Skip to content

Add security update workflow for automated dependency fixes #263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Alyssa Evans (alycda) wants to merge 1 commit into
base: main
Choose a base branch
from
+49 −0
Open

Add security update workflow for automated dependency fixes #263

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions .github/workflows/security-update.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Per-repo caller workflow.
# Copy this file into each repo that should receive automated security fixes.
# The reusable workflow lives in getditto/.github.
# See TINES_AUTOMATION.md for the full design.
Copy link
Copy Markdown
Member Author

@alycda Alyssa Evans (alycda) Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/getditto/ditto/blob/66dfe00d3efac806ca4b1cf6b1b0a56033883e60/TINES_AUTOMATION.md

Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header comment references TINES_AUTOMATION.md, but there is no such file in this repository. This will mislead future maintainers; either add the referenced doc to the repo or update the comment to point at the correct documentation location.

Suggested change
# See TINES_AUTOMATION.md for the full design.
# See that reusable workflow for the full implementation details.

Copilot uses AI. Check for mistakes.

name: Security Update

on:
workflow_dispatch:
inputs:
ecosystem:
description: 'Package ecosystem (npm, cargo, docker, go, python)'
required: true
type: choice
options:
- npm
- cargo
- docker
- go
- python
alerts:
description: 'JSON array of {package, version, cve, manifest}'
required: true
type: string
linear_tickets:
description: 'Comma-separated Linear ticket IDs'
required: false
type: string
batch_id:
description: 'Unique batch identifier'
required: true
type: string
reviewers:
description: 'Comma-separated GitHub teams/users to request review from'
required: false
type: string
default: 'security-team,copilot'

Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow is expected to create/update branches/PRs via the called workflow, but it doesn't declare explicit permissions. In this repo, workflows that create PRs set least-privilege write perms (e.g., .github/workflows/update-sdk-versions.yml:18-20). Consider adding explicit permissions here (at least contents: write and pull-requests: write, plus any other scopes the reusable workflow needs) so it both works reliably and avoids overly broad defaults.

Suggested change
permissions:
contents: write
pull-requests: write

Copilot uses AI. Check for mistakes.
jobs:
fix:
uses: getditto/.github/.github/workflows/security-update-claude.yml@main
Copy link

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reusable workflow is referenced by a moving ref (@main). For a security-sensitive workflow that can open PRs and use secrets, this should be pinned to an immutable ref (commit SHA or a version tag) to avoid supply-chain risk and unexpected behavior changes.

Suggested change
uses: getditto/.github/.github/workflows/security-update-claude.yml@main
uses: getditto/.github/.github/workflows/security-update-claude.yml@0123456789abcdef0123456789abcdef01234567

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Member

@busec0 Bulzan Sergiu (busec0) Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't work. The workflow cannot be accessed here. Context here

with:
ecosystem: ${{ inputs.ecosystem }}
alerts: ${{ inputs.alerts }}
linear_tickets: ${{ inputs.linear_tickets }}
batch_id: ${{ inputs.batch_id }}
reviewers: ${{ inputs.reviewers }}
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}