
chore(security): add Dependabot cooldown/groups and hash-pin release pip installs#65

Open
Copilot wants to merge 2 commits into main from copilot/choresecurity-add-dependabot-cooldown

Conversation


Copilot AI commented May 20, 2026

This updates dependency hygiene controls for the repository by (1) adding Dependabot cooldown/grouping behavior per ecosystem and (2) removing ad-hoc pip installs from release automation in favor of hash-verified requirements.

  • Dependabot policy hardening (.github/dependabot.yml)
    • Added cooldown.default-days: 3 to each updates entry.
    • Kept existing Cargo grouping intact.
    • Added explicit grouping for GitHub Actions updates with a single wildcard actions group.
  • Deterministic pip install in release workflow (.github/workflows/release.yml)
    • Replaced direct package install with hash-enforced install from a pinned lock file:
      pip install -r requirements.txt --require-hashes > /dev/null
  • Pinned Python dependency lock (requirements.txt)
    • Added a hash-pinned requirements file generated via uv pip compile --generate-hashes for the workflow’s Python dependency set (including yq and transitive dependencies).

Copilot AI requested review from Copilot and removed request for Copilot May 20, 2026 21:14
@felickz felickz marked this pull request as ready for review May 20, 2026 22:51
@felickz felickz requested a review from a team as a code owner May 20, 2026 22:51

Copilot AI left a comment


Pull request overview

This PR tightens dependency management for the repository by hardening Dependabot behavior (cooldown + grouping) and making the release workflow’s Python tooling install deterministic via hash-pinned requirements.

Changes:

  • Added Dependabot cooldown configuration per ecosystem and grouped GitHub Actions updates into a single wildcard group.
  • Updated the release workflow to install yq (and its deps) from a hash-verified requirements.txt instead of ad-hoc pip install yq.
  • Introduced a new hash-pinned requirements.txt lockfile for the workflow’s Python dependencies.
Summary per file

File                           Description
requirements.txt               Adds a hash-pinned Python dependency lockfile intended for deterministic installs.
.github/workflows/release.yml  Switches release-version parsing dependency install to pip install -r requirements.txt --require-hashes.
.github/dependabot.yml         Adds cooldown settings and groups GitHub Actions updates under a single group.

Copilot's findings

  • Files reviewed: 2/3 changed files
  • Comments generated: 1

Comment thread .github/dependabot.yml
Comment on lines 20 to +25

- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "weekly"
  cooldown:
    default-days: 3
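The `pip install -r requirements.txt --require-hashes` step that this PR introduces (described in both the PR body and the review summary above) fails closed: pip refuses the whole install if any requirement in the file is not an `==` pin, lacks a `--hash` option, uses a digest algorithm other than sha256/sha384/sha512, or is an editable requirement. The following is an added example, not code from this PR or the project, of a pre-flight check that reports those conditions with a clearer message than pip's before the release job runs. The sample lock file contents follow the layout `uv pip compile --generate-hashes` emits, but the version numbers and every digest in it are constructed placeholders, and the script name `check_lock.py` in the usage comment is assumed.

```python
"""Pre-flight check for a hash-pinned requirements file.

Added example, not code from this PR or the project. It mirrors what pip
enforces under --require-hashes: every requirement must be pinned with ==
(or ===) and carry at least one strong --hash option, editable requirements
are refused, and a single offending line fails the whole install.
"""
import re
import sys

# Digest algorithms pip accepts in --require-hashes mode, with hex digest length.
STRONG_HASHES = {"sha256": 64, "sha384": 96, "sha512": 128}

# pip's comment rule: '#' at line start or after whitespace begins a comment,
# so a '#egg=' fragment inside a URL is not one.
_COMMENT_RE = re.compile(r"(^|\s+)#.*$")
_HASH_RE = re.compile(r"^--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)$")
_PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*[^\s;]+$")


def logical_lines(text):
    """Yield (line_no, line) after joining backslash continuations and dropping
    comments and blank lines, as pip's requirements parser does."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        line = _COMMENT_RE.sub("", " ".join(buf)).strip()
        buf, first, start = [], start, None
        if line:
            yield first, line


def check_lockfile(text):
    """Return the problems that would make pip install --require-hashes fail.
    An empty list means the file satisfies the invariant the release workflow
    now depends on."""
    problems = []
    for n, line in logical_lines(text):
        if line.startswith("-"):
            # Option lines such as -r or --index-url are fine; editable installs
            # have no archive to hash and are rejected by pip.
            if line.startswith(("-e ", "--editable")):
                problems.append(f"line {n}: editable requirement cannot be hash-checked")
            continue
        spec, *hash_opts = re.split(r"\s+(?=--hash=)", line)
        spec = spec.split(";", 1)[0].strip()  # drop any environment marker
        if not _PIN_RE.match(spec):
            problems.append(f"line {n}: {spec!r} is not pinned with ==")
        if not hash_opts:
            problems.append(f"line {n}: {spec!r} has no --hash option")
        for opt in hash_opts:
            m = _HASH_RE.match(opt)
            if not m:
                problems.append(f"line {n}: malformed option {opt!r}")
            elif m["algo"] not in STRONG_HASHES:
                problems.append(f"line {n}: {m['algo']} is not an accepted hash algorithm")
            elif len(m["digest"]) != STRONG_HASHES[m["algo"]]:
                problems.append(f"line {n}: {m['algo']} digest has the wrong length")
    return problems


def is_hash_pinned(text):
    return not check_lockfile(text)


# Constructed sample in the layout uv pip compile --generate-hashes emits.
# yq, argcomplete and pyyaml are real package names; the versions and every
# digest below are placeholders invented for this example, not real hashes.
GOOD_LOCK = "\n".join([
    "# This file was autogenerated by uv via the following command:",
    "#    uv pip compile requirements.in --generate-hashes",
    "argcomplete==3.1.0 \\",
    "    --hash=sha256:" + "ab" * 32 + " \\",
    "    --hash=sha256:" + "cd" * 32,
    "    # via yq",
    "pyyaml==6.0.1 \\",
    "    --hash=sha256:" + "ef" * 32,
    'yq==3.2.3 ; python_version >= "3.7" \\',
    "    --hash=sha512:" + "01" * 64,
])

# Constructed counter-example carrying each defect --require-hashes rejects.
BAD_LOCK = "\n".join([
    "argcomplete>=3.0 \\",                               # range, not a pin
    "    --hash=sha256:" + "ab" * 32,
    "pyyaml==6.0.1",                                     # pinned, no hash
    "yq==3.2.3 \\",
    "    --hash=md5:" + "0f" * 16,                       # weak algorithm
    "-e git+https://example.invalid/tool.git#egg=tool",  # editable
])

if __name__ == "__main__":
    # Usage: python check_lock.py requirements.txt  (exits 1 if not fully pinned)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_LOCK
    for problem in check_lockfile(text):
        print(problem)
    sys.exit(0 if is_hash_pinned(text) else 1)
```

Running the check as a CI step before the `pip install` catches a lock file that was regenerated without `--generate-hashes`, or hand-edited, while the error message still names the offending line; pip itself would only report that hashes are missing from some requirements.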

Labels

None yet

Projects

None yet


3 participants