93 changes: 93 additions & 0 deletions .github/workflows/dependabot-license.yml
@@ -0,0 +1,93 @@
#
# Copyright (c) 2022-2026
# This program and the accompanying materials are made
# available under the terms of the Eclipse Public License 2.0
# which is available at https://www.eclipse.org/legal/epl-2.0/
#
# SPDX-License-Identifier: EPL-2.0
#

name: Dependabot License Update

on:
pull_request:
types: [opened, synchronize]
branches:
- main

permissions:
contents: write

jobs:
update-licenses:
runs-on: ubuntu-22.04
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
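Review bot: The `git push` in the later "Commit and push changes" step relies on the token that this Checkout step persists in the local git config (the actions/checkout default), so if `persist-credentials: false` is adopted here, as the zizmor finding recommends, the push step needs its own credential (for example an explicit `token:` input on the checkout, or a token supplied to git at push time) or it will fail to authenticate. Worth stating in a comment near `permissions: contents: write`: a commit pushed with the default GITHUB_TOKEN does not trigger new workflow runs, so the pull request's other checks will not re-run against the regenerated `.deps/` commit, and the Dependabot PR could be merged with CI results that predate the license changes.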
Comment on lines +26 to +30
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Security: Prevent credential persistence and pin action version.

Two security concerns:

  1. Missing persist-credentials: false allows the GitHub token to persist in the local git config, potentially leaking through artifacts or logs.
  2. The action reference should be pinned to a specific commit SHA hash to prevent supply chain attacks.
🔒 Recommended security hardening
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.head_ref }}
           fetch-depth: 0
+          persist-credentials: false

Note: The commit SHA corresponds to actions/checkout@v4.2.2. Verify the latest secure version before applying.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 26-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-license.yml around lines 26 - 30, update the Checkout step using the actions/checkout usage by adding persist-credentials: false to prevent the GH token from being written to local git config, and replace the floating tag actions/checkout@v4 with a pinned reference to the specific commit SHA (the secure SHA matching v4.2.2 or current vetted SHA) so the workflow points to an immutable release; modify the Checkout step block (the uses: actions/checkout entry) to include the new persist-credentials key and change the uses value to the commit-pinned ref.


- name: Use Node 24
uses: actions/setup-node@v4
with:
node-version: 24
Comment on lines +32 to +35
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Security: Pin action to commit SHA.

The action reference should be pinned to a specific commit SHA hash to prevent supply chain attacks.

🔒 Recommended fix
       - name: Use Node 24
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 24

Note: The commit SHA corresponds to actions/setup-node@v4.1.0. Verify the latest secure version before applying.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-license.yml around lines 32 - 35, replace the floating action tag "uses: actions/setup-node@v4" with a pinned commit SHA to mitigate supply-chain risks: locate the workflow step that currently reads uses: actions/setup-node@v4 (the block that also sets node-version: 24) and update the uses value to the full actions/setup-node@<commit-sha> for the intended release (verify the correct SHA for v4.1.0 or the latest secure release first), ensuring the rest of the step (node-version: 24) remains unchanged.


- name: Install dependencies
run: yarn install

- name: Regenerate licenses
run: |
MAX_ATTEMPTS=3
for attempt in $(seq 1 $MAX_ATTEMPTS); do
echo "=== Attempt $attempt of $MAX_ATTEMPTS ==="

if yarn license:generate; then
echo "License generation succeeded."
break
fi

if [ ! -f .deps/problems.md ]; then
echo "::error::License generation failed but no problems.md found."
exit 1
fi

SECTION=""
while IFS= read -r line; do
if echo "$line" | grep -q "## UNRESOLVED Production dependencies"; then
SECTION="prod"
elif echo "$line" | grep -q "## UNRESOLVED Development dependencies"; then
SECTION="dev"
fi

PKG=$(echo "$line" | grep -oP '`\K[^`]+' || true)
if [ -z "$PKG" ] || [ -z "$SECTION" ]; then
continue
fi

EXCLUDED_FILE=".deps/EXCLUDED/${SECTION}.md"
if grep -qF "\`${PKG}\`" "$EXCLUDED_FILE" 2>/dev/null; then
echo "Already excluded: $PKG"
continue
fi

echo "| \`${PKG}\` | transitive dependency |" >> "$EXCLUDED_FILE"
echo "Added $PKG to $EXCLUDED_FILE"
done < .deps/problems.md

if [ "$attempt" -eq "$MAX_ATTEMPTS" ]; then
echo "::error::Failed to resolve all dependencies after $MAX_ATTEMPTS attempts."
exit 1
fi
done

- name: Commit and push changes
run: |
git diff --quiet .deps/ && exit 0

git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add .deps/
git commit -s -m "chore(deps): regenerate license dependencies"
git push
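Review bot: The `while` loop in the "Regenerate licenses" step appends every package listed under an UNRESOLVED section of `.deps/problems.md` to `.deps/EXCLUDED/${SECTION}.md` with the fixed justification `transitive dependency`, so any dependency whose license could not be resolved is silently removed from the license check and the exclusion is committed without anyone looking at the actual license; the retry loop then succeeds precisely because the problem was hidden. Prefer failing the job (or leaving the exclusion as a separate, reviewable change) instead of auto-excluding, or at minimum carry the real reason from problems.md into the appended row. Two smaller points in the same step: `grep -oP '`\K[^`]+'` prints every backticked token on the line, so a row with more than one backticked field turns `$PKG` into a multi-line value that breaks both the `grep -qF` duplicate check and the appended table row; take only the first match (`| head -n1`) or match the package column specifically. And in the "Commit and push changes" step, `git diff --quiet .deps/` ignores untracked files, so a freshly created `.deps/EXCLUDED/<section>.md` would not be detected and the step would `exit 0` without committing it; `git add .deps/` followed by `git diff --cached --quiet` covers both modified and new files.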