
ci: add scheduled pnpm audit-fix workflow#121

Merged: venables merged 2 commits into main from pnpm-audit-fix on Jul 2, 2026

Conversation

@venables (Contributor) commented Jul 2, 2026

What

Adds .github/workflows/audit-fix.yaml: a scheduled (daily 07:17 UTC) + manually dispatchable workflow that sweeps the standing dependency tree for newly disclosed advisories, independent of any PR.

On a finding it runs pnpm audit --fix=override, refreshes the lockfile, and opens (or refreshes) a single chore/audit-fix PR for human review. The generated overrides are never auto-merged — --fix output is sloppy (broad ranges, caret targets, stray minimumReleaseAgeExclude entries) and warrants hand-tidying against the existing block in pnpm-workspace.yaml.

Why this complements existing checks

Per-PR audits only fire when a PR changes the dependency graph. This catches advisories published against deps we already ship and haven't touched — the time-driven half of the coverage.

Notes

  • Uses a scoped GitHub App token (ACTIONS_APP_ID / ACTIONS_APP_PRIVATE_KEY) rather than GITHUB_TOKEN, so the resulting PR triggers the normal check workflow and sidesteps the org "Actions can create PRs" toggle. Repo secret/variable are configured; the App must be installed on this repo with Contents + Pull requests write.
  • The App token is minted immediately before the PR step (after pnpm install), so the write-scoped token is never present in the runner while dependency build scripts execute.
  • Triggers are schedule + workflow_dispatch only — no pull_request/pull_request_target, so the secret is never exposed to fork PRs.
  • Ported/adapted from an equivalent workflow in another Catena repo, fitted to ACK conventions (repo guard, ./.github/actions/setup, AI policy disclosure in the generated PR body).

AI usage

Authored with Claude Code (Opus 4.8) under close human direction — the workflow was adapted from an existing internal equivalent, reviewed step by step (cache-poisoning/trigger analysis, token-ordering hardening), and the secret/variable wiring was performed interactively. Per AI_POLICY.md.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added an automated dependency maintenance workflow that runs on a schedule and via manual trigger.
    • The workflow applies available security fixes, refreshes the lockfile, and checks again to confirm whether issues are resolved.
    • If unresolved advisories remain, the workflow reports failure; otherwise it can open or update a dedicated fix pull request.

Sweeps the standing dependency tree daily for newly disclosed advisories
(independent of PR-triggered audits), applies `pnpm audit --fix=override`,
and opens/refreshes a single review PR via a scoped GitHub App token. The
token is minted just before the PR step so it is absent while dependency
build scripts run. Fails the run if advisories remain unresolved.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7bbfbb9-dac8-46b7-b9f2-23f833b7c6df

📥 Commits

Reviewing files that changed from the base of the PR and between 80a7ffe and bf4cce0.

📒 Files selected for processing (1)
  • .github/workflows/audit-fix.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/audit-fix.yaml

Walkthrough

Adds a new GitHub Actions workflow, "Audit fix," triggered on a daily schedule or manual dispatch. It runs pnpm audit --fix=override, refreshes the lockfile, re-audits, opens or updates a PR with the fixes via a minted app token, and fails the workflow if unresolved advisories remain.

Changes

Audit Fix Workflow

| Layer | File(s) | Summary |
|---|---|---|
| Workflow triggers and permissions | .github/workflows/audit-fix.yaml | Defines name, cron/dispatch triggers, contents permission, and non-canceling concurrency group. |
| Audit fix job core steps | .github/workflows/audit-fix.yaml | Restricts job to the target repo, checks out code, runs setup, applies pnpm audit --fix=override, refreshes lockfile, re-audits, and writes a clean output. |
| PR creation and failure guard | .github/workflows/audit-fix.yaml | Mints a scoped GitHub App token, creates/updates a chore/audit-fix branch PR via create-pull-request, and exits with failure if the re-audit isn't clean. |

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Scheduler as Cron/Dispatch
  participant Workflow as audit-fix job
  participant PNPM as pnpm
  participant GitHubApp as App Token
  participant PRAction as create-pull-request

  Scheduler->>Workflow: trigger daily/manual
  Workflow->>PNPM: audit --fix=override
  Workflow->>PNPM: install --lockfile-only
  Workflow->>PNPM: re-run audit
  PNPM-->>Workflow: audit result
  Workflow->>Workflow: set clean=true/false
  Workflow->>GitHubApp: mint installation token
  Workflow->>PRAction: create/update chore/audit-fix PR
  Workflow->>Workflow: exit 1 if clean=false
```

Related issues: None referenced.

Related PRs: None referenced.

Suggested labels: ci, dependencies, automation

Suggested reviewers: None specified.

🐰 A rabbit hops through logs each night,
Sniffing out advisories out of sight,
Fixing, patching, opening PRs with care,
If danger lingers—failing then and there!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: a scheduled pnpm audit-fix GitHub Actions workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
.github/workflows/audit-fix.yaml (2)

32-34: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add a bounded job timeout.

This job depends on registry/network calls and uses a non-canceling concurrency group; an explicit timeout-minutes prevents a stuck sweep from blocking later scheduled/manual runs for hours.

Suggested change
 jobs:
   audit-fix:
     if: github.repository == 'agentcommercekit/ack'
     runs-on: ubuntu-latest
+    timeout-minutes: 30
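Review bot: the job-level placement of `timeout-minutes` is right, but the budget covers the whole job (checkout, setup/install, both audits and the PR step), so size it against the slowest observed install rather than the audit alone; a timed-out job is also what frees the `cancel-in-progress: false` concurrency group for the next scheduled or manual run, which is the point of the change and worth saying in a one-line comment next to the key.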
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/audit-fix.yaml around lines 32 - 34, The audit-fix job
currently has no explicit timeout, so a hung registry/network call can block the
non-canceling concurrency group indefinitely. Add a bounded timeout to the
audit-fix job in the workflow, alongside the existing if and runs-on settings,
so scheduled or manual runs cannot be stalled for hours.

68-80: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Gate the write token on an actual audit-fix diff.

Clean daily sweeps still mint a contents/pull-requests write App token and invoke the PR action. Add a diff check after re-audit, then only mint/use the token when there is something to publish.

Suggested hardening
       - name: Re-audit the post-fix tree
         id: audit
         run: |
           pnpm audit && echo "clean=true" >> "$GITHUB_OUTPUT" \
             || echo "clean=false" >> "$GITHUB_OUTPUT"
+      - name: Detect audit-fix changes
+        id: changes
+        run: |
+          if git diff --quiet --exit-code; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
       # Mint the App token here, AFTER dependency install has run, so the
       # contents/pull-requests-write token is never present in the runner
       # environment while third-party build scripts (allowBuilds) execute.
       - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        if: steps.changes.outputs.changed == 'true'
         id: app-token
         with:
           app-id: ${{ vars.ACTIONS_APP_ID }}
           private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
@@
       - name: Open or update fix PR
+        if: steps.changes.outputs.changed == 'true'
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
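Review bot: in the "Detect audit-fix changes" step, `git diff --quiet` already implies `--exit-code`, so the extra flag is redundant, and `git diff` only sees modifications to tracked files; if a future `--fix` run could add an untracked file, `[ -z "$(git status --porcelain)" ]` would catch that as well. One consequence of gating both the token mint and the PR step on `changed == 'true'` is that the final "exit 1 if clean=false" step still fires when there is no diff at all (advisories the registry offers no override for), which is the intended outcome but deserves a comment or a clearer step name so a red run without a PR is not misread as a token or PR-creation failure.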
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/audit-fix.yaml around lines 68 - 80, Gate the App token
and PR creation in the audit-fix workflow on whether the re-audit produced a
real diff. After the re-audit step in the workflow, add a diff check and use it
to skip both actions/create-github-app-token and peter-evans/create-pull-request
when there is nothing to publish; keep the write-scoped token only for the path
that actually opens or updates the fix PR.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/audit-fix.yaml:
- Around line 32-34: The audit-fix job currently has no explicit timeout, so a
hung registry/network call can block the non-canceling concurrency group
indefinitely. Add a bounded timeout to the audit-fix job in the workflow,
alongside the existing if and runs-on settings, so scheduled or manual runs
cannot be stalled for hours.
- Around line 68-80: Gate the App token and PR creation in the audit-fix
workflow on whether the re-audit produced a real diff. After the re-audit step
in the workflow, add a diff check and use it to skip both
actions/create-github-app-token and peter-evans/create-pull-request when there
is nothing to publish; keep the write-scoped token only for the path that
actually opens or updates the fix PR.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b57c2270-27a6-4c4c-bcbe-18fac8ccb9ee

📥 Commits

Reviewing files that changed from the base of the PR and between 30bc515 and 80a7ffe.

📒 Files selected for processing (1)
  • .github/workflows/audit-fix.yaml

- Pin actions/checkout to ref: main so a workflow_dispatch from a feature
  branch can't leak its tree into the chore/audit-fix PR (which targets main).
- Add timeout-minutes: 15 so a hung audit/install can't hold the
  cancel-in-progress: false concurrency group for GitHub's 360-min default.
- Add a conditional "Partial fix" banner to the PR body when the post-fix
  re-audit is still dirty, since that red status lives on the audit-fix run
  rather than the PR's own checks.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
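As an added illustration (this is not the merged `.github/workflows/audit-fix.yaml`, which the page does not reproduce), the following workflow shows how the pieces described in the PR body, the two review suggestions above, and this follow-up commit fit together: schedule plus `workflow_dispatch` only, the repository guard, the setup composite action, `pnpm audit --fix=override` followed by a lockfile-only refresh, a re-audit that records a `clean` output, a diff gate, an App token minted only after install and only when there is something to publish, a conditional "Partial fix" banner, and a final failure step. Assumptions not on the page: the `actions/checkout@v4` tag (pin it to a commit SHA as the other actions are), that `./.github/actions/setup` runs `pnpm install`, a read-only `permissions` block for the default token, the PR title, commit message and body wording, and that `git diff --quiet` is sufficient because the fix touches only tracked files.

```yaml
name: Audit fix

on:
  schedule:
    - cron: "17 7 * * *" # daily 07:17 UTC; no pull_request* trigger, so fork PRs never see the App secret
  workflow_dispatch:

permissions:
  contents: read # assumption: default token stays read-only; every write goes through the App token below

concurrency:
  group: audit-fix
  cancel-in-progress: false # a second trigger queues behind a running sweep instead of killing it

jobs:
  audit-fix:
    if: github.repository == 'agentcommercekit/ack' # repo guard: never run in forks
    runs-on: ubuntu-latest
    timeout-minutes: 15 # a hung audit/install cannot hold the non-canceling group for GitHub's 360-min default
    steps:
      - uses: actions/checkout@v4 # assumption: pin to a commit SHA in practice, like the other actions here
        with:
          ref: main # a workflow_dispatch from a feature branch must not leak its tree into a PR that targets main

      - uses: ./.github/actions/setup # repo-local composite action; assumed to run pnpm install (build scripts execute here)

      - name: Apply registry-suggested overrides
        run: pnpm audit --fix=override

      - name: Refresh the lockfile
        run: pnpm install --lockfile-only # no package install, so no dependency build scripts run

      - name: Re-audit the post-fix tree
        id: audit
        run: |
          if pnpm audit; then
            echo "clean=true" >> "$GITHUB_OUTPUT"
          else
            echo "clean=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Detect audit-fix changes
        id: changes
        run: |
          # --quiet implies --exit-code; compares tracked files only (assumption: the fix never adds files)
          if git diff --quiet; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Compose PR body
        id: body
        if: steps.changes.outputs.changed == 'true'
        env:
          CLEAN: ${{ steps.audit.outputs.clean }} # passed via env rather than inlined into the shell
        run: |
          {
            echo "body<<EOF"
            if [ "$CLEAN" = "false" ]; then
              echo "> **Partial fix:** the post-fix re-audit is still dirty; the red status is on the audit-fix run, not on this PR's checks."
              echo
            fi
            echo "Automated pnpm audit --fix=override sweep. Tidy the generated overrides against pnpm-workspace.yaml before merging."
            echo "EOF"
          } >> "$GITHUB_OUTPUT"

      # Mint the App token only now: after install, and only when there is something to publish, so the
      # contents/pull-requests-write token is never in the runner while third-party build scripts run.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        if: steps.changes.outputs.changed == 'true'
        id: app-token
        with:
          app-id: ${{ vars.ACTIONS_APP_ID }}
          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}

      - name: Open or update fix PR
        if: steps.changes.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ steps.app-token.outputs.token }}
          branch: chore/audit-fix
          base: main
          title: "chore: apply pnpm audit fixes" # assumption: title text
          commit-message: "chore: apply pnpm audit fixes" # assumption: commit text
          body: ${{ steps.body.outputs.body }}

      - name: Fail if advisories remain
        if: steps.audit.outputs.clean != 'true'
        run: |
          echo "::error::Advisories remain after pnpm audit --fix=override; review the generated overrides by hand."
          exit 1
```

The ordering is the security-relevant part: every step that can execute third-party code (the setup action's install) runs before the App token exists, the token is skipped entirely on a clean day, and the failure step runs whether or not a PR was opened, so a red run with no PR means "no override available", not "PR creation broke".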
@venables venables merged commit 8872907 into main Jul 2, 2026
3 checks passed
@venables venables deleted the pnpm-audit-fix branch July 2, 2026 09:05