Skip to content

Add dependency review job to all CI workflows#43

Merged
tuomas777 merged 1 commit into
mainfrom
feature/KEH-351-dependency-review-ci
Jun 30, 2026
Merged

Add dependency review job to all CI workflows#43
tuomas777 merged 1 commit into
mainfrom
feature/KEH-351-dependency-review-ci

Conversation

@antervon-gofore

@antervon-gofore antervon-gofore commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Refs: KEH-351

Summary by CodeRabbit

  • New Features
    • Added automated dependency review to pull request CI to detect known vulnerabilities, with failures triggered for low-severity issues.
    • When dependency issues are found, pull requests now include an on-failure summary comment, including patched version details when available.
  • Documentation
    • Updated CI workflow READMEs to add Dependency Review to the “Key Features” list.
  • Chores
    • Updated CI workflow permissions to allow pull request comments from the relevant CI jobs while keeping overall access restricted.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f23fe037-e763-4397-bb00-e6d9e5bc02eb

📥 Commits

Reviewing files that changed from the base of the PR and between ea0de87 and d1f5b20.

📒 Files selected for processing (9)
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/test-reusable-workflows.yml
✅ Files skipped from review due to trivial changes (4)
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-pnpm-node-README.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/test-reusable-workflows.yml
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/ci-django-api.yml

📝 Walkthrough

Walkthrough

Added dependency-review jobs to four CI workflows, updated their READMEs, and moved pull-request write access to job-level permissions in the reusable test workflow.

Changes

Dependency review workflow rollout

Layer / File(s) Summary
Reusable workflow permissions
.github/workflows/test-reusable-workflows.yml
Workflow-level pull-requests: read is removed, and four test jobs now declare job-level contents: read and pull-requests: write permissions.
Node dependency review jobs
.github/workflows/ci-node.yml, .github/workflows/ci-pnpm-node.yml, .github/workflows/ci-node-README.md, .github/workflows/ci-pnpm-node-README.md
The Node and pnpm CI workflows each add a pull-request-only dependency-review job configured for vulnerability checks, low-severity failures, and PR comments, and their READMEs add matching key-feature entries.
Django dependency review jobs
.github/workflows/ci-django-api.yml, .github/workflows/ci-uv-django-api.yml, .github/workflows/ci-django-api-README.md, .github/workflows/ci-uv-django-api-README.md
The Django and uv Django CI workflows each add a pull-request-only dependency-review job configured for vulnerability checks, low-severity failures, and PR comments, and their READMEs add matching key-feature entries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A bunny hops through YAML light,
sniffing shells for trouble bright.
PRs now glow with safety checks,
and patched-up paths avoid the wrecks. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding dependency review jobs across the CI workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/KEH-351-dependency-review-ci

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@tuomas777 tuomas777 force-pushed the feature/KEH-351-dependency-review-ci branch from b45a64f to 8355f71 Compare June 26, 2026 10:29
@tuomas777 tuomas777 changed the title ci(node): add dependency review job Add dependency review job to all CI workflows Jun 26, 2026
@tuomas777 tuomas777 force-pushed the feature/KEH-351-dependency-review-ci branch from 8355f71 to 6088b36 Compare June 26, 2026 11:02
@tuomas777 tuomas777 marked this pull request as ready for review June 26, 2026 11:06
@tuomas777 tuomas777 requested a review from a team as a code owner June 26, 2026 11:06

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/ci-node.yml (1)

258-258: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

fail-on-severity: low is aggressive for a shared workflow.

Failing on any low-severity advisory (including transitive deps) can block unrelated PRs and generate noise across all consumers. Consider moderate/high as the shared default, or expose it as an input so projects can tune their policy.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-node.yml at line 258, The shared CI workflow is using
an overly strict dependency-audit threshold, which can cause unrelated PRs to
fail on low-severity advisories. Update the workflow entry in ci-node.yml to
make the severity policy less aggressive by default, such as using a higher
threshold like moderate or high, or better yet make the value configurable as an
input so consumers can tune it. Keep the change localized to the audit
configuration near the fail-on-severity setting.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci-node.yml:
- Line 258: The shared CI workflow is using an overly strict dependency-audit
threshold, which can cause unrelated PRs to fail on low-severity advisories.
Update the workflow entry in ci-node.yml to make the severity policy less
aggressive by default, such as using a higher threshold like moderate or high,
or better yet make the value configurable as an input so consumers can tune it.
Keep the change localized to the audit configuration near the fail-on-severity
setting.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c73772cc-08c8-43ec-9034-2ba6bf154292

📥 Commits

Reviewing files that changed from the base of the PR and between 5db4332 and 6088b36.

📒 Files selected for processing (9)
  • .github/workflows/ci-django-api-README.md
  • .github/workflows/ci-django-api.yml
  • .github/workflows/ci-node-README.md
  • .github/workflows/ci-node.yml
  • .github/workflows/ci-pnpm-node-README.md
  • .github/workflows/ci-pnpm-node.yml
  • .github/workflows/ci-uv-django-api-README.md
  • .github/workflows/ci-uv-django-api.yml
  • .github/workflows/test-reusable-workflows.yml

@tuomas777 tuomas777 marked this pull request as draft June 29, 2026 07:31
@tuomas777 tuomas777 force-pushed the feature/KEH-351-dependency-review-ci branch 2 times, most recently from aa2919c to ea0de87 Compare June 29, 2026 16:19
@tuomas777 tuomas777 marked this pull request as ready for review June 29, 2026 17:16
Refs: KEH-351
Co-authored-by: Tuomas Haapala <tuomas.haapala@anders.com>
@tuomas777 tuomas777 force-pushed the feature/KEH-351-dependency-review-ci branch from ea0de87 to d1f5b20 Compare June 30, 2026 09:10

@mikkojamG mikkojamG left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🦭 👍

@nicobav nicobav left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :shipit:

@tuomas777 tuomas777 merged commit 47073a6 into main Jun 30, 2026
26 checks passed
@tuomas777 tuomas777 deleted the feature/KEH-351-dependency-review-ci branch June 30, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants