
Update Dependabot Cursor review workflow#340

Merged
hoffmang9 merged 9 commits into
mainfrom
chore/update-dependabot-cursor-review-workflow
Apr 1, 2026

Conversation

@hoffmang9 hoffmang9 commented Apr 1, 2026

Summary

  • sync .github/workflows/dependabot-cursor-review.yml in chiavdf to the latest published workflow logic from repo-content-updater
  • add upstream malware preflight scanning (unicode/confusable, IOCs, heuristics, dependency-integrity signals) with warn-only behavior and scan artifacts
  • split Cursor analysis into two prompts (malware verdict + compatibility analysis) and keep PR comments under GitHub size limits

Test plan

  • Ensure workflow YAML parses and has no linter errors
  • Verify workflow now includes malware scan step and two-prompt Cursor analysis flow
  • Run workflow against a real Dependabot PR in chiavdf
  • Confirm PR comment and scan artifacts are produced in GitHub Actions

Made with Cursor


Note

Medium Risk
Moderate risk because it significantly expands a GitHub Actions workflow with new scanning logic, artifact uploads, and comment formatting; failures or false positives could block or spam Dependabot reviews.

Overview
Adds an upstream malware preflight scan to the Dependabot Cursor review workflow, scanning the upstream repo’s changed files between from/to versions (or commit list fallback) for Unicode invisibles/confusables, IOC patterns, and multiple heuristic supply-chain signals, and emitting malware_scan_report.json + a markdown summary (warn-only by default).

Splits Cursor’s single analysis into two prompts (malware verdict + compatibility/adoption), then combines the outputs into one cursor_output.json and posts a PR comment that includes both the Cursor analysis and malware scan summary while enforcing GitHub comment size limits.

Uploads the malware scan artifacts on every run and simplifies local usage hint gathering to require rg (no grep fallback).

Written by Cursor Bugbot for commit 829f875. This will update automatically on new commits.

Bring chiavdf's published workflow in sync with the latest malware preflight, split malware/compatibility Cursor prompts, artifact publishing, and comment-size safety logic from repo-content-updater.

Made-with: Cursor
Avoid passing large JSON arrays through jq CLI arguments by writing changed-files and error lists to temp JSON files and loading them via --slurpfile, preventing argument-length failures in production runs.

Made-with: Cursor
Truncate oversized matched line payloads before passing them to jq in append_finding so large minified lines cannot exceed argument length limits during report generation.

Made-with: Cursor
Guard count and diff-stat ripgrep pipelines with `|| true` so expected no-match cases in changed-file and lockfile scans do not abort the malware step under `set -euo pipefail`.

Made-with: Cursor
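Added example, not code from the chiavdf workflow or from repo-content-updater: it shows why a count pipeline with zero matches aborts a step under `set -euo pipefail` and how the `|| true` guard from the commit above prevents that. grep stands in for rg here (an assumption; both exit 1 when nothing matches) and the sample file content is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the chiavdf workflow: shows why a count
# pipeline with zero matches kills a step under `set -euo pipefail`, and
# how the `|| true` guard from the commit above fixes it.
# grep is used as a stand-in for rg (assumption): both exit 1 on no match.

# Constructed stand-in for a changed file's contents.
sample_input() {
  printf '%s\n' 'const a = 1;' 'fetch("https://example.invalid/");' 'const b = 2;'
}

# Unguarded count: grep prints "0" for no matches but exits 1, so with
# pipefail the pipeline fails and errexit would abort the whole step.
count_unguarded() {
  sample_input | grep -c -- "$1"
}

# Guarded count: `|| true` turns the expected no-match case into a clean 0.
count_guarded() {
  local n
  n=$(sample_input | grep -c -- "$1" || true)
  printf '%s\n' "${n:-0}"
}

# Run a command under the workflow's strict options in a subshell.
# Exit status 0 means the step would have survived, non-zero that it
# would have aborted (the subshell's exit status is what gets reported).
survives_strict_mode() {
  ( set -euo pipefail; "$@" >/dev/null ) 2>/dev/null
}
```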
Clear stale tag ranges after failed ref diffs and make Cursor JSON text extraction tolerant of non-object payloads to avoid runtime crashes.

Made-with: Cursor
Render PR comment text via a joined line array so fallback truncation paths produce byte-identical formatting without indentation-added whitespace.

Made-with: Cursor
@hoffmang9

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Keep scanner summary/report in malware review context while compatibility analysis uses shared PR and usage context only.

Made-with: Cursor
@hoffmang9

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Use malware scan step outputs (status, changed_files_count, summary) when constructing fallback summary text so emitted outputs are consumed downstream.

Made-with: Cursor
@hoffmang9

@cursor review

Only label commit-list resolution when commit fallback actually yields changed files, normalize semver numeric parsing to avoid octal arithmetic pitfalls, and replace brittle axios exact-count checks with bounded dependency-jump detection.

Made-with: Cursor
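Added example, not the workflow's own code: the octal arithmetic pitfall the commit above avoids, with a bounded major-version jump check written in the spirit of the "bounded dependency-jump detection" it mentions. The version strings are constructed, and the function names and the jump bound are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the workflow's own code: the octal pitfall the commit
# above avoids, plus a bounded major-version jump check. Version strings are
# constructed; function names and the jump threshold are our own.

# Print "major minor patch" as base-10 integers. Strips a leading "v" and any
# pre-release/build suffix. Without the 10# prefix bash reads "010" as octal
# (8) and rejects "08" and "09" outright ("value too great for base").
semver_normalize() {
  local v=${1#v} core major minor patch rest
  core=${v%%[-+]*}
  IFS=. read -r major minor patch rest <<< "$core"
  printf '%d %d %d\n' \
    "$((10#${major:-0}))" "$((10#${minor:-0}))" "$((10#${patch:-0}))"
}

# Compare two versions numerically; prints -1, 0 or 1.
semver_cmp() {
  local -a a b
  local i
  read -r -a a <<< "$(semver_normalize "$1")"
  read -r -a b <<< "$(semver_normalize "$2")"
  for i in 0 1 2; do
    if (( a[i] < b[i] )); then printf '%s\n' -1; return; fi
    if (( a[i] > b[i] )); then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Succeed (exit 0) when the major version jumps by more than $3 steps,
# e.g. 1.x -> 3.x with a bound of 1. A bounded check like this replaces a
# brittle "exactly N" comparison pinned to one package's version numbers.
major_jump_exceeds() {
  local max=$3 from to
  from=$(semver_normalize "$1"); from=${from%% *}
  to=$(semver_normalize "$2");   to=${to%% *}
  (( to - from > max ))
}
```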
@hoffmang9

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@hoffmang9 hoffmang9 merged commit 75a0c7b into main Apr 1, 2026
68 checks passed
@hoffmang9 hoffmang9 deleted the chore/update-dependabot-cursor-review-workflow branch April 1, 2026 16:38