fix(ci): prevent spurious Dependabot PR failures from auto-approve and @types/vscode bumps (#143)

SebTardif · web-flow · commit 3b505152f40e · 2026-06-22T15:19:49.000Z
* fix(ci): stop broken auto-approve runs for Dependabot and ignore @types/vscode - Remove dependabot[bot] from auto-approve.yml condition. That workflow runs on pull_request (no secrets for Dependabot) and always failed the create-github-app-token step, producing a permanent red 'auto-approve' check on every Dependabot PR. - Dependabot approval + auto-merge (patch/minor) is already handled by the dedicated dependabot-auto-merge.yml on pull_request_target. - Add @types/vscode to dependabot ignore for npm. vsce package enforces that the @types/vscode version must not exceed engines.vscode. Bumps produced failing 'build' jobs (package step). - New Dependabot PRs will no longer have spurious failures. Majors still require manual review per existing policy. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca> * ci(security): pin Gitleaks version to avoid rate-limit 404s on install The previous dynamic fetch of 'latest' via unauthenticated GitHub API was brittle: - Rate limits (60/hr unauth) often return error JSON instead of release. - grep/cut produces empty GITLEAKS_VERSION. - Download URL becomes invalid → 404 + tar failure. This caused the 'Gitleaks secret detection' job to fail on PR #143 (even though the PR changes are unrelated to secrets scanning). Fix: pin to a recent stable release (8.30.1) with comment for future updates. This is consistent with how other tools/actions are handled in the repo. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca> --------- Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,6 +7,11 @@ updates:
     labels:
       - dependencies
     open-pull-requests-limit: 10
+    ignore:
+      # @types/vscode must be kept in sync with engines.vscode (vsce enforces
+      # @types/vscode version <= declared engine). Update both together when
+      # raising the minimum supported VS Code version.
+      - dependency-name: "@types/vscode"
 
   - package-ecosystem: github-actions
     directory: /
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
@@ -22,7 +22,6 @@ jobs:
     if: >-
       github.event.pull_request.user.login != 'github-actions[bot]' &&
       (github.actor == 'SebTardif' ||
-       github.actor == 'dependabot[bot]' ||
        github.actor == 'patchloom-release[bot]')
     steps:
       - name: Harden runner
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -83,8 +83,10 @@ jobs:
           fetch-depth: 0
 
       - name: Install Gitleaks
+        # Pinned version to avoid flakiness from unauthenticated /releases/latest
+        # (rate limits cause empty version → 404 on download). Update periodically.
         run: |
-          GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
+          GITLEAKS_VERSION=8.30.1
           curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | sudo tar -xz -C /usr/local/bin gitleaks
 
       - name: Run Gitleaks
