
chore(ci): fix dependabot workflows and drain PR backlog#2044

Open
JayT106 wants to merge 4 commits into main from ci/fix-dependabot-drain-backlog

Conversation

Contributor

@JayT106 JayT106 commented May 8, 2026

Summary

  • dependabot.yml (new): groups added for all ecosystems — cosmos-sdk, otel, gomod-minor-patch for gomod; gh-actions for actions; docker; pip-minor-patch for integration_tests + testground/benchmark; npm-minor-patch for integration_tests/contracts
  • dependabot-update-all: pull_request_target trigger so APP_ID/APP_PRIVATE_KEY resolve; gate on dependabot/go_modules/*; tolerate grouped PR titles (tidy-only fallback); head.sha checkout (security); bump setup-go → 1.25.10, checkout → v6, add-and-commit → v10, create-github-app-token → v2.2.1
  • dependencies-review: paths filter scopes to go diffs; setup-go → 1.25.10, checkout → v6; allowlist refactored to multi-ID variable

Follow-up (backlog drain post-merge)

Summary by CodeRabbit

  • Chores
    • Improved automated dependency update configuration for ecosystem management.
    • Enhanced CI workflows for dependency reviews and vulnerability checks.

- add .github/dependabot.yml with groups (cosmos-sdk, otel,
  gomod-minor-patch, gh-actions, docker, pip, npm) to reduce PR churn
- switch dependabot-update-all to pull_request_target so APP_ID/
  APP_PRIVATE_KEY resolve; gate on dependabot/go_modules/* branches;
  tolerate grouped PR titles; use head.sha not head.ref
- bump setup-go to 1.25.10 in dependabot-update-all and
  dependencies-review; bump actions/checkout and EndBug/add-and-commit
- scope dependencies-review to go diffs via paths filter; widen
  allowlist structure for future unfixable vulns
@JayT106 JayT106 requested a review from a team as a code owner May 8, 2026 16:15
@JayT106 JayT106 requested review from ApacCronos and XinyuCRO and removed request for a team May 8, 2026 16:15
@github-actions github-actions Bot added the ci label May 8, 2026

coderabbitai Bot commented May 8, 2026


📝 Walkthrough


This PR establishes Dependabot configuration for multi-ecosystem dependency management and hardens CI workflows. It adds .github/dependabot.yml for GitHub Actions, Docker, Go modules, Python, and npm updates; strengthens the dependency update workflow with conditional execution and gated triggering; upgrades vulnerability checking to use allowlisted IDs; and upgrades GitHub Actions to pinned versions.

Changes

Dependabot configuration and workflow updates

Dependabot ecosystem configuration (.github/dependabot.yml)
  Defines daily updates for GitHub Actions and Docker, daily Go module updates with grouping for Cosmos SDK and OpenTelemetry (cosmos-sdk and otel groups) allowing minor/patch via gomod-minor-patch, and weekly Python and npm updates for integration test directories with open PR limits and dependencies label assignment per ecosystem.

Dependency update automation workflow (.github/workflows/dependabot-update-all.yml)
  Workflow trigger changed from pull_request to pull_request_target; job now conditionally executes only for Dependabot-authored PRs on branches matching dependabot/go_modules/*. Token generation, checkout, and Go setup actions upgraded to pinned versions (Go 1.25.10). Dependency extraction logic rewritten to output skip=true for grouped/unparseable PR titles instead of failing, enabling conditional module updates to run only on parsed titles while tidy steps always execute. Commit action bumped from @v9 to @v10.

Dependency review and vulnerability scanning (.github/workflows/dependencies-review.yml)
  Workflow now filters to trigger only on changes to Go source files (**/*.go) and module files (**/go.mod, **/go.sum). Actions upgraded to major versions with Go pinned to 1.25.10. Vulnerability check step replaced with allowlist-driven validation: extracts detected GO vulnerability IDs using an extended-regex pattern, iterates through detected IDs checking membership in the ALLOWED list, and fails the job if any vulnerability is not allowlisted.

Documentation (CHANGELOG.md)
  Added changelog entry under UNRELEASED → Chores documenting CI fixes for Dependabot workflows and PR backlog management.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • XinyuCRO
  • ApacCronos

🐰 Dependabot hops into the fold,
With ecosystems grouped and controlled—
Go modules tidy, vulns allowlisted bright,
Workflows pinned versions, gating set right! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately and concisely summarizes the main changes: Dependabot workflow fixes and PR backlog draining, matching the actual modifications to CI workflows and configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.




socket-security Bot commented May 8, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | github/actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c | 99 | 100 | 100 | 100 | 100
Updated | github/endbug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 ⏵ 290ea2c423ad77ca9c62ae0f5b224379612c0321 | 100 (+1) | 100 | 100 | 100 | 100


@JayT106 JayT106 changed the title ci: fix dependabot workflows and drain PR backlog chore(ci): fix dependabot workflows and drain PR backlog May 8, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-update-all.yml:
- Around line 37-43: The dep_name extraction is too narrow (only matches
github.com); update the grep on PR_TITLE that sets dep_name to accept other
module hosts (e.g. cosmossdk.io, go.opentelemetry.io) by replacing the pattern
"github.com/[^ ]+" with a more general host+path regex such as
"[A-Za-z0-9._-]+\\.[A-Za-z0-9._-]+/[^ ]+" (or similar host-with-dots pattern) so
dep_name captures any module host and path; leave dep_version extraction as-is
but ensure it still reads from PR_TITLE. Reference: dep_name, dep_version,
PR_TITLE.

In @.github/workflows/dependencies-review.yml:
- Around line 37-40: The current check exits immediately on any non-zero exit
from `make vulncheck`, preventing the allowlist logic from running when
`govulncheck` returns code 3 for found vulnerabilities; change the block that
runs `make vulncheck` so it redirects output to `govulncheck-output.txt`,
captures the command exit code into a variable, and only exit the workflow on
real execution errors (e.g., non-zero codes other than 3). Specifically, modify
the `make vulncheck` invocation to save output to `govulncheck-output.txt`,
capture `$?` into a status variable, and then branch: if the status equals 3,
continue (allow the allowlist logic to run), if status is 0 continue, otherwise
treat it as a failure and exit 1; keep references to the `make vulncheck`
invocation and `govulncheck-output.txt` so the allowlist logic (the subsequent
block) can operate on the generated output.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: edd2b855-c0ed-4b01-ae9e-f77a01bd3fe0

📥 Commits

Reviewing files that changed from the base of the PR and between 43db8cc and db221a1.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/dependabot-update-all.yml
  • .github/workflows/dependencies-review.yml
  • CHANGELOG.md

Comment on lines +37 to +43
# Parse Dependabot PR titles of the form:
# build(deps): bump <module-path> from <x> to <y>
# Grouped PR titles (e.g. "bump the gomod-minor-patch group across 1 directory")
# do not match and are handled by falling through to a tidy-only run.
dep_name=$(grep -oE 'github.com/[^ ]+' <<<"$PR_TITLE" | head -1 || true)
dep_version=$(grep -oE 'to v?([0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?)' <<<"$PR_TITLE" | awk '{print $2}' || true)


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Dependency name parser is too narrow and skips valid module updates

On Line 41, parsing only github.com/... misses valid modules like cosmossdk.io/... or go.opentelemetry.io/..., which then forces skip=true and bypasses Line 56.

💡 Suggested fix
-          dep_name=$(grep -oE 'github.com/[^ ]+' <<<"$PR_TITLE" | head -1 || true)
+          dep_name=$(sed -nE 's/^build\(deps\): bump ([^ ]+) from .*/\1/p' <<<"$PR_TITLE" | head -1 || true)
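Review bot: the `sed` replacement is anchored on the literal `build(deps): ` prefix, so a Dependabot title with any other commit-message prefix, or a bare `Bump ...`, silently takes the skip=true path this comment is trying to avoid; anchoring on `bump ([^ ]+) from ` instead stays prefix-agnostic and still leaves grouped titles (no `from ... to ...`) to the tidy-only fallback. Separately, `[^ ]+` accepts anything without a space, and this step runs under pull_request_target with an App token, so dep_name should be checked against a module-path character set before it is handed to the module update step.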
📝 Committable suggestion


Suggested change
# Parse Dependabot PR titles of the form:
# build(deps): bump <module-path> from <x> to <y>
# Grouped PR titles (e.g. "bump the gomod-minor-patch group across 1 directory")
# do not match and are handled by falling through to a tidy-only run.
dep_name=$(sed -nE 's/^build\(deps\): bump ([^ ]+) from .*/\1/p' <<<"$PR_TITLE" | head -1 || true)
dep_version=$(grep -oE 'to v?([0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?)' <<<"$PR_TITLE" | awk '{print $2}' || true)
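As an added example, not code from the cronos workflow or from either reviewer: the title-parsing step the comment above discusses, written as a POSIX shell function that accepts any module host (github.com, cosmossdk.io, go.opentelemetry.io, ...), returns non-zero for grouped or unparseable titles so a caller can take the tidy-only path, and checks both values against a strict character set before they could reach `go get`. The function name and the sample titles are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's dependabot-update-all step).
# Parse a Dependabot PR title of the single-module form
#   <prefix>: bump <module-path> from <x> to <y>[ in <dir>]
# Prints "<module> <version>" and returns 0 on success; prints nothing and
# returns 1 for grouped titles ("bump the ... group ...") or anything that does
# not look like a Go module path plus a version. The caller maps that 1 to the
# workflow's skip=true / tidy-only fallback.
parse_dep_title() {
  title=$1
  # Any commit-message prefix is accepted; only the "bump X from A to B" core matters.
  mod=$(printf '%s\n' "$title" | sed -nE 's/^.*[Bb]ump ([^ ]+) from [^ ]+ to ([^ ]+).*$/\1/p')
  ver=$(printf '%s\n' "$title" | sed -nE 's/^.*[Bb]ump ([^ ]+) from [^ ]+ to ([^ ]+).*$/\2/p')
  [ -n "$mod" ] && [ -n "$ver" ] || return 1

  # Module path: a dotted host followed by one or more path segments made only of
  # the characters Go allows in import paths. This rejects shell metacharacters,
  # flags and anything else an unexpected title could smuggle into `go get`,
  # which matters because the step runs under pull_request_target with a token.
  printf '%s\n' "$mod" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*\.[A-Za-z0-9._-]+(/[A-Za-z0-9._~-]+)+$' || return 1

  # Version: semver with optional leading v, optional pre-release/pseudo-version
  # suffix (hyphens allowed for "0.0.0-2024...-abcdef") and optional "+incompatible".
  printf '%s\n' "$ver" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?([+][A-Za-z0-9.]+)?$' || return 1

  printf '%s %s\n' "$mod" "$ver"
}

# Stand-alone demonstration over constructed titles (safe under `set -e`).
for t in \
  'build(deps): bump cosmossdk.io/math from 1.3.0 to 1.4.0' \
  'build(deps): bump go.opentelemetry.io/otel from 1.2.0 to 1.3.0 in /testground/benchmark' \
  'build(deps): bump the gomod-minor-patch group across 1 directory with 3 updates' \
  'build(deps): bump $(id) from 1.0.0 to 1.0.1'
do
  if parsed=$(parse_dep_title "$t"); then
    echo "update: $parsed"
  else
    echo "skip (tidy-only): $t"
  fi
done
```

The skip signal is the function's exit status rather than an empty string, so the workflow can write `skip=true` to `$GITHUB_OUTPUT` in the `else` branch and keep the success path free of string comparisons.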

Comment on lines 37 to 40
if ! make vulncheck 2>&1 | tee govulncheck-output.txt ; then
echo "govulncheck failed to execute"
exit 1
fi

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate vulncheck target definition =="
rg -n --type=make -C3 '(^|\s)vulncheck\s*:' Makefile **/Makefile || true

echo
echo "== Locate govulncheck invocations in repo =="
rg -n -C3 '\bgovulncheck\b|\bvulncheck\b'

Repository: crypto-org-chain/cronos

Length of output: 712


🏁 Script executed:

# Find and inspect the actual workflow file
find . -name "dependencies-review.yml" -type f

Repository: crypto-org-chain/cronos

Length of output: 111


🏁 Script executed:

# Read the workflow file to see the full context around lines 37-40 and 42-59
cat -n .github/workflows/dependencies-review.yml | sed -n '25,65p'

Repository: crypto-org-chain/cronos

Length of output: 1610


🌐 Web query:

govulncheck exit codes documentation golang vulnerability checker

💡 Result:

govulncheck exit codes (golang vulnerability checker) - Exit code 0: no vulnerabilities found. [1] - Exit code 3: vulnerabilities found. [1] - Exit code 0 even when vulnerabilities are detected if -json is provided (i.e., success regardless of number of detected vulnerabilities). [2][1] Notes / CI implication: - If you run govulncheck in CI with -json output, you should not rely on the process exit code to fail the build when vulnerabilities are detected, because -json causes exit code 0 regardless of findings. [2]


Allowlist logic never executes due to early exit on make vulncheck

When govulncheck finds vulnerabilities, it exits with code 3. The workflow on Line 37 treats any non-zero exit as a failure and exits immediately, preventing Lines 42-59 (the allowlist logic) from running. This defeats the allowlist feature entirely—the workflow will fail on any vulnerability, even allowlisted ones.

Fix: Capture the make vulncheck exit status, allow exit code 3 to continue, and only fail on actual execution errors.

Suggested fix
-          if ! make vulncheck 2>&1 | tee govulncheck-output.txt ; then
-            echo "govulncheck failed to execute"
-            exit 1
-          fi
+          set +e
+          make vulncheck 2>&1 | tee govulncheck-output.txt
+          vulncheck_status=$?
+          set -e
+
+          # Exit code 3 means vulnerabilities found (expected); proceed to allowlist check.
+          # Exit code 0 means no vulnerabilities (success).
+          # Any other code indicates execution failure.
+          if [ "$vulncheck_status" -ne 0 ] && [ "$vulncheck_status" -ne 3 ]; then
+            echo "govulncheck failed to execute (exit=$vulncheck_status)"
+            exit 1
+          fi
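Review bot: `vulncheck_status=$?` placed after `make vulncheck 2>&1 | tee govulncheck-output.txt` captures tee's exit status, not make's, unless pipefail is active for this step (the `set +e` shown does not turn it on); use `${PIPESTATUS[0]}` or redirect to the file and `cat` it afterwards. Even with the right status in hand, GNU make reports a failed recipe as its own exit code 2, not the recipe's 3, so the `-ne 3` comparison only works if the vulncheck target exits with govulncheck's status; invoking govulncheck directly in this step avoids both problems.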
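As an added example, not the project's dependencies-review workflow or Makefile: the scan-then-allowlist step in POSIX shell, with the exit-code handling the comment above asks for. It uses a constructed stand-in scanner that prints a report with two placeholder IDs and exits 3, the code govulncheck uses for "vulnerabilities found"; the report text and the GO-0000-* identifiers are made up for this illustration and are not real advisories. `run_scan`, `check_allowlist` and `vuln_gate` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow). Policy implemented:
#   exit 0  -> no findings, pass
#   exit 3  -> findings, pass only if every ID is in ALLOWED
#   other   -> the scanner itself failed, fail the job
# Note: wrapping the scanner in `make` would surface a failed recipe as make's
# exit 2, so a real job should call govulncheck directly or let the Makefile
# target exit with the scanner's own status.

# Constructed stand-in for govulncheck's text output (not a real report).
fake_govulncheck() {
  cat <<'EOF'
=== Symbol Results ===

Vulnerability #1: GO-0000-0001
    Placeholder finding A (constructed sample, not a real advisory)
  More info: https://pkg.go.dev/vuln/GO-0000-0001
  Module: example.com/some/module
    Found in: example.com/some/module@v1.0.0
    Fixed in: example.com/some/module@v1.0.1

Vulnerability #2: GO-0000-0002
    Placeholder finding B (constructed sample, not a real advisory)
EOF
  return 3
}

# Run a scanner command, keep its full output in $1 for the allowlist step, and
# return the scanner's own status. Redirecting to the file instead of piping
# through tee means the status is the scanner's regardless of pipefail.
run_scan() {
  outfile=$1; shift
  "$@" >"$outfile" 2>&1 && status=0 || status=$?
  cat "$outfile"
  return "$status"
}

# Extract every GO-YYYY-NNNN ID from the report and require each one to appear
# in the space-separated ALLOWED list ($2). Returns 1 on any unlisted ID.
check_allowlist() {
  outfile=$1; allowed=$2
  found=$({ grep -oE 'GO-[0-9]{4}-[0-9]+' "$outfile" || true; } | sort -u)
  [ -n "$found" ] || return 0
  rc=0
  for id in $found; do
    case " $allowed " in
      *" $id "*) echo "allowlisted: $id" ;;
      *)         echo "NOT allowlisted: $id"; rc=1 ;;
    esac
  done
  return $rc
}

# Gate: vuln_gate "<ALLOWED ids>" <scanner command...>
vuln_gate() {
  allowed=$1; shift
  outfile=$(mktemp)
  run_scan "$outfile" "$@" && status=0 || status=$?
  rc=0
  case $status in
    0) echo "scanner: no vulnerabilities" ;;
    3) check_allowlist "$outfile" "$allowed" || rc=1 ;;
    *) echo "scanner failed to execute (exit=$status)"; rc=1 ;;
  esac
  rm -f "$outfile"
  return $rc
}

# Stand-alone demonstration (safe under `set -e`): one allowlisted run, one not.
vuln_gate "GO-0000-0001 GO-0000-0002" fake_govulncheck && echo "job passes"
vuln_gate "GO-0000-0001" fake_govulncheck || echo "job fails: unlisted finding"
```

In the real workflow `fake_govulncheck` would be replaced by the govulncheck invocation and `ALLOWED` by the multi-ID variable this PR introduces; keeping the IDs in a single space-separated string is what makes the `case " $allowed "` membership test exact, so `GO-0000-000` never matches `GO-0000-0001` by prefix.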
