
feat(ci): add guarded Mergify auto-merge for Dependabot security PRs#563

Merged: ashleyshaw merged 7 commits into develop from config/dependabot-mergify on May 29, 2026

Conversation

@ashleyshaw (Member) commented May 29, 2026

Summary

Add scoped Mergify automation so only eligible Dependabot security updates can auto-merge into develop after checks pass.

Changes

  • add .github/mergify.yml with strict Dependabot security merge conditions
  • add .github/workflows/dependabot-security-label.yml to detect and maintain dependabot:security label
  • remove broad security default label from .github/dependabot.yml
  • add canonical dependabot:security label in .github/labels.yml

Why

Dependabot PRs were not auto-merging; this introduces a conservative policy that avoids auto-merging non-security dependency updates.

Validation

  • npm run lint:yaml
  • npm run lint:workflows
  • pre-push test suite passed

Related

@coderabbitai (Contributor, Bot) commented May 29, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: dc24b04d-3387-4417-b125-d3d0f9f203dd

📥 Commits

Reviewing files that changed from the base of the PR and between 2120535 and c4c4a62.

📒 Files selected for processing (1)
  • CHANGELOG.md
✅ Files skipped from review due to trivial changes (1)
  • CHANGELOG.md
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: check
  • GitHub Check: lint-and-links
  • GitHub Check: coderabbit-gate

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Implemented automated detection and labelling of security-related Dependabot pull requests based on vulnerability references, CVE identifiers, and security-fix mentions found in PR titles and descriptions.
    • Enabled automatic merging of Dependabot pull requests on the develop branch when all required status checks pass, including continuous integration, code linting, and code review validation gates.

Walkthrough

Adds a workflow that detects security-related Dependabot PRs and toggles a meta:dependabot-security label, removes Dependabot’s legacy security label from npm config, and adds a Mergify rule to auto-merge qualifying Dependabot security PRs into develop.

Changes

Security Update Automation

Layer: Label definition and security detection workflow
File(s): .github/labels.yml, .github/workflows/dependabot-security-label.yml
Summary: A new meta:dependabot-security label is added and a GitHub Actions workflow scans Dependabot PR titles/bodies for CVE/GHSA/vulnerability/security-fix patterns, creating, adding, or removing the label on PRs to develop.

Layer: Dependabot npm configuration adjustment
File(s): .github/dependabot.yml
Summary: Removes the security label from the npm package-ecosystem Dependabot config, keeping only dependencies.

Layer: Auto-merge configuration for security updates
File(s): .github/mergify.yml
Summary: Adds a Mergify pull_request_rules entry to squash-merge Dependabot PRs into develop when authored by dependabot[bot], labelled dependencies and meta:dependabot-security, and required checks pass; excludes drafts/conflicts.

Layer: Changelog metadata and notes updated
File(s): CHANGELOG.md
Summary: Bumps version/last_updated, fixes a pending sub-bullet link, and documents the guarded Dependabot security auto-merge automation in Unreleased → Changed.

Sequence Diagram

sequenceDiagram
  participant Dependabot
  participant GitHubActions as GitHub Actions Workflow
  participant LabelAPI as GitHub API (Labels)
  participant Mergify
  Dependabot->>GitHubActions: Create/edit PR to develop
  GitHubActions->>LabelAPI: Ensure `meta:dependabot-security` exists
  GitHubActions->>GitHubActions: Scan PR title/body for security patterns
  alt Security pattern detected
    GitHubActions->>LabelAPI: Add `meta:dependabot-security`
  else No security pattern
    GitHubActions->>LabelAPI: Remove `meta:dependabot-security` if present
  end
  LabelAPI-->>Mergify: Label state updated
  alt PR has `dependencies` + `meta:dependabot-security` and checks pass
    Mergify->>Mergify: Merge PR (squash) to develop
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • krugazul
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Description check
Status: ❓ Inconclusive
Explanation: The description covers the key areas (Summary, Changes, Why, Validation, Related) but lacks formal Changelog section, Risk Assessment, and Testing Instructions from the template.
Resolution: Add explicit Changelog section with Added/Changed bullets, complete Risk Assessment section, and provide clear testing instructions for the automation.

✅ Passed checks (4 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title clearly summarises the main change: adding guarded Mergify automation for Dependabot security PRs, which is the core objective of this changeset.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Check name: Linked Issues check
Status: ✅ Passed
Explanation: Check skipped because no linked issues were found for this pull request.

Check name: Out of Scope Changes check
Status: ✅ Passed
Explanation: Check skipped because no linked issues were found for this pull request.


@ashleyshaw ashleyshaw added the meta:no-changelog No changelog needed label May 29, 2026
@coderabbitai coderabbitai Bot added priority:normal Default priority status:needs-review Awaiting code review meta:needs-changelog Requires a changelog entry before merge area:labels Label governance and routing labels May 29, 2026
@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 19df9a52aa


@gemini-code-assist (Contributor, Bot) left a comment

Code Review

This pull request configures Mergify to auto-merge Dependabot security updates on the develop branch, introducing a new 'dependabot:security' label and removing the old 'security' label from dependabot.yml. Feedback on the changes highlights a critical issue where the Mergify configuration lacks status check requirements, meaning updates could be merged automatically even if CI checks fail. It is recommended to add explicit check-success conditions to the Mergify rules.

@ashleyshaw ashleyshaw removed the meta:needs-changelog Requires a changelog entry before merge label May 29, 2026
@coderabbitai (Contributor, Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/dependabot-security-label.yml (1)

18-18: ⚡ Quick win

Consider SHA-pinning the action for enhanced supply-chain security.

Whilst tag-based pinning (v7) is acceptable per the coding guidelines, SHA-pinning offers stronger immutability guarantees. Static analysis flagged this as well.

🔐 Proposed fix to use SHA-pinned action

You can find the SHA for actions/github-script@v7 and pin it like so:

-      - uses: actions/github-script@v7
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
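Review bot: the SHA on the `+` line must be checked against the tag it claims to represent before it is applied; a pinned hash is only a supply-chain control if it is the commit the `v7.0.1` tag actually points to, so resolve it from the actions/github-script releases page (as the comment itself says) rather than copying it from the suggestion.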

Check the releases page for the exact SHA of the version you want.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-security-label.yml at line 18, Replace the
tag-based reference "actions/github-script@v7" with a SHA-pinned reference for
the exact v7 release (e.g., "actions/github-script@<sha>"); locate the step that
uses the string actions/github-script@v7 in the workflow and update it to the
corresponding commit SHA from the actions/github-script release you want to lock
to, ensuring the action is immutably pinned for supply-chain security.
.github/mergify.yml (1)

1-13: ⚖️ Poor tradeoff

Optionally require code review approvals for an extra safety layer.

Whilst auto-merging security updates is convenient, requiring at least one human approval can catch cases where the security pattern detection yields false positives or where the update might have unexpected impacts.

🛡️ Example: add approval requirement
 pull_request_rules:
   - name: Auto-merge Dependabot security updates on develop
     conditions:
       - author=dependabot[bot]
       - base=develop
       - label=dependencies
       - label=dependabot:security
       - -draft
       - -conflict
+      - "`#approved-reviews-by`>=1"
     actions:
       merge:
         method: squash
         strict: smart
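Review bot: the label condition `- label=dependabot:security` in this rule does not match the `meta:dependabot-security` name that the walkthrough says the labelling workflow toggles; if the two strings disagree the rule silently never matches and nothing auto-merges, so the Mergify condition and the workflow's `labelName` must use the same value. Separately, the rule still has no `check-success` or `status-success` condition, so the proposed `#approved-reviews-by>=1` adds a human gate but does not gate on CI; add explicit check conditions for the required contexts alongside it.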
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/mergify.yml around lines 1 - 13, Add a requirement for at least one
human approval to the existing auto-merge rule by adding a review approval
condition to the pull_request_rules entry named "Auto-merge Dependabot security
updates on develop" (the block containing conditions and actions.merge.method).
Insert a condition like "review-approved" or "approved-reviews-by>=1" into the
conditions list so the rule only auto-merges when the PR has at least one
approved review, keeping the existing author/base/label/draft/conflict checks
and merge.method strictness.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-security-label.yml:
- Around line 8-10: Move the top-level permissions block into the specific job
that runs Dependabot labels: remove the workflow-level "permissions:" entry
(contents: read, pull-requests: write) and add an equivalent "permissions:"
section under the appropriate job definition in the "jobs" map, scoping
pull-requests: write only to that job and keeping other permissions read-only;
ensure the job-level block uses the same keys ("contents" and "pull-requests")
and that no other workflows rely on the removed global permissions.

---

Nitpick comments:
In @.github/mergify.yml:
- Around line 1-13: Add a requirement for at least one human approval to the
existing auto-merge rule by adding a review approval condition to the
pull_request_rules entry named "Auto-merge Dependabot security updates on
develop" (the block containing conditions and actions.merge.method). Insert a
condition like "review-approved" or "approved-reviews-by>=1" into the conditions
list so the rule only auto-merges when the PR has at least one approved review,
keeping the existing author/base/label/draft/conflict checks and merge.method
strictness.

In @.github/workflows/dependabot-security-label.yml:
- Line 18: Replace the tag-based reference "actions/github-script@v7" with a
SHA-pinned reference for the exact v7 release (e.g.,
"actions/github-script@<sha>"); locate the step that uses the string
actions/github-script@v7 in the workflow and update it to the corresponding
commit SHA from the actions/github-script release you want to lock to, ensuring
the action is immutably pinned for supply-chain security.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 7679b704-df0a-497d-92ef-d513451d8c97

📥 Commits

Reviewing files that changed from the base of the PR and between d7419c6 and 19df9a5.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/labels.yml
  • .github/mergify.yml
  • .github/workflows/dependabot-security-label.yml
💤 Files with no reviewable changes (1)
  • .github/dependabot.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: add-and-sync
  • GitHub Check: validate
  • GitHub Check: Unified Labeling, Status, and Type Assignment
  • GitHub Check: readme-regen
  • GitHub Check: coderabbit-gate
  • GitHub Check: check
🧰 Additional context used
📓 Path-based instructions (1)
**/.github/workflows/*.yml

⚙️ CodeRabbit configuration file

**/.github/workflows/*.yml: Review GitHub Actions workflows for this governance repo:

  • Security: check for least-privilege permissions (use permissions: at job level, default to read-only).
  • Secret handling: ensure secrets are passed via env vars, not interpolated directly into run: steps to prevent injection.
  • Action pinning: prefer SHA-pinned actions over mutable tags (e.g. actions/checkout@v4 is acceptable; SHA pins are better).
  • No pull_request_target with untrusted code execution unless explicitly justified.
  • Avoid storing sensitive outputs as unmasked step outputs.
  • Check for reusable workflow patterns and matrix strategies where appropriate.
  • Validate on: triggers: ensure branch/path filters are present to avoid unnecessary runs.
  • Confirm workflows are documented, DRY, and maintainable.
  • Ensure agent-triggered workflows use workflow_dispatch with defined inputs.

Files:

  • .github/workflows/dependabot-security-label.yml
🪛 zizmor (1.25.2)
.github/workflows/dependabot-security-label.yml

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (4)
.github/labels.yml (1)

413-415: LGTM!

.github/workflows/dependabot-security-label.yml (2)

13-15: LGTM!


21-75: LGTM!

.github/mergify.yml (1)

1-13: 🏗️ Heavy lift

Ensure Dependabot auto-merge on develop is gated by successful CI checks.

The Mergify rule in .github/mergify.yml restricts author/base/labels (and excludes draft/conflicts) but contains no check-success / status-success conditions—so it currently looks like there’s no “CI bouncer”. Mergify may still honour whatever “required status checks” are configured in develop branch protection, so confirm that develop actually requires the relevant CI contexts; if it doesn’t, add explicit check-success = <check-name> conditions (or qualified check-success = @<app-name>/<check-name>).
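As an added illustration, not code from the PR's workflow or from Mergify, the block below models the two halves of the automation the walkthrough describes: the title/body pattern scan that decides whether to add or remove the security label, and a Mergify-style guard extended with the check-success gate this comment asks for. The regexes, the required check names and the sample PRs are assumptions/constructed.

```javascript
// Added example (not the PR's workflow or Mergify code): models the two halves
// of the automation so they can be unit-tested offline. The regexes, the
// requiredChecks list and the sample PRs below are assumptions/constructed.

const SECURITY_LABEL = 'meta:dependabot-security'; // name used in the walkthrough
const DEPS_LABEL = 'dependencies';

// Categories come from the walkthrough (CVE / GHSA / vulnerability /
// security-fix); the concrete patterns are an assumption, not the workflow's.
const SECURITY_PATTERNS = [
  /\bCVE-\d{4}-\d{4,}\b/i,
  /\bGHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}\b/i,
  /\bvulnerabilit(?:y|ies)\b/i,
  /\bsecurity[\s-]+(?:fix|update|patch|advisory)\b/i,
];

// Scan title and body together; any single pattern hit is enough.
function isSecurityUpdate(title, body) {
  const text = `${title ?? ''}\n${body ?? ''}`;
  return SECURITY_PATTERNS.some((re) => re.test(text));
}

// Label toggle the workflow performs on every PR open/edit to develop:
// 'add' when a pattern is found and the label is absent, 'remove' when
// no pattern is found but the label is present, otherwise 'none'.
function labelAction(pr) {
  const present = pr.labels.includes(SECURITY_LABEL);
  const security = isSecurityUpdate(pr.title, pr.body);
  if (security && !present) return 'add';
  if (!security && present) return 'remove';
  return 'none';
}

// Mergify-style guard: the conditions quoted on this page (author, base,
// both labels, not draft, no conflict) plus the check-success gate the
// review comments ask for. Returns every failing condition, not just the first.
function autoMergeDecision(pr, requiredChecks) {
  const reasons = [];
  if (pr.author !== 'dependabot[bot]') reasons.push('author is not dependabot[bot]');
  if (pr.base !== 'develop') reasons.push('base is not develop');
  if (!pr.labels.includes(DEPS_LABEL)) reasons.push(`missing label ${DEPS_LABEL}`);
  if (!pr.labels.includes(SECURITY_LABEL)) reasons.push(`missing label ${SECURITY_LABEL}`);
  if (pr.draft) reasons.push('draft');
  if (pr.conflict) reasons.push('merge conflict');
  for (const name of requiredChecks) {
    const state = pr.checks[name];
    // A check that has not reported is treated like a failed one: "not yet run" must not merge.
    if (state !== 'success') reasons.push(`check ${name}: ${state ?? 'missing'}`);
  }
  return { eligible: reasons.length === 0, reasons };
}

// Constructed sample PRs (the CVE id is a placeholder, not a real advisory).
const REQUIRED_CHECKS = ['ci', 'lint', 'coderabbit-gate']; // assumed check names
const securityPr = {
  author: 'dependabot[bot]', base: 'develop', draft: false, conflict: false,
  title: 'Bump minimatch from 3.0.4 to 3.1.2',
  body: 'Bumps minimatch. Addresses CVE-2099-12345 (constructed example id).',
  labels: [DEPS_LABEL],
  checks: { ci: 'success', lint: 'success', 'coderabbit-gate': 'success' },
};
const routinePr = {
  ...securityPr,
  title: 'Bump eslint from 8.0.0 to 8.1.0',
  body: 'Release notes: new rules and performance work.',
  labels: [DEPS_LABEL, SECURITY_LABEL], // stale label left from an earlier body edit
};

console.log(labelAction(securityPr)); // add
console.log(labelAction(routinePr));  // remove
console.log(autoMergeDecision({ ...securityPr, labels: [DEPS_LABEL, SECURITY_LABEL] }, REQUIRED_CHECKS));
```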

@github-actions (Contributor) commented

🔍 Reviewer Summary for PR #563

CI Status:success
Files changed: 4

Recommendations

  • Ready to proceed pending human review

@ashleyshaw (Member, Author) commented

Addressed requested fixes:

1. Moved permissions to job scope and added issues:write for label mutations in dependabot-security-label workflow.
2. Added explicit check-success conditions in Mergify before auto-merge.

Resolved the related review threads; please re-evaluate merge readiness.

@github-actions github-actions Bot added area:ci Build and CI pipelines area:dependencies Composer/npm dependency work area:security Security-focused work type:chore Chore / small hygiene change type:feature Feature or enhancement labels May 29, 2026
@coderabbitai coderabbitai Bot added the meta:needs-changelog Requires a changelog entry before merge label May 29, 2026
@github-actions github-actions Bot removed the type:chore Chore / small hygiene change label May 29, 2026
@coderabbitai (Contributor, Bot) left a comment

🧹 Nitpick comments (2)
.github/workflows/dependabot-security-label.yml (2)

18-18: ⚡ Quick win

Consider SHA-pinning the action for stronger supply-chain security.

Whilst @v7 is acceptable, pinning to a specific SHA provides better protection against tag-moving attacks and unexpected upstream changes. As per coding guidelines, "prefer SHA-pinned actions over mutable tags".

🔒 Example SHA-pin format
-      - name: Detect security-related Dependabot updates
-        uses: actions/github-script@v7
+      - name: Detect security-related Dependabot updates
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
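Review bot: keep the trailing `# v7.0.1` comment on the pinned `uses:` line; Dependabot's github-actions ecosystem reads that version comment to know which release a bare SHA corresponds to and to bump the pin, so without it the hash becomes a frozen reference nobody updates. That only helps if `.github/dependabot.yml` has a `github-actions` package-ecosystem entry, which the walkthrough describes only for npm, so confirm one exists or add it.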

(Find the current v7 SHA at https://github.com/actions/github-script/releases)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-security-label.yml at line 18, Replace the
mutable tag usage of the GitHub Action by pinning actions/github-script@v7 to a
specific commit SHA: locate the line using "uses: actions/github-script@v7" and
update it to the corresponding SHA-pinned ref (e.g.,
actions/github-script@<commit-sha>) fetched from the actions/github-script v7
release; ensure the chosen SHA matches the intended v7 release to preserve
behavior while preventing tag-moving supply-chain risks.

42-56: ⚡ Quick win

Label creation duplicates the canonical definition in labels.yml.

The inline label creation logic hardcodes properties (color: 'B60205', description) that already exist in .github/labels.yml (lines 413-415), which declares itself the "single source of truth" for label configuration. Whilst this provides resilience if the label is accidentally deleted, it creates a maintenance burden and violates the DRY principle—if the canonical definition changes, this workflow must be updated separately.

Consider either:

  • Option A (preferred): Remove the creation logic and assume the label exists (managed via labels.yml sync)
  • Option B: Add a comment documenting the intentional duplication and the resilience trade-off
♻️ Option A: Remove inline creation
-            try {
-              await github.rest.issues.getLabel({ owner, repo, name: labelName });
-            } catch (error) {
-              if (error.status === 404) {
-                await github.rest.issues.createLabel({
-                  owner,
-                  repo,
-                  name: labelName,
-                  color: 'B60205',
-                  description: 'Dependabot update appears security-related and eligible for guarded automation',
-                });
-              } else {
-                throw error;
-              }
-            }
-
             const existing = await github.rest.issues.listLabelsOnIssue({ owner, repo, issue_number });
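Review bot: the diff removes the `getLabel` existence check together with the `createLabel` fallback, which contradicts the accompanying prompt text that says to keep "only the existence check logic"; decide which is intended before applying it. If the whole block goes, nothing in the workflow verifies the label exists, so a short comment at the `listLabelsOnIssue` line stating that the label is managed by `.github/labels.yml` would at least record the assumption (the bot's Option B).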
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-security-label.yml around lines 42 - 56, Remove
the inline label-creation fallback and rely on the canonical labels.yml as the
single source of truth: delete the catch branch that calls
github.rest.issues.createLabel (the code that hardcodes color and description)
and either let github.rest.issues.getLabel({ owner, repo, name: labelName })
surface a 404 error or rethrow it, keeping only the existence check logic that
references labelName; if you prefer to keep a note, add a short comment near the
getLabel call explaining that labels are managed via .github/labels.yml and
intentional resilience was removed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/dependabot-security-label.yml:
- Line 18: Replace the mutable tag usage of the GitHub Action by pinning
actions/github-script@v7 to a specific commit SHA: locate the line using "uses:
actions/github-script@v7" and update it to the corresponding SHA-pinned ref
(e.g., actions/github-script@<commit-sha>) fetched from the
actions/github-script v7 release; ensure the chosen SHA matches the intended v7
release to preserve behavior while preventing tag-moving supply-chain risks.
- Around line 42-56: Remove the inline label-creation fallback and rely on the
canonical labels.yml as the single source of truth: delete the catch branch that
calls github.rest.issues.createLabel (the code that hardcodes color and
description) and either let github.rest.issues.getLabel({ owner, repo, name:
labelName }) surface a 404 error or rethrow it, keeping only the existence check
logic that references labelName; if you prefer to keep a note, add a short
comment near the getLabel call explaining that labels are managed via
.github/labels.yml and intentional resilience was removed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 7b4ab387-4acd-4c4f-964b-8a7b0342d1ba

📥 Commits

Reviewing files that changed from the base of the PR and between 19df9a5 and 2120535.

📒 Files selected for processing (3)
  • .github/labels.yml
  • .github/mergify.yml
  • .github/workflows/dependabot-security-label.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/mergify.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: coderabbit-gate
  • GitHub Check: check
🧰 Additional context used
📓 Path-based instructions (1)
**/.github/workflows/*.yml

⚙️ CodeRabbit configuration file

**/.github/workflows/*.yml: Review GitHub Actions workflows for this governance repo:

  • Security: check for least-privilege permissions (use permissions: at job level, default to read-only).
  • Secret handling: ensure secrets are passed via env vars, not interpolated directly into run: steps to prevent injection.
  • Action pinning: prefer SHA-pinned actions over mutable tags (e.g. actions/checkout@v4 is acceptable; SHA pins are better).
  • No pull_request_target with untrusted code execution unless explicitly justified.
  • Avoid storing sensitive outputs as unmasked step outputs.
  • Check for reusable workflow patterns and matrix strategies where appropriate.
  • Validate on: triggers: ensure branch/path filters are present to avoid unnecessary runs.
  • Confirm workflows are documented, DRY, and maintainable.
  • Ensure agent-triggered workflows use workflow_dispatch with defined inputs.

Files:

  • .github/workflows/dependabot-security-label.yml
🔇 Additional comments (4)
.github/labels.yml (1)

413-415: LGTM!

.github/workflows/dependabot-security-label.yml (3)

3-6: LGTM!


31-40: LGTM!


58-75: LGTM!

@github-actions (Contributor) commented

🔍 Reviewer Summary for PR #563

CI Status:success
Files changed: 4

Recommendations

  • Ready to proceed pending human review

@ashleyshaw ashleyshaw removed the meta:needs-changelog Requires a changelog entry before merge label May 29, 2026
@ashleyshaw ashleyshaw removed the meta:no-changelog No changelog needed label May 29, 2026
@github-actions github-actions Bot added area:documentation Docs & guides lang:md Markdown content/docs meta:needs-changelog Requires a changelog entry before merge labels May 29, 2026
@github-actions (Contributor) commented

🔍 Reviewer Summary for PR #563

CI Status:success
Files changed: 5

Recommendations

  • Ready to proceed pending human review

@coderabbitai coderabbitai Bot requested a review from krugazul May 29, 2026 13:31
@ashleyshaw ashleyshaw merged commit ca00f09 into develop May 29, 2026
16 checks passed
@ashleyshaw ashleyshaw deleted the config/dependabot-mergify branch May 29, 2026 13:32

Labels

area:ci Build and CI pipelines area:dependencies Composer/npm dependency work area:documentation Docs & guides area:labels Label governance and routing area:security Security-focused work lang:md Markdown content/docs meta:needs-changelog Requires a changelog entry before merge priority:normal Default priority status:needs-review Awaiting code review type:feature Feature or enhancement
