Add Dependabot Cargo Vet workflow

[bronzelle-cw]

User description

Concise Summary
The intent of this PR is to automate cargo-vet for Dependabot crate bumps. It runs automatically on Dependabot PRs and can also be manually dispatched on any branch.

How It Works

1. Setup: checkout PR head, install Rust + cargo-vet, create workspace folders, validate and cap the policy context file.
2. Verification: run cargo vet --locked as a fast gate; if already fully vetted, comment and stop.
3. Collect: run cargo vet to find recommended diffs; build a cases.tsv list when diffs exist.
4. Reasoning setup: generate capped diffs, build prompt template + per-crate prompts, initialize Codex once.
5. Reasoning: for each crate, run Codex to decide vetted vs unvetted, producing vet/decisions.json.
6. Apply: auto-certify vetted crates with cargo vet certify, then re-check cargo vet --locked.
7. Commit & push: commit any changes in supply-chain/ and push back to the PR branch.
8. PR comment: post a consolidated summary with vetted/unvetted counts and commit info.
9. Optional gate: fail the job if any crate remains unvetted.

---

Diagram Walkthrough

flowchart LR
  A["Dependabot PR opened"] --> B["Checkout PR head"]
  B --> C["Set up Rust toolchain"]
  C --> D["Install cargo-vet"]
  D --> E["Initial cargo vet --locked"]
  E -- "non-zero status" --> F["Import audits and rerun vet"]
  E -- "zero status" --> G["Exit: fully vetted"]
  F --> H["Derive final vet status"]
  H -- "still unvetted" --> I["Prepare vetting context"]
  I --> J["Invoke external agent"]
  J -- "agent success" --> K["Apply agent audits"]
  J -- "agent failure" --> L["Comment on PR and fail"]
  K --> M["Verify cargo vet"]
  M --> N["Commit audit changes"]
  H -- "vetted after import" --> G

Loading

File Walkthrough

	Relevant files
Configuration changes	dependabot-auto-vet.yml Create Dependabot cargo-vet workflow                                          .github/workflows/dependabot-auto-vet.yml Added Dependabot Cargo Vet GitHub Actions workflow Configured steps: checkout, Rust setup, cargo-vet install Implemented vetting logic with initial run and import Integrated optional agent, comments, and commit steps +158/-0
Documentation	VETTING_CONTEXT.md Extend vetting context guidelines                                                VETTING_CONTEXT.md Added instructions to record audits via cargo vet certify Provided audit note structure examples Enforced duplicate audit entry guard +9/-0

---

---

PR Type

Enhancement

---

Description

• Add Dependabot cargo-vet workflow

  • Setup Rust and install cargo-vet
  • Generate and cap diffs
  • Integrate OpenAI Codex for decisions
  • Auto-certify crates and push commits

• Remove obsolete VETTING_CONTEXT.md file

• Add supply-chain/vet/VETTING_POLICY.md policy

---

Diagram Walkthrough

flowchart LR
  A["Dependabot PR"] --> B["Checkout PR head"]
  B --> C["Setup Rust & cargo-vet"]
  C --> D["Run cargo vet locked/unlocked"]
  D --> E["Generate and cap diffs"]
  E --> F["Run Codex for decisions"]
  F --> G["Auto-certify vetted crates"]
  G --> H["Commit changes & comment PR"]

Loading

File Walkthrough

	Relevant files
Configuration changes	dependabot-auto-vet.yml Add Dependabot cargo-vet workflow                                                .github/workflows/dependabot-auto-vet.yml Introduce Dependabot cargo-vet workflow Steps: setup Rust, install cargo-vet Run vet, generate and cap diffs Integrate Codex, auto-certify, comment PR +504/-0
Documentation	VETTING_CONTEXT.md Remove obsolete vetting context                                                    VETTING_CONTEXT.md Remove outdated AI vetting context file +0/-146  VETTING_POLICY.md Add vetting policy file                                                                    supply-chain/vet/VETTING_POLICY.md Add new dependency diff vetting policy +91/-0

---

[github-actions]

PR Reviewer Guide 🔍

(Review updated until commit 5fe976d)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Manual Dispatch The workflow_dispatch trigger is intended for manual runs, but the job’s top-level if: github.actor == 'dependabot[bot]' will prevent it from executing when invoked manually. Consider separating the actor check or adding a conditional that allows manual dispatch to run. on: pull_request: types: [opened, synchronize, reopened] branches: ["*"] workflow_dispatch: jobs: vet: if: github.actor == 'dependabot[bot]' runs-on: ubuntu-22.04 Dependabot Actor Coverage Ensure that the actor filter dependabot[bot] covers all Dependabot scenarios (e.g., preview bots or renamed actors). If there are other Dependabot actor identifiers, include them or use a broader condition. if: github.actor == 'dependabot[bot]' Deleted Context File The VETTING_CONTEXT.md file was deleted. Confirm there are no residual references to it in the workflow or documentation, and that the new supply-chain/vet/VETTING_POLICY.md fully replaces its content.

