
ci: harden CI/CD pipeline#92

Merged
Aureliolo merged 6 commits into main from ci/harden-pipeline
Mar 1, 2026

Conversation

Owner

@Aureliolo Aureliolo commented Mar 1, 2026

Summary

  • mypy on tests/: CI now type-checks tests/ alongside src/ (PR fix: enforce strict mypy on test files #89 enforced strict mypy locally but CI only ran on src/)
  • Secret scanning: New secret-scan.yml workflow runs gitleaks on push/PR + weekly Monday 3am UTC (gitleaks is skipped in pre-commit CI)
  • Codecov integration: Replaces coverage artifact uploads with Codecov for PR comments, trend tracking, and badges
  • Dependency review hardened: Added license allow-list (permissive only) and PR comment summaries
  • Dependabot tuned: Added commit-message prefixes (chore/ci), increased PR limit to 10, kept daily schedule
  • Auto-merge removed: Deleted dependabot-auto-merge.yml — no auto-merging of anything
  • Security hardening: Top-level permissions: {} deny-all, per-job contents: read, persist-credentials: false on all checkouts
  • Smarter concurrency: Only cancels stale PR runs, not main branch pushes
  • Manual trigger: Added workflow_dispatch for manual CI runs from GitHub UI

Test plan

  • CI runs successfully on this PR (lint, type-check, test jobs)
  • Verify mypy catches type errors in tests/ files
  • Verify Codecov posts coverage comment on PR (requires CODECOV_TOKEN secret)
  • Verify secret-scan workflow appears in Actions tab
  • Verify dependency-review posts comment on PR
  • Verify no auto-merge workflow exists
  • Check Dependabot Settings page shows no errors after merge

- Run mypy on tests/ in addition to src/ (enforcement was local-only)
- Add gitleaks secret scanning workflow (push/PR + weekly schedule)
- Integrate Codecov for coverage reporting (replaces artifact uploads)
- Tighten dependency review with AGPL license deny-list and PR comments
- Add commit-message prefixes and PR limit to Dependabot config
- Remove Dependabot auto-merge workflow (no auto-merging)
- Add top-level permissions: {} deny-all default with per-job grants
- Add persist-credentials: false on all checkout steps
- Smarter concurrency (only cancel stale PR runs, not main pushes)
- Add workflow_dispatch trigger for manual CI runs
Copilot AI review requested due to automatic review settings March 1, 2026 17:35

coderabbitai bot commented Mar 1, 2026

Warning

Rate limit exceeded

@Aureliolo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 40 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 5fbe04e and 2e0a445.

📒 Files selected for processing (5)
  • .claude/skills/aurelio-review-pr/skill.md
  • .github/workflows/ci.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/secret-scan.yml
  • CLAUDE.md
Walkthrough

The pull request updates GitHub Actions workflows and Dependabot configuration to enhance CI/CD security, dependency management, and code quality. Changes include adding secret scanning with gitleaks, expanding type checking to test files, integrating Codecov for coverage reporting, removing Dependabot auto-merge automation, and restricting concurrent dependency updates.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependabot Configuration: .github/dependabot.yml | Added commit-message prefixes ("chore" and "ci") and concurrent update limits (open-pull-requests-limit: 10) to update blocks. |
| CI/CD Workflow Updates: .github/workflows/ci.yml | Added workflow_dispatch trigger, updated concurrency configuration with conditional cancel-in-progress, implemented per-job permissions, added persist-credentials: false to checkout steps, expanded type checking to include tests/ directory, and replaced artifact-based coverage upload with Codecov integration (codecov-action v5). |
| Security & Dependency Review: .github/workflows/dependency-review.yml, .github/workflows/secret-scan.yml | Added pull-request write permissions and PR comment summaries for dependency review with AGPL license denials; introduced new Secret Scan workflow using gitleaks (v8.24.3) for secret detection on pushes, PRs, and weekly schedule. |
| Removed Automation: .github/workflows/dependabot-auto-merge.yml | Deleted the Dependabot auto-merge workflow that previously auto-merged minor and patch version updates. |
| Documentation: CLAUDE.md | Updated documentation to reflect changes to CI configuration, new auxiliary workflows (secret scanning, dependency review, Codecov integration), and Dependabot policy updates. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'ci: harden CI/CD pipeline' accurately summarizes the main objective of the changeset, which adds multiple security and CI/CD improvements across workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The pull request description comprehensively details all changes: mypy on tests/, secret scanning, Codecov integration, dependency review hardening, Dependabot tuning, auto-merge removal, security hardening, concurrency improvements, and manual workflow trigger. |



Contributor

github-actions bot commented Mar 1, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

  • .github/workflows/dependabot-auto-merge.yml

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's CI/CD pipeline by integrating robust security measures, improving code quality checks, and refining automation workflows. Key updates include comprehensive type-checking for tests, proactive secret scanning, and detailed code coverage reporting via Codecov. Additionally, it optimizes dependency management with refined Dependabot settings and strengthens overall workflow security and efficiency.

Highlights

  • Mypy Type-Checking: CI now type-checks the tests/ directory in addition to src/, ensuring broader type safety.
  • Secret Scanning: A new secret-scan.yml workflow has been introduced to run gitleaks on push/PR events and on a weekly schedule, enhancing security.
  • Codecov Integration: Coverage artifact uploads have been replaced with Codecov integration, providing PR comments, trend tracking, and badges for code coverage.
  • Hardened Dependency Review: The dependency review process now includes an AGPL license deny-list and provides PR comment summaries for better oversight.
  • Tuned Dependabot: Dependabot configurations were updated to add commit-message prefixes (chore/ci) and increase the open pull request limit to 10.
  • Auto-merge Removed: The dependabot-auto-merge.yml workflow has been deleted, disabling automatic merging of dependencies.
  • Security Hardening: Implemented top-level permissions: {} to deny all, per-job contents: read, and persist-credentials: false on all checkouts for enhanced security.
  • Smarter Concurrency: Concurrency settings were adjusted to only cancel stale PR runs, preventing cancellations of main branch pushes.
  • Manual Trigger: Added workflow_dispatch to allow manual CI runs directly from the GitHub UI.
Changelog
  • .github/dependabot.yml
    • Added commit-message prefixes 'chore' and 'ci' for uv and github-actions updates, respectively.
    • Increased open-pull-requests-limit to 10 for both uv and github-actions updates.
  • CLAUDE.md
    • Updated the 'CI' section to reflect that mypy now type-checks src/ and tests/.
    • Modified the Dependabot description to mention grouped minor/patch updates and the removal of auto-merge.
    • Added new entries for 'Secret scanning', 'Dependency review', and 'Coverage' to detail the new CI features.
Ignored Files
  • Ignored by pattern: .github/workflows/** (4)
    • .github/workflows/ci.yml
    • .github/workflows/dependabot-auto-merge.yml
    • .github/workflows/dependency-review.yml
    • .github/workflows/secret-scan.yml
Activity
  • No human activity has been recorded on this pull request yet.


Copilot AI left a comment


Pull request overview

This PR hardens the CI/CD pipeline by adding secret scanning, improving security posture with least-privilege permissions, replacing artifact-based coverage uploads with Codecov, removing auto-merge, and extending mypy type-checking to include tests/.

Changes:

  • Security hardening: Top-level permissions: {} deny-all with per-job overrides, persist-credentials: false on all checkouts, removal of dependabot-auto-merge.yml
  • New workflows / integrations: secret-scan.yml (gitleaks), Codecov coverage upload replaces artifact upload, AGPL license deny-listing and PR comment summaries in dependency review
  • CI refinements: workflow_dispatch manual trigger, smarter concurrency (cancel-in-progress only for PRs), mypy src/ tests/, Dependabot commit-message prefixes and increased PR limit

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/ci.yml | Adds security hardening, workflow_dispatch, smarter concurrency, extends mypy to tests/, replaces artifact upload with Codecov |
| .github/workflows/secret-scan.yml | New workflow running gitleaks on push/PR/schedule |
| .github/workflows/dependency-review.yml | Adds AGPL license deny-list, PR comment summaries, persist-credentials: false |
| .github/workflows/dependabot-auto-merge.yml | Deleted; removes auto-merging |
| .github/dependabot.yml | Adds commit-message prefixes, increases PR limit to 10 |
| CLAUDE.md | Updates CI section to reflect new pipeline capabilities |


Comment on lines +21 to +23
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Copilot AI Mar 1, 2026


gitleaks/gitleaks-action@v2 requires a GITLEAKS_LICENSE secret to run on pull_request events from fork contributors. Without this secret, the action will detect it's running against a fork PR and exit with a warning instead of actually scanning, silently skipping secret detection on the most risky event (untrusted code from external contributors). The GITHUB_TOKEN provided here is insufficient for that use-case.

Either add the GITLEAKS_LICENSE secret to the repository settings (it requires a paid Gitleaks plan), or switch to running gitleaks as a plain CLI step (e.g. install via brew/apt/uv tool install gitleaks and invoke gitleaks detect) which has no license requirement for open-source use and avoids this gap.

Suggested change
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install gitleaks
run: |
curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks-linux-amd64.tar.gz \
| tar xz
sudo mv gitleaks /usr/local/bin/gitleaks
- name: Run gitleaks
run: gitleaks detect --source . --no-git -v
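Review bot: the suggested install step fetches `releases/latest/download/gitleaks-linux-amd64.tar.gz`, so the binary silently changes between runs and nothing checks what was downloaded before `sudo mv` puts it on PATH; pin a version and verify the archive against the release checksums first. Separately, `gitleaks detect --source . --no-git` scans the working tree only, so the full history that `fetch-depth: 0` pulls in is never examined; drop `--no-git` if committed history is meant to be covered.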

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

Copilot AI Mar 1, 2026


The checkout step in secret-scan.yml is missing persist-credentials: false. Every other workflow touched in this PR (ci.yml, dependency-review.yml) explicitly sets persist-credentials: false for security hardening. Omitting it here means the Git credentials token is persisted in the runner's global config for the duration of the job, which is inconsistent with the security intent of this PR.

Suggested change
fetch-depth: 0
fetch-depth: 0
persist-credentials: false

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request hardens the CI/CD pipeline by updating Dependabot configuration and documenting the new CI/CD features. The changes in .github/dependabot.yml add commit message prefixes and increase the open pull request limit, which are reasonable adjustments. The updates to CLAUDE.md accurately reflect the broader CI enhancements mentioned in the pull request description, such as expanded type checking, secret scanning, and Codecov integration. The changes appear to be in order and I have no specific feedback on the provided diffs.

- Switch from gitleaks-action (requires paid license for fork PRs) to
  CLI-based gitleaks install (free for OSS, no license gap)
- Add persist-credentials: false to secret-scan checkout (consistency)
- Pin gitleaks version for reproducible builds
- Replace deprecated deny-licenses with allow-licenses allow-list
  (MIT, Apache-2.0, BSD-2/3-Clause, ISC, MPL-2.0, PSF-2.0, etc.)
Copilot AI review requested due to automatic review settings March 1, 2026 17:46
@Aureliolo
Owner Author

/gemini review @copilot review

Contributor

Copilot AI commented Mar 1, 2026

@Aureliolo I've opened a new pull request, #93, to work on those changes. Once the pull request is ready, I'll request review from you.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/secret-scan.yml:
- Around line 24-28: In the "Install gitleaks" workflow step (using
GITLEAKS_VERSION and the gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz artifact)
add checksum verification: download the corresponding checksum file (and
signature if available) from the release, verify the checksum against the
downloaded tarball (e.g., using sha256sum or shasum -a 256) and fail the job on
mismatch, only then extract and move the binary to /usr/local/bin/gitleaks;
ensure the step sequence uses the same GITLEAKS_VERSION variable for both
artifact and checksum URLs and exits non‑zero when verification fails.

In @CLAUDE.md:
- Around line 78-83: Update the stale mypy invocation in CLAUDE.md: replace the
referenced local command "uv run mypy src/" with the CI-aligned command that
type-checks both sources and tests (e.g., "uv run mypy src/ tests/") so
documentation matches the CI behavior; locate the mypy quick-start line in
CLAUDE.md and update the text/example to show the new command and, if present,
any explanatory sentence that restricts mypy to only src/.


📥 Commits

Reviewing files that changed from the base of the PR and between 40a61f4 and 5fbe04e.

📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/dependabot-auto-merge.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/secret-scan.yml
  • CLAUDE.md
💤 Files with no reviewable changes (1)
  • .github/workflows/dependabot-auto-merge.yml
📜 Review details
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2026-03-01T10:09:25.209Z
Learnt from: CR
Repo: Aureliolo/ai-company PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-01T10:09:25.209Z
Learning: Use commit message format `<type>: <description>` with types: feat, fix, refactor, docs, test, chore, perf, ci

Applied to files:

  • .github/dependabot.yml
📚 Learning: 2026-02-26T17:43:50.902Z
Learnt from: CR
Repo: Aureliolo/story-factory PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-02-26T17:43:50.902Z
Learning: When making changes that affect architecture, services, key files, settings, or workflows, update the relevant sections of existing documentation (CLAUDE.md, README.md, etc.) to reflect those changes.

Applied to files:

  • CLAUDE.md
🔇 Additional comments (3)
.github/workflows/dependency-review.yml (1)

9-9: Good hardening and policy enforcement in dependency review workflow.

Permissions, credential persistence, AGPL deny-listing, and PR summaries are configured coherently for this job.

Also applies to: 17-18, 24-25

.github/dependabot.yml (1)

10-12: Dependabot policy updates look consistent and valid.

The new commit prefixes and PR cap are well-scoped for automated update flow control.

Based on learnings: Use commit message format <type>: <description> with types: feat, fix, refactor, docs, test, chore, perf, ci.

Also applies to: 15-15, 27-29, 32-32

.github/workflows/ci.yml (1)

8-14: CI hardening changes are solid and internally consistent.

Deny-all defaults, scoped job permissions, persist-credentials: false, PR-only stale-run cancellation, and mypy coverage for tests/ are all correctly aligned.

Also applies to: 20-26, 37-47, 51-53, 58-60

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces several improvements to harden the CI/CD pipeline, including tuning Dependabot, adding secret scanning, and enhancing dependency review. My review focuses on improving the maintainability of the Dependabot configuration and clarifying a potential inconsistency in the updated documentation.

groups:
minor-and-patch:
update-types: [minor, patch]
open-pull-requests-limit: 10
Contributor


medium

To improve maintainability and reduce duplication between the pip and github-actions configurations, consider using YAML anchors. This would centralize the common settings, making future updates easier. Here's an example of how you could refactor this file:

version: 2

updates:
  - &defaults
    directory: "/"
    schedule:
      interval: daily
      time: "06:00"
      timezone: Etc/UTC
    groups:
      minor-and-patch:
        update-types: [minor, patch]
    open-pull-requests-limit: 10
    reviewers:
      - Aureliolo

  - package-ecosystem: pip
    <<: *defaults
    commit-message:
      prefix: "chore"
    labels:
      - dependencies
      - python

  - package-ecosystem: github-actions
    <<: *defaults
    commit-message:
      prefix: "ci"
    labels:
      - dependencies
      - ci
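Review bot: in the refactor above, `- &defaults` is itself a list entry under `updates`, and it carries no `package-ecosystem`, so Dependabot will reject the file before the anchor saves any duplication. Put the anchor on the first real entry instead (`- &defaults` followed by `package-ecosystem: pip` and the shared keys) and let the github-actions entry do `<<: *defaults` and then override `package-ecosystem`, `commit-message` and `labels`; explicitly written keys take precedence over merged ones. That also assumes Dependabot's YAML parser honours `<<` merge keys, which is worth confirming on a throwaway branch before relying on it.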

- **Dependabot**: daily uv + github-actions updates, auto-merge for patch/minor
- **Dependabot**: daily uv + github-actions updates, grouped minor/patch, no auto-merge
- **Secret scanning**: gitleaks workflow on push/PR + weekly schedule
- **Dependency review**: license allow-list (permissive only), PR comment summaries
Contributor


medium

There appears to be a discrepancy between this line and the PR summary regarding the dependency review setup. This documentation mentions a license allow-list (permissive only), whereas the PR summary states Added AGPL license deny-list. An allow-list of only permissive licenses is significantly more restrictive than a deny-list that only blocks AGPL. To ensure the documentation is accurate, could you clarify which implementation is correct and update accordingly?


Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.



Comment on lines +24 to +28
allow-licenses: >-
MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause,
ISC, MPL-2.0, PSF-2.0, Unlicense, 0BSD,
CC0-1.0, Python-2.0
comment-summary-in-pr: always

Copilot AI Mar 1, 2026


The PR description states "Added AGPL license deny-list" but the actual implementation only uses an allow-licenses list (a permit-only approach). There is no explicit deny-licenses entry. This is fine — a strict allow-list implicitly rejects AGPL and everything else not listed — but the PR description creates a misleading expectation. Additionally, LGPL variants (LGPL-2.0, LGPL-2.1, LGPL-3.0) are absent from the allow-list, which would block any dependency using those licenses. If any transitive dependency is under an LGPL license this workflow will start failing. Consider whether LGPL variants should be included, since they are generally considered permissive for non-copyleft use.

Comment on lines +29 to +30
- name: Run gitleaks
run: gitleaks detect --source . -v

Copilot AI Mar 1, 2026


The gitleaks detect command is run without a --no-git flag or a --log-opts to restrict the scan range. With fetch-depth: 0, this performs a full repository history scan on every push and PR. For large repositories with a long history, this can become very slow. On PRs in particular, consider scoping the scan to only the commits introduced by the PR (e.g., using --log-opts="origin/main..HEAD") to reduce scanning time and noise from historical false positives, while keeping the weekly full-history scheduled scan as-is.

Suggested change
- name: Run gitleaks
run: gitleaks detect --source . -v
- name: Run gitleaks (scheduled full scan)
if: github.event_name == 'schedule'
run: gitleaks detect --source . -v
- name: Run gitleaks (push full scan)
if: github.event_name == 'push'
run: gitleaks detect --source . -v
- name: Run gitleaks (PR incremental scan)
if: github.event_name == 'pull_request'
run: gitleaks detect --source . -v --log-opts="origin/main..HEAD"
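Review bot: the PR step hardcodes `--log-opts="origin/main..HEAD"`, so a pull request against any other base branch scans the wrong range (or fails outright if `origin/main` is not present); derive the range from the PR's base branch, handed to the shell through `env:` rather than interpolated inline. The schedule and push steps also run the identical command, so one step that picks `--log-opts` by event name would replace all three.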

Comment on lines +26 to +27
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar xz

Copilot AI Mar 1, 2026


The secret-scan.yml workflow installs gitleaks by downloading a binary from GitHub via curl with no checksum verification. If the remote release asset is tampered with or the download URL is compromised (e.g., via a CDN-level attack), a malicious binary would be silently executed with sudo privileges. Consider verifying the SHA256 checksum of the downloaded archive against a known-good value (published in gitleaks' release assets as checksums.txt) before extracting and installing.

Suggested change
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar xz
set -euo pipefail
ARCHIVE="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
CHECKSUMS_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/checksums.txt"
ARCHIVE_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${ARCHIVE}"
curl -sSLo "${ARCHIVE}" "${ARCHIVE_URL}"
curl -sSLo checksums.txt "${CHECKSUMS_URL}"
grep " ${ARCHIVE}\$" checksums.txt | sha256sum -c -
tar xzf "${ARCHIVE}"
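Review bot: pulling `checksums.txt` from the same release URL as the archive verifies the integrity of the download (truncation, a swapped object on the CDN) but not its authenticity, since whoever can replace the tarball in the release can replace the checksum file in the same place; the pinned `GITLEAKS_VERSION` is what limits that, and a signature check on `checksums.txt`, where the project publishes one, would close the rest. The `grep " ${ARCHIVE}\$" checksums.txt | sha256sum -c -` line does fail closed under `pipefail`: an empty grep result exits non-zero, and `sha256sum -c` on empty input also errors, so a missing entry cannot pass vacuously.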

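One way to implement the verification this comment asks for, as an added example that is neither the PR's own step nor code from the gitleaks project: a fail-closed `verify_archive` function (the function names and the sample archive name are made up here) that rejects a tampered download, a missing entry and an ambiguous double entry, plus a self-check on constructed data.

```shell
#!/bin/sh
# Added example, not code from the PR or from the gitleaks project: a
# fail-closed SHA-256 check for a downloaded release archive, of the kind
# the review thread asks for before `tar xzf`. Assumes the checksum file
# uses the sha256sum/shasum line format "<hex>  <filename>" (a leading "*"
# for binary mode is tolerated).

# Portable digest: GNU coreutils has sha256sum, macOS ships shasum instead.
if ! command -v sha256sum >/dev/null 2>&1; then
  sha256sum() { shasum -a 256 "$@"; }
fi

# verify_archive ARCHIVE CHECKSUMS_FILE
# Returns 0 only when CHECKSUMS_FILE holds exactly one entry for ARCHIVE's
# basename and the digest matches; every other outcome is a failure, so a
# missing or empty checksum file can never let an unverified archive through.
verify_archive() {
  archive="$1"
  checksums="$2"
  [ -f "$archive" ] || { echo "verify: missing archive $archive" >&2; return 1; }
  [ -f "$checksums" ] || { echo "verify: missing checksum file $checksums" >&2; return 1; }
  name=$(basename "$archive")
  # Anchor on the trailing filename so "other_<name>" cannot match.
  # grep -c prints 0 and exits 1 when nothing matches; keep the count, not the exit.
  entries=$(grep -c -E -- "[ *]${name}\$" "$checksums" || true)
  if [ "$entries" -ne 1 ]; then
    echo "verify: expected one checksum entry for $name, found $entries" >&2
    return 1
  fi
  expected=$(grep -E -- "[ *]${name}\$" "$checksums" | awk '{print $1}')
  actual=$(sha256sum "$archive" | awk '{print $1}')
  if [ "$expected" != "$actual" ]; then
    echo "verify: checksum mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# selfcheck: exercises the three cases on constructed data in a temp dir
# (good archive, tampered archive, no entry). Returns 0 when every case
# behaves as intended.
selfcheck() {
  dir=$(mktemp -d)
  archive="$dir/gitleaks_0.0.0_linux_x64.tar.gz"   # constructed, not a real release
  printf 'constructed payload, not a real tarball\n' > "$archive"
  sum=$(sha256sum "$archive" | awk '{print $1}')
  # Second line is a decoy entry for a different file name with the same digest.
  printf '%s  %s\n%s  gitleaks_0.0.0_linux_arm64.tar.gz\n' \
    "$sum" "$(basename "$archive")" "$sum" > "$dir/checksums.txt"

  if ! verify_archive "$archive" "$dir/checksums.txt"; then
    rm -rf "$dir"; return 1
  fi
  # Tampered download: one appended byte must flip the result.
  printf 'x' >> "$archive"
  if verify_archive "$archive" "$dir/checksums.txt" 2>/dev/null; then
    rm -rf "$dir"; return 1
  fi
  # No entry at all: must fail closed rather than pass vacuously.
  : > "$dir/checksums.txt"
  if verify_archive "$archive" "$dir/checksums.txt" 2>/dev/null; then
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  return 0
}

# Stand-alone run: exit status and the final line report the self-check outcome.
selfcheck && echo "selfcheck: ok"
```

In the workflow step this would sit between the two `curl` downloads and `tar xzf`, called as `verify_archive "${ARCHIVE}" checksums.txt || exit 1`.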
…t, and Gemini

- CLAUDE.md: align mypy Quick Command with CI (src/ tests/)
- secret-scan: add SHA-256 checksum verification for gitleaks binary
- secret-scan: scope PR scans to changed commits via --log-opts
- secret-scan: add branch filter on pull_request trigger
- ci: pin codecov-action to commit SHA instead of tag
- ci: add explicit permissions: {} on ci-pass job
- PR description: corrected "AGPL deny-list" to "license allow-list"
- skill: add CI check phase (Phase 10) to aurelio-review-pr
@Aureliolo Aureliolo requested a review from Copilot March 1, 2026 17:57
@Aureliolo
Owner Author

/gemini review

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request makes several improvements to the CI/CD pipeline configuration and documentation. The changes to dependabot.yml effectively tune the behavior of dependency updates. The documentation updates align with the overall goal of hardening the CI pipeline. I have one suggestion to improve the transparency of a shell command in the process documentation. The review is based on the provided changes to dependabot.yml and markdown files.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.



Comment on lines +35 to +37
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
gitleaks detect --source . -v --log-opts="origin/${{ github.base_ref }}..HEAD"

Copilot AI Mar 1, 2026


The ${{ github.base_ref }} expression is interpolated directly into the shell script, which is an injection vector. GitHub's security hardening guide recommends passing context values through environment variables instead of inlining them in run: blocks. While github.base_ref is provided by GitHub infrastructure (not user-controlled) and the branch filter constrains it to main, the safe pattern is to bind it to an env variable and reference $BASE_REF in the shell. Inline context interpolation in run: is the pattern that causes script injection vulnerabilities when the context value comes from less-trusted sources (e.g., PR titles, branch names from forks), so avoiding it consistently is important to set the right precedent.

Suggested change
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
gitleaks detect --source . -v --log-opts="origin/${{ github.base_ref }}..HEAD"
env:
EVENT_NAME: ${{ github.event_name }}
BASE_REF: ${{ github.base_ref }}
run: |
if [ "$EVENT_NAME" = "pull_request" ]; then
gitleaks detect --source . -v --log-opts="origin/$BASE_REF..HEAD"

Comment on lines +11 to +17
permissions:
contents: read

jobs:
gitleaks:
name: Gitleaks
runs-on: ubuntu-latest

Copilot AI Mar 1, 2026


The secret-scan.yml workflow uses a workflow-level permissions: contents: read directly, rather than the deny-all (permissions: {}) at the top level with an explicit per-job permissions: contents: read override that is the established convention in this repo's ci.yml. This deviates from the hardened pattern and is inconsistent with ci.yml lines 10 and 20-21. The workflow-level permissions apply to all jobs, but the deny-all + per-job pattern makes scope explicit and reduces the blast radius if a new job is added without permission consideration.

Suggested change
permissions:
contents: read
jobs:
gitleaks:
name: Gitleaks
runs-on: ubuntu-latest
permissions: {}
jobs:
gitleaks:
name: Gitleaks
runs-on: ubuntu-latest
permissions:
contents: read

Comment on lines +7 to +9
permissions:
contents: read
pull-requests: write

Copilot AI Mar 1, 2026


The dependency-review.yml workflow uses a workflow-level permissions: block directly, rather than the deny-all (permissions: {}) at the top level with per-job overrides that is the convention established in ci.yml (lines 10, 20-21, 37-38, 51-52). For a single-job workflow that also needs pull-requests: write, the hardened equivalent would be permissions: {} at the top and permissions: { contents: read, pull-requests: write } on the dependency-review job.

- secret-scan: use env vars instead of inline context interpolation
- secret-scan: deny-all permissions with per-job override
- dependency-review: deny-all permissions with per-job override
@Aureliolo Aureliolo merged commit ce4693c into main Mar 1, 2026
7 checks passed
@Aureliolo Aureliolo deleted the ci/harden-pipeline branch March 1, 2026 18:02
Aureliolo added a commit that referenced this pull request Mar 10, 2026
🤖 I have created a release *beep* *boop*
---


## [0.1.1](ai-company-v0.1.0...ai-company-v0.1.1) (2026-03-10)


### Features

* add autonomy levels and approval timeout policies
([#42](#42),
[#126](#126))
([#197](#197))
([eecc25a](eecc25a))
* add CFO cost optimization service with anomaly detection, reports, and
approval decisions
([#186](#186))
([a7fa00b](a7fa00b))
* add code quality toolchain (ruff, mypy, pre-commit, dependabot)
([#63](#63))
([36681a8](36681a8))
* add configurable cost tiers and subscription/quota-aware tracking
([#67](#67))
([#185](#185))
([9baedfa](9baedfa))
* add container packaging, Docker Compose, and CI pipeline
([#269](#269))
([435bdfe](435bdfe)),
closes [#267](#267)
* add coordination error taxonomy classification pipeline
([#146](#146))
([#181](#181))
([70c7480](70c7480))
* add cost-optimized, hierarchical, and auction assignment strategies
([#175](#175))
([ce924fa](ce924fa)),
closes [#173](#173)
* add design specification, license, and project setup
([8669a09](8669a09))
* add env var substitution and config file auto-discovery
([#77](#77))
([7f53832](7f53832))
* add FastestStrategy routing + vendor-agnostic cleanup
([#140](#140))
([09619cb](09619cb)),
closes [#139](#139)
* add HR engine and performance tracking
([#45](#45),
[#47](#47))
([#193](#193))
([2d091ea](2d091ea))
* add issue auto-search and resolution verification to PR review skill
([#119](#119))
([deecc39](deecc39))
* add memory retrieval, ranking, and context injection pipeline
([#41](#41))
([873b0aa](873b0aa))
* add pluggable MemoryBackend protocol with models, config, and events
([#180](#180))
([46cfdd4](46cfdd4))
* add pluggable MemoryBackend protocol with models, config, and events
([#32](#32))
([46cfdd4](46cfdd4))
* add pluggable PersistenceBackend protocol with SQLite implementation
([#36](#36))
([f753779](f753779))
* add progressive trust and promotion/demotion subsystems
([#43](#43),
[#49](#49))
([3a87c08](3a87c08))
* add retry handler, rate limiter, and provider resilience
([#100](#100))
([b890545](b890545))
* add SecOps security agent with rule engine, audit log, and ToolInvoker
integration ([#40](#40))
([83b7b6c](83b7b6c))
* add shared org memory and memory consolidation/archival
([#125](#125),
[#48](#48))
([4a0832b](4a0832b))
* design unified provider interface
([#86](#86))
([3e23d64](3e23d64))
* expand template presets, rosters, and add inheritance
([#80](#80),
[#81](#81),
[#84](#84))
([15a9134](15a9134))
* implement agent runtime state vs immutable config split
([#115](#115))
([4cb1ca5](4cb1ca5))
* implement AgentEngine core orchestrator
([#11](#11))
([#143](#143))
([f2eb73a](f2eb73a))
* implement basic tool system (registry, invocation, results)
([#15](#15))
([c51068b](c51068b))
* implement built-in file system tools
([#18](#18))
([325ef98](325ef98))
* implement communication foundation — message bus, dispatcher, and
messenger ([#157](#157))
([8e71bfd](8e71bfd))
* implement company template system with 7 built-in presets
([#85](#85))
([cbf1496](cbf1496))
* implement conflict resolution protocol
([#122](#122))
([#166](#166))
([e03f9f2](e03f9f2))
* implement core entity and role system models
([#69](#69))
([acf9801](acf9801))
* implement crash recovery with fail-and-reassign strategy
([#149](#149))
([e6e91ed](e6e91ed))
* implement engine extensions — Plan-and-Execute loop and call
categorization
([#134](#134),
[#135](#135))
([#159](#159))
([9b2699f](9b2699f))
* implement enterprise logging system with structlog
([#73](#73))
([2f787e5](2f787e5))
* implement graceful shutdown with cooperative timeout strategy
([#130](#130))
([6592515](6592515))
* implement hierarchical delegation and loop prevention
([#12](#12),
[#17](#17))
([6be60b6](6be60b6))
* implement LiteLLM driver and provider registry
([#88](#88))
([ae3f18b](ae3f18b)),
closes [#4](#4)
* implement LLM decomposition strategy and workspace isolation
([#174](#174))
([aa0eefe](aa0eefe))
* implement meeting protocol system
([#123](#123))
([ee7caca](ee7caca))
* implement message and communication domain models
([#74](#74))
([560a5d2](560a5d2))
* implement model routing engine
([#99](#99))
([d3c250b](d3c250b))
* implement parallel agent execution
([#22](#22))
([#161](#161))
([65940b3](65940b3))
* implement per-call cost tracking service
([#7](#7))
([#102](#102))
([c4f1f1c](c4f1f1c))
* implement personality injection and system prompt construction
([#105](#105))
([934dd85](934dd85))
* implement single-task execution lifecycle
([#21](#21))
([#144](#144))
([c7e64e4](c7e64e4))
* implement subprocess sandbox for tool execution isolation
([#131](#131))
([#153](#153))
([3c8394e](3c8394e))
* implement task assignment subsystem with pluggable strategies
([#172](#172))
([c7f1b26](c7f1b26)),
closes [#26](#26)
[#30](#30)
* implement task decomposition and routing engine
([#14](#14))
([9c7fb52](9c7fb52))
* implement Task, Project, Artifact, Budget, and Cost domain models
([#71](#71))
([81eabf1](81eabf1))
* implement tool permission checking
([#16](#16))
([833c190](833c190))
* implement YAML config loader with Pydantic validation
([#59](#59))
([ff3a2ba](ff3a2ba))
* implement YAML config loader with Pydantic validation
([#75](#75))
([ff3a2ba](ff3a2ba))
* initialize project with uv, hatchling, and src layout
([39005f9](39005f9))
* initialize project with uv, hatchling, and src layout
([#62](#62))
([39005f9](39005f9))
* Litestar REST API, WebSocket feed, and approval queue (M6)
([#189](#189))
([29fcd08](29fcd08))
* make TokenUsage.total_tokens a computed field
([#118](#118))
([c0bab18](c0bab18)),
closes [#109](#109)
* parallel tool execution in ToolInvoker.invoke_all
([#137](#137))
([58517ee](58517ee))
* testing framework, CI pipeline, and M0 gap fixes
([#64](#64))
([f581749](f581749))
* wire all modules into observability system
([#97](#97))
([f7a0617](f7a0617))


### Bug Fixes

* address Greptile post-merge review findings from PRs
[#170](https://github.com/Aureliolo/ai-company/issues/170)-[#175](https://github.com/Aureliolo/ai-company/issues/175)
([#176](#176))
([c5ca929](c5ca929))
* address post-merge review feedback from PRs
[#164](https://github.com/Aureliolo/ai-company/issues/164)-[#167](https://github.com/Aureliolo/ai-company/issues/167)
([#170](#170))
([3bf897a](3bf897a)),
closes [#169](#169)
* enforce strict mypy on test files
([#89](#89))
([aeeff8c](aeeff8c))
* harden Docker sandbox, MCP bridge, and code runner
([#50](#50),
[#53](#53))
([d5e1b6e](d5e1b6e))
* harden git tools security + code quality improvements
([#150](#150))
([000a325](000a325))
* harden subprocess cleanup, env filtering, and shutdown resilience
([#155](#155))
([d1fe1fb](d1fe1fb))
* incorporate post-merge feedback + pre-PR review fixes
([#164](#164))
([c02832a](c02832a))
* pre-PR review fixes for post-merge findings
([#183](#183))
([26b3108](26b3108))
* strengthen immutability for BaseTool schema and ToolInvoker boundaries
([#117](#117))
([7e5e861](7e5e861))


### Performance

* harden non-inferable principle implementation
([#195](#195))
([02b5f4e](02b5f4e)),
closes [#188](#188)


### Refactoring

* adopt NotBlankStr across all models
([#108](#108))
([#120](#120))
([ef89b90](ef89b90))
* extract _SpendingTotals base class from spending summary models
([#111](#111))
([2f39c1b](2f39c1b))
* harden BudgetEnforcer with error handling, validation extraction, and
review fixes
([#182](#182))
([c107bf9](c107bf9))
* harden personality profiles, department validation, and template
rendering ([#158](#158))
([10b2299](10b2299))
* pre-PR review improvements for ExecutionLoop + ReAct loop
([#124](#124))
([8dfb3c0](8dfb3c0))
* split events.py into per-domain event modules
([#136](#136))
([e9cba89](e9cba89))


### Documentation

* add ADR-001 memory layer evaluation and selection
([#178](#178))
([db3026f](db3026f)),
closes [#39](#39)
* add agent scaling research findings to DESIGN_SPEC
([#145](#145))
([57e487b](57e487b))
* add CLAUDE.md, contributing guide, and dev documentation
([#65](#65))
([55c1025](55c1025)),
closes [#54](#54)
* add crash recovery, sandboxing, analytics, and testing decisions
([#127](#127))
([5c11595](5c11595))
* address external review feedback with MVP scope and new protocols
([#128](#128))
([3b30b9a](3b30b9a))
* expand design spec with pluggable strategy protocols
([#121](#121))
([6832db6](6832db6))
* finalize 23 design decisions (ADR-002)
([#190](#190))
([8c39742](8c39742))
* update project docs for M2.5 conventions and add docs-consistency
review agent
([#114](#114))
([99766ee](99766ee))


### Tests

* add e2e single agent integration tests
([#24](#24))
([#156](#156))
([f566fb4](f566fb4))
* add provider adapter integration tests
([#90](#90))
([40a61f4](40a61f4))


### CI/CD

* add Release Please for automated versioning and GitHub Releases
([#278](#278))
([a488758](a488758))
* bump actions/checkout from 4 to 6
([#95](#95))
([1897247](1897247))
* bump actions/upload-artifact from 4 to 7
([#94](#94))
([27b1517](27b1517))
* harden CI/CD pipeline
([#92](#92))
([ce4693c](ce4693c))
* split vulnerability scans into critical-fail and high-warn tiers
([#277](#277))
([aba48af](aba48af))


### Maintenance

* add /worktree skill for parallel worktree management
([#171](#171))
([951e337](951e337))
* add design spec context loading to research-link skill
([8ef9685](8ef9685))
* add post-merge-cleanup skill
([#70](#70))
([f913705](f913705))
* add pre-pr-review skill and update CLAUDE.md
([#103](#103))
([92e9023](92e9023))
* add research-link skill and rename skill files to SKILL.md
([#101](#101))
([651c577](651c577))
* bump aiosqlite from 0.21.0 to 0.22.1
([#191](#191))
([3274a86](3274a86))
* bump pyyaml from 6.0.2 to 6.0.3 in the minor-and-patch group
([#96](#96))
([0338d0c](0338d0c))
* bump ruff from 0.15.4 to 0.15.5
([a49ee46](a49ee46))
* fix M0 audit items
([#66](#66))
([c7724b5](c7724b5))
* pin setup-uv action to full SHA
([#281](#281))
([4448002](4448002))
* post-audit cleanup — PEP 758, loggers, bug fixes, refactoring, tests,
hookify rules
([#148](#148))
([c57a6a9](c57a6a9))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Aureliolo added a commit that referenced this pull request Mar 11, 2026
🤖 I have created a release *beep* *boop*
---


## [0.1.0](v0.0.0...v0.1.0) (2026-03-11)


### Features

* add autonomy levels and approval timeout policies
([#42](#42),
[#126](#126))
([#197](#197))
([eecc25a](eecc25a))
* add CFO cost optimization service with anomaly detection, reports, and
approval decisions
([#186](#186))
([a7fa00b](a7fa00b))
* add code quality toolchain (ruff, mypy, pre-commit, dependabot)
([#63](#63))
([36681a8](36681a8))
* add configurable cost tiers and subscription/quota-aware tracking
([#67](#67))
([#185](#185))
([9baedfa](9baedfa))
* add container packaging, Docker Compose, and CI pipeline
([#269](#269))
([435bdfe](435bdfe)),
closes [#267](#267)
* add coordination error taxonomy classification pipeline
([#146](#146))
([#181](#181))
([70c7480](70c7480))
* add cost-optimized, hierarchical, and auction assignment strategies
([#175](#175))
([ce924fa](ce924fa)),
closes [#173](#173)
* add design specification, license, and project setup
([8669a09](8669a09))
* add env var substitution and config file auto-discovery
([#77](#77))
([7f53832](7f53832))
* add FastestStrategy routing + vendor-agnostic cleanup
([#140](#140))
([09619cb](09619cb)),
closes [#139](#139)
* add HR engine and performance tracking
([#45](#45),
[#47](#47))
([#193](#193))
([2d091ea](2d091ea))
* add issue auto-search and resolution verification to PR review skill
([#119](#119))
([deecc39](deecc39))
* add mandatory JWT + API key authentication
([#256](#256))
([c279cfe](c279cfe))
* add memory retrieval, ranking, and context injection pipeline
([#41](#41))
([873b0aa](873b0aa))
* add pluggable MemoryBackend protocol with models, config, and events
([#180](#180))
([46cfdd4](46cfdd4))
* add pluggable MemoryBackend protocol with models, config, and events
([#32](#32))
([46cfdd4](46cfdd4))
* add pluggable output scan response policies
([#263](#263))
([b9907e8](b9907e8))
* add pluggable PersistenceBackend protocol with SQLite implementation
([#36](#36))
([f753779](f753779))
* add progressive trust and promotion/demotion subsystems
([#43](#43),
[#49](#49))
([3a87c08](3a87c08))
* add retry handler, rate limiter, and provider resilience
([#100](#100))
([b890545](b890545))
* add SecOps security agent with rule engine, audit log, and ToolInvoker
integration ([#40](#40))
([83b7b6c](83b7b6c))
* add shared org memory and memory consolidation/archival
([#125](#125),
[#48](#48))
([4a0832b](4a0832b))
* design unified provider interface
([#86](#86))
([3e23d64](3e23d64))
* expand template presets, rosters, and add inheritance
([#80](#80),
[#81](#81),
[#84](#84))
([15a9134](15a9134))
* implement agent runtime state vs immutable config split
([#115](#115))
([4cb1ca5](4cb1ca5))
* implement AgentEngine core orchestrator
([#11](#11))
([#143](#143))
([f2eb73a](f2eb73a))
* implement AuditRepository for security audit log persistence
([#279](#279))
([94bc29f](94bc29f))
* implement basic tool system (registry, invocation, results)
([#15](#15))
([c51068b](c51068b))
* implement built-in file system tools
([#18](#18))
([325ef98](325ef98))
* implement communication foundation — message bus, dispatcher, and
messenger ([#157](#157))
([8e71bfd](8e71bfd))
* implement company template system with 7 built-in presets
([#85](#85))
([cbf1496](cbf1496))
* implement conflict resolution protocol
([#122](#122))
([#166](#166))
([e03f9f2](e03f9f2))
* implement core entity and role system models
([#69](#69))
([acf9801](acf9801))
* implement crash recovery with fail-and-reassign strategy
([#149](#149))
([e6e91ed](e6e91ed))
* implement engine extensions — Plan-and-Execute loop and call
categorization
([#134](#134),
[#135](#135))
([#159](#159))
([9b2699f](9b2699f))
* implement enterprise logging system with structlog
([#73](#73))
([2f787e5](2f787e5))
* implement graceful shutdown with cooperative timeout strategy
([#130](#130))
([6592515](6592515))
* implement hierarchical delegation and loop prevention
([#12](#12),
[#17](#17))
([6be60b6](6be60b6))
* implement LiteLLM driver and provider registry
([#88](#88))
([ae3f18b](ae3f18b)),
closes [#4](#4)
* implement LLM decomposition strategy and workspace isolation
([#174](#174))
([aa0eefe](aa0eefe))
* implement meeting protocol system
([#123](#123))
([ee7caca](ee7caca))
* implement message and communication domain models
([#74](#74))
([560a5d2](560a5d2))
* implement model routing engine
([#99](#99))
([d3c250b](d3c250b))
* implement parallel agent execution
([#22](#22))
([#161](#161))
([65940b3](65940b3))
* implement per-call cost tracking service
([#7](#7))
([#102](#102))
([c4f1f1c](c4f1f1c))
* implement personality injection and system prompt construction
([#105](#105))
([934dd85](934dd85))
* implement single-task execution lifecycle
([#21](#21))
([#144](#144))
([c7e64e4](c7e64e4))
* implement subprocess sandbox for tool execution isolation
([#131](#131))
([#153](#153))
([3c8394e](3c8394e))
* implement task assignment subsystem with pluggable strategies
([#172](#172))
([c7f1b26](c7f1b26)),
closes [#26](#26)
[#30](#30)
* implement task decomposition and routing engine
([#14](#14))
([9c7fb52](9c7fb52))
* implement Task, Project, Artifact, Budget, and Cost domain models
([#71](#71))
([81eabf1](81eabf1))
* implement tool permission checking
([#16](#16))
([833c190](833c190))
* implement YAML config loader with Pydantic validation
([#59](#59))
([ff3a2ba](ff3a2ba))
* implement YAML config loader with Pydantic validation
([#75](#75))
([ff3a2ba](ff3a2ba))
* initialize project with uv, hatchling, and src layout
([39005f9](39005f9))
* initialize project with uv, hatchling, and src layout
([#62](#62))
([39005f9](39005f9))
* Litestar REST API, WebSocket feed, and approval queue (M6)
([#189](#189))
([29fcd08](29fcd08))
* make TokenUsage.total_tokens a computed field
([#118](#118))
([c0bab18](c0bab18)),
closes [#109](#109)
* parallel tool execution in ToolInvoker.invoke_all
([#137](#137))
([58517ee](58517ee))
* testing framework, CI pipeline, and M0 gap fixes
([#64](#64))
([f581749](f581749))
* wire all modules into observability system
([#97](#97))
([f7a0617](f7a0617))


### Bug Fixes

* address Greptile post-merge review findings from PRs
[#170](https://github.com/Aureliolo/ai-company/issues/170)-[#175](https://github.com/Aureliolo/ai-company/issues/175)
([#176](#176))
([c5ca929](c5ca929))
* address post-merge review feedback from PRs
[#164](https://github.com/Aureliolo/ai-company/issues/164)-[#167](https://github.com/Aureliolo/ai-company/issues/167)
([#170](#170))
([3bf897a](3bf897a)),
closes [#169](#169)
* enforce strict mypy on test files
([#89](#89))
([aeeff8c](aeeff8c))
* harden Docker sandbox, MCP bridge, and code runner
([#50](#50),
[#53](#53))
([d5e1b6e](d5e1b6e))
* harden git tools security + code quality improvements
([#150](#150))
([000a325](000a325))
* harden subprocess cleanup, env filtering, and shutdown resilience
([#155](#155))
([d1fe1fb](d1fe1fb))
* incorporate post-merge feedback + pre-PR review fixes
([#164](#164))
([c02832a](c02832a))
* pre-PR review fixes for post-merge findings
([#183](#183))
([26b3108](26b3108))
* resolve circular imports, bump litellm, fix release tag format
([#286](#286))
([a6659b5](a6659b5))
* strengthen immutability for BaseTool schema and ToolInvoker boundaries
([#117](#117))
([7e5e861](7e5e861))


### Performance

* harden non-inferable principle implementation
([#195](#195))
([02b5f4e](02b5f4e)),
closes [#188](#188)


### Refactoring

* adopt NotBlankStr across all models
([#108](#108))
([#120](#120))
([ef89b90](ef89b90))
* extract _SpendingTotals base class from spending summary models
([#111](#111))
([2f39c1b](2f39c1b))
* harden BudgetEnforcer with error handling, validation extraction, and
review fixes
([#182](#182))
([c107bf9](c107bf9))
* harden personality profiles, department validation, and template
rendering ([#158](#158))
([10b2299](10b2299))
* pre-PR review improvements for ExecutionLoop + ReAct loop
([#124](#124))
([8dfb3c0](8dfb3c0))
* split events.py into per-domain event modules
([#136](#136))
([e9cba89](e9cba89))


### Documentation

* add ADR-001 memory layer evaluation and selection
([#178](#178))
([db3026f](db3026f)),
closes [#39](#39)
* add agent scaling research findings to DESIGN_SPEC
([#145](#145))
([57e487b](57e487b))
* add CLAUDE.md, contributing guide, and dev documentation
([#65](#65))
([55c1025](55c1025)),
closes [#54](#54)
* add crash recovery, sandboxing, analytics, and testing decisions
([#127](#127))
([5c11595](5c11595))
* address external review feedback with MVP scope and new protocols
([#128](#128))
([3b30b9a](3b30b9a))
* expand design spec with pluggable strategy protocols
([#121](#121))
([6832db6](6832db6))
* finalize 23 design decisions (ADR-002)
([#190](#190))
([8c39742](8c39742))
* update project docs for M2.5 conventions and add docs-consistency
review agent
([#114](#114))
([99766ee](99766ee))


### Tests

* add e2e single agent integration tests
([#24](#24))
([#156](#156))
([f566fb4](f566fb4))
* add provider adapter integration tests
([#90](#90))
([40a61f4](40a61f4))


### CI/CD

* add Release Please for automated versioning and GitHub Releases
([#278](#278))
([a488758](a488758))
* bump actions/checkout from 4 to 6
([#95](#95))
([1897247](1897247))
* bump actions/upload-artifact from 4 to 7
([#94](#94))
([27b1517](27b1517))
* bump anchore/scan-action from 6.5.1 to 7.3.2
([#271](#271))
([80a1c15](80a1c15))
* bump docker/build-push-action from 6.19.2 to 7.0.0
([#273](#273))
([dd0219e](dd0219e))
* bump docker/login-action from 3.7.0 to 4.0.0
([#272](#272))
([33d6238](33d6238))
* bump docker/metadata-action from 5.10.0 to 6.0.0
([#270](#270))
([baee04e](baee04e))
* bump docker/setup-buildx-action from 3.12.0 to 4.0.0
([#274](#274))
([5fc06f7](5fc06f7))
* bump sigstore/cosign-installer from 3.9.1 to 4.1.0
([#275](#275))
([29dd16c](29dd16c))
* harden CI/CD pipeline
([#92](#92))
([ce4693c](ce4693c))
* split vulnerability scans into critical-fail and high-warn tiers
([#277](#277))
([aba48af](aba48af))


### Maintenance

* add /worktree skill for parallel worktree management
([#171](#171))
([951e337](951e337))
* add design spec context loading to research-link skill
([8ef9685](8ef9685))
* add post-merge-cleanup skill
([#70](#70))
([f913705](f913705))
* add pre-pr-review skill and update CLAUDE.md
([#103](#103))
([92e9023](92e9023))
* add research-link skill and rename skill files to SKILL.md
([#101](#101))
([651c577](651c577))
* bump aiosqlite from 0.21.0 to 0.22.1
([#191](#191))
([3274a86](3274a86))
* bump pyyaml from 6.0.2 to 6.0.3 in the minor-and-patch group
([#96](#96))
([0338d0c](0338d0c))
* bump ruff from 0.15.4 to 0.15.5
([a49ee46](a49ee46))
* fix M0 audit items
([#66](#66))
([c7724b5](c7724b5))
* **main:** release ai-company 0.1.1
([#282](#282))
([2f4703d](2f4703d))
* pin setup-uv action to full SHA
([#281](#281))
([4448002](4448002))
* post-audit cleanup — PEP 758, loggers, bug fixes, refactoring, tests,
hookify rules
([#148](#148))
([c57a6a9](c57a6a9))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Signed-off-by: Aurelio <19254254+Aureliolo@users.noreply.github.com>
3 participants