ci: replace dependabot auto-vet bot commit with patch artifact

[bronzelle-cw]

1. What changed:
   • Replaced bot commit/push flow with patch generation and artifact upload.
   • Updated PR comment to explain how authors apply the patch locally.
2. Why:
   • Keeps final commit ownership and signing with the PR author.
   • Reduces workflow complexity compared with a review-suggestion engine.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Artifact upload condition Confirm that the upload step runs only for Pull Request events when has_patch is true. Evaluate whether the if condition should handle other event types or manual triggers to avoid missing or redundant uploads. - name: Upload auto-vet patch artifact id: upload_patch if: github.event_name == 'pull_request' && steps.patch.outputs.has_patch == 'true' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number }} path: ${{ steps.patch.outputs.patch_path }} if-no-files-found: error retention-days: ${{ env.RETENTION_DAYS }} Upload outputs naming Verify that actions/upload-artifact@v4.6.2 actually exposes artifact-id and artifact-url outputs as referenced. If the action uses different output keys, patch_meta will receive empty values. if: github.event_name == 'pull_request' && steps.patch.outputs.has_patch == 'true' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number }} path: ${{ steps.patch.outputs.patch_path }} if-no-files-found: error retention-days: ${{ env.RETENTION_DAYS }} JS comment generation syntax Review the JavaScript snippet that builds the PR comment for mismatched braces or indentation in the if (patchGenerated) ... else block to prevent runtime syntax errors. if (patchGenerated) { lines.push(`- **Patch generated:** yes`); lines.push(`- **Artifact uploaded:** ${patchUploaded ? 'yes' : 'no'}`); if (artifactName) lines.push(`- **Artifact name:** ${artifactName}`); if (artifactId) lines.push(`- **Artifact ID:** ${artifactId}`); if (retentionDays) lines.push(`- **Retention:** ${retentionDays} days`); if (artifactUrl) { lines.push(`- **Artifact download:** ${artifactUrl}`); } else if (runUrl) { lines.push(`- **Workflow run:** ${runUrl}`); } } else { lines.push(`- **Patch generated:** no audit files were produced`); }

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Handle git diff errors explicitly Add explicit error handling for the git diff --quiet invocation so that unexpected git errors (exit code >1) are not misclassified as "changes found". Capture and check the exit code, and abort the step on real errors. This prevents generating empty or partial patch files when git itself fails. .github/workflows/dependabot-auto-vet.yml [381-388] -if git diff --quiet -- supply-chain; then +git diff --quiet -- supply-chain +rc=$? +if [ $rc -eq 0 ]; then echo "has_patch=false" >> "$GITHUB_OUTPUT" echo "patch_path=" >> "$GITHUB_OUTPUT" echo "patch_bytes=0" >> "$GITHUB_OUTPUT" exit 0 +elif [ $rc -gt 1 ]; then + echo "Error running git diff" >&2 + exit 1 fi git diff --binary --patch -- supply-chain > "$patch_path" Suggestion importance[1-10]: 7 __ Why: Explicitly checking git diff exit codes prevents treating real git errors as "changes found" and avoids generating empty or partial patches, improving reliability.	Medium

[cloudwalk-review-agent]

Summary

Clean architectural move — shifting commit ownership back to the PR author is the right call, and the patch/artifact flow is well-structured. Two issues in the apply instructions worth fixing before this ships.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.17%. Comparing base (d5188d5) to head (66b1697).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2467      +/-   ##
==========================================
- Coverage   84.41%   81.17%   -3.24%     
==========================================
  Files         141      141              
  Lines       10808    11238     +430     
==========================================
- Hits         9124     9123       -1     
- Misses       1684     2115     +431     

Flag	Coverage Δ
contracts-rocks-asset-transit-desk	43.59% <ø> (-0.06%)	⬇️
contracts-rocks-balance-freezer	42.66% <ø> (-0.06%)	⬇️
contracts-rocks-balance-tracker	42.99% <ø> (-0.08%)	⬇️
contracts-rocks-base	43.56% <ø> (-0.06%)	⬇️
contracts-rocks-blueprint	43.91% <ø> (-0.06%)	⬇️
contracts-rocks-capybara-finance	44.24% <ø> (-0.06%)	⬇️
contracts-rocks-capybara-finance-v2	44.33% <ø> (-0.04%)	⬇️
contracts-rocks-card-payment-processor	44.05% <ø> (-0.02%)	⬇️
contracts-rocks-card-payment-processor-v2	44.33% <ø> (-0.04%)	⬇️
contracts-rocks-cashier	43.91% <ø> (-0.06%)	⬇️
contracts-rocks-credit-agent	43.23% <ø> (-0.04%)	⬇️
contracts-rocks-multisig	43.90% <ø> (-0.06%)	⬇️
contracts-rocks-net-yield-distributor	43.91% <ø> (-0.08%)	⬇️
contracts-rocks-periphery	42.66% <ø> (-0.06%)	⬇️
contracts-rocks-shared-wallet-controller	43.97% <ø> (-0.06%)	⬇️
contracts-rocks-token	44.01% <ø> (-0.08%)	⬇️
contracts-rocks-treasury	43.63% <ø> (-0.06%)	⬇️
e2e-admin-password	22.79% <ø> (-0.05%)	⬇️
e2e-clock-stratus	25.65% <ø> (-0.04%)	⬇️
e2e-genesis	27.18% <ø> (-0.05%)	⬇️
e2e-importer-offline	60.09% <ø> (-0.07%)	⬇️
e2e-rpc-downloader	55.08% <ø> (-0.08%)	⬇️
e2e-stratus	57.52% <ø> (-0.12%)	⬇️
leader-follower-	61.60% <ø> (-0.12%)	⬇️
rust-tests	29.62% <ø> (-1.11%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — the fallback block now correctly references vet/auto-vet.patch inside the zip. Good catch addressed.

Two issues remain: the -S GPG signing flag (flagged last round, still present in both blocks), and a new path bug in the gh run download block that will make git apply fail for anyone who uses the preferred flow.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — fallback block now correctly references vet/auto-vet.patch inside the zip. Good.

Three issues remain (two carried over, one new):

1. New bug: mkdir -p vet is missing before the git diff … > "$patch_path" redirect — if the vet/ directory doesn't already exist the shell will immediately error with No such file or directory and the patch step will exit 1 silently discarding the diff.
2. Carried over: git apply --index auto-vet.patch in the gh run download block still references the wrong path.
3. Carried over: -S (GPG signing) in both commit blocks will silently fail or error for developers without a signing key configured.