
ci: Add pnpm audit checks to CI workflow#36

Merged
jamesbhobbs merged 3 commits into
mainfrom
devin/1760027869-add-audit-checks
Oct 10, 2025

Conversation

@jamesbhobbs (Contributor) commented Oct 9, 2025

Add pnpm audit checks to CI workflow

Summary

Adds two new CI jobs to check for security vulnerabilities in npm dependencies:

  • audit-prod ("Audit - Production"): Checks production dependencies only using pnpm audit --prod
  • audit-all ("Audit - All"): Checks all dependencies (including dev) using pnpm audit with default audit level

Both jobs follow the existing CI job pattern with 3-minute timeout and standard pnpm/Node.js setup. The production audit job is intended to be added as a required status check in a follow-up tf-org PR.

Review & Testing Checklist for Human

  • Test audit commands manually - Run pnpm audit --prod and pnpm audit locally to verify they produce expected output and aren't too noisy for CI
  • Verify job names - Confirm "Audit - Production" is the exact name needed for the tf-org required status check configuration
  • Consider audit failure impact - Determine if audit failures should block PR merges or just provide warnings

Notes

This replaces the more restrictive --audit-level high approach with default audit levels per user request. The existing security.yml audit job remains unchanged - these are additional checks specifically for the CI workflow.

Link to Devin run: https://app.devin.ai/sessions/1494020fb75d493c8b35d32b2f17aea9
Requested by: James Hobbs (@jamesbhobbs)

- Add audit-prod job for production dependencies only
- Add audit-all job for all dependencies
- Both jobs follow existing CI job pattern
- Use --audit-level high to flag high/critical vulnerabilities
@devin-ai-integration


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them


@coderabbitai (Bot, Contributor) commented Oct 9, 2025

Walkthrough

Adds two GitHub Actions jobs to .github/workflows/ci.yml: audit-prod and audit-all. Each job checks out the repo, sets up pnpm and Node (using .nvmrc and pnpm cache), installs dependencies, then runs pnpm audit (with --prod for audit-prod; all deps for audit-all). These jobs mirror the existing install/setup structure, run in parallel alongside current CI jobs with a 3-minute timeout, and do not change other workflow logic or exported/public code entities.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Push/PR
  participant GH as GitHub Actions
  participant AP as Job: audit-prod
  participant AA as Job: audit-all
  note over GH: Workflow: ci.yml

  Dev->>GH: Trigger workflow
  GH->>AP: Start job (parallel)
  GH->>AA: Start job (parallel)

  rect rgba(230,240,255,0.5)
  note right of AP: audit-prod
  AP->>AP: actions/checkout
  AP->>AP: setup pnpm
  AP->>AP: setup Node (.nvmrc, pnpm cache)
  AP->>AP: pnpm install
  AP->>AP: pnpm audit --prod
  end

  rect rgba(230,255,230,0.5)
  note right of AA: audit-all
  AA->>AA: actions/checkout
  AA->>AA: setup pnpm
  AA->>AA: setup Node (.nvmrc, pnpm cache)
  AA->>AA: pnpm install
  AA->>AA: pnpm audit
  end

  AP-->>GH: Report audit results
  AA-->>GH: Report audit results
  GH-->>Dev: CI status updated

Possibly related PRs

  • deepnote/deepnote-toolkit#158 — Modifies the same .github/workflows/ci.yml to add/adjust audit/CI jobs; directly related to workflow job additions.
  • chore: setup spell-check and root pnpm config #2 — Adds CI jobs using pnpm/Node (.nvmrc) setup steps in .github/workflows/ci.yml; related through similar CI job patterns.

Suggested reviewers

  • equiet
  • jankuca
  • hc2p

Pre-merge checks

✅ Passed checks (3 passed)
  • Docstring Coverage: Passed. No functions found in the changes; docstring coverage check skipped.
  • Description Check: Passed. Check skipped; CodeRabbit’s high-level summary is enabled.
  • Title Check: Passed. The title clearly and concisely summarizes the primary change by stating that pnpm audit checks are being added to the CI workflow, matching the pull request’s main objective without extraneous detail.
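As an added example, not the PR's own ci.yml and not code from the deepnote project: a workflow with the two jobs that the PR summary and the walkthrough above both describe, using the step shape both give (checkout, pnpm setup, Node from .nvmrc with the pnpm cache, install, audit, 3-minute timeout). The action versions, the runner image, the `permissions` block, the `--frozen-lockfile` and `--ignore-scripts` install flags, the `packageManager` assumption on pnpm/action-setup, and the non-blocking variant of audit-all are this example's assumptions, added to show the blocking-versus-warning choice the review checklist raises; the PR as merged keeps both jobs blocking at pnpm's default audit level and uses plain `pnpm install`.

```yaml
# Added example, not the PR's ci.yml. Action versions, runner image,
# permissions, install flags and the non-blocking audit-all step are
# assumptions of this example.
name: ci

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read   # an audit job only needs to read the repo

jobs:
  audit-prod:
    # This string is what a branch-protection required-status-check rule
    # matches; renaming the job silently stops it from being required.
    name: Audit - Production
    runs-on: ubuntu-latest
    timeout-minutes: 3
    steps:
      - uses: actions/checkout@v4
      # pnpm version is read from package.json's packageManager field
      # (assumed present); otherwise add `with: { version: <x> }`.
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          cache: pnpm
      # pnpm audit works from pnpm-lock.yaml, so the install is kept only to
      # match the existing job pattern; --ignore-scripts keeps dependency
      # lifecycle scripts from executing in a job whose purpose is to inspect
      # those same dependencies.
      - run: pnpm install --frozen-lockfile --ignore-scripts
      # Non-zero exit when any advisory at or above --audit-level is found.
      # The default level is low, so with no flag every advisory fails the job.
      - run: pnpm audit --prod

  audit-all:
    name: Audit - All
    runs-on: ubuntu-latest
    timeout-minutes: 3
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          cache: pnpm
      - run: pnpm install --frozen-lockfile --ignore-scripts
      # "Warnings only" variant from the checklist: the step still runs and
      # prints the advisories, but its failure does not fail the job, so the
      # check stays green. The PR as merged does not set this.
      # To flag only high/critical instead of every advisory, add
      # --audit-level high (the flag the PR's first commit used and the
      # later commit removed).
      - run: pnpm audit
        continue-on-error: true
```

Two things to check before relying on this shape: pnpm audit exits non-zero whenever it finds an advisory at or above the audit level, and that level defaults to low, so a default-level audit-all job fails on any advisory reachable only through devDependencies, which is the noise the checklist's first item is asking about; and `continue-on-error` at step level is what keeps the job green while still surfacing the output, whereas making the step blocking is a one-line revert.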


@codecov (Bot) commented Oct 9, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.59%. Comparing base (ff70ece) to head (bd755fc).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #36   +/-   ##
=======================================
  Coverage   93.59%   93.59%           
=======================================
  Files          19       19           
  Lines         593      593           
  Branches      179      120   -59     
=======================================
  Hits          555      555           
  Misses         38       38           


@coderabbitai (Bot, Contributor) left a review

Actionable comments posted: 6

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e981d2d and 84fed6c.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

6 comment threads on .github/workflows/ci.yml (1 outdated)
- Change 'Audit (Production Dependencies)' to 'Audit - Production'
- Change 'Audit (All Dependencies)' to 'Audit - All'
- Remove --audit-level high flags to use pnpm audit defaults

@coderabbitai (Bot, Contributor) left a review

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 84fed6c and 4330710.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

2 comment threads on .github/workflows/ci.yml
@jamesbhobbs jamesbhobbs marked this pull request as ready for review October 9, 2025 17:00
@jamesbhobbs jamesbhobbs changed the title Add pnpm audit checks to CI workflow ci: Add pnpm audit checks to CI workflow Oct 9, 2025
@jamesbhobbs

Copy link
Copy Markdown
Contributor Author

https://github.com/deepnote/tf-org/pull/31/files once merged make this ready for review

@andyjakubowski

Copy link
Copy Markdown
Contributor

Devin’s commits are not signed, so merging is blocked. Please configure Devin: https://docs.devin.ai/integrations/gh?utm_source=chatgpt.com#commit-signing

@jamesbhobbs jamesbhobbs enabled auto-merge (squash) October 10, 2025 09:57
@jamesbhobbs jamesbhobbs disabled auto-merge October 10, 2025 10:02
@jamesbhobbs jamesbhobbs merged commit 67451a3 into main Oct 10, 2025
12 checks passed
@jamesbhobbs jamesbhobbs deleted the devin/1760027869-add-audit-checks branch October 10, 2025 10:02