[github-actions]

PR Code Suggestions ✨

Latest suggestions up to 5fe976d
Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix grep whitespace matching The \s escape isn't supported in POSIX ERE, so the grep never matches whitespace-prefixed lines. Use a POSIX character class like [[:space:]] to correctly detect leading whitespace. .github/workflows/dependabot-auto-vet.yml [126-129] -grep -E '^\s*cargo vet diff ' vet/vet-import.log \ - | sed -E 's/^\s+//' \ +grep -E '^[[:space:]]*cargo vet diff ' vet/vet-import.log \ + | sed -E 's/^[[:space:]]+//' \ | awk '{print $1"\t"$2"\t"$3"\t"$4"\t"$5"\t"$6}' \ > vet/recommended.diff.cmds || true Suggestion importance[1-10]: 8 __ Why: grep -E does not support \s, so the original pattern never matches indented lines, breaking diff extraction; using [[:space:]] ensures proper detection.	Medium
General	Skip unlocked vet if already vetted Add a condition to only run the unlocked cargo vet step if the locked vet fast-gate failed. This prevents unnecessary processing and side effects when no diffs are needed. .github/workflows/dependabot-auto-vet.yml [118-122] - name: cargo vet (unlocked) to get recommendations id: vet_import + if: steps.vet_locked.outputs.status != '0' run: | set -euo pipefail cargo vet > vet/vet-import.log 2>&1 || true ... Suggestion importance[1-10]: 5 __ Why: Skipping the unlocked cargo vet step when the locked gate passes avoids unnecessary work and side effects, improving workflow efficiency.	Low

---

Previous suggestions

Suggestions up to commit f21b728

Category	Suggestion	Impact
Possible issue	Generate unvetted.json for agent The agent expects an unvetted.json but the workflow never generates it, so the agent step will always run on an empty file. Run cargo vet with JSON output to produce unvetted.json before copying context. This ensures the agent has real data to process. .github/workflows/dependabot-auto-vet.yml [62-70] - name: Collect unvetted dependencies if: steps.vet_status.outputs.status != '0' run: | + # generate unvetted dependencies in JSON + cargo vet --locked --json unvetted.json > vet-locked.log 2>&1 logfile="vet-locked-final.log" if [ ! -f "$logfile" ]; then logfile="vet-locked.log" fi cp VETTING_CONTEXT.md vetting-context.md Suggestion importance[1-10]: 9 __ Why: The agent expects unvetted.json, and without generating it via cargo vet --json, the agent will always receive empty data.	High
	Pin cargo-vet installation version The workflow sets CARGO_VET_VERSION but does not use it when installing cargo-vet, making the installed version unpredictable. Pin the installation to the desired version by referencing the env variable. This ensures reproducible runs. .github/workflows/dependabot-auto-vet.yml [30-31] - name: Install cargo-vet - run: cargo install cargo-vet + run: cargo install cargo-vet --version $CARGO_VET_VERSION Suggestion importance[1-10]: 8 __ Why: Using --version $CARGO_VET_VERSION ensures reproducible and predictable cargo-vet versions, matching the declared env var.	Medium
	Import core before setFailed call The script uses core.setFailed without importing @actions/core, causing a runtime error. Require the core module at the top of the script block before calling setFailed. This will correctly fail the step when needed. .github/workflows/dependabot-auto-vet.yml [93-114] uses: actions/github-script@v7 with: script: | const fs = require('fs'); + const core = require('@actions/core'); const unvetted = fs.existsSync('unvetted.json') ? fs.readFileSync('unvetted.json', 'utf8') : '[]'; … core.setFailed('Agent step failed or was not configured.') Suggestion importance[1-10]: 8 __ Why: Without require('@actions/core'), the call to core.setFailed will throw an error, breaking the feedback step.	Medium

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.90%. Comparing base (c06f544) to head (bfcbfbd).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2438      +/-   ##
==========================================
- Coverage   84.34%   81.90%   -2.45%     
==========================================
  Files         141      141              
  Lines       10803    10803              
==========================================
- Hits         9112     8848     -264     
- Misses       1691     1955     +264     

