chore: combine dependabot dependency updates#44
Conversation
Combines the following Dependabot PRs into one: - pytest 9.1.0 -> 9.1.1 (#40) - ruff 0.15.17 -> 0.15.18 (#41) - types-requests 2.32.4.20260107 -> 2.33.0.20260518 (#42) - types-PyYAML 6.0.12.20250915 -> 6.0.12.20260518 (#43) - actions/checkout v6 -> v7 (#39) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe CI workflow updates ChangesDependency and CI Updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
16-16: ⚖️ Poor tradeoffAddress static analysis security/pinning issues flagged by zizmor.
The checkout action upgrade to v7 is consistent and legitimate, but static analysis tools flagged two pre-existing patterns:
- unpinned-uses: The action is not pinned to a commit hash (currently using semantic version tag
v7). Pinning to a hash hardens supply-chain security.- artipacked:
persist-credentials: falseis not set, which allows GitHub Actions to persist credentials through artifacts. This is a security best-practice for fork PRs and untrusted contexts.These are blanket policy issues that affect all three jobs. While v7's security enhancements should not break your workflow (they only block fork PRs on
pull_request_targetandworkflow_run, which you don't use), consider hardening these patterns in this PR or a follow-up.🔒️ Example fix: pin to hash and set persist-credentials
- - uses: actions/checkout@v7 + - uses: actions/checkout@f38e2e3beef34dcd5d003c2adfb663636e8baf5f # v7.0.0 + with: + persist-credentials: falseTo find the commit hash for a version tag, visit https://github.com/actions/checkout/releases and copy the hash from the release.
Also applies to: 38-38, 54-54
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 16, The actions/checkout action is not pinned to a specific commit hash and lacks the persist-credentials security setting. For each occurrence of the checkout action (at lines 16, 38, and 54), replace the semantic version tag reference with a pinned commit hash by visiting https://github.com/actions/checkout/releases to find the hash for v7, then update each instance from "uses: actions/checkout@v7" to "uses: actions/checkout@[COMMIT_HASH]" and add "with: persist-credentials: false" to disable credential persistence for enhanced supply-chain security.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 16: The actions/checkout action is not pinned to a specific commit hash
and lacks the persist-credentials security setting. For each occurrence of the
checkout action (at lines 16, 38, and 54), replace the semantic version tag
reference with a pinned commit hash by visiting
https://github.com/actions/checkout/releases to find the hash for v7, then
update each instance from "uses: actions/checkout@v7" to "uses:
actions/checkout@[COMMIT_HASH]" and add "with: persist-credentials: false" to
disable credential persistence for enhanced supply-chain security.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 9698ebd3-fabf-4e2a-89ae-91260b4fe43f
📒 Files selected for processing (2)
.github/workflows/ci.ymlrequirements-dev.txt
📜 Review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml
[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 38-38: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 38-38: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 54-54: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 54-54: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔇 Additional comments (2)
requirements-dev.txt (2)
5-5: No action required—the codebase does not use the patterns rejected by ruff 0.15.18.The codebase does not use
__debug__as a lambda parameter,_as a match-pattern target, or match/case statements at all. The ruff 0.15.18 parser strictness improvements will not affect this project.
2-8: The-r requirements.txtinclude is still present in requirements-dev.txt.The review assumption that this line was removed is not accurate. The current state shows
-r requirements.txton line 1 of the file, which means production dependencies (requests==2.34.2,PyYAML==6.0.3) are still being installed. Since tests import from the main module and require these dependencies to run, there is no concern here.> Likely an incorrect or invalid review comment.
Combines all open Dependabot PRs into a single PR.
Changes
requirements-dev.txt9.1.0→9.1.1(closes Bump pytest from 9.1.0 to 9.1.1 #40)0.15.17→0.15.18(closes Bump ruff from 0.15.17 to 0.15.18 #41)2.32.4.20260107→2.33.0.20260518(closes Bump types-requests from 2.32.4.20260107 to 2.33.0.20260518 #42)6.0.12.20250915→6.0.12.20260518(closes Bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260518 #43).github/workflows/ci.ymlv6→v7(closes Bump actions/checkout from 6 to 7 #39)🤖 Generated with Claude Code