From c9b8a27b28250d5e79679937959b650581165c84 Mon Sep 17 00:00:00 2001
From: CoderDeltaLAN
Date: Fri, 19 Jun 2026 19:18:35 +0100
Subject: [PATCH] ci: add Dependabot version updates

---
 .github/dependabot.yml | 13 +++++++++++++
 CHANGELOG.md | 1 +
 docs/DEPENDABOT-DEPENDENCY-GRAPH.md | 10 +++++-----
 docs/SECURITY-SUPPLY-CHAIN-EVALUATION.md | 6 +++---
 scripts/post-release-audit.sh | 5 ++++-
 5 files changed, 26 insertions(+), 9 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f4a6a10
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 2
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ca28f5..903c274 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ This project has a published GitHub Release line, but no stable support or API g
 ### Changed
+- Added low-noise Dependabot version updates for `pip` and `github-actions` with monthly checks and capped open PRs.
 - Triaged CodeQL findings by removing duplicate `re` imports, making deliberate test string concatenation explicit, and avoiding secret-like test fixture naming that produced false-positive clear-text storage alerts.
 - Synced Dependabot malware alerts and grouped security updates documentation with follow-up Advanced Security UI evidence, while keeping Dependabot version updates deferred.
 - Synced product strategy and support public-truth wording with v0.3.0, and expanded the post-release audit guard for stale version and private reporting claims.
diff --git a/docs/DEPENDABOT-DEPENDENCY-GRAPH.md b/docs/DEPENDABOT-DEPENDENCY-GRAPH.md
index 477f642..4829f4c 100644
--- a/docs/DEPENDABOT-DEPENDENCY-GRAPH.md
+++ b/docs/DEPENDABOT-DEPENDENCY-GRAPH.md
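Review bot: In the `.github/dependabot.yml` hunk, both update entries take whatever the newest version is when the monthly run happens, including a release published hours earlier, so a freshly published and later-withdrawn or compromised `pip` package or action version can be proposed before the ecosystem has had time to flag it; Dependabot's `cooldown` option (a `default-days` value under each update entry, where the ecosystem supports it) holds new versions back for a set number of days and is the lightest mitigation for that window. The file also has no comment recording the deliberately low-noise choices that the docs and the new `scripts/post-release-audit.sh` checks in this patch depend on; a header such as `# Low-noise version updates: monthly, at most 2 open PRs per ecosystem; security updates are governed by repository settings, not this file.` keeps the intent next to the values. Whether the `github-actions` entry will bump SHA pins or tags depends on how the workflows reference actions, which this patch does not show.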
@@ -35,7 +35,7 @@ Follow-up verification notes from `security/verify-dependabot-settings`:
 - `GET /repos/{owner}/{repo}/dependabot/alerts` returned an empty list, so no open Dependabot alerts were visible at verification time;
 - no REST or GraphQL field was found in this phase that clearly exposes the Grouped security updates or Dependabot malware alerts toggle state;
 - the GitHub Advanced Security UI screenshots are therefore the evidence source for the malware alerts and grouped security updates claims;
-- no `.github/dependabot.yml` exists, so Dependabot version updates remain not configured by repository file.
+- `.github/dependabot.yml` exists, so Dependabot version updates are configured by repository file.
 ## Current repository setting record
@@ -49,7 +49,7 @@ Follow-up verification notes from `security/verify-dependabot-settings`:
 | Dependabot malware alerts | Enabled | Advanced Security UI showed `Disable` in the follow-up verification phase | Alerts when malware is detected in dependencies; this is a repository-maintenance signal, not a product guarantee. |
 | Dependabot security updates | Enabled | Advanced Security UI showed `Disable` | May open security PRs when Dependabot alerts have available patches. |
 | Grouped security updates | Enabled | Advanced Security UI showed `Disable` in the follow-up verification phase | Groups available Dependabot alert fixes into one pull request per package manager and manifest directory, unless overridden by rules. |
-| Dependabot version updates | Disabled / not configured | Advanced Security UI showed `Enable`; no `.github/dependabot.yml` exists | Version updates require a committed `.github/dependabot.yml` and should be handled in a dedicated phase. |
+| Dependabot version updates | Configured | `.github/dependabot.yml` committed in `supply-chain/add-dependabot-version-updates` | Low-noise monthly checks for `pip` and `github-actions`, each capped at 2 open version-update PRs. |
 | CodeQL analysis | Enabled | Advanced Security UI showed CodeQL advanced setup and recent scan | Additional signal only; not a guarantee. |
 | Copilot Autofix | Enabled as suggestion source | Advanced Security UI showed `On` | Suggestions must not bypass branch, diff, tests, CI, or PR review. |
 | Secret Protection | Enabled | Advanced Security UI showed `Disable` | Keep active; this record does not configure custom patterns. |
@@ -78,11 +78,11 @@ They do not prove that dependencies are safe, complete, current, or free of vuln
 Dependabot security updates may open pull requests for vulnerable dependencies with available patches. Those pull requests must follow the normal Always-Green workflow: branch, diff review, checks, PR, CI, and merge by exact head SHA.
-## Deferred Dependabot version updates
+## Dependabot version updates
-Dependabot version updates are deliberately deferred in this phase.
+Dependabot version updates are now configured by `.github/dependabot.yml`.
-Reason: version updates are enabled by committing a `.github/dependabot.yml` file, and they can open normal update PRs even when no vulnerability exists. That is useful, but it is a separate supply-chain maintenance phase, not part of this settings-record phase.
+Current policy: keep the first configuration deliberately low-noise. Dependabot checks `pip` and `github-actions` monthly, with at most 2 open version-update PRs per ecosystem. Security updates remain governed separately by GitHub's Dependabot security update controls.
 Expected future branch if accepted:
diff --git a/docs/SECURITY-SUPPLY-CHAIN-EVALUATION.md b/docs/SECURITY-SUPPLY-CHAIN-EVALUATION.md
index 1888156..c24af46 100644
--- a/docs/SECURITY-SUPPLY-CHAIN-EVALUATION.md
+++ b/docs/SECURITY-SUPPLY-CHAIN-EVALUATION.md
@@ -82,10 +82,10 @@ Current repository setting record:
 - dependency graph is manually verified as enabled;
 - Dependabot alerts are manually verified as enabled;
 - Dependabot security updates are manually verified as enabled;
-- Dependabot version updates are deferred because no `.github/dependabot.yml` exists in this phase;
+- Dependabot version updates are configured by `.github/dependabot.yml` with low-noise monthly `pip` and `github-actions` checks;
 - automatic dependency submission is deferred;
 - Dependabot malware alerts and grouped security updates are manually verified as enabled by the follow-up Advanced Security UI evidence;
-- Dependabot version updates remain disabled / not configured because no `.github/dependabot.yml` exists;
+- Dependabot version updates are capped at 2 open version-update PRs per configured ecosystem;
 - terminal/API probes are preferred for repeatable evidence, while UI evidence is retained only for settings without a clear API state in this phase.
 See `docs/DEPENDABOT-DEPENDENCY-GRAPH.md` for the dedicated settings record.
@@ -101,7 +101,7 @@ Risks and constraints:
 Recommended future Dependabot phase boundaries:
 - inspect and document the existing Dependabot rule before claiming it as a control;
-- decide whether to add `.github/dependabot.yml` for version updates in a separate branch;
+- monitor Dependabot version-update PR volume before increasing cadence or scope;
 - keep malware alerts and grouped security updates documented as repository-maintenance signals, not security guarantees;
 - do not combine version-update automation with CodeQL, release, or security-policy changes.
diff --git a/scripts/post-release-audit.sh b/scripts/post-release-audit.sh
index 8115fd7..67ee5b5 100755
--- a/scripts/post-release-audit.sh
+++ b/scripts/post-release-audit.sh
@@ -69,7 +69,10 @@ require_contains docs/PRODUCT-STRATEGY.md 'Status: published in v0\.3\.0'
 require_contains SUPPORT.md 'Private vulnerability reporting is enabled'
 require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'Dependabot malware alerts | Enabled'
 require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'Grouped security updates | Enabled'
-require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'Dependabot version updates | Disabled / not configured'
+require_contains .github/dependabot.yml 'package-ecosystem: "pip"'
+require_contains .github/dependabot.yml 'package-ecosystem: "github-actions"'
+require_contains .github/dependabot.yml 'open-pull-requests-limit: 2'
+require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'Dependabot version updates | Configured'
 require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'Evidence is ranked in this record as follows'
 require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'vulnerability-alerts` returned HTTP `204`'
 require_contains docs/DEPENDABOT-DEPENDENCY-GRAPH.md 'private-vulnerability-reporting` returned `enabled: true`'
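Review bot: The added `require_contains .github/dependabot.yml 'open-pull-requests-limit: 2'` check is satisfied when only one of the two ecosystems carries the cap, and nothing in the hunk verifies the `interval: "monthly"` value, although both docs changed in this patch state a monthly cadence and a 2-PR cap per ecosystem; since this guard exists to catch stale documentation claims, add `require_contains .github/dependabot.yml 'interval: "monthly"'` beside the other three and, if `require_contains` or a sibling helper can express it, a two-occurrence check for the limit line. `require_contains` is defined outside this hunk, so its matching semantics are not visible here; the existing `v0\.3\.0` argument suggests the pattern is a regex, in which case the new patterns' quotes and colons are safe but any future pattern containing `.` needs the same escaping discipline.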