Flag	Coverage Δ
contracts-rocks-asset-transit-desk	43.62% <ø> (-0.03%)	⬇️
contracts-rocks-balance-freezer	42.71% <ø> (ø)
contracts-rocks-balance-tracker	43.06% <ø> (ø)
contracts-rocks-base	43.62% <ø> (ø)
contracts-rocks-blueprint	43.97% <ø> (-0.03%)	⬇️
contracts-rocks-capybara-finance	44.29% <ø> (ø)
contracts-rocks-capybara-finance-v2	44.00% <ø> (ø)
contracts-rocks-card-payment-processor	44.06% <ø> (ø)
contracts-rocks-card-payment-processor-v2	44.36% <ø> (ø)
contracts-rocks-cashier	43.97% <ø> (ø)
contracts-rocks-credit-agent	43.26% <ø> (ø)
contracts-rocks-multisig	43.95% <ø> (ø)
contracts-rocks-net-yield-distributor	43.97% <ø> (ø)
contracts-rocks-periphery	42.71% <ø> (ø)
contracts-rocks-shared-wallet-controller	44.02% <ø> (+0.02%)	⬆️
contracts-rocks-token	44.06% <ø> (-0.03%)	⬇️
contracts-rocks-treasury	43.68% <ø> (ø)
e2e-admin-password	22.84% <ø> (-0.02%)	⬇️
e2e-clock-stratus	25.69% <ø> (ø)
e2e-genesis	27.25% <ø> (+0.02%)	⬆️
e2e-importer-offline	60.15% <ø> (-0.03%)	⬇️
e2e-rpc-downloader	54.96% <ø> (-0.20%)	⬇️
e2e-stratus	53.60% <ø> (-4.00%)	⬇️
leader-follower-	61.11% <ø> (-0.62%)	⬇️
rust-tests	31.91% <ø> (+0.08%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Persistent review updated to latest commit 5fe976d

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5fe976d13b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[carneiro-cw]

This feels confusing, if the context file size will be capped, how can I know that something I add to the VETTING_POLICY is actually being used?

[bronzelle-cw]

I understand the concern — this is a trade-off we need to make.

There is no guarantee if the context is partially truncated, so the safer options are:

• Keep the context size conservative and within a fixed limit.
• Always try to include the full diff and the VETTING_POLICY, and if the context limit is reached, stop the automation instead of continuing with incomplete data.
• As a more complex alternative, split the diff into smaller parts and analyze them separately.

[carneiro-cw]

Sorry, I don't think this trade off makes any sense. The CONTEXT_CHAR_LIMIT is limiting only the CONTEXT_FILE (VETTING_POLICY.md) size.

I cannot understand the rationale of possibly not including the full policy. If including the entire policy is not that important then it is not a policy. If instead it is important that the policy doesn't get too big, the action should fail if it does.

I can't think of a scenario where the policy is amended such that it has more than 90k characters, but we don't actually care if the entire updated policy is used. (what was the point of updating the policy in this scenario?)

[carneiro-cw]

On this point, truncating the diff also seems non-sensical. We want to vet the crate upgrades because they could be malicious, truncating the diff is like saying to a possible supply chain attacker "you can include whatever you want as long as you pad it with enough characters". It'd be better to just outright fail the action if the diff size is too large or something. The 180000 character limit does seem too small either way, as the model being used can handle up to 400k tokens (and usually tokens are larger than 1 character).

[bronzelle-cw]

There's no capping of neither the policy nor the diff. If the context is too big for being checked in fact this should be treated as unvetted.

[carneiro-cw]

why not initially write most of the file before the if then append the DIFF if it exsits? No need to repeat everything

[bronzelle-cw]

That’s fair. I duplicated the block to keep the “missing diff” case explicit, but I agree it’s cleaner to write the common header once and append the DIFF when it exists. I’ll change it.

[carneiro-cw]

isn't most of these in the VETTING_POLICY.md already?

[bronzelle-cw]

Good point — there was overlap. I originally split it per a model suggestion: put the role/policy in a separate file and keep only concise technical instructions (like the JSON-only output) in the workflow prompt. I did keep a little more in the workflow as extra guardrails, but I’ve now trimmed it to refer to VETTING_POLICY.md and keep only the minimal output requirements.

[carneiro-cw]

I don't know what will work, if you find that it works better to repeat the instructions here, go ahead, I just want to understand it.