
Improve security update handling of newly reported issues and unavailable fix versions#48

Open
tekante wants to merge 1 commit into
mainfrom
issue/security-update-improvements

Conversation

@tekante (Member) commented May 21, 2026

Summary by CodeRabbit

Release Notes

  • New Features

    • Added optional package_wait_seconds parameter (default: 300 seconds) to configure retry behavior when fixed vulnerable package versions are unavailable.
  • Improvements

    • Enhanced handling for unpublished fixed package versions with automatic retry capability.
    • Improved advisory resolution to address newly discovered vulnerabilities during re-auditing phase.

coderabbitai Bot commented May 21, 2026

Walkthrough

The PR adds a new optional package_wait_seconds input to the Drupal security update action, enabling wait-and-retry behavior when fixed vulnerable package versions are not yet published. The action declaration, prompt integration, and documentation are updated, along with workflow instructions to handle unpublished versions and newly surfaced advisories during re-audit.

Changes

Unpublished Package Version Handling

Input configuration and documentation (actions/drupal-security-update/action.yml, actions/drupal-security-update/README.md): New package_wait_seconds input (default 300 seconds) is declared in the composite action, passed to the Claude Code prompt, and documented in the action README as an optional parameter.

Workflow logic for unpublished versions and re-audit (actions/drupal-security-update/instructions.md): Initial composer audit now runs with --no-cache; new "Handle Unpublished Fixed Versions" procedure implements wait-and-retry logic when updates don't resolve vulnerabilities; workflow transitions to re-audit and includes logic to resolve or document newly discovered advisories.

🎯 2 (Simple) | ⏱️ ~12 minutes

🐰 A bundle so small, yet so wise,
With patience and waits, our code defies,
Unpublished, unready, we simply wait more,
Then audit again, and the path shall be clear! 🔍✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately summarizes the main changes—adding handling for newly reported issues during re-audit and managing unavailable fixed package versions with wait-and-retry logic.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
actions/drupal-security-update/action.yml (1)

95-98: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use --no-cache in the gating audit to avoid missing newly reported advisories.

Line 97 currently allows cached advisory data. That can cause false negatives in the first audit and skip the entire update flow, which undermines this PR’s goal.

Suggested fix
-        AUDIT_OUTPUT=$(composer audit --format=json --no-plugins 2>/dev/null)
+        AUDIT_OUTPUT=$(composer audit --no-cache --format=json --no-plugins 2>/dev/null)
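Review bot: adding --no-cache to the gating audit is the right call, but the same command discards stderr (2>/dev/null) and the step runs under set +e, so a failure to fetch fresh advisory data (a network error, for instance) would leave AUDIT_OUTPUT empty with no visible diagnostic. Make sure the AUDIT_EXIT_CODE handling that follows treats a failed audit as "unknown, do not skip the update flow" rather than as "no advisories found", otherwise the false negative this fix targets can reappear through a different path; at minimum, send stderr to a log file instead of /dev/null so the cause is recoverable from the job output.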
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@actions/drupal-security-update/action.yml` around lines 95 - 98, The composer
audit call in the gating step uses cached advisory data and can miss newly
reported advisories; update the command invoked where AUDIT_OUTPUT and
AUDIT_EXIT_CODE are set so the composer audit invocation includes the --no-cache
option (i.e., run composer audit --format=json --no-plugins --no-cache) to force
fresh advisory data before capturing AUDIT_OUTPUT and AUDIT_EXIT_CODE.
actions/drupal-security-update/README.md (1)

137-137: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update docs to reflect --no-cache audit behavior.

Line 137 is now out of sync with the updated workflow expectations. Please document composer audit --no-cache --format=json here as well.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@actions/drupal-security-update/README.md` at line 137, Update the
documentation entry that describes the audit command to include the new
--no-cache flag; specifically change the description that references "composer
audit --format=json" to "composer audit --no-cache --format=json" so it matches
the workflow expectation and ensures the README reflects the actual command used
by the actions/drupal-security-update workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ac0a123a-4751-40a4-84dc-15f2e88749f9

📥 Commits

Reviewing files that changed from the base of the PR and between 6e793b8 and e0af82a.

📒 Files selected for processing (3)
  • actions/drupal-security-update/README.md
  • actions/drupal-security-update/action.yml
  • actions/drupal-security-update/instructions.md


@chrissnyder2337 chrissnyder2337 left a comment


LGTM!

run: |
  set +e
  # --no-plugins prevents Composer plugins from writing to stdout and corrupting the JSON output
  AUDIT_OUTPUT=$(composer audit --format=json --no-plugins 2>/dev/null)

@chrissnyder2337 chrissnyder2337 May 21, 2026


@tekante Should we add --no-cache here as well?

        AUDIT_OUTPUT=$(composer audit --no-cache --format=json --no-plugins 2>/dev/null)

If the fixed version is not yet available in the package repository (i.e., `composer update` succeeds but the package version does not change, and the vulnerability persists in re-audit):

1. Wait for the number of seconds specified as "Package wait seconds" in the workflow prompt, then retry the update once.
2. If still unavailable, document in pr_body.md as "fixed version not yet published" with the advisory details and a note to re-run this workflow once the version is released.
Member

I know emojis are annoying to some, but I think it might be appropriate here. Something like

Use an attention-grabbing opening headline for the pr_body.md like, "❌ IMPORTANT: fixed version not yet published. This workflow must be re-run to fix the security vulnerability."
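The wait-and-retry procedure quoted above, together with the re-audit step that has to tell a not-yet-published fix apart from a newly reported advisory, as an added worked example. This is not code from the action, the PR, or any commenter. It assumes the `composer audit --format=json` output carries an `advisories` map keyed by package name with an `advisoryId` per entry, replaces the real `composer audit` and `composer update` invocations with injected callables so the scenario runs offline on constructed data, and uses the pr_body.md headline proposed in the thread.

```python
"""Re-audit decision logic for a Drupal composer security update.

Added example, not code from the action or this PR. Assumes the
`composer audit --format=json` shape
{"advisories": {"vendor/pkg": [{"advisoryId": "..."}, ...]}, "abandoned": [...]}
and models the composer invocations as injected callables so it runs offline.
"""
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

Advisory = Tuple[str, str]  # (package name, advisory id)


def advisories_from_audit(audit_json: str) -> Set[Advisory]:
    """Parse `composer audit --no-cache --format=json --no-plugins` stdout.

    Empty stdout yields an empty set; an empty "advisories" value may be a
    list rather than a map, so it is normalised to {} before iteration.
    """
    if not audit_json.strip():
        return set()
    data = json.loads(audit_json)
    advisories = data.get("advisories") or {}
    return {(pkg, entry["advisoryId"])
            for pkg, entries in advisories.items()
            for entry in entries}


@dataclass
class Outcome:
    resolved: Set[Advisory] = field(default_factory=set)        # gone after the update
    unpublished: Set[Advisory] = field(default_factory=set)     # persists, version unchanged
    still_affected: Set[Advisory] = field(default_factory=set)  # persists despite a version change
    newly_reported: Set[Advisory] = field(default_factory=set)  # only in the re-audit


def classify(before: Set[Advisory], after: Set[Advisory],
             versions_before: Dict[str, str], versions_after: Dict[str, str]) -> Outcome:
    """Diff the initial audit against the re-audit by advisory id."""
    out = Outcome()
    out.resolved = before - after
    out.newly_reported = after - before
    for adv in before & after:
        pkg = adv[0]
        if versions_before.get(pkg) == versions_after.get(pkg):
            out.unpublished.add(adv)  # update ran, but nothing newer exists to move to
        else:
            out.still_affected.add(adv)
    return out


def update_with_retry(audit: Callable[[], str], update: Callable[[], None],
                      installed_versions: Callable[[], Dict[str, str]],
                      wait_seconds: int = 300,
                      sleep: Callable[[float], None] = time.sleep) -> Tuple[Outcome, int]:
    """Update and re-audit; if a fix is not yet published, wait `wait_seconds`
    (the action's package_wait_seconds, default 300) and retry exactly once."""
    before = advisories_from_audit(audit())
    versions_before = installed_versions()
    attempts = 0
    while True:
        attempts += 1
        update()
        outcome = classify(before, advisories_from_audit(audit()),
                           versions_before, installed_versions())
        if not outcome.unpublished or attempts == 2:
            return outcome, attempts
        sleep(wait_seconds)


HEADLINE = ("❌ IMPORTANT: fixed version not yet published. "
            "This workflow must be re-run to fix the security vulnerability.")


def render_pr_body(outcome: Outcome) -> str:
    """Build pr_body.md; the headline leads only when a fix is unpublished."""
    def section(title: str, advs: Set[Advisory]):
        return [title] + [f"- {pkg}: {aid}" for pkg, aid in sorted(advs)] + [""]

    lines = []
    if outcome.unpublished:
        lines += [HEADLINE, ""]
        lines += section("Fixed version not yet published (re-run this workflow once it is released):",
                         outcome.unpublished)
    if outcome.still_affected:
        lines += section("Updated but still affected (the version constraint may need widening):",
                         outcome.still_affected)
    if outcome.newly_reported:
        lines += section("Newly reported during re-audit (not in the initial audit):",
                         outcome.newly_reported)
    if outcome.resolved:
        lines += section("Resolved:", outcome.resolved)
    return "\n".join(lines).rstrip() + "\n"


def demo():
    """Constructed scenario with made-up advisory ids: drupal/foo updates cleanly,
    the drupal/core fix is not on Packagist yet, and the advisory feed gains a
    drupal/bar entry between the first audit and the re-audit."""
    state = {"drupal/core": "10.2.0", "drupal/foo": "1.0.0", "drupal/bar": "2.0.0"}
    updates_run, waits = [], []

    def audit() -> str:  # stands in for `composer audit --no-cache --format=json --no-plugins`
        advs = {}
        if state["drupal/core"] == "10.2.0":
            advs["drupal/core"] = [{"advisoryId": "EXAMPLE-core-1"}]
        if state["drupal/foo"] == "1.0.0":
            advs["drupal/foo"] = [{"advisoryId": "EXAMPLE-foo-1"}]
        if updates_run:  # new advisory published after the first audit
            advs["drupal/bar"] = [{"advisoryId": "EXAMPLE-bar-1"}]
        return json.dumps({"advisories": advs, "abandoned": []})

    def update() -> None:  # stands in for `composer update` of the vulnerable packages
        updates_run.append(True)
        if state["drupal/foo"] == "1.0.0":
            state["drupal/foo"] = "1.0.1"  # drupal/core has no newer release, so it stays put

    outcome, attempts = update_with_retry(audit, update, lambda: dict(state),
                                          wait_seconds=300, sleep=waits.append)
    return outcome, attempts, waits, render_pr_body(outcome)


if __name__ == "__main__":
    outcome, attempts, waits, body = demo()
    print(f"attempts={attempts} waited={waits}")
    print(body)
```

The version comparison is what separates "fixed version not yet published" from "updated but still vulnerable": both leave the advisory in the re-audit, but only the first leaves the installed version unchanged, and only the first should trigger the wait. Advisories are diffed by id rather than by package so that a second, newly reported advisory on an already-updated package is reported as new instead of being mistaken for a failed fix.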


3 participants