ci: add Dependabot, CodeQL, lint, and security workflows#73
Conversation
logicminds commented Feb 5, 2026
- Add .github/dependabot.yml for Bundler and GitHub Actions updates
- Add CodeQL workflow for Ruby security/code analysis (security-extended)
- Add lint workflow running RuboCop on PR/push
- Add security workflow: dependency-review on PRs, bundler-audit for gems
- Document workflows and Copilot Code Review (Rulesets) in README
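A concrete version of the security workflow the PR describes, added here as an illustration; it is not the PR's own `.github/workflows/security.yml` and may differ from it. It wires `dependency-review` to pull requests and `bundler-audit` to pushes, pull requests and a weekly schedule, and adds the settings a reviewer would ask for on top: a zero-permission default for the `GITHUB_TOKEN`, a severity threshold so the review gates the PR instead of only annotating it, and a scheduled run so new advisories are caught without a code change. The Ruby version, the cron slot and the severity threshold are assumptions, and the `@v4`/`@v1` tags are where a full commit SHA would go in a pinned setup.

```yaml
# Added example (not the PR's security.yml): dependency-review on pull requests,
# bundler-audit on pull requests, pushes and a weekly schedule.
# Assumptions: Ruby 3.3, the cron slot, and "moderate" as the gating severity.
name: security

on:
  pull_request:
  push:
    branches: [main, master]
  schedule:
    - cron: "17 6 * * 1"   # assumed slot: Mondays 06:17 UTC; advisories land without code changes

# No token permissions by default; each job requests only what it needs.
permissions: {}

jobs:
  dependency-review:
    # The action diffs base vs head manifests, so it is only meaningful on pull_request.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4          # pin to a full commit SHA in production
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate       # fail the check on moderate+ advisories, not just report

  bundler-audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"               # assumed; match the gem's supported Rubies
      - name: Audit resolved gems against ruby-advisory-db
        run: |
          gem install bundler-audit
          # Gems usually do not commit Gemfile.lock; resolve one so the audit has a lockfile.
          bundle lock
          # --update refreshes the local advisory DB so a scheduled run sees new CVEs.
          bundler-audit check --update
```

`dependency-review-action` compares the base and head manifests of a pull request, which is why that job is gated on `github.event_name == 'pull_request'` and does not run on pushes or the schedule. `bundler-audit` needs a `Gemfile.lock`; `bundle lock` produces one in the job when the repository does not commit it, and `--update` refreshes the local copy of ruby-advisory-db so the scheduled run catches advisories published since the last push. With the Dependabot `github-actions` ecosystem the PR adds, replacing the version tags with full commit SHAs keeps the pins current without manual work.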
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Pull request overview
This PR establishes a comprehensive CI/CD and security automation infrastructure for the rubyipmi project. It adds Dependabot for automated dependency updates, CodeQL for security analysis, RuboCop linting automation, and security scanning workflows, along with documentation for all these tools.
Changes:
- Added automated dependency management with weekly Bundler and GitHub Actions updates via Dependabot
- Added CodeQL security analysis workflow with security-extended query suite
- Added automated RuboCop linting on PRs and main/master pushes
- Added security scanning with dependency-review for PRs and bundler-audit for gem vulnerabilities
- Updated Gemfile source from http to https for security
- Documented all CI/security workflows and GitHub Copilot Code Review setup in README
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/dependabot.yml | Configures weekly dependency updates for Bundler and GitHub Actions with appropriate labels and commit message prefixes |
| .github/workflows/codeql.yml | Sets up CodeQL security analysis with security-extended queries, running on PRs, pushes to main/master, and weekly schedule |
| .github/workflows/lint.yml | Configures RuboCop linting workflow to run on PRs and main/master pushes |
| .github/workflows/security.yml | Implements dependency-review for PRs and bundler-audit for gem vulnerability scanning |
| Gemfile | Updates RubyGems source from http to https for improved security |
| README.md | Adds comprehensive documentation table for all workflows and instructions for Dependabot and GitHub Copilot Code Review |
- Rename moved cops (Metrics/LineLength → Layout/LineLength, etc.)
- Add department prefixes (Style/SignalException, Layout/SpaceInsideHashLiteralBraces)
- Style/PredicateName → Naming/PredicatePrefix
- Add AllCops: NewCops: enable
- Exclude spec blocks from Metrics/BlockLength
- Add exclusions for OptionalBooleanParameter, DuplicateMethods, MissingRespondToMissing, MissingSuper, EmptyBlock, EmptyFile, Lint/Void
- Exclude lib/rubyipmi.rb from complexity/module length limits

- Gemfile: frozen_string_literal, hash rockets, alphabetical gem order
- Rakefile: remove redundant encoding comment, add frozen_string_literal, use warn instead of $stderr.puts, modifier if, heredoc indentation
Pull request overview
Copilot reviewed 61 out of 61 changed files in this pull request and generated 3 comments.
| def list | ||
| @sensors ||= parse(getsensors) | ||
| @list ||= parse(getsensors) |
The variable name was changed from @sensors to @list on line 11, but the refresh method on line 6 still references @sensors. This should be changed to @list = nil to properly clear the cached sensor list.
| def run | ||
| # we search for the command everytime just in case its removed during execution | ||
| # we also don't want to add this to the initialize since mocking is difficult and we don't want to | ||
| # throw errors upon object creation | ||
| retrycount = 0 | ||
| process_status = false | ||
| @cmd = locate_command(@cmdname) | ||
| setpass | ||
| @result = nil | ||
| logger.debug(makecommand) if logger | ||
| logger&.debug(makecommand) | ||
| begin | ||
| command = makecommand | ||
| @lastcall = command | ||
| @result, @result_err, status = Rubyipmi.capture3(command) | ||
| # sometimes the command tool does not return the correct result, validate it with additional code | ||
| process_status = validate_status(status) | ||
| rescue | ||
| validate_status(status) | ||
| rescue StandardError | ||
| if retrycount < max_retry_count | ||
| find_fix(@result) | ||
| retrycount = retrycount.next | ||
| retry | ||
| else | ||
| logger.error("Exhausted all auto fixes, cannot determine what the problem is") if logger | ||
| logger&.error("Exhausted all auto fixes, cannot determine what the problem is") | ||
| raise "Exhausted all auto fixes, cannot determine what the problem is" | ||
| end | ||
| ensure | ||
| removepass | ||
| process_status | ||
| end | ||
| end |
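Review bot: the return value of `run` is unchanged by this hunk, because Ruby discards the value of an `ensure` clause and returns the value of the `begin` body, which on the success path is still `validate_status(status)`; the old `process_status` line at the end of `ensure` never contributed to the result, so dropping it is dead-code removal rather than a behaviour change, and callers of `run` see the same value as before. The `rescue` → `rescue StandardError` change is also behaviour-preserving, since a bare `rescue` already catches only `StandardError`. Two follow-ups are worth a look: `process_status = false` above `begin`, if it survives this hunk, is now a write-only local that RuboCop's Lint/UselessAssignment will flag, and `logger&.debug(makecommand)` logs the full command line, so confirm that the string built between `setpass` and `removepass` never embeds the credential those two calls manage.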
The refactoring has changed the return value of the run method. Previously, the method would return process_status (the result of validate_status) via the ensure block. Now, the ensure block returns the result of removepass (likely nil). This could break code that depends on the return value of run. The method should explicitly return the result of validate_status before the ensure block or use a variable to preserve the return value.
| # require: | ||
| # - rubocop-rake | ||
| # - rubocop-rspec |
The require statements for rubocop-rake and rubocop-rspec are commented out, but these gems are added to the Gemfile. These requires should be uncommented to enable the additional cops provided by these gems, otherwise they won't be used during linting.
| # require: | |
| # - rubocop-rake | |
| # - rubocop-rspec | |
| require: | |
| - rubocop-rake | |
| - rubocop-rspec |
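Review bot: with `require:` commented out, RuboCop never loads `rubocop-rake` or `rubocop-rspec`, so none of their `Rake/` and `RSpec/` cops run and any `RSpec/...` or `Rake/...` keys elsewhere in `.rubocop.yml` are reported as unrecognized cops rather than applied. Restoring the three lines as in the suggestion above fixes that, but expect the next lint run to report new offenses in `spec/` and the `Rakefile`; review those by hand rather than applying `rubocop -A`, since unsafe autocorrects can change behaviour.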
force-pushed 0527f47 to 337f1e3
force-pushed 337f1e3 to 8b55b35
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.
automated rubocop fixes break code, ignoring for now