
ci: add dependency review workflow #10

Merged
wizzomafizzo merged 1 commit into main from chore/dep-review
Apr 10, 2026

Conversation

@wizzomafizzo commented Apr 10, 2026

Member

Summary

  • Add dependency review on PRs targeting main
  • Blocks PRs that introduce dependencies with known vulnerabilities or disallowed licenses

Summary by CodeRabbit

  • Chores
    • Added automated dependency review workflow for pull requests.

@coderabbitai (Bot) commented Apr 10, 2026


Walkthrough

A new GitHub Actions workflow for dependency review has been added to automatically check pull requests targeting the main branch. The workflow uses pinned versions of the checkout and dependency-review-action actions, running on Ubuntu with read-only content permissions.

Changes

Cohort / File(s): Dependency Review Workflow (.github/workflows/dependency-review.yml)
Summary: New GitHub Actions workflow that runs dependency review checks on pull requests to the main branch using pinned action versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • ci: pin GitHub Actions to commit SHAs #7: Both PRs pin third-party GitHub Actions to specific commit SHAs within workflow configuration files, establishing security best practices for action versioning.

Poem

🐰 A workflow so keen to review,
Dependency checks through and through!
With actions pinned tight to their place,
We'll spot all surprises before merge embrace. 🔍

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: add dependency review workflow' is clear, specific, and directly summarizes the main change: adding a GitHub Actions workflow for dependency review.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@codecov (Bot) commented Apr 10, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@coderabbitai (Bot) left a review comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In @.github/workflows/dependency-review.yml:
  • Around line 18-19: The Dependency Review job using actions/dependency-review-action (the "Dependency Review" step) currently lacks license policy configuration; update that step to include a with: block specifying either deny-licenses (listing disallowed SPDX identifiers) or allow-licenses (whitelist) so the action will actually block disallowed licenses, and keep/adjust fail-on-severity as needed to preserve vulnerability threshold behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: abde1a96-21ea-431f-965a-8dbb7e19f1d0

📥 Commits

Reviewing files that changed from the base of the PR and between 5cd155f and 863fc49.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml
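The workflow as the review comment asks for it, with the license-policy inputs the PR's version lacks. This is an added example, not the PR's own file: the pinned commit SHAs are placeholders (the page does not show them), and the denied-license list is an illustrative assumption, not the project's policy.

```yaml
# Added example of .github/workflows/dependency-review.yml (not the PR's file).
name: Dependency Review

on:
  pull_request:
    branches: [main]

# Least privilege: the action only needs to read the repository contents.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pin to a full commit SHA rather than a mutable tag; the real SHA is
        # not on this page, so <PINNED_COMMIT_SHA> is a placeholder.
        uses: actions/checkout@<PINNED_COMMIT_SHA> # vX.Y.Z

      # Before (as reviewed): no `with:` block, so the action reports licenses
      # but enforces no license policy, and fail-on-severity stays at its default.
      #
      # - name: Dependency Review
      #   uses: actions/dependency-review-action@<PINNED_COMMIT_SHA> # vX.Y.Z

      # After: explicit vulnerability threshold plus a license policy.
      - name: Dependency Review
        uses: actions/dependency-review-action@<PINNED_COMMIT_SHA> # vX.Y.Z
        with:
          # Fail the check when a newly added dependency carries a known
          # vulnerability of this severity or higher (low|moderate|high|critical).
          fail-on-severity: moderate
          # Comma-separated SPDX identifiers to block. Use deny-licenses OR
          # allow-licenses, not both. The list below is an assumed example.
          deny-licenses: GPL-3.0, AGPL-3.0
```

With `deny-licenses` set, a PR that adds a dependency under one of the listed licenses fails the check, which is the behaviour the PR description promises.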

@wizzomafizzo wizzomafizzo merged commit 9c20784 into main Apr 10, 2026
13 of 14 checks passed