fix: Dependabot cursor pagination and Linear mutation types

msukkari · claude · msukkari · commit 42c8224a5774 · 2026-04-17T18:38:37.000-07:00
- Dependabot alerts API removed page-based pagination (Oct 2025).
  Switched to cursor-based pagination using Link header.
- Fixed Linear issueCreate mutation: $description and $priority are
  optional in the schema (String, Int) not required (String!, Int!).

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/trivy-vulnerability-triage.yml b/.github/workflows/trivy-vulnerability-triage.yml
@@ -245,23 +245,22 @@ jobs:
           fi
 
           ALL_ALERTS="[]"
-          PAGE=1
+          URL="https://api.github.com/repos/${{ github.repository }}/dependabot/alerts?state=open&per_page=100"
 
-          while true; do
-            RESPONSE=$(curl -s -w "\n%{http_code}" \
+          while [ -n "$URL" ]; do
+            # Fetch with headers saved to parse Link for cursor pagination
+            HTTP_CODE=$(curl -s -o /tmp/dependabot-body.json -w "%{http_code}" -D /tmp/dependabot-headers.txt \
               -H "Accept: application/vnd.github+json" \
               -H "Authorization: Bearer $DEPENDABOT_PAT" \
-              "https://api.github.com/repos/${{ github.repository }}/dependabot/alerts?state=open&per_page=100&page=$PAGE")
-
-            HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-            BODY=$(echo "$RESPONSE" | sed '$d')
+              "$URL")
 
             if [ "$HTTP_CODE" != "200" ]; then
               echo "::warning::Failed to fetch Dependabot alerts (HTTP $HTTP_CODE). Writing empty results."
               echo "[]" > dependabot-alerts.json
               exit 0
             fi
 
+            BODY=$(cat /tmp/dependabot-body.json)
             COUNT=$(echo "$BODY" | jq 'length')
             if [ "$COUNT" -eq 0 ]; then
               break
@@ -283,10 +282,8 @@ jobs:
 
             ALL_ALERTS=$(echo "$ALL_ALERTS" "$EXTRACTED" | jq -s '.[0] + .[1]')
 
-            if [ "$COUNT" -lt 100 ]; then
-              break
-            fi
-            PAGE=$((PAGE + 1))
+            # Parse Link header for next page URL (cursor-based pagination)
+            URL=$(sed -n 's/.*<\([^>]*\)>; *rel="next".*/\1/p' /tmp/dependabot-headers.txt || true)
           done
 
           ALERT_COUNT=$(echo "$ALL_ALERTS" | jq 'length')
@@ -537,7 +534,7 @@ jobs:
           # Write CVEs to temp file so the while loop doesn't run in a pipe subshell
           echo "$STRUCTURED_OUTPUT" | jq -c '.cves[]' > /tmp/cves.jsonl
 
-          MUTATION='mutation CreateIssue($teamId: String!, $title: String!, $description: String!, $priority: Int!, $labelIds: [String!], $stateId: String) { issueCreate(input: { teamId: $teamId, title: $title, description: $description, priority: $priority, labelIds: $labelIds, stateId: $stateId }) { success issue { id identifier url } } }'
+          MUTATION='mutation CreateIssue($teamId: String!, $title: String!, $description: String, $priority: Int, $labelIds: [String!], $stateId: String) { issueCreate(input: { teamId: $teamId, title: $title, description: $description, priority: $priority, labelIds: $labelIds, stateId: $stateId }) { success issue { id identifier url } } }'
 
           while IFS= read -r cve; do
             CVE_ID=$(echo "$cve" | jq -r '.cveId')
