
ci: add dependabot with auto-merge#5

Merged: koinsaari merged 3 commits into main from ci/dependabot on May 29, 2026

Conversation

@koinsaari
Contributor

No description provided.

@claude

claude Bot commented May 29, 2026

Claude finished @koinsaari's task in 1m 19s

PR Review

  • Read REVIEW.md for review instructions
  • Read CLAUDE.md for project context (file not present)
  • Read changed files
  • Analyze and post review
  • Set commit status (blocked — gh api requires explicit permission; could not be set)

No blocking issues. This PR adds standard Dependabot configuration with an auto-merge workflow.

.github/dependabot.yml

The setup is straightforward and correct — weekly Saturday updates for both gomod and github-actions, with minor/patch updates grouped. Major updates are intentionally excluded from groups, meaning they'll arrive as separate PRs requiring manual review.

🟡 Nit — The dependencies and area:ci labels referenced in the config need to exist in the repo for Dependabot to apply them. If they don't, Dependabot silently skips labeling. Consider creating these labels if they aren't already present.

.github/workflows/dependabot-auto-merge.yml

The workflow looks correct and follows security best practices:

  • The if condition is at the job level (github.event.pull_request.user.login == 'dependabot[bot]'), so the entire job is skipped for non-Dependabot PRs — no unnecessary execution.
  • dependabot/fetch-metadata is pinned to a full commit SHA (25dd0e34f4fe68f24cc83900b1fe3fe149efef98) with the version tagged in a comment (# v3.1.0). This is the recommended supply-chain security practice.
  • Auto-merge is gated on update-type != 'version-update:semver-major', correctly skipping major bumps.
  • Permissions are scoped minimally to contents: write and pull-requests: write.

No security or correctness issues found.
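As an added example (not the PR's own file), here is a Dependabot auto-merge workflow with the properties the review above checks: a job-level guard, the action pinned to a full commit SHA with the tag only in a comment, a gate on the update type, and least-privilege permissions. The SHA is the one quoted in the review and should be verified against the upstream tag before use; the `gh pr merge` step is assumed, since the page does not show how the merge is triggered.

```yaml
name: Dependabot auto-merge

on: pull_request

# Least privilege: enabling auto-merge needs exactly these two scopes.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    # Job-level guard: the whole job is skipped for any PR not opened by
    # Dependabot, so no step below ever runs on a third-party PR.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        # Pinned to the full commit SHA quoted in the review; the tag in the
        # comment is for humans, the SHA is what actually executes.
        # Avoid the mutable form: uses: dependabot/fetch-metadata@v3
        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for non-major updates
        # Major bumps fall through to manual review.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        # Assumed merge step: queues the merge rather than merging directly.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

`gh pr merge --auto` only queues the merge, which then completes once the repository's merge requirements are met; branch protection on `main` therefore has to require the CI checks, otherwise the update merges as soon as the job runs.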

- Migrate .golangci.yml to v2 schema (golangci-lint v2 rejects v1 config)
- Add Dockerfile (static build on distroless) so the docker-build job runs
- Add .gitleaks.toml allowlisting dummy credentials in *_test.go files
- Set ReadHeaderTimeout on the HTTP server (gosec G114)
- Comment the blank sqlite driver import (revive) and apply gofmt

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@claude

claude Bot commented May 29, 2026

Claude finished @koinsaari's task in 1m 48s

PR Review

  • Read REVIEW.md for review instructions
  • Read CLAUDE.md for project context (file not present)
  • Read changed files
  • Analyze and post review
  • Set commit status

No blocking issues. This PR bundles several CI quality improvements alongside the Dependabot config.

REVIEW.md checklist

  • JWT keyfunc — jwt.go:37 checks t.Method.(*jwt.SigningMethodHMAC) before returning the signing key. ✅
  • SQL queries — No new queries introduced; no string concatenation found. ✅
  • Import cycle — internal/auth does not import internal/clients/jellyfin. ✅
  • New API routes — None added. ✅

.github/dependabot.yml + .github/workflows/dependabot-auto-merge.yml

Both look correct. The auto-merge workflow uses a job-level if guard, pins dependabot/fetch-metadata to a full SHA, and gates auto-merge on non-major semver updates. Permissions are minimal.

🟡 Nit — The dependencies and area:ci labels in dependabot.yml must exist in the repo. Dependabot silently skips labeling if they don't.

Dockerfile

Good multi-stage build: distroless nonroot runtime image, CGO disabled, -trimpath -ldflags="-s -w" for a clean binary.

🟡 Nit — golang:1.26 and distroless/static-debian13:nonroot are floating tags. A silent upstream update can change the image between builds, making the build non-reproducible. Consider pinning both to a digest (e.g. golang:1.26@sha256:...).

.golangci.yml

Correctly migrated to the golangci-lint v2 config format: default: none, formatters section for gofmt/goimports, exclusions blocks replacing the old issues.exclude-dirs / issues.exclude-rules. This is consistent with the golangci-lint-action@v8 already pinned in ci.yml.

cmd/api-proxy/main.go

Adding ReadHeaderTimeout: 10 * time.Second to the http.Server closes a potential Slowloris vector. Good fix.

.gitleaks.toml

Allowing dummy credentials in _test.go files via path regex is reasonable. The allowlist is narrow and purposeful.

Whitespace / alignment changes

internal/auth/service.go, internal/auth/login_test.go, internal/auth/lockout_test.go, internal/auth/jwt_test.go, internal/clients/jellyfin/quickconnect_test.go — all alignment-only, likely driven by the updated linter rules. No logic changes.

internal/db/db.go

Adding a comment to the blank sqlite import (// registers the "sqlite" database/sql driver) is acceptable, though per REVIEW.md conventions the _ import alias already signals a side-effect import. Minor.

Pin golang and distroless base images to digests for reproducible
builds, and add the docker ecosystem to dependabot.yml so the digests
stay current.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@claude

claude Bot commented May 29, 2026

Claude finished @koinsaari's task in 1m 19s

PR Review

  • Read REVIEW.md for review instructions
  • Read CLAUDE.md for project context (file not present)
  • Read changed files
  • Analyze and post review
  • Set commit status (blocked — gh api requires explicit permission; could not be set)

No blocking issues. This PR bundles Dependabot configuration, a Docker image, and several CI quality improvements.

REVIEW.md checklist

  • JWT keyfunc — internal/auth/jwt.go:37 checks t.Method.(*jwt.SigningMethodHMAC) before returning the signing key. ✅
  • SQL queries — No new queries introduced; all existing queries use ? parameterised placeholders, no string concatenation. ✅
  • Import cycle — internal/auth does not import internal/clients/jellyfin. ✅
  • New API routes — None added. ✅

.github/dependabot.yml

Correct setup: weekly Saturday updates for gomod, docker, and github-actions, with minor/patch updates grouped. Major updates are excluded from groups and will arrive as separate PRs requiring manual review.

🟡 Nit — The dependencies and area:ci labels must exist in the repo for Dependabot to apply them. Dependabot silently skips labeling when labels are missing.

.github/workflows/dependabot-auto-merge.yml

Correct and secure:

  • Job-level if guard prevents execution for non-Dependabot PRs.
  • dependabot/fetch-metadata pinned to full commit SHA (25dd0e3) with version in a comment — good supply-chain hygiene.
  • Auto-merge gated on update-type != 'version-update:semver-major', correctly skipping major bumps.
  • Permissions scoped to contents: write and pull-requests: write only.

Dockerfile

Good multi-stage build: distroless nonroot runtime, CGO disabled, -trimpath -ldflags="-s -w". Both base images are pinned to full digests — reproducible builds. ✅

.golangci.yml

Correct migration to golangci-lint v2 format: default: none, formatters section for gofmt/goimports, and exclusions blocks. The internal/gen exclusion is correctly preserved. Consistent with golangci-lint-action@v8 already in CI.

cmd/api-proxy/main.go

Adding ReadHeaderTimeout: 10 * time.Second to the http.Server closes the Slowloris slow-header attack vector. Good fix.

.gitleaks.toml

Allowlisting dummy credentials in _test.go files via path regex is a narrow, purposeful exemption. Acceptable.

Whitespace-only changes

internal/auth/service.go, internal/auth/login_test.go, internal/auth/lockout_test.go, internal/auth/jwt_test.go, internal/clients/jellyfin/quickconnect_test.go — struct field alignment only, driven by the updated linter rules. No logic changes.

internal/db/db.go

Adding a comment to the blank sqlite import is acceptable, though per REVIEW.md conventions the _ import alias already signals a side-effect import. Minor.
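An added example (not the project's own dependabot.yml) of the configuration the review describes: weekly Saturday updates for gomod, docker and github-actions, with minor and patch updates grouped into one PR and major updates left ungrouped so they arrive as separate PRs. It assumes the `dependencies` and `area:ci` labels already exist in the repository, as the review's nit points out.

```yaml
version: 2
updates:
  # Go modules: minor and patch bumps are grouped into one PR; anything
  # not matched by a group (i.e. major bumps) is opened as its own PR.
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
      day: saturday
    labels:
      - dependencies   # must already exist, or Dependabot skips labeling
      - area:ci
    groups:
      go-minor-and-patch:
        update-types: [minor, patch]

  # Docker base images pinned by digest: Dependabot bumps the digest in the
  # Dockerfile, so pinning does not mean falling behind on updates.
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
      day: saturday
    labels:
      - dependencies
      - area:ci
    groups:
      docker-minor-and-patch:
        update-types: [minor, patch]

  # Actions pinned by full commit SHA: Dependabot updates the SHA and the
  # version comment together, so the pin stays current.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
      day: saturday
    labels:
      - dependencies
      - area:ci
    groups:
      actions-minor-and-patch:
        update-types: [minor, patch]
```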

@koinsaari koinsaari merged commit 985b374 into main May 29, 2026
6 checks passed
@koinsaari koinsaari deleted the ci/dependabot branch May 29, 2026 19:48