ci: replace dependabot auto-vet bot commit with patch artifact

[bronzelle-cw]

1. What changed:
   • Replaced bot commit/push flow with patch generation and artifact upload.
   • Updated PR comment to explain how authors apply the patch locally.
2. Why:
   • Keeps final commit ownership and signing with the PR author.
   • Reduces workflow complexity compared with a review-suggestion engine.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Artifact upload condition Confirm that the upload step runs only for Pull Request events when has_patch is true. Evaluate whether the if condition should handle other event types or manual triggers to avoid missing or redundant uploads. - name: Upload auto-vet patch artifact id: upload_patch if: github.event_name == 'pull_request' && steps.patch.outputs.has_patch == 'true' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number }} path: ${{ steps.patch.outputs.patch_path }} if-no-files-found: error retention-days: ${{ env.RETENTION_DAYS }} Upload outputs naming Verify that actions/upload-artifact@v4.6.2 actually exposes artifact-id and artifact-url outputs as referenced. If the action uses different output keys, patch_meta will receive empty values. if: github.event_name == 'pull_request' && steps.patch.outputs.has_patch == 'true' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number }} path: ${{ steps.patch.outputs.patch_path }} if-no-files-found: error retention-days: ${{ env.RETENTION_DAYS }} JS comment generation syntax Review the JavaScript snippet that builds the PR comment for mismatched braces or indentation in the if (patchGenerated) ... else block to prevent runtime syntax errors. if (patchGenerated) { lines.push(`- **Patch generated:** yes`); lines.push(`- **Artifact uploaded:** ${patchUploaded ? 'yes' : 'no'}`); if (artifactName) lines.push(`- **Artifact name:** ${artifactName}`); if (artifactId) lines.push(`- **Artifact ID:** ${artifactId}`); if (retentionDays) lines.push(`- **Retention:** ${retentionDays} days`); if (artifactUrl) { lines.push(`- **Artifact download:** ${artifactUrl}`); } else if (runUrl) { lines.push(`- **Workflow run:** ${runUrl}`); } } else { lines.push(`- **Patch generated:** no audit files were produced`); }

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Handle git diff errors explicitly Add explicit error handling for the git diff --quiet invocation so that unexpected git errors (exit code >1) are not misclassified as "changes found". Capture and check the exit code, and abort the step on real errors. This prevents generating empty or partial patch files when git itself fails. .github/workflows/dependabot-auto-vet.yml [381-388] -if git diff --quiet -- supply-chain; then +git diff --quiet -- supply-chain +rc=$? +if [ $rc -eq 0 ]; then echo "has_patch=false" >> "$GITHUB_OUTPUT" echo "patch_path=" >> "$GITHUB_OUTPUT" echo "patch_bytes=0" >> "$GITHUB_OUTPUT" exit 0 +elif [ $rc -gt 1 ]; then + echo "Error running git diff" >&2 + exit 1 fi git diff --binary --patch -- supply-chain > "$patch_path" Suggestion importance[1-10]: 7 __ Why: Explicitly checking git diff exit codes prevents treating real git errors as "changes found" and avoids generating empty or partial patches, improving reliability.	Medium

[cloudwalk-review-agent]

Summary

Clean architectural move — shifting commit ownership back to the PR author is the right call, and the patch/artifact flow is well-structured. Two issues in the apply instructions worth fixing before this ships.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.34%. Comparing base (e8889d5) to head (d402bbf).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2467      +/-   ##
==========================================
+ Coverage   84.26%   84.34%   +0.07%     
==========================================
  Files         141      141              
  Lines       10826    10826              
==========================================
+ Hits         9123     9131       +8     
+ Misses       1703     1695       -8     

Flag	Coverage Δ
contracts-rocks-asset-transit-desk	43.59% <ø> (+0.02%)	⬆️
contracts-rocks-balance-freezer	42.66% <ø> (ø)
contracts-rocks-balance-tracker	42.99% <ø> (-0.03%)	⬇️
contracts-rocks-base	43.56% <ø> (ø)
contracts-rocks-blueprint	43.91% <ø> (ø)
contracts-rocks-capybara-finance	44.24% <ø> (ø)
contracts-rocks-capybara-finance-v2	44.30% <ø> (ø)
contracts-rocks-card-payment-processor	44.01% <ø> (ø)
contracts-rocks-card-payment-processor-v2	44.30% <ø> (-0.05%)	⬇️
contracts-rocks-cashier	43.91% <ø> (ø)
contracts-rocks-credit-agent	43.20% <ø> (ø)
contracts-rocks-multisig	43.90% <ø> (ø)
contracts-rocks-net-yield-distributor	43.93% <ø> (+0.02%)	⬆️
contracts-rocks-periphery	42.66% <ø> (ø)
contracts-rocks-shared-wallet-controller	43.94% <ø> (ø)
contracts-rocks-token	44.01% <ø> (ø)
contracts-rocks-treasury	43.63% <ø> (ø)
e2e-admin-password	22.79% <ø> (-0.02%)	⬇️
e2e-clock-stratus	25.65% <ø> (ø)
e2e-genesis	27.18% <ø> (ø)
e2e-importer-offline	59.89% <ø> (+0.01%)	⬆️
e2e-rpc-downloader	55.08% <ø> (+0.19%)	⬆️
e2e-stratus	57.52% <ø> (+0.01%)	⬆️
leader-follower-	61.65% <ø> (+0.07%)	⬆️
rust-tests	31.98% <ø> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — the fallback block now correctly references vet/auto-vet.patch inside the zip. Good catch addressed.

