release-process.md: extended with the new auto-merge flow, Dependabot rules, outdated-watch behaviour, and a pointer to the trusted-publishing setup doc.

Out-of-tree changes already applied:

- Tag-protection ruleset created via the rulesets API restricting creation / deletion / non-fast-forward on refs/tags/cli-v*, mcp-v*, pysdk-v*, and v* (release tag pattern). Admins keep bypass.

All workflows lint-pass yaml.safe_load. All 140 unit tests pass.
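An added example, not code from this PR: a small lint that enforces the pinning convention the description states (every action at a commit SHA, followed by a `# pin: vX.Y.Z` comment), so a later workflow edit that reintroduces a floating tag fails CI instead of slipping through. `audit_workflow`, the regexes and the sample workflow text are constructed for this illustration; the action names and SHAs in the sample are placeholders.

```python
"""Lint GitHub Actions workflow text for unpinned `uses:` references.

Added example, not the PR's own code: it encodes the PR's pinning rule (every
action at a 40-hex commit SHA followed by a `# pin: vX.Y.Z` comment) and is
stricter than the test plan's grep, which misses `@main`-style branch refs.
"""
import re

# Matches `- uses: owner/repo[/path]@ref   # optional trailing comment`
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PIN_COMMENT_RE = re.compile(r"^pin:\s*v\d+(?:\.\d+){0,2}\s*$")


def audit_workflow(text):
    """Return (line_no, action, problem) for each `uses:` line breaking the rule.

    Lines without `@` (local `./actions`, `docker://image:tag`) never match;
    `docker://...@sha256:` digests are skipped explicitly.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith("docker://"):
            continue
        if not SHA_RE.match(m["ref"]):
            findings.append((no, m["action"], f"floating ref @{m['ref']}; pin to a commit SHA"))
        elif not (m["comment"] and PIN_COMMENT_RE.match(m["comment"])):
            findings.append((no, m["action"], "SHA pinned but missing '# pin: vX.Y.Z' comment"))
    return findings


# Constructed sample: a compliant pin, a floating tag, and a SHA with no pin comment.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # pin: v4.2.2
      - uses: actions/setup-node@v4
      - uses: dependabot/fetch-metadata@1111111111111111111111111111111111111111
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for no, action, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {action}: {problem}")
```

Run it over `.github/workflows/*.yml` in a CI step and fail the job on a non-empty result.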
Walkthrough: This PR hardens the CI/CD pipeline by pinning GitHub Actions to specific commit SHAs across 14 workflows, adds four new workflows for release automation and monitoring (auto-merge-dependabot, auto-merge-release-please, gitleaks, outdated-watch), migrates PyPI publishing to OIDC trusted authentication, and documents commit conventions and operational procedures.
…a paid license for org-owned repos

The OSS gitleaks-action exits with `missing gitleaks license` when run in an org-owned repo (per the action's recent breaking change). The constraint here is free-tier compatibility, so swap to trufflesecurity/trufflehog — same diff-focused secret-scan use case, no license check. Renamed the workflow file gitleaks.yml -> secret-scan.yml so the name no longer implies the underlying tool.
5eba05d to 9079c49
Pull request overview
This PR hardens and automates the repository’s release/dependency maintenance pipeline by (a) adding bot PR auto-merge workflows, (b) pinning all GitHub Actions to SHAs, and (c) improving supply-chain and publishing security (PyPI OIDC + secret scanning + outdated dependency tracking), with accompanying ops/docs updates.
Changes:

- Add `pull_request_target` workflows to auto-approve + squash-auto-merge release-please PRs and Dependabot patch/minor PRs (major bumps get a reminder comment).
- Pin GitHub Actions across `.github/workflows/` to commit SHAs and introduce `gitleaks.yml` plus `outdated-watch.yml`.
- Add PyPI Trusted Publishing (OIDC) preferred-path in `publish-pysdk.yml` with documentation, and expand contributor/release-process docs.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| docs/ops/release-process.md | Documents auto-merge behavior, Dependabot policy, outdated-watch, and PyPI trusted publishing flow. |
| docs/ops/pypi-trusted-publishing.md | New guide for one-time PyPI Trusted Publisher setup and token fallback removal. |
| CONTRIBUTING.md | Adds Conventional Commits guidance aligned with release-please usage. |
| .github/workflows/validate.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/sync.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/smoke.yml | Pins checkout/setup-node/upload-artifact actions to SHAs. |
| .github/workflows/render.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/release-please.yml | Pins release-please action to a SHA. |
| .github/workflows/publish-pysdk.yml | Adds OIDC trusted publishing step + token fallback; pins actions to SHAs. |
| .github/workflows/publish-mcp.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/publish-cli.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/pages.yml | Pins checkout/upload-pages-artifact/deploy-pages actions to SHAs. |
| .github/workflows/outdated-watch.yml | New weekly workflow to open/update an “outdated deps” tracking issue. |
| .github/workflows/node-matrix.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/gitleaks.yml | New secret-scanning workflow (diff-focused on PRs). |
| .github/workflows/docs-on-release.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/codeql.yml | Pins checkout/codeql actions to SHAs. |
| .github/workflows/auto-merge.yml | Pins checkout action to a SHA. |
| .github/workflows/auto-merge-release-please.yml | New workflow to auto-approve + enable squash auto-merge for release-please PRs. |
| .github/workflows/auto-merge-dependabot.yml | New workflow to auto-approve + enable squash auto-merge for Dependabot patch/minor PRs. |
| .github/workflows/audit.yml | Pins checkout/setup-node actions to SHAs. |
| .github/workflows/add-from-issue.yml | Pins checkout/setup-node actions to SHAs. |
| permissions: | ||
| contents: read | ||
| pull-requests: write |
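Review bot: `contents: read` looks too narrow for what the description says this job does. Approving a PR needs only `pull-requests: write`, but enabling squash auto-merge (and the eventual merge) through the GITHUB_TOKEN also needs `contents: write`, so the auto-merge step will be rejected under this block. If a PAT or GitHub App installation token is used for that step instead, a comment above the block saying so would make the narrow scope read as intentional.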
| # The four required checks (validate is a check-run, smoke has | ||
| # two matrix jobs, codeql is the security analysis). If any of | ||
| # these is still pending after the timeout we exit non-zero so | ||
| # the workflow re-runs on the next sync event. | ||
| required=("validate" "smoke / chromium" "smoke / webkit-iphone" "Analyze (javascript-typescript)") | ||
| deadline=$(( $(date +%s) + 15 * 60 )) |
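Review bot: the comment claims exiting non-zero makes the workflow "re-run on the next sync event", but a failed run schedules nothing; the job only runs again when another `synchronize` / `labeled` / `reopened` event arrives, so a release-please PR whose checks finish at minute 16 with no further push stays unmerged until the next push to main rewrites it. Consider also triggering on `check_suite: completed` (or `workflow_run`), or re-applying a label to wake the job. The hard-coded `required=(...)` array also duplicates the names kept in the ruleset and in docs/ops/release-process.md; when a check is still pending at the deadline, print its name so a renamed job (for instance a changed CodeQL matrix label in `Analyze (javascript-typescript)`) shows up in the log as "never reported" rather than as a slow check.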
| pull_request_target: | ||
| types: [opened, reopened, synchronize, labeled, ready_for_review] | ||
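Review bot: `pull_request_target` runs with the base repository's secrets and a write-capable GITHUB_TOKEN, so the job body must not check out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) and then run `npm ci`, scripts or anything else from it; reading the head sha and querying the checks API is all this job needs. Add an actor guard as the first job condition (`github.event.pull_request.user.login == 'dependabot[bot]'`, or the release-please app login in the sibling workflow): with `labeled` and `synchronize` in this list, anyone who can label a PR or push to a PR branch can otherwise start the job, and fetch-metadata's update-type classification is only meaningful on real Dependabot PRs.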
| permissions: |
| required status checks (`validate`, `smoke / chromium`, | ||
| `smoke / webkit-iphone`, `Analyze (javascript-typescript)`) to land | ||
| green, then auto-approves the PR and enables **squash auto-merge**. |
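Review bot: this is the third place the four check names are spelled out (the bash array in the auto-merge scripts, the branch ruleset, and now the docs). Add a sentence stating that the ruleset is the source of truth and that renaming any of these jobs requires updating both auto-merge workflows and the ruleset in the same change; otherwise the auto-merge jobs time out on every PR with no obvious cause.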
| # Nightly nudge for transitively-outdated deps that Dependabot's grouping | ||
| # might paper over. Posts (or updates) a single tracking issue summarising | ||
| # what's behind in each of the four package manifests. Fail-soft: a | ||
| # network blip or empty `npm outdated` result is not a failure, just a | ||
| # no-op run. |
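Review bot: the header says "Nightly nudge", but the PR description, the release-process docs and the test plan all describe outdated-watch as a weekly Monday cron; make the comment match the `schedule:` block. On the fail-soft behaviour, an empty `npm outdated` result caused by a registry outage is indistinguishable from "nothing is behind", so when all four manifests come back empty the job should leave the existing tracking issue untouched (or record the error in it) rather than updating it to report a clean state.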
Summary

- `.github/workflows/` to a commit SHA with a `# pin: vX.Y.Z` follow-on comment (was `@vN` on most). Includes the new and existing workflows. No more floating tag references.
- `publish-pysdk.yml` ahead of the legacy `PYPI_API_TOKEN` fallback, plus a docs page (`docs/ops/pypi-trusted-publishing.md`) describing the one-time PyPI-side setup so the maintainer can flip the switch and remove the token.
- `gitleaks.yml` (diff-focused secret scan) and a weekly `outdated-watch.yml` cron that posts (or upserts) a tracking issue when any package is at least one minor version behind across root / cli / mcp / python-sdk.
- `CONTRIBUTING.md` with the Conventional Commits prefix table that drives `release-please`.
- `docs/ops/release-process.md` with the new auto-merge flow, Dependabot rules, outdated-watch behaviour, and a pointer to the trusted-publishing setup doc.
- `refs/tags/{cli,mcp,pysdk}-v*` and `refs/tags/v*` to anyone but admins. Existing release-please and admin workflows keep bypass.

Test plan

- `for f in .github/workflows/*.yml; do python3 -c "import yaml; yaml.safe_load(open('$f'))"; done` -> `ALL_YAML_OK`
- `node --test scripts/__tests__/*.test.mjs` -> 140 pass, 0 fail
- `grep -rnE 'uses: [^@]+@v[0-9]' .github/workflows/` -> no matches (every action pinned)
- `outdated-watch` Monday run posts (or no-ops) cleanly.
- `gitleaks` runs on PRs without false positives blocking development.
- `docs/ops/pypi-trusted-publishing.md`, confirm the OIDC step succeeds on the next `pysdk-v*` release, then remove the token fallback + `PYPI_API_TOKEN` secret.

Anything that needs maintainer action

- `docs/ops/pypi-trusted-publishing.md`). The current workflow gracefully falls back to the existing token, so this can land before the PyPI side is configured.
- `validate`, `smoke / chromium`, `smoke / webkit-iphone`, `Analyze (javascript-typescript)`). The two auto-merge workflows re-check those same names as defense-in-depth.
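An added example, not the PR's workflow script: the required-check gate that the two auto-merge workflows perform, written as testable Python with the same four check names. It shows why a check that never reported or concluded `skipped` must not count as green, and why the 15-minute deadline must fail closed. The function names and the injected `fetch` / `now` / `sleep` hooks are this example's own assumptions; the check-run records are constructed to mimic the shape of the GitHub check-runs API.

```python
"""Fail-closed gate on the required check-runs for a PR head SHA.

Added example, not the PR's own workflow script: models the auto-merge
workflows' "wait for the four required checks, then approve" step. Records
mimic the GitHub check-runs API shape (id, name, status, conclusion).
"""
import time

REQUIRED = ("validate", "smoke / chromium", "smoke / webkit-iphone",
            "Analyze (javascript-typescript)")
PASSING = {"success"}  # skipped / neutral are NOT green for a merge gate


def evaluate(check_runs, required=REQUIRED):
    """Return ('success' | 'pending' | 'failure', [check names behind that verdict]).

    A required check that never reported is pending, not passed. When a name
    appears several times (re-runs), the record with the highest id wins.
    """
    latest = {}
    for run in check_runs:
        prev = latest.get(run["name"])
        if prev is None or run.get("id", 0) > prev.get("id", 0):
            latest[run["name"]] = run
    pending, failed = [], []
    for name in required:
        run = latest.get(name)
        if run is None or run["status"] != "completed":
            pending.append(name)
        elif run["conclusion"] not in PASSING:
            failed.append(name)
    if failed:
        return "failure", failed
    if pending:
        return "pending", pending
    return "success", list(required)


def wait_for_checks(fetch, deadline, required=REQUIRED,
                    now=time.time, sleep=time.sleep, poll=30):
    """Poll fetch() until nothing is pending or the deadline passes.

    Anything but 'success' must make the caller exit non-zero: a timeout is
    treated like a failure rather than silently approving the PR.
    """
    while True:
        state, details = evaluate(fetch(), required)
        if state != "pending" or now() >= deadline:
            return state, details
        sleep(poll)
```

In the real workflow `fetch` would wrap `gh api repos/<owner>/<repo>/commits/<head-sha>/check-runs` and `deadline` would be the same `now + 15 * 60` the bash version computes.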