
chore: bump urllib3 from 2.6.1 to 2.7.0 in the pip group across 1 directory + CI Fixes #185

Merged: felickz merged 3 commits into main from dependabot/pip/pip-8177a8837a on May 11, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Feb 10, 2026

Bumps the pip group with 1 update in the / directory: urllib3.

Updates urllib3 from 2.6.1 to 2.7.0, fixing two high-severity CVEs present in 2.6.3:


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Workflow changes:

  • Updated .github/workflows/cli.yml to skip the run job if the pull request author is Dependabot, preventing unnecessary runs for automated dependency updates.
  • Updated .github/workflows/main.yml to skip both the e2e-tests and action-test jobs for Dependabot pull requests, reducing CI resource usage for automated PRs. [1] [2]

Script improvements:

  • Modified the policy-as-code script to correctly pass all arguments to Python by quoting "$@", ensuring arguments with spaces are handled properly.

Bumps the pip group with 1 update in the / directory: [urllib3](https://github.com/urllib3/urllib3).


Updates `urllib3` from 2.6.1 to 2.6.3
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.1...2.6.3)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.6.3
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Feb 10, 2026
@dependabot dependabot Bot requested a review from a team as a code owner February 10, 2026 22:50
@dependabot dependabot Bot requested review from adrienpessu and felickz February 10, 2026 22:50

github-actions Bot commented Feb 10, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

Pipfile.lock

Package    Version    License    Issue Type
urllib3    2.7.0      Null       Unknown License

OpenSSF Scorecard

Package        Version    Score      Details
pip/urllib3    2.7.0      Unknown    Unknown
pip/urllib3    2.7.0      Unknown    Unknown

Scanned Files

  • Pipfile.lock


Copilot AI commented Apr 14, 2026

@copilot fix the failing CI (https://github.com/advanced-security/policy-as-code/actions/runs/21885476597/job/63179134667?pr=185 https://github.com/advanced-security/policy-as-code/actions/runs/218854...

Fixed in commit 563743c. There were two root causes:

  1. policy-as-code bash script had unquoted $@ — bash word-splitting drops empty string arguments, so --github-token "" (empty secret) was passed to Python as just --github-token (no value), causing the argparse "expected one argument" error. Fixed by quoting: "$@".

  2. Integration tests in cli.yml, main.yml (e2e-tests, action-test) all require POLICY_AS_CODE_TESTING_TOKEN, which Dependabot PRs cannot access. Added if: ${{ github.actor != 'dependabot[bot]' }} to skip those jobs for Dependabot. The unit test jobs in main.yml continue to run for Dependabot PRs as they don't need the token.
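The word-splitting behaviour behind root cause 1, as an added example (this is not the project's policy-as-code wrapper; check_token_arg is a hypothetical stand-in for the argparse check in python3 -m ghascompliance, and the --github-token / --policy arguments are constructed sample input):

```bash
#!/usr/bin/env bash
# Added example: why an unquoted $@ drops an empty secret such as
# --github-token "" and why "$@" preserves it. Nothing here is the
# policy-as-code project's own code.

# Stand-in for the Python entry point: reports how many arguments reached it.
count_args() {
    printf '%s\n' "$#"
}

# Buggy wrapper: unquoted $@ undergoes field splitting, and an empty
# positional parameter produces no field at all, so it vanishes.
forward_unquoted() {
    count_args $@
}

# Fixed wrapper: "$@" re-expands every positional parameter as its own word,
# so an empty string is forwarded as an empty word.
forward_quoted() {
    count_args "$@"
}

# Hypothetical stand-in for argparse: --github-token must be followed by a
# value. If the next word is missing or is itself an option, argparse would
# fail with "expected one argument"; we mirror that with exit status 2.
check_token_arg() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --github-token)
                shift
                if [ $# -eq 0 ] || [ "${1#--}" != "$1" ]; then
                    echo "error: argument --github-token: expected one argument" >&2
                    return 2
                fi
                shift
                ;;
            *)
                shift
                ;;
        esac
    done
    return 0
}

# The same two wrappers, this time feeding the stand-in parser.
run_unquoted() { check_token_arg $@; }
run_quoted()   { check_token_arg "$@"; }

# Demonstration with a constructed argument list in which the secret is empty,
# as it is for a Dependabot PR that cannot read repository secrets.
if run_quoted --github-token "" --policy policy.yml 2>/dev/null; then
    echo 'quoted "$@": empty token forwarded as an empty value, parser accepts'
fi
if ! run_unquoted --github-token "" --policy policy.yml 2>/dev/null; then
    echo 'unquoted $@: empty token dropped, parser reports "expected one argument"'
fi
```

The argument count makes the loss visible: four words go in, but the unquoted wrapper hands on only three. Quoting fixes the forwarding; separately, a workflow that can end up with an empty token is better off checking for that explicitly than relying on the downstream parser to reject a missing value.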


Copilot AI commented May 11, 2026

@copilot upgrade to 2.7.0 urllib ( fix https://github.com/advanced-security/policy-as-code/actions/runs/24422933319?pr=185) + fix failing CIs https://github.com/advanced-security/policy-as-code/action...

Done in the latest commit. Two fixes applied:

  1. urllib3 upgraded to 2.7.0 in Pipfile.lock (both default and develop sections) — resolves the two high-severity CVEs (GHSA-qccp-gfcp-xxvc and GHSA-mf9v-mfxr-j63j) that caused the dependency-review failure.

  2. Workflow if conditions updated from github.actor != 'dependabot[bot]' to github.event.pull_request.user.login != 'dependabot[bot]' in cli.yml and main.yml — this checks the PR author rather than the run triggering actor, so integration tests are correctly skipped for Dependabot PRs even when a maintainer manually re-runs them.

Copilot AI changed the title chore: bump urllib3 from 2.6.1 to 2.6.3 in the pip group across 1 directory chore: bump urllib3 from 2.6.1 to 2.7.0 in the pip group across 1 directory May 11, 2026
@felickz felickz requested a review from Copilot May 11, 2026 19:03

Copilot AI left a comment


Pull request overview

Updates the Python dependency lockfile to use urllib3==2.7.0 (addressing the referenced CVEs), but also includes additional changes to workflow/job gating and CLI argument forwarding that are not reflected in the PR description/title.

Changes:

  • Bump urllib3 from 2.6.1 to 2.7.0 in Pipfile.lock (default + develop).
  • Change policy-as-code to forward CLI args using "$@" when invoking python3 -m ghascompliance.
  • Skip some GitHub Actions jobs when the PR author is dependabot[bot].
Summary per file:

File                           Description
policy-as-code                 Adjusts argument forwarding to the Python module invocation.
Pipfile.lock                   Updates locked urllib3 version/hashes to 2.7.0 (and adds index metadata in default).
.github/workflows/main.yml     Adds Dependabot-based gating for e2e-tests and action-test jobs.
.github/workflows/cli.yml      Adds Dependabot-based gating for the run job.

Copilot's findings

Comments suppressed due to low confidence (1)

.github/workflows/main.yml:62

  • This PR is described as an urllib3 version bump, but this change also skips the action-test job for Dependabot PRs. Please update the PR description/scope accordingly so reviewers can explicitly evaluate the CI/coverage impact of this workflow change.
  action-test:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
    needs: run 
  • Files reviewed: 3/4 changed files
  • Comments generated: 3


@felickz felickz left a comment


:dependabot: 👍

@felickz felickz changed the title chore: bump urllib3 from 2.6.1 to 2.7.0 in the pip group across 1 directory chore: bump urllib3 from 2.6.1 to 2.7.0 in the pip group across 1 directory + CI Fixes May 11, 2026
@felickz felickz merged commit c66af84 into main May 11, 2026
19 checks passed
@felickz felickz deleted the dependabot/pip/pip-8177a8837a branch May 11, 2026 19:41