chore: enable dependabot and dependency-submission workflow #322
vinodbhorge wants to merge 3 commits into
- Add .github/dependabot.yml for npm ecosystem (src/ directory)
- Add .github/workflows/dependency-submission.yml
- Plugin: actions/dependency-review-action@v4
- Captures full transitive dependency set via npm ci
- Triggers: push and pull_request on master
Generated by Dependabot Sub-Agent
📝 Walkthrough
Adds GitHub configuration for automated dependency management: a Dependabot configuration for npm package updates in the
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-submission.yml:
- Around line 9-10: The workflow currently grants overly broad repository write access by setting permissions: contents: write for actions/dependency-review-action@v4; change the permissions to the least-privilege set by replacing contents: write with contents: read, and if you want the action to post PR summary comments add pull-requests: write alongside contents: read; ensure no other write-level permissions remain in the permissions block so the action only has the minimal required scopes.
- Around line 3-7: Remove the unsupported "push" trigger from the workflow's on: block so the job only runs for supported events (e.g., pull_request); specifically edit the on: section that currently includes push: branches: ["master"] and delete that push: entry, leaving pull_request: branches: ["master"] (or add pull_request_target/merge_group if you need those events) to ensure actions/dependency-review-action runs only on supported triggers.
- Around line 18-25: Update the dependency-submission GitHub Actions step that uses actions/setup-node@v4 to set node-version to '22.17.1' (matching the Dockerfile's node:22.17.1-bookworm) so dependencies are resolved against the same Node major/minor as production; keep the working-directory: src and npm ci step unchanged. Optionally add or reference a single source-of-truth for Node (e.g., .nvmrc or package.json engines) to prevent future drift.
- Around line 27-30: The workflow step currently uses actions/dependency-review-action@v4 with an invalid input name and a misleading purpose; change the input key from token to repo-token if you intend to keep using dependency-review-action (or just remove the with: block since repo-token defaults to ${{ github.token }}), and either rename the step to reflect "Review npm Dependencies" or replace the action with a proper submission action (for example actions/component-detection-dependency-submission-action or an action built with `@github/dependency-submission-toolkit`) when you truly want to submit a dependency snapshot; alternatively, include two distinct steps: one using dependency-review-action@v4 for review (use repo-token) and another using a Dependency Submission action for submission.
📒 Files selected for processing (2)
- .github/dependabot.yml
- .github/workflows/dependency-submission.yml
| on: | ||
| push: | ||
| branches: ["master"] | ||
| pull_request: | ||
| branches: ["master"] |
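Review bot: the `push: branches: ["master"]` trigger gives actions/dependency-review-action no base ref to diff against, so every push run fails; if a push-time run is still wanted for snapshot submission, keep the trigger but gate the review job with `if: github.event_name == 'pull_request'` and put the submission step in its own job, rather than running the review action on push.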
🧩 Analysis chain
🌐 Web query:
Does actions/dependency-review-action v4 support push events, or only pull_request / pull_request_target / merge_group?
💡 Result:
actions/dependency-review-action v4 does not natively support push events. It is designed primarily for pull_request and pull_request_target events, where it automatically determines base-ref and head-ref. For other events like push or merge_group, users must manually provide base-ref and head-ref inputs, as indicated in the official documentation and action.yml: "Has a default value when the workflow event is pull_request or pull_request_target. Must be provided otherwise." Examples in the repo README and GitHub Docs always use on: [pull_request]. GitHub issues (#677, #826, #30, #456) discuss workarounds for push and merge_group by setting these refs manually, confirming no built-in push support. Thus, it supports pull_request / pull_request_target / merge_group only with manual configuration for the latter, but not push without extra setup.
Citations:
- 1: https://github.com/actions/dependency-review-action/tree/v4.0.0
- 2: https://github.com/actions/dependency-review-action
- 3: https://github.com/marketplace/actions/dependency-review
- 4: https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-the-dependency-review-action
- 5: https://github.com/actions/dependency-review-action/blob/v4.1.2/README.md
- 6: Allow Running on PUSH events actions/dependency-review-action#677
- 7: Can it work with normal push instead of just pull request? actions/dependency-review-action#826
- 8: https://github.com/actions/dependency-review-action/blob/v4.2.5/README.md
- 9: support event types other than pull_request actions/dependency-review-action#30
- 10: https://github.com/actions/dependency-review-action/blob/main/action.yml
- 11: Support merge_group trigger actions/dependency-review-action#456
Remove the push trigger — actions/dependency-review-action does not support push events and the workflow will fail on every push to master.
The action is designed for pull_request, pull_request_target, and merge_group triggers, where it automatically determines the base and head refs. On a push event there is no base ref to compare against, and the action will exit with an error.
🔧 Proposed fix
on:
- push:
- branches: ["master"]
pull_request:
branches: ["master"]
📝 Committable suggestion
| on: | |
| push: | |
| branches: ["master"] | |
| pull_request: | |
| branches: ["master"] | |
| on: | |
| pull_request: | |
| branches: ["master"] |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/dependency-submission.yml around lines 3 - 7, Remove the unsupported "push" trigger from the workflow's on: block so the job only runs for supported events (e.g., pull_request); specifically edit the on: section that currently includes push: branches: ["master"] and delete that push: entry, leaving pull_request: branches: ["master"] (or add pull_request_target/merge_group if you need those events) to ensure actions/dependency-review-action runs only on supported triggers.
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| - name: Install dependencies (ci install for full lock resolution) | ||
| working-directory: src | ||
| run: npm ci |
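Review bot: the `npm ci` step here feeds nothing downstream: actions/dependency-review-action compares the manifests of the base and head refs through GitHub's dependency graph and does not inspect the locally installed tree, so `Set up Node.js` and `Install dependencies` only earn their place once a step that submits the resolved lockfile (an SBOM or dependency-snapshot action) follows them; otherwise drop both to cut the workflow's runtime and the code it executes.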
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify lockfile presence and any engines field.
fd -H -t f 'package-lock.json' src 2>/dev/null
rg -nP '"engines"\s*:' src/package.json || echo "no engines field"
Repository: Sunbird-Knowlg/knowledge-mw-service
Length of output: 118
🏁 Script executed:
fd -H -t f 'Dockerfile' . 2>/dev/null
Length of output: 92
🏁 Script executed:
fd -H -t f '.nvmrc' . 2>/dev/null
Length of output: 61
🏁 Script executed:
cat src/package.json | head -50
Length of output: 2235
🏁 Script executed:
cat Dockerfile
Length of output: 407
Align Node.js version in dependency-submission workflow with production (22.17.1).
The Dockerfile pins node:22.17.1-bookworm for production, but this workflow installs Node 20. Resolving dependencies on a different major version can mask engine-incompatible packages or peer-dependency issues.
The src/package-lock.json file is present and committed, so npm ci will work as expected. However, without a single source of truth (.nvmrc or engines field), version drift is likely. Align the workflow to Node 22.17.1 to match production.
♻️ Suggested change
- name: Set up Node.js
uses: actions/setup-node@v4
with:
- node-version: '20'
+ node-version: '22.17.1'
+ cache: 'npm'
+ cache-dependency-path: src/package-lock.json
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/dependency-submission.yml around lines 18 - 25, Update the dependency-submission GitHub Actions step that uses actions/setup-node@v4 to set node-version to '22.17.1' (matching the Dockerfile's node:22.17.1-bookworm) so dependencies are resolved against the same Node major/minor as production; keep the working-directory: src and npm ci step unchanged. Optionally add or reference a single source-of-truth for Node (e.g., .nvmrc or package.json engines) to prevent future drift.
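Review bot: the suggested `node-version: '22.17.1'` copies the version literal out of the Dockerfile into a second place, which is exactly the drift the comment above warns about; prefer the setup-node input `node-version-file` pointing at a single `.nvmrc` (or the `engines` entry in package.json) that the Docker build can also read, and keep `cache-dependency-path: src/package-lock.json`, which correctly points at the lockfile under src/.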
- Checkout submodules recursively so src/libs is populated before npm ci runs its preinstall script
- Add npm sbom generation step; spdx-dependency-submission-action requires a pre-generated SPDX file, it does not scan on its own
- Replace dependency-review-action (PR security gate, wrong tool) with spdx-dependency-submission-action for actual graph submission
- Drop invalid token input not accepted by the submission action
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
spdx-json is not a valid value; npm sbom only accepts cyclonedx or spdx. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
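As an added example (not the PR's workflow file and not one of CodeRabbit's suggestions), the review findings and the follow-up commits combined into one workflow: the review gate runs only on pull_request, where dependency-review-action can derive its base and head refs; the snapshot submission runs on push to master; and write permission is granted only to the job that calls the Dependency Submission API, with everything else read-only. Assumed and to be verified before use: an .nvmrc at the repository root pinning 22.17.1 (the checks above found none, so it would need to be added), the action path advanced-security/spdx-dependency-submission-action together with its filePath/filePattern inputs, and the commit SHA placeholder it should be pinned to.

```yaml
name: Dependency review and submission

on:
  pull_request:
    branches: ["master"]
  push:
    branches: ["master"]

# Workflow-wide default is read-only; each job raises only what it needs.
permissions:
  contents: read

jobs:
  # PR gate. dependency-review-action derives base/head refs only on
  # pull_request / pull_request_target, so the job is gated on that event.
  review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write    # only needed so the action can post its summary comment
    steps:
      - uses: actions/checkout@v4
      - name: Review npm dependencies
        uses: actions/dependency-review-action@v4
        # repo-token defaults to ${{ github.token }}; no `with: token:` block is needed

  # Graph submission on push to master. The Dependency Submission API needs
  # contents: write, so only this job gets it.
  submit:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive          # src/libs must exist before npm ci's preinstall script
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc      # assumed file pinning 22.17.1: one source of truth, no second literal
          cache: npm
          cache-dependency-path: src/package-lock.json
      - name: Install dependencies (ci install for full lock resolution)
        working-directory: src
        run: npm ci
      - name: Generate SPDX SBOM
        working-directory: src
        run: npm sbom --sbom-format spdx > sbom.spdx.json   # npm sbom accepts only cyclonedx or spdx
      - name: Submit dependency snapshot
        # Assumed action path and input names; pin to a full commit SHA, not a tag.
        uses: advanced-security/spdx-dependency-submission-action@<full-commit-sha>
        with:
          filePath: src
          filePattern: sbom.spdx.json
```

Job-level `permissions` override the workflow default, so a misbehaving or compromised review step still holds no write token for the repository, while the submission job's `contents: write` never reaches code that runs on untrusted pull-request input. Pinning third-party actions to a full commit SHA rather than a moving tag closes the remaining supply-chain gap in this file.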