Skip to content

chore: combine dependabot dependency updates#44

Merged
finallyjay merged 1 commit into
mainfrom
chore/combine-dependabot-updates
Jun 21, 2026
Merged

chore: combine dependabot dependency updates#44
finallyjay merged 1 commit into
mainfrom
chore/combine-dependabot-updates

Conversation

@finallyjay

Copy link
Copy Markdown
Owner

Combines all open Dependabot PRs into a single PR.

Changes

requirements-dev.txt

.github/workflows/ci.yml

🤖 Generated with Claude Code

Combines the following Dependabot PRs into one:
- pytest 9.1.0 -> 9.1.1 (#40)
- ruff 0.15.17 -> 0.15.18 (#41)
- types-requests 2.32.4.20260107 -> 2.33.0.20260518 (#42)
- types-PyYAML 6.0.12.20250915 -> 6.0.12.20260518 (#43)
- actions/checkout v6 -> v7 (#39)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated continuous integration configuration with the latest GitHub Actions checkout version for improved reliability.
    • Refreshed development and testing dependencies to their latest compatible versions.

Walkthrough

The CI workflow updates actions/checkout from v6 to v7 across all three jobs (lint, test, docker). In requirements-dev.txt, four dev dependency pins are bumped (pytest, ruff, types-requests, types-PyYAML) and the -r requirements.txt top-level include is removed.

Changes

Dependency and CI Updates

Layer / File(s) Summary
actions/checkout bump to v7 in CI jobs
.github/workflows/ci.yml
Checkout action version changed from v6 to v7 in the lint, test, and docker jobs. No other workflow steps are modified.
Dev dependency version updates
requirements-dev.txt
pytest bumped to 9.1.1, ruff to 0.15.18, types-requests to 2.33.0.20260518, types-PyYAML to 6.0.12.20260518. The -r requirements.txt include line is removed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

Suggested labels

dependencies, python

Poem

🐇 Hop, hop, hooray for version seven!
Checkout flies up closer to heaven.
Pytest and ruff get a fresh new coat,
PyYAML and types-requests — worth a note.
The rabbit stamps versions with a cheerful thump,
Every dep gets a well-deserved bump! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: consolidating multiple Dependabot dependency updates into a single PR.
Description check ✅ Passed The description covers the main summary and lists key changes with issue references, but lacks a test plan section as specified in the template.
Linked Issues check ✅ Passed All code changes match their linked issues: pytest 9.1.1, ruff 0.15.18, types-requests and types-PyYAML updates, and actions/checkout v7 are all correctly implemented.
Out of Scope Changes check ✅ Passed All changes are directly related to the five Dependabot updates referenced in linked issues; no out-of-scope changes detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/combine-dependabot-updates

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot added dependencies Dependency updates python Pull requests that update python code labels Jun 21, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

16-16: ⚖️ Poor tradeoff

Address static analysis security/pinning issues flagged by zizmor.

The checkout action upgrade to v7 is consistent and legitimate, but static analysis tools flagged two pre-existing patterns:

  1. unpinned-uses: The action is not pinned to a commit hash (currently using semantic version tag v7). Pinning to a hash hardens supply-chain security.
  2. artipacked: persist-credentials: false is not set, which allows GitHub Actions to persist credentials through artifacts. This is a security best-practice for fork PRs and untrusted contexts.

These are blanket policy issues that affect all three jobs. While v7's security enhancements should not break your workflow (they only block fork PRs on pull_request_target and workflow_run, which you don't use), consider hardening these patterns in this PR or a follow-up.

🔒️ Example fix: pin to hash and set persist-credentials
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@f38e2e3beef34dcd5d003c2adfb663636e8baf5f  # v7.0.0
+        with:
+          persist-credentials: false

To find the commit hash for a version tag, visit https://github.com/actions/checkout/releases and copy the hash from the release.

Also applies to: 38-38, 54-54

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 16, The actions/checkout action is not
pinned to a specific commit hash and lacks the persist-credentials security
setting. For each occurrence of the checkout action (at lines 16, 38, and 54),
replace the semantic version tag reference with a pinned commit hash by visiting
https://github.com/actions/checkout/releases to find the hash for v7, then
update each instance from "uses: actions/checkout@v7" to "uses:
actions/checkout@[COMMIT_HASH]" and add "with: persist-credentials: false" to
disable credential persistence for enhanced supply-chain security.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 16: The actions/checkout action is not pinned to a specific commit hash
and lacks the persist-credentials security setting. For each occurrence of the
checkout action (at lines 16, 38, and 54), replace the semantic version tag
reference with a pinned commit hash by visiting
https://github.com/actions/checkout/releases to find the hash for v7, then
update each instance from "uses: actions/checkout@v7" to "uses:
actions/checkout@[COMMIT_HASH]" and add "with: persist-credentials: false" to
disable credential persistence for enhanced supply-chain security.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9698ebd3-fabf-4e2a-89ae-91260b4fe43f

📥 Commits

Reviewing files that changed from the base of the PR and between dbbe966 and dcb1ee3.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • requirements-dev.txt
📜 Review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml

[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 38-38: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 38-38: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 54-54: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 54-54: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (2)
requirements-dev.txt (2)

5-5: No action required—the codebase does not use the patterns rejected by ruff 0.15.18.

The codebase does not use __debug__ as a lambda parameter, _ as a match-pattern target, or match/case statements at all. The ruff 0.15.18 parser strictness improvements will not affect this project.


2-8: The -r requirements.txt include is still present in requirements-dev.txt.

The review assumption that this line was removed is not accurate. The current state shows -r requirements.txt on line 1 of the file, which means production dependencies (requests==2.34.2, PyYAML==6.0.3) are still being installed. Since tests import from the main module and require these dependencies to run, there is no concern here.

			> Likely an incorrect or invalid review comment.

@finallyjay finallyjay merged commit cd1653d into main Jun 21, 2026
7 checks passed
@finallyjay finallyjay deleted the chore/combine-dependabot-updates branch June 21, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency updates python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant