82 changes: 82 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,82 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: daily
time: "10:00"
open-pull-requests-limit: 5
labels:
- dependencies
groups:
gh-actions:
patterns:
- "*"
- package-ecosystem: docker
directory: "/"
schedule:
interval: daily
time: "10:00"
open-pull-requests-limit: 5
labels:
- dependencies
groups:
docker:
patterns:
- "*"
- package-ecosystem: gomod
directory: "/"
schedule:
interval: daily
time: "10:00"
open-pull-requests-limit: 10
labels:
- dependencies
groups:
cosmos-sdk:
patterns:
- "cosmossdk.io/*"
- "github.com/cosmos/*"
otel:
patterns:
- "go.opentelemetry.io/*"
gomod-minor-patch:
update-types:
- minor
- patch
- package-ecosystem: pip
directory: "/integration_tests"
schedule:
interval: weekly
open-pull-requests-limit: 5
labels:
- dependencies
groups:
pip-minor-patch:
update-types:
- minor
- patch
- package-ecosystem: pip
directory: "/testground/benchmark"
schedule:
interval: weekly
open-pull-requests-limit: 5
labels:
- dependencies
groups:
pip-minor-patch:
update-types:
- minor
- patch
- package-ecosystem: npm
directory: "/integration_tests/contracts"
schedule:
interval: weekly
open-pull-requests-limit: 5
labels:
- dependencies
groups:
npm-minor-patch:
update-types:
- minor
- patch
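Review bot: the `gomod` entry groups `cosmossdk.io/*`, `github.com/cosmos/*` and `go.opentelemetry.io/*` by pattern and everything else minor/patch into `gomod-minor-patch`, so most Go updates will now arrive as grouped PRs titled "bump the <group> group ..."; the companion `dependabot-update-all.yml` only parses single-dependency titles and treats grouped ones as a tidy-only run, which is fine but worth a comment next to these groups so the two files are read together. Also, the three `time: "10:00"` schedules carry no `timezone`, and Dependabot interprets `time` as UTC by default; add `timezone` if 10:00 local time was intended.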
49 changes: 28 additions & 21 deletions .github/workflows/dependabot-update-all.yml
@@ -1,5 +1,5 @@
name: Dependabot Update All Go Modules
on: pull_request
on: pull_request_target

permissions:
contents: write
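Review bot: moving the trigger from `pull_request` to `pull_request_target` changes the trust boundary of this job. On that event the workflow runs with the base repository's secrets (`APP_ID`, `APP_PRIVATE_KEY`) and `contents: write`, while later steps check out `head.sha` from `head.repo.full_name` and execute `./scripts/go-update-dep-all.sh` and `./scripts/go-mod-tidy-all.sh` from that checkout, so PR-head code runs with a write-capable app token in scope. The `github.actor == 'dependabot[bot]'` and `dependabot/go_modules/` gates are the only control on that path; add `github.event.pull_request.head.repo.full_name == github.repository` to the `if:` so a fork branch with a matching name can never reach it, and record in a comment why `pull_request_target` is required here (presumably because Dependabot-triggered `pull_request` runs only see Dependabot secrets, not the app key).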
Expand All @@ -11,46 +11,53 @@ env:
jobs:
update-all:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: >
github.actor == 'dependabot[bot]' &&
startsWith(github.event.pull_request.head.ref, 'dependabot/go_modules/')
steps:
- name: Generate Token
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v1
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
id: app-token
with:
app-id: "${{ secrets.APP_ID }}"
private-key: "${{ secrets.APP_PRIVATE_KEY }}"
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
ref: ${{ github.event.pull_request.head.sha }}
token: "${{ steps.app-token.outputs.token }}"
- uses: actions/setup-go@v5
- uses: actions/setup-go@v6
with:
go-version: "1.25"
go-version: "1.25.10"
check-latest: true
- name: Extract updated dependency
id: deps
run: |
set -euo pipefail
# Example title:
# "build(deps): Bump github.com/cosmos/cosmos-sdk from v0.46.0 to v0.47.0-rc1"

dep_name=$(grep -oE 'github.com/[^ ]+' <<<"$PR_TITLE" || true)
# Parse Dependabot PR titles of the form:
# build(deps): bump <module-path> from <x> to <y>
# Grouped PR titles (e.g. "bump the gomod-minor-patch group across 1 directory")
# do not match and are handled by falling through to a tidy-only run.
dep_name=$(grep -oE 'github.com/[^ ]+' <<<"$PR_TITLE" | head -1 || true)
dep_version=$(grep -oE 'to v?([0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?)' <<<"$PR_TITLE" | awk '{print $2}' || true)

Comment on lines +37 to +43
Contributor

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Dependency name parser is too narrow and skips valid module updates

On Line 41, parsing only github.com/... misses valid modules like cosmossdk.io/... or go.opentelemetry.io/..., which then forces skip=true and bypasses Line 56.

💡 Suggested fix
-          dep_name=$(grep -oE 'github.com/[^ ]+' <<<"$PR_TITLE" | head -1 || true)
+          dep_name=$(sed -nE 's/^build\(deps\): bump ([^ ]+) from .*/\1/p' <<<"$PR_TITLE" | head -1 || true)
🤖 Prompt for AI Agents
In @.github/workflows/dependabot-update-all.yml around lines 37 - 43, the
dep_name extraction is too narrow (only matches github.com); update the grep on
PR_TITLE that sets dep_name to accept other module hosts (e.g. cosmossdk.io,
go.opentelemetry.io) by replacing the pattern "github.com/[^ ]+" with a more
general host+path regex such as "[A-Za-z0-9._-]+\\.[A-Za-z0-9._-]+/[^ ]+" (or a
similar host-with-dots pattern) so dep_name captures any module host and path;
leave dep_version extraction as-is but ensure it still reads from PR_TITLE.
Reference: dep_name, dep_version, PR_TITLE.

if [[ -z "$dep_name" || -z "$dep_version" ]]; then
echo "❌ Unable to parse dependency from PR title: $PR_TITLE" >&2
exit 1
echo "Grouped or unparseable PR title; skipping single-dep update."
echo "skip=true" >> "$GITHUB_OUTPUT"
else
{
echo "name=$dep_name"
echo "version=${dep_version#v}"
echo "skip=false"
} >> "$GITHUB_OUTPUT"
fi

echo "name=$dep_name" >> "$GITHUB_OUTPUT"
echo "version=${dep_version#v}" >> "$GITHUB_OUTPUT"
- name: Update all Go modules
run: |
./scripts/go-update-dep-all.sh ${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}
./scripts/go-mod-tidy-all.sh
if: steps.deps.outputs.skip != 'true'
run: ./scripts/go-update-dep-all.sh ${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}
- name: Tidy all Go modules
run: ./scripts/go-mod-tidy-all.sh
- name: Commit changes
uses: EndBug/add-and-commit@v9
uses: EndBug/add-and-commit@v10
with:
default_author: user_info
message: "${{ github.event.pull_request.title }} for all modules"
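Review bot: `dep_name` is captured with `github.com/[^ ]+`, which admits any non-space character, and the value is then expanded at template time into a shell line by `run: ./scripts/go-update-dep-all.sh ${{ format('{0}@v{1}', steps.deps.outputs.name, steps.deps.outputs.version) }}`; whoever can edit the PR title therefore controls text that bash parses in a job holding an app token. Restrict the module class to something like `[A-Za-z0-9._/-]+` (which also covers cosmossdk.io and go.opentelemetry.io), and hand the two outputs to the script through `env:` and `"$DEP_NAME@v$DEP_VERSION"` rather than `${{ }}` inside `run:`. Separately, `actions/checkout@v6`, `actions/setup-go@v6` and `EndBug/add-and-commit@v10` are tag-pinned while `create-github-app-token` is SHA-pinned; with `contents: write` in scope, pin all four to commit SHAs (the new github-actions Dependabot entry will keep the pins current).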
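As an added example (not the project's workflow code), the title parsing from the "Extract updated dependency" step written as standalone functions: any module host is accepted, the module path is restricted to characters that are safe to interpolate into a later shell line, and grouped or malformed titles fall through to the skip path. `MODULE_RE`, `parse_dep_name`, `parse_dep_version` and `dep_from_title` are names chosen for this example, and the titles below are constructed.

```shell
#!/bin/sh
# Added example (not the project's workflow): parse a single-dependency
# Dependabot PR title the way the "Extract updated dependency" step does,
# but for any module host and with the module path restricted to
# characters that are safe to interpolate into a later `run:` line.
# Helper names and the sample titles are constructed for this example.

# Characters accepted in a Go module path (host + path). Shell
# metacharacters such as ';', '$', '`' and quotes are deliberately absent.
MODULE_RE='[A-Za-z0-9._~/-]+'

# Print the module path from a title such as
#   build(deps): bump cosmossdk.io/math from v1.4.0 to v1.5.0
# or print nothing when the title has another shape (grouped updates,
# unexpected characters, a trailing " in /dir" suffix, ...).
parse_dep_name() {
  printf '%s\n' "$1" |
    sed -nE 's|^build\(deps\): [Bb]ump ('"$MODULE_RE"') from v?[^ ]+ to v?[^ ]+$|\1|p'
}

# Print the target version without its leading "v", or nothing when the
# title does not carry a three-component (optionally pre-release) version.
parse_dep_version() {
  printf '%s\n' "$1" |
    sed -nE 's|^build\(deps\): [Bb]ump '"$MODULE_RE"' from v?[^ ]+ to v?([0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?)$|\1|p'
}

# Print "name version" for a parseable title; return 1 when the workflow
# should write skip=true instead.
dep_from_title() {
  name=$(parse_dep_name "$1")
  version=$(parse_dep_version "$1")
  if [ -z "$name" ] || [ -z "$version" ]; then
    return 1
  fi
  printf '%s %s\n' "$name" "$version"
}

# Stand-alone demonstration over constructed titles, one per branch.
for title in \
  'build(deps): Bump github.com/cosmos/cosmos-sdk from v0.46.0 to v0.47.0-rc1' \
  'build(deps): bump cosmossdk.io/math from v1.4.0 to v1.5.0' \
  'build(deps): bump the gomod-minor-patch group across 1 directory with 3 updates' \
  'build(deps): bump github.com/example/mod;id from v1.0.0 to v1.0.1'
do
  dep_from_title "$title" || printf 'skip=true  (%s)\n' "$title"
done
```

The last title shows why the character class matters: a `;` inside the module path does not match `MODULE_RE`, so the title is skipped instead of being passed on to a `run:` line.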
32 changes: 22 additions & 10 deletions .github/workflows/dependencies-review.yml
@@ -1,6 +1,10 @@
name: "Dependency Review"
on:
pull_request:
paths:
- "**/*.go"
- "**/go.mod"
- "**/go.sum"
merge_group:

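Review bot: the new `paths:` filter limits this workflow to `*.go`, `go.mod` and `go.sum`, but the `dependabot.yml` in this PR also enables docker, pip and npm updates, none of which touch those paths, so `dependency-review-action` will no longer run on exactly the PRs it is designed for. Either drop the filter or add the manifests of those ecosystems. Also, if "Dependency Review" is configured as a required status check, a path-filtered trigger leaves the check in the Expected state on PRs that change no Go file, blocking merges; the `merge_group` trigger does not change that for the PR itself.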
permissions:
Expand All @@ -11,11 +15,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "Checkout Repository"
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: "Setup Go"
uses: actions/setup-go@v5
uses: actions/setup-go@v6
with:
go-version: "1.25"
go-version: "1.25.10"
check-latest: true
- name: "Dependency Review"
uses: actions/dependency-review-action@v4
Expand All @@ -26,22 +30,30 @@ jobs:
- name: "Go vulnerability check"
id: govuln
run: |
# Run the vulnerability check and capture its output (ignoring non-zero exit codes)
# Known unfixable vulns can be appended here (space-separated GO-IDs).
# GO-2025-3443 is a legacy allowlisted entry. Any other GO-ID fails the job.
ALLOWED="GO-2025-3443"

if ! make vulncheck 2>&1 | tee govulncheck-output.txt ; then
echo "govulncheck failed to execute"
exit 1
fi
Comment on lines 37 to 40
Contributor

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate vulncheck target definition =="
rg -n --type=make -C3 '(^|\s)vulncheck\s*:' Makefile **/Makefile || true

echo
echo "== Locate govulncheck invocations in repo =="
rg -n -C3 '\bgovulncheck\b|\bvulncheck\b'

Repository: crypto-org-chain/cronos

🏁 Script executed:

# Find and inspect the actual workflow file
find . -name "dependencies-review.yml" -type f

🏁 Script executed:

# Read the workflow file to see the full context around lines 37-40 and 42-59
cat -n .github/workflows/dependencies-review.yml | sed -n '25,65p'

🌐 Web query:

govulncheck exit codes documentation golang vulnerability checker

💡 Result:

govulncheck exit codes (golang vulnerability checker):
- Exit code 0: no vulnerabilities found. [1]
- Exit code 3: vulnerabilities found. [1]
- Exit code 0 even when vulnerabilities are detected if -json is provided (i.e., success regardless of the number of detected vulnerabilities). [2][1]

Notes / CI implication: if you run govulncheck in CI with -json output, you should not rely on the process exit code to fail the build when vulnerabilities are detected, because -json causes exit code 0 regardless of findings. [2]


Allowlist logic never executes due to early exit on make vulncheck

When govulncheck finds vulnerabilities, it exits with code 3. The workflow on Line 37 treats any non-zero exit as a failure and exits immediately, preventing Lines 42-59 (the allowlist logic) from running. This defeats the allowlist feature entirely—the workflow will fail on any vulnerability, even allowlisted ones.

Fix: Capture the make vulncheck exit status, allow exit code 3 to continue, and only fail on actual execution errors.

Suggested fix
-          if ! make vulncheck 2>&1 | tee govulncheck-output.txt ; then
-            echo "govulncheck failed to execute"
-            exit 1
-          fi
+          set +e
+          make vulncheck 2>&1 | tee govulncheck-output.txt
+          vulncheck_status=$?
+          set -e
+
+          # Exit code 3 means vulnerabilities found (expected); proceed to allowlist check.
+          # Exit code 0 means no vulnerabilities (success).
+          # Any other code indicates execution failure.
+          if [ "$vulncheck_status" -ne 0 ] && [ "$vulncheck_status" -ne 3 ]; then
+            echo "govulncheck failed to execute (exit=$vulncheck_status)"
+            exit 1
+          fi
🤖 Prompt for AI Agents
In @.github/workflows/dependencies-review.yml around lines 37 - 40, the current
check exits immediately on any non-zero exit from `make vulncheck`, preventing
the allowlist logic from running when `govulncheck` returns code 3 for found
vulnerabilities; change the block that runs `make vulncheck` so it redirects
output to `govulncheck-output.txt`, captures the command exit code into a
variable, and only exits the workflow on real execution errors (e.g., non-zero
codes other than 3). Specifically, modify the `make vulncheck` invocation to
save output to `govulncheck-output.txt`, capture `$?` into a status variable,
and then branch: if the status equals 3, continue (allow the allowlist logic to
run); if the status is 0, continue; otherwise treat it as a failure and exit 1; keep
references to the `make vulncheck` invocation and `govulncheck-output.txt` so
the allowlist logic (the subsequent block) can operate on the generated output.


# Extract vulnerability identifiers from the output (e.g., GO-2025-3443)
vulnerabilities=$(grep -o 'GO-[0-9]\{4\}-[0-9]\+' govulncheck-output.txt | sort | uniq)
vulnerabilities=$(grep -oE 'GO-[0-9]{4}-[0-9]+' govulncheck-output.txt | sort -u)
echo "Detected vulnerabilities: $vulnerabilities"

# Check if any vulnerability other than GO-2025-3443 exists
for vuln in $vulnerabilities; do
if [ "$vuln" != "GO-2025-3443" ]; then
echo "Found vulnerability $vuln, failing..."
found=false
for allow in $ALLOWED; do
if [ "$vuln" = "$allow" ]; then
found=true
break
fi
done
if [ "$found" = false ]; then
echo "Unallowed vulnerability $vuln found; failing."
exit 1
fi
done

echo "Only known vulnerability (GO-2025-3443) present. Continuing."
echo "Only known allowlisted vulnerabilities present. Continuing."
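Review bot: the loop only checks that every reported ID is in `ALLOWED`; it never checks that an allowlisted ID is still being reported, so `GO-2025-3443` stays allowlisted after the dependency is fixed and the list can only grow. Emit a warning (or fail) for entries in `ALLOWED` that do not appear in `govulncheck-output.txt`, and put the reason and a tracking reference next to each entry rather than the bare "legacy allowlisted entry" comment. Note also that "Only known allowlisted vulnerabilities present. Continuing." is printed even when `vulnerabilities` is empty; a separate "no vulnerabilities reported" message keeps the job log honest.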
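Added example, not the project's own workflow step: the allowlist check rewritten as standalone functions over a constructed govulncheck-style report. Exit status 3 from govulncheck (findings present) is handed to the allowlist rather than failing the job outright, as the review comment above recommends, and allowlist entries that are no longer reported are flagged so the list cannot silently go stale. `vulncheck_status_ok`, `extract_go_ids`, `check_allowlist` and `write_sample_report` are names chosen for this example, the report text is constructed, and `GO-0000-0001` is a placeholder ID rather than a real advisory.

```shell
#!/bin/sh
# Added example (not the project's workflow): evaluate a govulncheck text
# report against an allowlist of GO-IDs. Exit status 3 from govulncheck
# means "findings present" and is handed to the allowlist rather than
# failing the job outright; allowlist entries that are no longer reported
# are flagged so the list cannot silently go stale.
# Helper names are constructed; GO-0000-0001 is a placeholder ID.

# govulncheck exits 0 (clean) or 3 (findings); anything else is a tool
# failure. Returns 0 when the allowlist step should run, 1 otherwise.
vulncheck_status_ok() {
  case "$1" in
    0|3) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the sorted, de-duplicated GO-IDs mentioned in a report file.
# "|| true" keeps an empty report from aborting a pipefail shell.
extract_go_ids() {
  grep -oE 'GO-[0-9]{4}-[0-9]+' "$1" | sort -u || true
}

# Return 0 when every reported ID is in the space-separated allowlist,
# 1 when at least one is not. Allowlisted IDs that were not reported
# produce a warning on stderr so stale entries get noticed.
check_allowlist() {
  ids=$(extract_go_ids "$1")
  allowed=$2
  status=0
  for vuln in $ids; do
    found=false
    for allow in $allowed; do
      if [ "$vuln" = "$allow" ]; then found=true; break; fi
    done
    if [ "$found" = false ]; then
      echo "Unallowed vulnerability $vuln found; failing." >&2
      status=1
    fi
  done
  for allow in $allowed; do
    seen=false
    for vuln in $ids; do
      if [ "$vuln" = "$allow" ]; then seen=true; break; fi
    done
    if [ "$seen" = false ]; then
      echo "Allowlist entry $allow is no longer reported; remove it." >&2
    fi
  done
  return $status
}

# Write a constructed report, loosely following govulncheck's text
# output, to the given path.
write_sample_report() {
  cat >"$1" <<'EOF'
=== Symbol Results ===

Vulnerability #1: GO-2025-3443
    Constructed sample entry (text shortened for this example).
  More info: https://pkg.go.dev/vuln/GO-2025-3443

Vulnerability #2: GO-0000-0001
    Constructed placeholder entry, not a real advisory.
EOF
}

# Stand-alone demonstration: status 3 plus a report containing one
# allowlisted and one unallowlisted ID, which must fail the job.
report=$(mktemp)
write_sample_report "$report"
if vulncheck_status_ok 3 && check_allowlist "$report" "GO-2025-3443"; then
  echo "Only allowlisted vulnerabilities present. Continuing."
else
  echo "Job would fail here."
fi
rm -f "$report"
```

In the workflow itself the status code would come from the `make vulncheck` pipeline; with GitHub's default `bash -eo pipefail` shell that is the status of `make`, not of `tee`, so the value passed to `vulncheck_status_ok` is the one govulncheck produced.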
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -24,6 +24,7 @@
* [#1986](https://github.com/crypto-org-chain/cronos/pull/1986) Remove unused precompiles
* [#2017](https://github.com/crypto-org-chain/cronos/pull/2017) chore(deps): bump ibc to 10.5.1
* [#2038](https://github.com/crypto-org-chain/cronos/pull/2038) chore(ci): improve ci running
* [#2044](https://github.com/crypto-org-chain/cronos/pull/2044) ci: fix dependabot workflows and drain PR backlog