
Update Managed Files#954

Merged: cmmarslender merged 1 commit into main from managed-files on Apr 2, 2026
Conversation

@ChiaAutomation (Contributor) commented Apr 2, 2026
Note

High Risk
Adds a new GitHub Actions workflow that runs on Dependabot PRs with pull-requests: write permission, downloads and executes an external installer, and checks out arbitrary upstream repos; mistakes here could enable supply-chain or CI token misuse.

Overview
Adds a new GitHub Actions workflow (dependabot-cursor-review.yml) that automatically analyzes Dependabot PRs (or a manually supplied PR number), then posts/upserts a managed PR comment with the results.

The workflow extracts package/version metadata plus release-notes/commit sections from the Dependabot PR body, checks out the referenced upstream dependency repo, runs a custom malware/IOC heuristic scan over files changed between versions/commits (uploading reports as artifacts), and runs Cursor CLI prompts for supply-chain and compatibility analysis before commenting back on the PR.

Written by Cursor Bugbot for commit 6a2d723. This will update automatically on new commits.
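The comment above says the workflow pulls package and version metadata plus the release-notes and commit sections out of the Dependabot PR body, then checks out the referenced upstream repository. As an added example (not code from this PR or the Chia workflow), the following Python parses a constructed Dependabot-style PR body into those fields and applies a strict allow-check on the upstream URL: only a plain `https://github.com/owner/repo` is accepted before any checkout would happen, which is the check a reviewer would want given the "checks out arbitrary upstream repos" risk flagged in the comment. The body format, regexes, sample body and function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample body in the shape Dependabot uses for a single-dependency
# bump; it is not taken from the PR on this page.
SAMPLE_BODY = """Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/psf/requests/releases">requests's releases</a>.</em></p>
<blockquote>
<h2>v2.32.3</h2>
<p>Bugfix release.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>0e322af Release v2.32.3</li>
</ul>
</details>
"""

# First line of a Dependabot body: "Bumps [name](url) from OLD to NEW."
BUMP_RE = re.compile(
    r"Bumps \[(?P<name>[^\]]+)\]\((?P<url>https?://[^)]+)\) "
    r"from (?P<old>\S+) to (?P<new>\S+)\."
)
# Collapsible <details> blocks carry the Release notes / Changelog / Commits sections.
SECTION_RE = re.compile(
    r"<details>\s*<summary>(?P<title>[^<]+)</summary>(?P<body>.*?)</details>", re.S
)
# Allow-list: exactly one GitHub owner/repo, no extra path, query or other host.
GITHUB_REPO_RE = re.compile(
    r"^https://github\.com/(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+)/?$"
)


@dataclass
class DependabotUpdate:
    name: str
    url: str
    old_version: str
    new_version: str
    sections: dict = field(default_factory=dict)


def parse_dependabot_body(body: str) -> Optional[DependabotUpdate]:
    """Extract package, versions and named <details> sections from a PR body.

    Returns None when the body does not start with the expected 'Bumps' line,
    so callers never act on a body they could not parse.
    """
    m = BUMP_RE.search(body)
    if not m:
        return None
    sections = {s.group("title").strip(): s.group("body").strip()
                for s in SECTION_RE.finditer(body)}
    return DependabotUpdate(
        name=m.group("name"),
        url=m.group("url"),
        old_version=m.group("old"),
        new_version=m.group("new"),
        sections=sections,
    )


def upstream_repo(url: str) -> Optional[tuple]:
    """Return (owner, repo) only for a bare github.com repository URL.

    Anything else (other hosts, sub-paths, query strings) is rejected so the
    checkout step can never be steered at an arbitrary location by the PR body.
    """
    m = GITHUB_REPO_RE.match(url.strip())
    if not m:
        return None
    return (m.group("owner"), m.group("repo"))


def checkout_target(body: str) -> Optional[tuple]:
    """Combine parsing and the allow-check: the only value a checkout step should consume."""
    update = parse_dependabot_body(body)
    if update is None:
        return None
    return upstream_repo(update.url)


if __name__ == "__main__":
    upd = parse_dependabot_body(SAMPLE_BODY)
    print(upd.name, upd.old_version, "->", upd.new_version, sorted(upd.sections))
    print("checkout:", checkout_target(SAMPLE_BODY))
    print("rejected:", upstream_repo("https://evil.example/psf/requests"))
```

The allow-check is deliberately stricter than "looks like a URL": a body that links to a different host, or to a sub-path under a real repository, parses fine but yields no checkout target, so the scan simply does not run rather than running against attacker-chosen content.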

@cmmarslender cmmarslender merged commit a0b79bd into main Apr 2, 2026
15 checks passed
@cmmarslender cmmarslender deleted the managed-files branch April 2, 2026 16:42

2 participants