ci: add scheduled pnpm audit-fix workflow #121
Sweeps the standing dependency tree daily for newly disclosed advisories (independent of PR-triggered audits), applies `pnpm audit --fix=override`, and opens/refreshes a single review PR via a scoped GitHub App token. The token is minted just before the PR step so it is absent while dependency build scripts run. Fails the run if advisories remain unresolved.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Walkthrough: Adds a new GitHub Actions workflow, "Audit fix," triggered on a daily schedule or manual dispatch. It runs
Changes: Audit Fix Workflow
Estimated code review effort: 2 (Simple) | ~10 minutes
Sequence diagram:
```mermaid
sequenceDiagram
    participant Scheduler as Cron/Dispatch
    participant Workflow as audit-fix job
    participant PNPM as pnpm
    participant GitHubApp as App Token
    participant PRAction as create-pull-request
    Scheduler->>Workflow: trigger daily/manual
    Workflow->>PNPM: audit --fix=override
    Workflow->>PNPM: install --lockfile-only
    Workflow->>PNPM: re-run audit
    PNPM-->>Workflow: audit result
    Workflow->>Workflow: set clean=true/false
    Workflow->>GitHubApp: mint installation token
    Workflow->>PRAction: create/update chore/audit-fix PR
    Workflow->>Workflow: exit 1 if clean=false
```
Related issues: None referenced.
Related PRs: None referenced.
Suggested labels: ci, dependencies, automation
Suggested reviewers: None specified.
Pre-merge checks: 5 passed.
🧹 Nitpick comments (2)
.github/workflows/audit-fix.yaml (2)
Lines 32-34: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Add a bounded job timeout.
This job depends on registry/network calls and uses a non-canceling concurrency group; an explicit `timeout-minutes` prevents a stuck sweep from blocking later scheduled/manual runs for hours.
Suggested change
jobs: audit-fix: if: github.repository == 'agentcommercekit/ack' runs-on: ubuntu-latest + timeout-minutes: 30
🤖 Prompt for AI Agents
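Review bot: a job-level `timeout-minutes` also bounds the checkout and setup steps that run before `pnpm audit`, so the value needs headroom for a cold pnpm store fetch on the scheduled runner; 30 leaves that headroom, and because the concurrency group is non-canceling, a run hitting this limit is what frees the group for the next scheduled or manual sweep.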
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/audit-fix.yaml around lines 32 - 34, The audit-fix job currently has no explicit timeout, so a hung registry/network call can block the non-canceling concurrency group indefinitely. Add a bounded timeout to the audit-fix job in the workflow, alongside the existing if and runs-on settings, so scheduled or manual runs cannot be stalled for hours.
Lines 68-80: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Gate the write token on an actual audit-fix diff.
Clean daily sweeps still mint a contents/pull-requests write App token and invoke the PR action. Add a diff check after re-audit, then only mint/use the token when there is something to publish.
Suggested hardening
- name: Re-audit the post-fix tree id: audit run: | pnpm audit && echo "clean=true" >> "$GITHUB_OUTPUT" \ || echo "clean=false" >> "$GITHUB_OUTPUT" + - name: Detect audit-fix changes + id: changes + run: | + if git diff --quiet --exit-code; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi # Mint the App token here, AFTER dependency install has run, so the # contents/pull-requests-write token is never present in the runner # environment while third-party build scripts (allowBuilds) execute. - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + if: steps.changes.outputs.changed == 'true' id: app-token with: app-id: ${{ vars.ACTIONS_APP_ID }} private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }} @@ - name: Open or update fix PR + if: steps.changes.outputs.changed == 'true' uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
🤖 Prompt for AI Agents
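Review bot: `git diff --quiet` in the "Detect audit-fix changes" step only sees modified tracked files, which is enough here because `pnpm audit --fix=override` and `pnpm install --lockfile-only` write into the existing overrides block in `pnpm-workspace.yaml` and the lockfile; if the fix step ever produces a new file, use `[ -z "$(git status --porcelain)" ]` instead (and `--exit-code` is already implied by `--quiet`). The `changed` gate should also stop at the two publish steps: the final "exit 1 if clean=false" step must stay conditioned on `steps.audit.outputs.clean` alone, because an advisory that `--fix` cannot override produces no diff but still has to fail the sweep.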
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/audit-fix.yaml around lines 68 - 80, Gate the App token and PR creation in the audit-fix workflow on whether the re-audit produced a real diff. After the re-audit step in the workflow, add a diff check and use it to skip both actions/create-github-app-token and peter-evans/create-pull-request when there is nothing to publish; keep the write-scoped token only for the path that actually opens or updates the fix PR.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b57c2270-27a6-4c4c-bcbe-18fac8ccb9ee
📒 Files selected for processing (1)
.github/workflows/audit-fix.yaml
- Pin actions/checkout to ref: main so a workflow_dispatch from a feature branch can't leak its tree into the chore/audit-fix PR (which targets main).
- Add timeout-minutes: 15 so a hung audit/install can't hold the cancel-in-progress: false concurrency group for GitHub's 360-min default.
- Add a conditional "Partial fix" banner to the PR body when the post-fix re-audit is still dirty, since that red status lives on the audit-fix run rather than the PR's own checks.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Adds `.github/workflows/audit-fix.yaml`: a scheduled (daily 07:17 UTC) + manually dispatchable workflow that sweeps the standing dependency tree for newly disclosed advisories, independent of any PR.
On a finding it runs `pnpm audit --fix=override`, refreshes the lockfile, and opens (or refreshes) a single `chore/audit-fix` PR for human review. The generated overrides are never auto-merged — `--fix` output is sloppy (broad ranges, caret targets, stray `minimumReleaseAgeExclude` entries) and warrants hand-tidying against the existing block in `pnpm-workspace.yaml`.
Why this complements existing checks
Per-PR audits only fire when a PR changes the dependency graph. This catches advisories published against deps we already ship and haven't touched — the time-driven half of the coverage.
Notes
- `ACTIONS_APP_ID`/`ACTIONS_APP_PRIVATE_KEY`) rather than `GITHUB_TOKEN`, so the resulting PR triggers the normal `check` workflow and sidesteps the org "Actions can create PRs" toggle. Repo secret/variable are configured; the App must be installed on this repo with Contents + Pull requests write.
- `pnpm install`), so the write-scoped token is never present in the runner while dependency build scripts execute.
- `schedule` + `workflow_dispatch` only — no `pull_request`/`pull_request_target`, so the secret is never exposed to fork PRs.
- `./.github/actions/setup`, AI policy disclosure in the generated PR body).
AI usage
Authored with Claude Code (Opus 4.8) under close human direction — the workflow was adapted from an existing internal equivalent, reviewed step by step (cache-poisoning/trigger analysis, token-ordering hardening), and the secret/variable wiring was performed interactively. Per AI_POLICY.md.
🤖 Generated with Claude Code
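The design described in the PR (schedule and dispatch triggers only, read-only default token, App token minted after `pnpm install`, diff-gated PR publishing, `timeout-minutes`, checkout pinned to `main`, and a "Partial fix" banner when the re-audit is still dirty) assembled into one workflow, as an added illustration rather than the PR's own `.github/workflows/audit-fix.yaml`. It assumes that the repo's `./.github/actions/setup` composite action installs Node and pnpm, that the `permission-contents` / `permission-pull-requests` inputs of actions/create-github-app-token are used to scope the minted token (the PR text names the scopes but not how they are requested), and uses a placeholder for the checkout pin; the cron time, branch name, action pins and the `clean`/`changed` output names come from the page.

```yaml
# Illustrative workflow added here; not the PR's actual audit-fix.yaml.
# Assumed: ./.github/actions/setup installs Node + pnpm; ACTIONS_APP_ID and
# ACTIONS_APP_PRIVATE_KEY exist as a repo variable / secret (named on the page).
name: Audit fix

on:
  schedule:
    - cron: "17 7 * * *"   # daily 07:17 UTC; no pull_request / pull_request_target
  workflow_dispatch:

# Default token stays read-only; every write goes through the App token below.
permissions:
  contents: read

# One sweep at a time, and never cancel a run that may already be publishing a PR.
concurrency:
  group: audit-fix
  cancel-in-progress: false

jobs:
  audit-fix:
    if: github.repository == 'agentcommercekit/ack'
    runs-on: ubuntu-latest
    timeout-minutes: 15            # a hung registry call cannot hold the group for hours
    steps:
      - uses: actions/checkout@PINNED_COMMIT_SHA_PLACEHOLDER   # placeholder: pin to a real SHA
        with:
          ref: main                # a dispatch from a feature branch must not leak its tree

      - uses: ./.github/actions/setup   # assumed to install Node + pnpm

      # Third-party build scripts run here. No write-scoped token exists in the
      # environment yet, so a hostile postinstall has nothing to steal.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Apply overrides for known advisories
        run: pnpm audit --fix=override

      - name: Refresh lockfile for the new overrides
        run: pnpm install --lockfile-only

      - name: Re-audit the post-fix tree
        id: audit
        run: |
          if pnpm audit; then
            echo "clean=true" >> "$GITHUB_OUTPUT"
          else
            echo "clean=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Detect audit-fix changes
        id: changes
        run: |
          # git status also reports untracked files, unlike git diff --quiet
          if [ -z "$(git status --porcelain)" ]; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      # Token is minted only now, after every dependency script has run, and
      # only when there is actually something to publish.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        if: steps.changes.outputs.changed == 'true'
        id: app-token
        with:
          app-id: ${{ vars.ACTIONS_APP_ID }}
          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
          permission-contents: write          # assumed scoping inputs
          permission-pull-requests: write

      - name: Open or update fix PR
        if: steps.changes.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ steps.app-token.outputs.token }}
          branch: chore/audit-fix
          base: main
          title: "chore: pnpm audit fixes"
          commit-message: "chore: apply pnpm audit --fix=override"
          body: |
            Automated `pnpm audit --fix=override` sweep. Tidy the generated overrides by hand before merging.
            ${{ steps.audit.outputs.clean == 'false' && '**Partial fix:** advisories remain after the override pass; see the audit-fix run.' || '' }}

      # Deliberately NOT gated on `changed`: an advisory that --fix cannot
      # override produces no diff but must still turn the sweep red.
      - name: Fail if advisories remain
        if: steps.audit.outputs.clean == 'false'
        run: |
          echo "::error::Advisories remain after pnpm audit --fix=override"
          exit 1
```

The ordering is the security property: the only step that can reach a write-capable credential sits after every step that executes third-party code, and it is skipped entirely on a clean night, so the token is minted only when a PR is about to be opened or refreshed. The final step is kept independent of the diff check so that "nothing changed" and "nothing left to fix" are never conflated.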