feat(workflows): add weekly dependency-provenance reusable workflow #232
Add python-dependency-provenance.yml, a deterministic, keyless reusable workflow that makes Open-Source vulnerability findings actionable by tracing each insecure transitive package back to the direct dependency that introduces it. It runs OSV-Scanner (keyless) for the vulnerable-package list, then uv tree --invert (Python) and npm why (frontend) for provenance, assembles a structured Markdown report (vuln id, severity, vulnerable package, introducing direct dep, extra/group, suggested action), posts it as a sticky marker-anchored GitHub issue, and uploads it as an artifact. It consumes no Anthropic API key and no hosted Snyk test quota; interpretation runs locally and separately.

- Mirror python-snyk.yml structure: detect-config job, deny-all permissions with per-job grants, SHA-pinned actions, harden-runner audit egress, gate job.
- Token-optional: uses the default GITHUB_TOKEN; only post-issue needs issues: write. Tolerant of zero-vuln runs (updates a clean-cycle issue).
- Extract report assembly and provenance tracing into SHA-pinned scripts (scripts/dependency_provenance.py, dependency_provenance_trace.py), checked out at job.workflow_sha like check_licenses.py.
- Add dependency-provenance-weekly.yml scheduled caller (cron 23 6 * * 1).
- Add self-test job, actionlint job.workflow_* exception, docs page, USAGE_EXAMPLES entry, and an ADR-003 role-boundary note pointing at ByronWilliamsCPA/.claude ADR-009.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| "No actionable transitive vulnerabilities were found this week. " | ||
| "OSV-Scanner reported no vulnerable packages in the scanned " | ||
| "ecosystems.", |
| "This issue is kept open as a sticky marker and will be updated on the " | ||
| "next run. A clean result here does not replace the gating " | ||
| "OSV-Scanner job in `python-sbom.yml`; it only confirms there is " | ||
| "nothing to trace this cycle.", |
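Review bot: the clean-cycle body quoted above cannot be told apart from a run in which nothing was scanned: "OSV-Scanner reported no vulnerable packages in the scanned ecosystems" would be posted just the same if detect-config found no lockfile or the scanner step returned an empty result, and "will be updated on the next run" gives a reader no way to confirm that the update actually happened. Suggest stating in the body which lockfiles/ecosystems were scanned and a reference to the producing run (run id or date), so a stale or silently empty sticky issue is recognisable rather than read as a clean week.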



Summary

Adds `python-dependency-provenance.yml`, a weekly, deterministic, keyless dependency-provenance reusable workflow that makes Open-Source vulnerability findings actionable by showing which DIRECT dependency introduces each insecure TRANSITIVE package.

It uses no Anthropic API key and no hosted Snyk test quota. The interpretation layer (deciding which fix to apply) runs locally on the operator's subscription, separately from CI. This workflow is a reporter; the gating OSV-Scanner job in `python-sbom.yml` still owns the merge gate.

What it does

- Detects config (`uv.lock`/`requirements*.txt`, frontend `package.json`); rejects Poetry on the Python path (uv-only by org policy).
- Traces provenance with `uv tree --invert --package <pkg>` (Python, tags the introducing `extra:`/`group:`) and `npm why <pkg>` (frontend). Assembles a structured Markdown report and uploads it as an artifact.
- Posts a sticky marker-anchored GitHub issue (`<!-- dependency-provenance -->`). Tolerant of zero-vuln runs (updates a "no actionable transitive vulns this week" body so a clean cycle is observable).

The report table columns: vulnerability id (+ CVE alias), severity, vulnerable package, introducing direct dep, extra/group, suggested action (remove/upgrade/replace/gate), under a short "how to act" preamble.

Conventions mirrored

- Mirrors `python-snyk.yml`: `detect-config` state job, `permissions: {}` deny-all with per-job grants, SHA-pinned actions, `step-security/harden-runner` audit egress, `workflow_call` inputs, gate job.
- Token-optional: uses the default `GITHUB_TOKEN`; only `post-issue` needs `issues: write`.
- Extracts report assembly and provenance tracing into SHA-pinned scripts (`scripts/dependency_provenance.py`, `scripts/dependency_provenance_trace.py`), checked out at `job.workflow_sha` like `check_licenses.py` (injection-safe; all inputs via env).
- `dependency-provenance-weekly.yml` mirrors `sbom-nightly.yml` (weekly cron `23 6 * * 1`, off-peak non-:00).

Also included

- `docs/workflows/python-dependency-provenance.md` (mirrors `python-snyk.md`).
- `USAGE_EXAMPLES.md` entry + Available Workflows row.
- `self-test.yml` self-test job and `.github/actionlint.yaml` exception for `job.workflow_*`.

Validation

`actionlint` clean, `yamllint` clean, `ruff check` + `ruff format --check` clean, full `pre-commit` clean (no em-dash, secret scans pass).

Consumer calling convention
Generated with Claude Code
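As an added example (not the PR's own `scripts/dependency_provenance_trace.py`), the Python provenance step the summary describes: parse the inverted tree that `uv tree --invert --package <pkg>` prints for one vulnerable package, find the direct dependency through which the project reaches it, and emit the report rows. The sample tree, the exact uv layout (4-character tree levels and where the `(extra: ...)`/`(group: ...)` annotation is printed) and the upgrade/replace action heuristic are assumptions, so the tag is accepted on either end of the final edge.

```python
import re
from dataclasses import dataclass

# Added example, not the PR's scripts; tree layout and tag placement are assumed.
NODE_RE = re.compile(r"^(?P<name>[\w.\-]+) v?\S+"
                     r"(?: \((?P<kind>extra|group): (?P<tag>[^)]+)\))?")
TREE_CHARS = set("├└│─ ")   # one tree level = one 4-char drawing unit

@dataclass(frozen=True)
class Provenance:
    package: str      # vulnerable package (root of the inverted tree)
    direct_dep: str   # the project's direct dependency that pulls it in
    tag: str          # "extra: aws", "group: dev" or "" if unannotated

def trace(inverted_tree: str, project: str) -> list[Provenance]:
    """Walk `uv tree --invert --package <pkg>` output: the vulnerable package is
    the root and each `project` leaf's parent is the introducing direct dep."""
    stack: list[tuple[str, str]] = []   # (name, tag) for each depth on the path
    found: list[Provenance] = []
    for line in filter(str.strip, inverted_tree.splitlines()):
        idx = next(i for i, c in enumerate(line) if c not in TREE_CHARS)
        m = NODE_RE.match(line[idx:])
        if m is None:
            raise ValueError(f"unparseable tree line: {line!r}")
        depth, tag = idx // 4, f"{m['kind']}: {m['tag']}" if m["kind"] else ""
        del stack[depth:]
        stack.append((m["name"], tag))
        if m["name"] == project and depth >= 1:
            direct, direct_tag = stack[depth - 1]
            found.append(Provenance(stack[0][0], direct, tag or direct_tag))
    return list(dict.fromkeys(found))   # one row per distinct path, in order

def markdown_rows(findings: dict[str, tuple[str, str]], trees: dict[str, str],
                  project: str) -> list[str]:
    """findings: package -> (vuln id, severity); trees: package -> tree text."""
    rows = ["| vuln | severity | package | direct dep | extra/group | action |",
            "|---|---|---|---|---|---|"]
    for pkg, (vid, sev) in findings.items():
        for p in trace(trees[pkg], project):
            action = "upgrade" if p.direct_dep == pkg else f"upgrade or replace {p.direct_dep}"
            rows.append(f"| {vid} | {sev} | {pkg} | {p.direct_dep} | {p.tag or '-'} | {action} |")
    return rows

# Constructed sample: vulnerable urllib3 reached through two direct deps.
SAMPLE_TREE = """\
urllib3 v1.26.5
├── requests v2.31.0
│   └── myproject v0.1.0
└── botocore v1.34.0
    └── boto3 v1.34.0
        └── myproject v0.1.0 (extra: aws)
"""
```

`trace(SAMPLE_TREE, "myproject")` yields one row per introducing path (requests, and boto3 via its aws extra), which is what lets a reader act on the direct dependency instead of the transitive finding.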