Fix Aquasec Issues - commit sha vs tags

[miroslavpojer]

Release Notes:

• Update GitHub Actions workflows to use specific versions of actions and add Dependabot configuration

Closes #213

Summary by CodeRabbit

Release Notes

• Chores
  • Configured automated dependency updates via Dependabot for scheduled vulnerability scanning
  • Pinned GitHub Actions to specific versions across all workflows for improved security and build reproducibility
  • Added automated approval and merging of dependency update pull requests

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR addresses security concerns by replacing GitHub Actions version tags with pinned commit SHAs across workflow files and adds dependabot configuration for automated dependency management and auto-approval of dependabot PRs.

Changes

Cohort / File(s)	Summary
Dependabot Configuration .github/dependabot.yml	New configuration for github-actions and pip dependency updates, weekly on Sundays, limited to 3 PRs, labeled with auto update/infrastructure/no RN.
GitHub Actions Pinning .github/workflows/check_pr_release_notes.yml, .github/workflows/release_draft.yml, .github/workflows/test.yml, .github/workflows/update_v1_tag.yml, examples/check_pr_release_notes.yml, examples/release_draft.yml	Replaces GitHub Actions version tags (v4, v5, v0.4.0, etc.) with exact commit SHAs for reproducible, immutable action references.
Dependabot Auto-Merge Workflow .github/workflows/dependabot.yml	New workflow that auto-approves and auto-merges Dependabot PRs with squash strategy for version updates and security patches when triggered on ubuntu-latest.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Primarily repetitive version-pinning changes across multiple workflow files following consistent patterns
• New dependabot workflow (dependabot.yml) is straightforward with standard conditional logic and environment variable passing
• New dependabot configuration follows standard structure with minimal customization

Areas for attention:

• Verify all pinned commit SHAs are from official GitHub Actions repositories
• Confirm dependabot workflow conditions correctly target only dependabot[bot] PRs for the specified repository
• Ensure the new dependabot configuration schedules don't conflict with existing CI/CD timing

Possibly related issues

• Fix Aquasec Issues - commit sha vs tags #213: Fix Aquasec Issues - commit sha vs tags — Directly addresses the acceptance criteria by replacing all GitHub Action tags with commit SHAs across workflow files and introducing dependabot for automated dependency management.

Possibly related PRs

• #194 - Add support for short v1 tag #197 — Touches the same update_v1_tag.yml workflow file affected by this PR; may need coordination if both PRs modify the same action references.

Suggested reviewers

• Zejnilovic
• tmikula-dev

Poem

🐰 With SHAs pinned and dependabot's care,
The Actions now stand on solid ground, fair!
No more version tags to drift and roam,
Each workflow's secured—the bot's found a home.
Security strengthened, one commit at a time! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description provides a summary of changes and links to the related issue #213, but omits the Overview and Release Notes sections from the template.	Add an Overview section explaining the problem being solved and expand Release Notes with specific details about the changes made.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing Aquasec issues by replacing GitHub action tags with commit SHAs and adding Dependabot configuration, which aligns with the changeset.
Linked Issues check	✅ Passed	All changes in the PR address the objectives in issue #213: GitHub action tags are replaced with commit SHAs across all workflow files, and Dependabot configuration is added.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the objectives: pinning GitHub Actions to specific commit SHAs and adding Dependabot configuration; no unrelated changes detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/213-Fix-Aquasec-Issues---commit-sha-vs-tags

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ce9b260 and cc268ec.

📒 Files selected for processing (8)

• .github/dependabot.yml (1 hunks)
• .github/workflows/check_pr_release_notes.yml (1 hunks)
• .github/workflows/dependabot.yml (1 hunks)
• .github/workflows/release_draft.yml (5 hunks)
• .github/workflows/test.yml (4 hunks)
• .github/workflows/update_v1_tag.yml (1 hunks)
• examples/check_pr_release_notes.yml (1 hunks)
• examples/release_draft.yml (5 hunks)

🔇 Additional comments (10)

examples/check_pr_release_notes.yml (1)

18-18: ✓ SHA pinning consistent.

Actions properly pinned to exact commit SHAs, aligning with the security objectives of the PR.

Also applies to: 23-23

.github/workflows/update_v1_tag.yml (1)

14-16: ✓ Action properly pinned.

The actions/checkout reference is correctly pinned to a specific SHA.

.github/workflows/test.yml (1)

30-30: ✓ SHA pinning consistent across all jobs.

All actions are pinned to exact commit SHAs consistently across the four jobs (static-code-analysis, code-format-check, unit-test, mypy-check).

Also applies to: 35-35, 67-67, 72-72, 95-95, 100-100, 120-120, 125-125

.github/dependabot.yml (1)

1-33: ✓ Dependabot configuration is well-structured.

The configuration correctly sets up automated dependency management for both GitHub Actions and pip packages:

• Weekly schedule reduces noise while maintaining freshness.
• Limit of 3 open PRs prevents overwhelming the maintainers.
• "no RN" label appropriately suppresses release notes for dependency bumps.
• Commit message conventions with scope improve clarity.
• Restricting pip to direct dependencies only is a reasonable auditing choice.

.github/workflows/release_draft.yml (1)

32-32: ✓ SHA pinning applied to all actions.

All GitHub Actions across the release workflow are properly pinned to exact commit SHAs, ensuring reproducible and secure builds.

Also applies to: 37-37, 43-43, 53-53, 63-63, 91-91, 110-110

.github/workflows/check_pr_release_notes.yml (1)

29-29: ✓ Actions pinned consistently.

Both action references are properly pinned to exact SHAs, matching their usage in other workflows.

Also applies to: 34-34

examples/release_draft.yml (1)

18-18: ✓ Example workflow updated consistently.

All action references in the example workflow are pinned to the same SHAs as the production workflow, maintaining consistency across documentation.

Also applies to: 23-23, 29-29, 39-39, 49-49, 71-71, 90-90

.github/workflows/dependabot.yml (3)

1-23: ✓ Dependabot auto-approval workflow is well-structured.

The workflow correctly:

• Checks for the dependabot[bot] user to ensure only Dependabot PRs are processed.
• Fetches Dependabot metadata with a pinned SHA for dependabot/fetch-metadata.
• Sets appropriate permissions (contents: write, pull-requests: write).
• Uses GH_TOKEN environment variable correctly for the gh CLI.
• Includes helpful documentation comment about branch protection requirements.

---

17-35: ⚠️ Hard-coded repository check limits fork compatibility.

Line 17 includes a hard-coded check: github.repository == 'AbsaOSS/generate-release-notes'. This prevents forks (or mirrors) from using this auto-approval workflow.

Verify intent: Confirm whether this restriction is intentional. If the project intends to support forks or mirrors with auto-merge capabilities, remove or parameterize this check. If this workflow should only run in the primary repository, the current implementation is appropriate.

---

30-32: ✓ Auto-merge conditions are appropriate.

The conditional auto-merge for version updates and security patches strikes a good balance:

• Allows automatic merging for low-risk, high-confidence updates (dependencies).
• continue-on-error: true gracefully handles cases where auto-merge is blocked by branch protections.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}