Two issues remain: the -S GPG signing flag (flagged last round, still present in both blocks), and a new path bug in the gh run download block that will make git apply fail for anyone who uses the preferred flow.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — fallback block now correctly references vet/auto-vet.patch inside the zip. Good.

Three issues remain (two carried over, one new):

1. New bug: mkdir -p vet is missing before the git diff … > "$patch_path" redirect — if the vet/ directory doesn't already exist the shell will immediately error with No such file or directory and the patch step will exit 1 silently discarding the diff.
2. Carried over: git apply --index auto-vet.patch in the gh run download block still references the wrong path.
3. Carried over: -S (GPG signing) in both commit blocks will silently fail or error for developers without a signing key configured.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — fallback block now correctly uses vet/auto-vet.patch as the member path. Good.

Three issues remain unaddressed from previous rounds:

[cloudwalk-review-agent]

mkdir -p vet still missing (flagged in previous review).

patch_path is set to vet/auto-vet.patch but the vet/ directory is never created. The shell redirect will fail with No such file or directory on a clean runner where vet/ doesn't already exist. Fix:

mkdir -p vet
git diff --binary --patch -- supply-chain > "$patch_path"

[cloudwalk-review-agent]

Bug (carried over): wrong apply path after gh run download.

gh run download <run-id> -n <artifact-name> creates <artifactName>/ and preserves the uploaded directory structure inside it. Because the file was uploaded from vet/auto-vet.patch, it lands at <artifactName>/vet/auto-vet.patch — not auto-vet.patch. This instruction will fail with error: can't open patch file auto-vet.patch for anyone using the preferred CLI flow.

Fix:

git apply --index ${artifactName}/vet/auto-vet.patch

[cloudwalk-review-agent]

-S still requires a GPG key (flagged in first review, present in both blocks).

git commit -S (uppercase) is GPG commit signing — it fails or produces an unverified commit for developers without a signing key configured. Use lowercase -s (DCO/Signed-off-by trailer) if a traceable attribution line is wanted, or drop the flag and let the developer sign per their own setup. Same issue at the fallback block (~line 524).

[carneiro-cw]

I tried running the action on the branch test_vet_2 multiple times, and it neither generated artifact nor it commented on the PR. https://github.com/cloudwalk/stratus/actions/runs/23492063861/job/68362706808

[bronzelle-cw]

I tried running the action on the branch test_vet_2 multiple times, and it neither generated artifact nor it commented on the PR. https://github.com/cloudwalk/stratus/actions/runs/23492063861/job/68362706808

The patch generation did happen, but that run was started manually, and this automation is only meant to fully work in a PR-triggered run.

With workflow_dispatch, GitHub starts the workflow from a branch/ref, not from a PR context, so the job does not know which PR it should attach the result to or comment on. Because of that, manual runs are not a valid test for the “upload artifact + comment on the PR” path.

That connects with the other guard in this workflow: the PR-triggered path was also restricted to PRs opened by dependabot[bot]. I retried on the same test_vet_2 branch, removing only that PR author check, and with that change the automation worked as expected on the PR path, including the artifact/comment behavior.

The test run did not go through the expected path because it was a manual dispatch.

[cloudwalk-review-agent]

Follow-up

✅ mkdir -p vet — the Prepare workspace step already runs mkdir -p vet/diffs vet/prompts vet/decisions, which creates vet/ before the patch step. No longer an issue.

✅ unzip -p fallback path — correctly references vet/auto-vet.patch inside the zip.

Two issues remain:

1. gh run download apply path still wrong — gh run download preserves directory structure, so the patch lands at ${artifactName}/vet/auto-vet.patch, not auto-vet.patch. The preferred CLI block still uses git apply --index auto-vet.patch, which will fail with error: can't open patch file auto-vet.patch.
2. -S flag requires GPG — still present in both blocks.

[cloudwalk-review-agent]

Bug (carried over): wrong apply path after gh run download.

gh run download <run-id> -n <artifact-name> creates <artifactName>/ and preserves the directory structure uploaded. Because the file was uploaded from vet/auto-vet.patch, it lands at <artifactName>/vet/auto-vet.patch — not auto-vet.patch at the top level. This will fail for any developer using the preferred CLI flow.

Fix:

git apply --index ${artifactName}/vet/auto-vet.patch

[cloudwalk-review-agent]

-S still requires a GPG key (flagged in every previous review).

git commit -S is GPG commit signing — it fails silently or errors for developers without a signing key configured. Drop the flag or replace with -s (DCO Signed-off-by trailer). Same issue at the fallback block (line 524).