ci: let Dependabot integration tests run via pull_request_target #199
Open
ionmincu wants to merge 2 commits into
Mirror the dependabot.yml from uipath-python and uipath-langchain-python so version-update PRs are not opened. They could not pass integration tests because GitHub does not pass repository secrets to workflows triggered by dependabot, leaving uipath auth without credentials.

Add timeout-minutes: 10 to the integration-tests job so hung jobs do not sit "in progress" indefinitely.

Add set -e to each run.sh so the first failure is surfaced instead of cascading through init/pack/run and ending with a misleading "UIPATH_ACCESS_TOKEN is not set".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates repository automation to reduce CI churn from Dependabot and make integration test execution more fail-fast and bounded in duration.
Changes:
- Added a `.github/dependabot.yml` configuration that disables new Dependabot version-bump PRs (`open-pull-requests-limit: 0`) and excludes `samples/**`.
- Added `timeout-minutes: 10` to the GitHub Actions `integration-tests` job to prevent indefinite hangs.
- Hardened the three integration testcase `run.sh` scripts by enabling `set -e` and preserving MCP server log output even when `test.py` fails.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| testcases/string-server/run.sh | Enable set -e and capture test failures while still printing mcp_server_output.log. |
| testcases/ground-to-cloud/run.sh | Same hardening as above for the ground-to-cloud testcase script. |
| testcases/datetime-server/run.sh | Same hardening as above for the datetime testcase script. |
| .github/workflows/integration_tests.yml | Add a 10-minute timeout to each integration test job to avoid stuck runs. |
| .github/dependabot.yml | Add Dependabot configuration to stop opening new dependency PRs (and exclude samples). |
Supersedes the dependabot.yml disable from the previous commit: instead of blocking Dependabot from opening PRs, let them run integration tests with secrets in scope. Port the pattern from uipath-python PR #1628:

- Add pull_request_target trigger alongside pull_request. Both gated by actor so each event fires only for its intended PR source — no double-runs and no secrets exposed to arbitrary fork PRs.
- Restrict the Dependabot matrix to alpha only to minimize the blast radius of running PR code with credentials in scope.
- actions/checkout uses ref: head.sha in both jobs so the PR's code is tested under pull_request_target (which defaults to base otherwise).
- Add a Check secrets availability step that emits a ::warning:: annotation when CLIENT_ID/CLIENT_SECRET/BASE_URL arrive empty, so fork-PR failures have clear context instead of cascading into a misleading UIPATH_ACCESS_TOKEN error downstream.

set -e in run.sh and timeout-minutes from the previous commit are kept as-is.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
| discover-testcases: | ||
| if: | | ||
| github.event_name == 'push' || | ||
| (github.event_name == 'pull_request' && github.actor != 'dependabot[bot]') || |
| if: | | ||
| github.event_name == 'push' || | ||
| (github.event_name == 'pull_request' && github.actor != 'dependabot[bot]') || | ||
| (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') |
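Review bot: in the new third clause of this `if:`, `github.actor == 'dependabot[bot]'` is the only condition standing between a `pull_request_target` run and the repository secrets, so it deserves a comment in the workflow and an independent second clause. Dependabot version-update branches always live in this repository, so `github.event.pull_request.head.repo.full_name == github.repository` can be added to that clause at no cost and rules out a fork-sourced head regardless of the actor. Also worth documenting next to the gate: `github.actor` on `pull_request_target` is whoever caused the event, so once a human pushes to or rebases a Dependabot branch the PR drops to the secret-less `pull_request` path; that is the safe direction, but it will reproduce the `UIPATH_ACCESS_TOKEN is not set` symptom this PR sets out to explain, and the clause should be kept byte-identical in the `integration-tests` job's `if:` so the two jobs never disagree about which path a PR is on.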
Summary
Make Dependabot PRs actually able to run integration tests, ported from uipath-python PR #1628:

- `pull_request_target` added alongside `pull_request`, restricted to `[opened, synchronize, reopened]`. Both jobs gated by actor: `pull_request` runs for everyone except `dependabot[bot]`, `pull_request_target` runs only for `dependabot[bot]`. No double-runs, no secrets exposed to fork PRs.
- `actions/checkout` uses `ref: ${{ github.event.pull_request.head.sha || github.sha }}` in both `discover-testcases` and `integration-tests`, so the PR's actual code is tested under `pull_request_target` (which otherwise defaults to base) — and behavior is unchanged for `push`/`pull_request`.
- `alpha` only (skipping `cloud`) to minimize credential blast radius for dependency-bump PRs.
- `Check secrets availability` step emits a `::warning::` annotation when `CLIENT_ID`/`CLIENT_SECRET`/`BASE_URL` arrive empty. Future fork-PR failures will surface real context instead of cascading into the misleading `UIPATH_ACCESS_TOKEN is not set` downstream.
- `set -e` + safe exit-code capture in `testcases/{datetime-server,string-server,ground-to-cloud}/run.sh` so the first failing command is what gets reported, not the cascading symptom.
- `timeout-minutes: 10` on the `integration-tests` job. The cloud jobs on PR "chore(deps): bump python-multipart from 0.0.20 to 0.0.27" #198 were stuck in_progress for 3+ hours; this caps that.

Security tradeoff to acknowledge

`pull_request_target` runs the PR's code (`uv sync` installing the bumped dependency, then `bash run.sh`) with repo secrets in scope. For Dependabot PRs that means new dependency versions execute against real `BASE_URL`/`CLIENT_ID`/`CLIENT_SECRET`. If a malicious package version slips into the dependency tree (typosquat, hijacked maintainer, etc.), it runs with those creds. Mitigations baked into this PR:

- `pull_request_target` to `dependabot[bot]` only — fork PRs from humans still use the no-secrets `pull_request` path.
- `alpha` for Dependabot runs.

Optional further mitigations the maintainer can layer on top (not in this PR):

- `integration-tests` job behind a GitHub Environment with required reviewers.

How this differs from the first version of this PR

This branch initially took the opposite approach — adding a `.github/dependabot.yml` with `open-pull-requests-limit: 0` to block Dependabot from opening version-bump PRs (mirroring how uipath-python and uipath-langchain-python avoided the problem at the time). That commit has been superseded: the dependabot.yml file is removed, and the workflow is changed to let Dependabot's PRs actually run. The `set -e` and `timeout-minutes` hardening from that first attempt is kept.

Test plan

- `pull_request` + `set -e` + `timeout-minutes`).
- `pull_request_target`, runs only the `alpha` matrix axis, and passes auth.
- `[alpha, cloud]` matrix.
- `Check secrets availability` warning appears in the Actions UI when a fork PR with no secrets opens.

🤖 Generated with Claude Code
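The two run.sh changes described in the PR (`set -e` plus exit-code capture that still prints `mcp_server_output.log`) and the `Check secrets availability` warning are shown together below as an added example; this is not the project's own `run.sh` or workflow step. The server command, test command and log path are passed in as arguments and the commands in the comments are constructed stand-ins for the real `uipath` init/pack/run and `test.py` chain.

```shell
#!/bin/sh
# Added example, not the project's run.sh: a testcase runner in the shape the
# PR describes. set -e makes the first failing command fatal; the exit-code
# capture in run_testcase keeps the server log printable even when the test
# fails; missing_secrets/check_secrets mirror the "Check secrets availability"
# warning. Server and test commands are passed in as arguments (constructed
# for this example; the real scripts run uipath init/pack/run and test.py).
set -e

# Print the names (space-separated) of the given variables that are unset or empty.
missing_secrets() {
  missing=""
  for name in "$@"; do
    case $name in
      ""|[0-9]*|*[!A-Za-z0-9_]*) echo "missing_secrets: bad variable name '$name'" >&2; return 2 ;;
    esac
    # eval is safe here: the name was validated against [A-Za-z0-9_] above.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      missing="${missing:+$missing }$name"
    fi
  done
  printf '%s\n' "$missing"
}

# Emit one GitHub Actions ::warning:: annotation per missing variable.
# Returns 0 when every variable is present, 1 otherwise.
check_secrets() {
  missing=$(missing_secrets "$@")
  if [ -z "$missing" ]; then
    return 0
  fi
  for name in $missing; do
    echo "::warning::$name is empty; repository secrets are not passed to workflows triggered from forks or, on pull_request, by dependabot[bot]"
  done
  return 1
}

# Start the server in the background with its output captured to a log, run the
# test, then always print the log before propagating the test's exit code.
# Without `|| rc=$?`, set -e would abort on the failing test before the log is
# shown and the first real failure would be hidden behind later symptoms.
run_testcase() {
  server_cmd=$1
  test_cmd=$2
  log=${3:-mcp_server_output.log}

  sh -c "$server_cmd" >"$log" 2>&1 &
  server_pid=$!

  rc=0
  sh -c "$test_cmd" || rc=$?

  kill "$server_pid" 2>/dev/null || true
  wait "$server_pid" 2>/dev/null || true

  echo "--- $log ---"
  cat "$log"
  return "$rc"
}

# Usage (constructed commands): warn about missing secrets, then run one case.
# check_secrets CLIENT_ID CLIENT_SECRET BASE_URL || true
# run_testcase 'uv run python server.py' 'uv run python test.py'
```

`check_secrets` is deliberately non-fatal at the call site (`|| true`) so the annotation is visible and the run still reaches the real failure; `run_testcase` returns the test's own exit code, so under `set -e` the script stops at the first failing testcase rather than at the `UIPATH_ACCESS_TOKEN is not set` symptom further down.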