
Fix Aquasec alerts #60

Merged: miroslavpojer merged 4 commits into master from feature/59-Fix-Aquasec-alerts on Dec 22, 2025

Conversation

@miroslavpojer (Collaborator) commented Dec 4, 2025

Release Notes

  • Update GitHub Actions workflows and add Dependabot configuration

Close #59

Summary by CodeRabbit

  • Chores

    • Added automated dependency update configuration with weekly scheduling.
    • Pinned GitHub Actions to specific commit references across CI/CD workflows for improved supply-chain security and reproducibility.
  • Infrastructure

    • Enhanced release workflow with refined tag creation and draft release generation steps.
    • Added token configuration to dependency management automation.


@coderabbitai bot commented Dec 4, 2025

Walkthrough

This pull request adds Dependabot configuration for automated dependency updates on GitHub Actions and sbt packages, and pins GitHub Actions across multiple workflows to specific commit SHAs instead of version tags for reproducibility and security compliance.

Changes

  • Dependency Management: .github/dependabot.yml
    Added new Dependabot configuration with weekly update schedules for GitHub Actions and sbt, targeting the master branch, with auto-update labels and commit message prefixes.
  • Workflow Action Pinning (Security): .github/workflows/assign_issue_to_project.yml, .github/workflows/build.yml, .github/workflows/check_pr_release_notes.yml, .github/workflows/dependent_items.yml, .github/workflows/jacoco_report.yml, .github/workflows/release_publish.yml, .github/workflows/test_filenames_check.yml
    Replaced version tag references with exact commit SHA hashes for multiple GitHub Actions (actions/checkout, actions/setup-python, coursier/cache-action, olafurpg/setup-scala, madrapps/jacoco-report, actions/github-script, etc.) across workflows.
  • Release Draft Enhancement: .github/workflows/release_draft.yml
    Added a "Create and push tag" step using github-script; reorganized draft release configuration with a new chapters structure (Breaking Changes, New Features, Bugfixes, Infrastructure, Documentation, Closed Epics, etc.), granular labeling, and duplicity settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • The majority of changes are repetitive SHA pinning across workflows following the same pattern, which requires minimal per-file reasoning
  • Dependabot configuration is straightforward YAML setup
  • release_draft.yml adds more detailed release notes configuration but no complex control flow logic
  • All changes are configuration-focused without substantial code logic modifications

Possibly related PRs

  • .github file upgrade #57: Modifies overlapping workflow files (check_pr_release_notes.yml, release_draft.yml) with related security and release configuration updates

Suggested labels

enhancement

Suggested reviewers

  • benedeki
  • salamonpavel

Poem

🐰 A rabbit hops through configs with care,
Pinning each action with SHA love to share!
Dependabot awakens with schedule so keen,
While release notes dance through chapters pristine—
Security fortified, reproducible cheer! 🔐✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is incomplete; it lacks the required 'Overview' section and does not explain what problem is being solved or why these changes address Aquasec alerts. Add an 'Overview' section explaining how the Dependabot configuration and GitHub Actions workflow updates address the specific Aquasec alerts (AVD-PIPELINE-0022, AVD-PIPELINE-0008).
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Fix Aquasec alerts' directly relates to the main objective of the PR to address Aquasec security alerts, and clearly summarizes the primary change.
Linked Issues check ✅ Passed The PR addresses issue #59 by pinning GitHub Actions to specific commit SHAs and adding Dependabot configuration, which mitigates supply chain security risks related to the mentioned Aquasec alerts.
Out of Scope Changes check ✅ Passed All changes focus on updating GitHub Actions workflows to use commit SHAs and adding Dependabot configuration, directly aligned with fixing Aquasec supply chain security alerts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 420cfbe and 117768a.

📒 Files selected for processing (2)
  • .github/workflows/check_pr_release_notes.yml (1 hunks)
  • .github/workflows/release_draft.yml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/check_pr_release_notes.yml
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/release_draft.yml

120-120: property "tagname" is not defined in object type {from-tag-name: string; tag-name: string}

(expression)


144-144: property "tagname" is not defined in object type {from-tag-name: string; tag-name: string}

(expression)


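The walkthrough above describes the fix as replacing version tags with commit SHAs across the workflow files. The script below is an added example of the check a reviewer would run to confirm that, before and after such a PR; it is written for this page and is not the repository's tooling nor the Aquasec scanner. It treats a reference as pinned only when the part after `@` is a full 40-hex commit SHA, and additionally flags SHA-pinned lines that lack a trailing `# vX.Y.Z` comment (a convention assumed here, not something the PR mandates). The sample workflow is constructed; the two SHAs in it are the ones this PR pins for actions/add-to-project and actions/github-script.

```python
"""
Audit GitHub Actions workflow files for mutable action references.

Added example for this PR's topic (pinning actions to commit SHAs); it is
not the AbsaOSS repository's own tooling and not the Aquasec check itself.
Assumed conventions: a "pinned" reference is a full 40-hex commit SHA, and
a SHA-pinned line should carry a trailing "# vX.Y.Z" comment naming the
release the SHA was taken from.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, NamedTuple

# Matches "uses: owner/repo@ref" (as a list item or not, quoted or not) and
# keeps any trailing comment so the version annotation can be checked.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?\s*(#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class ActionRef(NamedTuple):
    line_no: int
    action: str
    ref: str      # text after '@'; empty for local, docker and unversioned refs
    kind: str     # 'sha' | 'tag' | 'none' | 'local' | 'docker'
    comment: str  # trailing comment with '#' and surrounding whitespace stripped


def classify(uses: str) -> tuple:
    """Split a uses: value into (action, ref, kind)."""
    if uses.startswith("./"):
        return uses, "", "local"      # in-repo action: pinned by the checkout itself
    if uses.startswith("docker://"):
        return uses, "", "docker"     # image reference: digest pinning is a separate check
    if "@" not in uses:
        return uses, "", "none"       # no ref at all: resolves to the default branch
    action, ref = uses.rsplit("@", 1)
    return action, ref, ("sha" if SHA_RE.match(ref) else "tag")


def scan_workflow(text: str) -> list:
    """Return every action reference found in one workflow file's text."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, kind = classify(m.group(1))
        comment = (m.group(2) or "").lstrip("#").strip()
        refs.append(ActionRef(n, action, ref, kind, comment))
    return refs


def findings(text: str) -> list:
    """Human-readable problems for one workflow file (empty list means clean)."""
    out = []
    for r in scan_workflow(text):
        if r.kind in ("tag", "none"):
            shown = f"{r.action}@{r.ref}" if r.ref else r.action
            out.append(f"line {r.line_no}: {shown} is not pinned to a commit SHA")
        elif r.kind == "sha" and not r.comment:
            out.append(f"line {r.line_no}: {r.action}@{r.ref[:7]}... has no version comment")
    return out


def audit_dir(directory: Path) -> dict:
    """Map each *.yml / *.yaml file under directory to its findings."""
    files = sorted(list(directory.glob("*.yml")) + list(directory.glob("*.yaml")))
    return {str(p): findings(p.read_text()) for p in files}


# Constructed sample, not a file from the PR.
SAMPLE_WORKFLOW = """\
name: demo
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v0.5.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Script
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        with:
          script: console.log("hi")
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python audit.py .github/workflows
        for path, problems in audit_dir(Path(sys.argv[1])).items():
            for problem in problems:
                print(f"{path}: {problem}")
    else:
        print("\n".join(findings(SAMPLE_WORKFLOW)))
```

Run against `.github/workflows` it reports each `uses:` that still resolves through a tag or branch, which is exactly the state the SHA pinning in this PR removes. The version comment matters operationally as well as for readability: a bare SHA tells a reviewer nothing about which release it is, and Dependabot updates the comment together with the SHA when it bumps a pinned action.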

@github-actions bot commented Dec 4, 2025

JaCoCo 'balta' module code coverage report - scala 2.12.18

Overall Project 67.11% 🍏

There is no coverage information present for the Files changed

runs-on: ubuntu-latest
steps:
- uses: actions/add-to-project@v0.5.0
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e
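Review bot: the `v0.5.0` version being replaced is no longer readable anywhere on the pinned line. Keep it as a trailing comment, `- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v0.5.0`, so a reviewer can tell which release the SHA corresponds to and Dependabot can bump the comment together with the SHA.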
Collaborator:

Is this necessary? It's really, really cumbersome to use such a rule globally across our repos.

Collaborator (Author):

I was in an extra meeting with the CSO. From a security point of view, it is reasonable. This is the reason for low resistance from our side and why I have introduced Dependabot.

Collaborator:

Understood. Let's die on another hill, not this one.

PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for Dependabot PRs
if: startsWith(steps.metadata.outputs.update-type, 'version-update') || startsWith(steps.metadata.outputs.update-type, 'security')
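Review bot: assuming `steps.metadata` is dependabot/fetch-metadata, its `update-type` output only takes the values `version-update:semver-major`, `version-update:semver-minor` and `version-update:semver-patch`, so the `startsWith(..., 'security')` branch never matches and the `startsWith(..., 'version-update')` branch also admits major bumps. If auto-merge is kept at all, gate it on the minor and patch values explicitly, e.g. `if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'`, and key security updates off `steps.metadata.outputs.alert-state` rather than `update-type`.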
Collaborator:

Hmm, shouldn't we prevent doing this for major library updates?

Also, I think that this automatically, each Sunday, creates, approves, and merges up to 3 PRs of this kind. I'd rather prefer one step from a human: approval from someone in CODEOWNERS. I think it should be doable; we just need to adjust the branch protection, i.e. by adding Rulesets to this repo, right?

Collaborator (Author):

No problem, I was waiting for a decision to keep or remove the automated approve and merge. I will remove it.

Collaborator:

Yeah, I think it's probably much better to have control over this and perform PR merges by a human hand... well, finger. Library updates, even minor ones, can have serious consequences for the functional aspects of the project and all other projects using it. In other words, I don't prefer automation for this one.

@coderabbitai bot left a comment:

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
.github/workflows/release_draft.yml (5)

91-94: Remove incomplete step definition.

This step is missing the required with block containing the script. The complete implementation exists in the next step (lines 96-112), making this an incomplete duplicate that will cause the workflow to fail.

🔎 Apply this diff to remove the incomplete step:
-      - name: Create and Push Tag
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
-        env:
-          TAG_NAME: ${{ github.event.inputs.tag-name }}
-
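Review bot: removing this fragment also removes the only `env: TAG_NAME` definition in the job. If the surviving "Create and push tag" step reads `process.env.TAG_NAME` in its script, the `env:` block has to be carried over to that step rather than deleted, otherwise the tag name arrives as `undefined` and the step fails or creates a garbage ref.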

96-112: Add missing environment variable definition.

After removing the incomplete duplicate step above, this step needs the env block to define TAG_NAME.

🔎 Apply this diff to add the missing env block:
       - name: Create and push tag
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        env:
+          TAG_NAME: ${{ github.event.inputs.tag-name }}
         with:
           script: |
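Review bot: passing the input through `env` is the right shape; the alternative of writing `${{ github.event.inputs.tag-name }}` inside `script: |` would expand the user-supplied tag name into the JavaScript source before it runs, which is a script-injection vector. Worth adding a format check on `process.env.TAG_NAME` (for example a `^v\d+\.\d+\.\d+$` match) before the script calls the Git refs API.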

114-138: Remove incorrectly configured step.

This step contains configuration parameters (chapters, duplicity-scope, duplicity-icon, etc.) that don't exist in softprops/action-gh-release. These parameters belong to AbsaOSS/generate-release-notes, which is already correctly configured at lines 63-89. Additionally, line 120 references the non-existent input inputs.tagName instead of inputs.tag-name.

The correct draft release creation step exists at lines 139-148.

🔎 Apply this diff to remove the incorrectly configured step:
-      - name: Create Draft Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          name: ${{ github.event.inputs.tag-name }}
-          tag-name: ${{ github.event.inputs.tagName }}
-          chapters: |
-            - { title: No entry 🚫, label: duplicate }
-            - { title: Breaking Changes 💥, label: breaking-change }
-            - { title: New Features 🎉, label: enhancement }
-            - { title: Bugfixes 🛠, label: bug }
-            - { title: Infrastructure ⚙️, label: infrastructure }
-            - { title: Silent-live 🤫, label: silent-live }
-            - { title: Documentation 📜, label: documentation }
-            - { title: Closed Epics 📚, label: epic }
-          duplicity-scope: 'service'
-          duplicity-icon: '🔁'
-          warnings: true
-          skip-release-notes-labels: "no RN"
-          print-empty-chapters: false
-          row-format-issue: '_{title}_ {developed-by} {co-authored-by} in #{number}'
-          row-format-pr: '_{title}_ {developed-by} {co-authored-by} in #{number}'
-          row-format-link-pr: true
-
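Review bot: agree with dropping the step. Besides the unsupported `chapters`, `duplicity-*` and `row-format-*` inputs, it passes `tag-name` where softprops/action-gh-release expects `tag_name`, and `${{ github.event.inputs.tagName }}` is the reference actionlint flags at line 120, so even the inputs the action does understand would not have targeted the requested tag.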

139-148: Fix reference to non-existent input parameter.

Line 144 references inputs.tagName (camelCase), but the workflow input is defined as tag-name (kebab-case) at line 21. This will cause the workflow to fail.

🔎 Apply this diff to fix the input reference:
       - name: Create draft release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          name: ${{ github.event.inputs.tagName }}
+          name: ${{ github.event.inputs.tag-name }}
           body: ${{ steps.generate_release_notes.outputs.release-notes }}
           tag_name: ${{ github.event.inputs.tag-name }}
           draft: true
           prerelease: false
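Review bot: with this fix `name` and `tag_name` both resolve to the same `tag-name` input, which is the intent. Two things the visible lines imply: the job needs `permissions: contents: write` for this step to succeed if the default `GITHUB_TOKEN` is read-only, and a draft created with `secrets.GITHUB_TOKEN` will not itself fire any `release:`-triggered workflow in this repository; that only happens when a person later publishes the draft.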

91-148: Fix multiple critical issues in release workflow steps.

This workflow contains several blocking issues that will cause failures:

  1. Incomplete first step (line ~101): "Create and Push Tag" uses actions/github-script but lacks the required script parameter—only defines env.

  2. Invalid parameters in third step (line ~119): "Create Draft Release" passes chapters, duplicity-scope, duplicity-icon, and row-format-* parameters to softprops/action-gh-release, which does not support these inputs. These parameters belong to the AbsaOSS/generate-release-notes action used earlier.

  3. Parameter name inconsistency: Uses both tag-name and tag_name inconsistently (and tagName vs tag-name for input references), which will not resolve correctly.

  4. Duplicate release creation: Steps 3 and 4 both create releases using softprops/action-gh-release, causing redundant executions.

Remove the invalid "Create Draft Release" step, consolidate to a single release creation step using the correct tag_name parameter, and verify input variable names are consistent throughout.

env:
TAG_NAME: ${{ github.event.inputs.tag-name }}

- name: Create and push tag
@lsulak (Collaborator) commented Dec 18, 2025:

This has nothing to do with Aquasec. Please, let's all strive to have PRs that are as relevant and small as possible. You can keep it now... and thanks for the contribution, I definitely feel grateful, but I'd like us to improve on such things.

@lsulak (Collaborator) left a comment:

Thanks, I feel like it's good as is, hopefully I did not miss anything - but can be changed easily & quickly if so

@tmikula-dev (Contributor) left a comment:

From my point of view, these changes look good to me! The approach and upgrade of release_draft.yml were already implemented in our QA repositories. However, the questions raised by @lsulak need to be answered, so we act on agreed terms. It is crucial to be on the same page in our cooperation.

Development

Successfully merging this pull request may close these issues.

Fix Aquasec alerts

3 participants