
@bronzelle-cw bronzelle-cw commented Jan 22, 2026

User description

Add a new workflow .github/workflows/dependabot-auto-vet.yml that runs on Dependabot PRs, installs cargo-vet, runs cargo vet --locked, retries with imports, and when audits are still needed hands off to an external agent.

If the agent returns audits, the workflow certifies them, re-runs cargo vet --locked, and commits the changes back to the PR. If no agent is configured or the agent fails, it comments on the PR with the unvetted crates and fails.

This wires Dependabot updates into cargo-vet automation while keeping a hook for an AI/human agent to supply audits when required.


PR Type

Enhancement


Description

  • Automate Dependabot PR vetting with GitHub Actions

  • Run cargo vet --locked and import audits automatically

  • Invoke optional external agent for missing audits

  • Commit agent-provided audits or comment on failures


Diagram Walkthrough

flowchart LR
  A["Dependabot PR opened"] --> B["Checkout PR head"]
  B --> C["Set up Rust toolchain"]
  C --> D["Install cargo-vet"]
  D --> E["Initial cargo vet --locked"]
  E -- "non-zero status" --> F["Import audits and rerun vet"]
  E -- "zero status" --> G["Exit: fully vetted"]
  F --> H["Derive final vet status"]
  H -- "still unvetted" --> I["Prepare vetting context"]
  I --> J["Invoke external agent"]
  J -- "agent success" --> K["Apply agent audits"]
  J -- "agent failure" --> L["Comment on PR and fail"]
  K --> M["Verify cargo vet"]
  M --> N["Commit audit changes"]
  H -- "vetted after import" --> G

File Walkthrough

Relevant files

Configuration changes

  .github/workflows/dependabot-auto-vet.yml: Create Dependabot cargo-vet workflow (+158/-0)

  • Added Dependabot Cargo Vet GitHub Actions workflow
  • Configured steps: checkout, Rust setup, cargo-vet install
  • Implemented vetting logic with initial run and import
  • Integrated optional agent, comments, and commit steps

Documentation

  VETTING_CONTEXT.md: Extend vetting context guidelines (+9/-0)

  • Added instructions to record audits via cargo vet certify
  • Provided audit note structure examples
  • Enforced duplicate audit entry guard
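The vet, import, rerun and hand-off decision drawn in the flowchart above, as an added shell example that is not part of this PR's workflow file. VET_CMD is an assumed hook so the logic can be dry-run without cargo (by default it calls the real cargo vet); the log names vet-locked.log and vet-locked-final.log follow the workflow's own.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow file: a shell model of the vet -> import -> rerun
# -> hand-off decision so each branch can be exercised on its own. VET_CMD is an assumed
# hook (default: the real cargo vet) so the logic can be dry-run without a Rust checkout.
set -u
VET_CMD="${VET_CMD:-cargo vet}"

# Run one vet pass into a log file and echo its exit status. The `|| status=$?` keeps a
# failing vet from aborting the whole step under the `bash -e` shell of a `run:` block.
run_vet() {
  log="$1"; shift
  status=0
  $VET_CMD "$@" >"$log" 2>&1 || status=$?
  echo "$status"
}

# Decide the PR's vetting outcome for the checkout in $1. Echoes one of:
#   vetted               cargo vet --locked passed on the first run
#   vetted-after-import  passed after letting cargo vet refresh imports, then re-checking
#   needs-agent          still unvetted; vet-locked-final.log is what goes to the agent
# Exit status is 0 for the first two and 1 for needs-agent, so a step can gate on it.
vet_pipeline() {
  workdir="${1:-.}"
  first=$(run_vet "$workdir/vet-locked.log" --locked)
  if [ "$first" -eq 0 ]; then
    echo vetted
    return 0
  fi
  # Retry path (assumed to match "retries with imports"): a plain `cargo vet` run may
  # pull in imported audits, after which the locked check is repeated.
  run_vet "$workdir/vet-import.log" >/dev/null
  final=$(run_vet "$workdir/vet-locked-final.log" --locked)
  if [ "$final" -eq 0 ]; then
    echo vetted-after-import
    return 0
  fi
  echo needs-agent
  return 1
}
```

In a workflow step the echoed word can be written to `$GITHUB_OUTPUT` so that the agent, comment and commit steps can gate on it instead of re-parsing logs.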

@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Unpinned cargo-vet version

CARGO_VET_VERSION is declared but never used in the install step, so cargo install cargo-vet pulls the latest version. Pin the version (e.g. cargo install cargo-vet --version $CARGO_VET_VERSION) and consider adding --locked for reproducible installs.

- name: Install cargo-vet
  run: cargo install cargo-vet
Missing unvetted.json generation

The workflow later reads unvetted.json for both the agent and comment steps, but no preceding step generates this file. Add a step to export unvetted dependencies (e.g. cargo vet --locked --format json > unvetted.json) before invoking the agent or rendering the comment.

- name: Collect unvetted dependencies
  if: steps.vet_status.outputs.status != '0'
  run: |
    logfile="vet-locked-final.log"
    if [ ! -f "$logfile" ]; then
      logfile="vet-locked.log"
    fi

@github-actions

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Generate unvetted.json for agent

The agent expects an unvetted.json but the workflow never generates it, so the agent
step will always run on an empty file. Run cargo vet with JSON output to produce
unvetted.json before copying context. This ensures the agent has real data to
process.

.github/workflows/dependabot-auto-vet.yml [62-70]

 - name: Collect unvetted dependencies
   if: steps.vet_status.outputs.status != '0'
   run: |
+    # generate unvetted dependencies in JSON
+    cargo vet --locked --json unvetted.json > vet-locked.log 2>&1
     logfile="vet-locked-final.log"
     if [ ! -f "$logfile" ]; then
       logfile="vet-locked.log"
     fi
 
     cp VETTING_CONTEXT.md vetting-context.md
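Review bot: the added `cargo vet --locked --json unvetted.json` line runs under the step's default `bash -e` shell in a step that only executes after the previous vet failed (`if: steps.vet_status.outputs.status != '0'`), so its non-zero exit will abort the step before the log fallback and `cp VETTING_CONTEXT.md vetting-context.md` ever run; append `|| true` (or capture `$?` into a variable) so the step's own result is not decided by the re-run. Note also that this suggestion and the Reviewer Guide above disagree on the flag spelling (`--json unvetted.json` here, `--format json > unvetted.json` there) and that this form redirects stdout into vet-locked.log, so the flag the installed cargo-vet actually accepts should be checked with `cargo vet --help` before merging, and the JSON must end up in unvetted.json rather than in the log.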
Suggestion importance[1-10]: 9


Why: The agent expects unvetted.json, and without generating it via cargo vet --json, the agent will always receive empty data.

High
Pin cargo-vet installation version

The workflow sets CARGO_VET_VERSION but does not use it when installing cargo-vet,
making the installed version unpredictable. Pin the installation to the desired
version by referencing the env variable. This ensures reproducible runs.

.github/workflows/dependabot-auto-vet.yml [30-31]

 - name: Install cargo-vet
-  run: cargo install cargo-vet
+  run: cargo install cargo-vet --version $CARGO_VET_VERSION
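Review bot: this line drops the `--locked` flag that the Reviewer Guide above recommends for reproducible installs, and the variable should be quoted so it is passed as a single argument; `cargo install cargo-vet --locked --version "$CARGO_VET_VERSION"` covers both. Also confirm `CARGO_VET_VERSION` is visible to this step via a workflow-level or step-level `env:` block, since the hunk does not show where it is declared.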
Suggestion importance[1-10]: 8


Why: Using --version $CARGO_VET_VERSION ensures reproducible and predictable cargo-vet versions, matching the declared env var.

Medium
Import core before setFailed call

The script uses core.setFailed without importing @actions/core, causing a runtime
error. Require the core module at the top of the script block before calling
setFailed. This will correctly fail the step when needed.

.github/workflows/dependabot-auto-vet.yml [93-114]

 uses: actions/github-script@v7
 with:
   script: |
     const fs = require('fs');
+    const core = require('@actions/core');
     const unvetted = fs.existsSync('unvetted.json') ? fs.readFileSync('unvetted.json', 'utf8') : '[]';
     …
     core.setFailed('Agent step failed or was not configured.')
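Review bot: the added `require('@actions/core')` is unnecessary and more likely to break this step than fix it. actions/github-script (the `uses: actions/github-script@v7` line above) injects `core`, `github`, `context`, `exec`, `io` and `glob` into the script scope, so `core.setFailed` already resolves, and the `require` it exposes resolves relative to the checked-out workspace, where @actions/core will not be installed unless the repository happens to ship it. Drop the added line; if `core.setFailed` really throws at runtime, the cause is in the elided part of the script, not a missing import.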
Suggestion importance[1-10]: 8


Why: Without require('@actions/core'), the call to core.setFailed will throw an error, breaking the feedback step.

Medium

codecov bot commented Jan 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.31%. Comparing base (ec1cbd4) to head (8920b23).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2438      +/-   ##
==========================================
- Coverage   84.33%   84.31%   -0.02%     
==========================================
  Files         141      141              
  Lines       10803    10803              
==========================================
- Hits         9111     9109       -2     
- Misses       1692     1694       +2     
Flag | Coverage Δ
contracts-rocks-asset-transit-desk | 43.62% <ø> (ø)
contracts-rocks-balance-freezer | 42.71% <ø> (ø)
contracts-rocks-balance-tracker | 43.04% <ø> (-0.03%) ⬇️
contracts-rocks-base | 43.62% <ø> (ø)
contracts-rocks-blueprint | 43.97% <ø> (ø)
contracts-rocks-capybara-finance | 44.29% <ø> (ø)
contracts-rocks-capybara-finance-v2 | 44.00% <ø> (ø)
contracts-rocks-card-payment-processor | 44.06% <ø> (ø)
contracts-rocks-card-payment-processor-v2 | 44.38% <ø> (+0.02%) ⬆️
contracts-rocks-cashier | 43.97% <ø> (ø)
contracts-rocks-credit-agent | 43.28% <ø> (+0.02%) ⬆️
contracts-rocks-multisig | 43.95% <ø> (ø)
contracts-rocks-net-yield-distributor | 43.99% <ø> (ø)
contracts-rocks-periphery | 42.71% <ø> (ø)
contracts-rocks-shared-wallet-controller | 44.00% <ø> (-0.03%) ⬇️
contracts-rocks-token | 44.11% <ø> (+0.04%) ⬆️
contracts-rocks-treasury | 43.68% <ø> (ø)
e2e-admin-password | 22.83% <ø> (-0.02%) ⬇️
e2e-clock-stratus | 25.69% <ø> (ø)
e2e-genesis | 27.22% <ø> (ø)
e2e-importer-offline | 60.17% <ø> (+0.19%) ⬆️
e2e-rpc-downloader | 55.15% <ø> (ø)
e2e-stratus | 57.64% <ø> (+0.01%) ⬆️
leader-follower- | 61.67% <ø> (-0.02%) ⬇️
rust-tests | 31.86% <ø> (+1.30%) ⬆️

Flags with carried-forward coverage are not shown.

