From fd794c5d6e7b8894450a0e2613f6dbdb877da51c Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Fri, 23 Jan 2026 16:57:37 -0300 Subject: [PATCH 01/19] deps: update uuid to version 1.19.0 --- Cargo.lock | 6 +++--- Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8acc4d43c..5aa35d5ee 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -7168,13 +7168,13 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.18.1" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f87b8aa10b915a06587d0dec516c282ff295b475d94abf425d62b57710070a2" +checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a" dependencies = [ "getrandom 0.3.3", "js-sys", - "serde", + "serde_core", "wasm-bindgen", ] diff --git a/Cargo.toml b/Cargo.toml index b22be336e..3f95ccaa1 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -39,7 +39,7 @@ strum = { version = "=0.27.2", features = ["derive"] } quick_cache = "=0.6.18" sugars = "=3.0.1" thiserror = "=2.0.17" -uuid = { version = "=1.18.1", features = ["v7"]} +uuid = { version = "=1.19.0", features = ["v7"]} stratus_macros = { path = "./crates/stratus_macros" } libc = "=0.2.180" From 7e4545e5b611a4716faed8f11ba737ac641e3292 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Fri, 23 Jan 2026 17:53:22 -0300 Subject: [PATCH 02/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 187 ++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 .github/workflows/dependabot-auto-vet.yml diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml new file mode 100644 index 000000000..e6f612718 --- /dev/null +++ b/.github/workflows/dependabot-auto-vet.yml 
@@ -0,0 +1,187 @@ +name: Dependabot Cargo Vet + +on: + pull_request: + types: [opened, synchronize, reopened] + branches: + - "*" + workflow_dispatch: + +jobs: + vet-dependabot: + if: github.actor == 'bronzelle-cw' || github.actor == 'dependabot[bot]' + name: Vet Dependabot Updates + runs-on: ubuntu-22.04 + permissions: + contents: write + pull-requests: write + env: + CARGO_VET_VERSION: 0.10.0 + + steps: + - name: Checkout PR head + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: true + + - name: Set up Rust + run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.88 + + - name: Install cargo-vet + run: cargo install cargo-vet + + - name: Initial cargo vet --locked + id: vet_locked_initial + continue-on-error: true + run: | + cargo vet --locked > vet-locked.log 2>&1 || true + echo "status=$?" >> "$GITHUB_OUTPUT" + + - name: Try importing audits + if: steps.vet_locked_initial.outputs.status != '0' + run: | + cargo vet > vet-import.log 2>&1 || true + set +e + cargo vet --locked > vet-locked-final.log 2>&1 + echo $? > vet-locked-final.status + + - name: Derive vet status + id: vet_status + run: | + if [ -f vet-locked-final.status ]; then + status="$(cat vet-locked-final.status)" + else + status="${{ steps.vet_locked_initial.outputs.status }}" + fi + echo "status=$status" >> "$GITHUB_OUTPUT" + + - name: Early exit when fully vetted + if: steps.vet_status.outputs.status == '0' + run: echo "Vetting complete; no audits needed." + + - name: Collect unvetted dependency and crate diff + id: collect_unvetted_and_diff + if: steps.vet_status.outputs.status != '0' + run: | + # Expect a single unvetted crate from dependabot PRs; parse the line "crate:old -> new" + logfile="vet-locked-final.log" + if [ ! 
-f "$logfile" ]; then + logfile="vet-locked.log" + fi + line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1 | tr -d '[:space:]')" + crate="${line%%:*}" + vers="${line#*:}" + old="${vers%->*}" + new="${vers#*->}" + if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then + echo "Failed to parse unvetted crate/version from vet output" >&2 + exit 1 + fi + cargo vet diff "$crate" "$old" "$new" --mode local --output-format=human > crate-diff.txt || true + { + echo "crate=$crate" + echo "version=$new" + echo "diff<<'EOF'" + cat crate-diff.txt + echo "EOF" + } >> "$GITHUB_OUTPUT" + cp VETTING_CONTEXT.md vetting-context.md + + - name: Build prompt for Codex agent + id: build_prompt + if: steps.vet_status.outputs.status != '0' + run: | + ctx="$(cat vetting-context.md)" + diff="${{ steps.collect_unvetted_and_diff.outputs.diff }}" + crate="${{ steps.collect_unvetted_and_diff.outputs.crate }}" + version="${{ steps.collect_unvetted_and_diff.outputs.version }}" + { + echo "prompt<<'EOF'" + echo "You are a Rust supply-chain security auditor. Follow VETTING_CONTEXT strictly and emit an audit for the unvetted crate." 
+ echo + echo "VETTING_CONTEXT:" + echo "$ctx" + echo + echo "Unvetted dependency: $crate $version" + echo + echo "Diff between previous and bumped version (cargo vet diff):" + echo "$diff" + echo + echo "Respond ONLY with JSON (no prose, no code fences) matching:" + echo '[{\"crate\":\"name\",\"version\":\"x.y.z\",\"criteria\":\"safe-to-deploy\",\"who\":\"Agent Name \",\"notes\":\"concise safety-focused notes per VETTING_CONTEXT\"}]' + echo "If you cannot complete the audit, respond with an empty array: []" + echo "EOF" + } >> "$GITHUB_OUTPUT" + + - name: 🤖 Analyze and Fix Issue with Codex + id: codex + if: steps.vet_status.outputs.status != '0' + uses: openai/codex-action@main + with: + openai-api-key: ${{ secrets.OPENAI_API_KEY }} + model: gpt-5-codex + prompt: ${{ steps.build_prompt.outputs.prompt }} + + - name: Comment when agent step failed or missing + if: steps.vet_status.outputs.status != '0' && (steps.codex.outcome == 'failure' || steps.codex.outputs.response == '') + uses: actions/github-script@v7 + with: + script: | + const crate = '${{ steps.collect_unvetted_and_diff.outputs.crate }}'; + const version = '${{ steps.collect_unvetted_and_diff.outputs.version }}'; + const msg = [ + 'Cargo vet still needs audits and no agent result was applied.', + '', + `Unvetted dependency: ${crate} ${version}`, + '', + 'Codex agent was not configured or did not return a response. Ensure OPENAI_API_KEY is set and the prompt is valid.' 
+ ].join('\n'); + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + body: msg + }); + core.setFailed('Agent step failed or was not configured.') + + - name: Apply agent audits + if: steps.vet_status.outputs.status != '0' && steps.codex.outcome == 'success' && steps.codex.outputs.response != '' + run: | + set -eo pipefail + echo '${{ steps.codex.outputs.response }}' > agent-audits.json + audits="$(cat agent-audits.json)" + echo "Agent audits: $audits" + jq -c '.[]' agent-audits.json | while read -r row; do + crate="$(echo "$row" | jq -r '.crate')" + version="$(echo "$row" | jq -r '.version')" + criteria="$(echo "$row" | jq -r '.criteria')" + who="$(echo "$row" | jq -r '.who')" + notes="$(echo "$row" | jq -r '.notes')" + if [ -z "$crate" ] || [ -z "$version" ] || [ -z "$criteria" ] || [ -z "$who" ]; then + echo "Incomplete audit entry: $row" >&2 + exit 1 + fi + cargo vet certify "$crate" "$version" --criteria "$criteria" --who "$who" --notes "$notes" --accept-all + echo "$who" > .agent-who + done + + - name: Verify cargo vet after agent audits + if: steps.vet_status.outputs.status != '0' && steps.codex.outcome == 'success' && steps.codex.outputs.response != '' + run: cargo vet --locked + + - name: Commit audit changes + if: steps.vet_status.outputs.status != '0' && steps.codex.outcome == 'success' && steps.codex.outputs.response != '' + run: | + set -eo pipefail + if git diff --quiet; then + echo "No changes to commit." + exit 0 + fi + + who="$(cat .agent-who || true)" + git config user.name "${who:-dependabot-vet-bot}" + git config user.email "actions@github.com" + git add supply-chain/audits.toml supply-chain/imports.lock || true + git commit -m "chore(vet): apply agent audits" + git push origin "HEAD:${{ github.event.pull_request.head.ref }}" From a048a948d8b412eacfcf8329c96ee13dfd3b88ea Mon Sep 17 00:00:00 2001 
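Review bot: `echo '${{ steps.codex.outputs.response }}' > agent-audits.json` in the Apply agent audits step splices the model's output into the shell script text before bash parses it, so a single quote in the response closes the literal and whatever follows runs as commands under a token with `contents: write`; that response is derived from third-party crate source, which is precisely the input this workflow exists to distrust. The same pattern appears in Build prompt for Codex agent, where `diff="${{ steps.collect_unvetted_and_diff.outputs.diff }}"` inlines the crate diff itself, and in the github-script step, which interpolates the crate name into JavaScript. Route such values through `env:` and read the variable inside the script, and check the JSON shape before the loop consumes it; the rewritten Apply step is below and the other two steps need the same treatment. Separately, `git config user.name "${who:-dependabot-vet-bot}"` lets the model pick the commit author, so a fixed bot identity would keep the audit trail attributable.
```yaml
      - name: Apply agent audits
        if: steps.vet_status.outputs.status != '0' && steps.codex.outcome == 'success' && steps.codex.outputs.response != ''
        env:
          AGENT_RESPONSE: ${{ steps.codex.outputs.response }}
        run: |
          set -eo pipefail
          printf '%s\n' "$AGENT_RESPONSE" > agent-audits.json
          jq -e 'type == "array"' agent-audits.json > /dev/null
          # … unchanged: per-entry loop calling cargo vet certify …
```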
From: Rodrigo Bronzelle Date: Fri, 23 Jan 2026 17:59:12 -0300 Subject: [PATCH 03/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index e6f612718..a3b877b89 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -26,10 +26,14 @@ jobs: persist-credentials: true - name: Set up Rust - run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.88 + run: | + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.89 + echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" - name: Install cargo-vet - run: cargo install cargo-vet + run: | + source "$HOME/.cargo/env" + cargo install --locked --version $CARGO_VET_VERSION cargo-vet - name: Initial cargo vet --locked id: vet_locked_initial From 9f7c2b22ff08f929e1af4aacde64f5002fa00f86 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Fri, 23 Jan 2026 18:41:55 -0300 Subject: [PATCH 04/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index a3b877b89..7cac3a883 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -39,8 +39,11 @@ jobs: id: vet_locked_initial continue-on-error: true run: | - cargo vet --locked > vet-locked.log 2>&1 || true - echo "status=$?" >> "$GITHUB_OUTPUT" + set +e + cargo vet --locked > vet-locked.log 2>&1 + status=$? + echo "status=$status" >> "$GITHUB_OUTPUT" + exit 0 - name: Try importing audits if: steps.vet_locked_initial.outputs.status != '0' From caa28e6ce78c84e07cdd4921b0364395bf8d53f5 Mon Sep 17 00:00:00 2001 
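Review bot: The Set up Rust step still installs the toolchain with `curl … | sh` from sh.rustup.rs, an unpinned and unverified download inside the job whose purpose is to vet the supply chain; the hosted ubuntu-22.04 image already ships rustup, so `rustup toolchain install 1.89 --profile minimal && rustup default 1.89` yields the same toolchain without piping a remote script into a shell, and the `source "$HOME/.cargo/env"` line in Install cargo-vet then becomes unnecessary. Pinning with `cargo install --locked --version "$CARGO_VET_VERSION" cargo-vet` is the right move; quote the expansion for consistency with the rest of the script.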
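Review bot: `continue-on-error: true` on the Initial cargo vet step is now dead configuration, because the added `exit 0` already guarantees the step succeeds; keep one of the two so the intent (capture the status, never fail here) is stated once. The `set +e` / `status=$?` / `exit 0` sequence can also be written as `status=0; cargo vet --locked > vet-locked.log 2>&1 || status=$?`, which leaves errexit on for the rest of the script.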
From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 15:58:10 -0300 Subject: [PATCH 05/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 7cac3a883..9523ea53a 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -76,11 +76,14 @@ jobs: if [ ! -f "$logfile" ]; then logfile="vet-locked.log" fi - line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1 | tr -d '[:space:]')" + # Grab the first unvetted dependency line, e.g., "uuid:1.18.1 -> 1.19.0 missing ..." + line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" + line="$(echo "$line" | tr -d '[:space:]')" crate="${line%%:*}" - vers="${line#*:}" - old="${vers%->*}" - new="${vers#*->}" + rest="${line#*:}" + old="${rest%%->*}" + rest="${rest#*->}" + new="${rest%%missing*}" if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then echo "Failed to parse unvetted crate/version from vet output" >&2 exit 1 From ff7f0ad9ecfffee36a4c81b583fe5b277c861644 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 16:12:14 -0300 Subject: [PATCH 06/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 9523ea53a..2b2ac22c9 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
@@ -78,12 +78,9 @@ jobs: fi # Grab the first unvetted dependency line, e.g., "uuid:1.18.1 -> 1.19.0 missing ..." line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" - line="$(echo "$line" | tr -d '[:space:]')" - crate="${line%%:*}" - rest="${line#*:}" - old="${rest%%->*}" - rest="${rest#*->}" - new="${rest%%missing*}" + crate="$(echo "$line" | awk '{split($1,a,":"); print a[1]}')" + old="$(echo "$line" | awk '{split($1,a,":"); print a[2]}')" + new="$(echo "$line" | awk '{print $3}')" if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then echo "Failed to parse unvetted crate/version from vet output" >&2 exit 1 From a30ed3189b5658fd1f07a6212d3ebe669b895e04 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 16:19:56 -0300 Subject: [PATCH 07/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 2b2ac22c9..8a7b13a7c 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -62,6 +62,10 @@ jobs: status="${{ steps.vet_locked_initial.outputs.status }}" fi echo "status=$status" >> "$GITHUB_OUTPUT" + echo "vet-locked.log:" + cat vet-locked.log || true + echo "vet-locked-final.log:" + cat vet-locked-final.log || true - name: Early exit when fully vetted if: steps.vet_status.outputs.status == '0' 
@@ -78,9 +82,12 @@ jobs: fi # Grab the first unvetted dependency line, e.g., "uuid:1.18.1 -> 1.19.0 missing ..." line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" - crate="$(echo "$line" | awk '{split($1,a,":"); print a[1]}')" - old="$(echo "$line" | awk '{split($1,a,":"); print a[2]}')" - new="$(echo "$line" | awk '{print $3}')" + echo "Parsed line: $line" + # Use regex to extract crate, old, new + crate="$(echo "$line" | sed -n 's/^[[:space:]]*\\([^: ]*\\):.*$/\\1/p')" + old="$(echo "$line" | sed -n 's/^[^:]*:\\([^ ]*\\).*/\\1/p')" + new="$(echo "$line" | sed -n 's/.*->[[:space:]]*\\([^[:space:]]*\\)[[:space:]]*.*/\\1/p')" + echo "crate=$crate old=$old new=$new" if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then echo "Failed to parse unvetted crate/version from vet output" >&2 exit 1 From 1580c54a4b6c44840878f97adbfab424ce4ce034 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 16:25:54 -0300 Subject: [PATCH 08/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 8a7b13a7c..24cd7a326 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
@@ -75,18 +75,14 @@ jobs: id: collect_unvetted_and_diff if: steps.vet_status.outputs.status != '0' run: | - # Expect a single unvetted crate from dependabot PRs; parse the line "crate:old -> new" logfile="vet-locked-final.log" - if [ ! -f "$logfile" ]; then - logfile="vet-locked.log" - fi - # Grab the first unvetted dependency line, e.g., "uuid:1.18.1 -> 1.19.0 missing ..." + [ -f "$logfile" ] || logfile="vet-locked.log" line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" echo "Parsed line: $line" - # Use regex to extract crate, old, new - crate="$(echo "$line" | sed -n 's/^[[:space:]]*\\([^: ]*\\):.*$/\\1/p')" - old="$(echo "$line" | sed -n 's/^[^:]*:\\([^ ]*\\).*/\\1/p')" - new="$(echo "$line" | sed -n 's/.*->[[:space:]]*\\([^[:space:]]*\\)[[:space:]]*.*/\\1/p')" + # Line format: " uuid:1.18.1 -> 1.19.0 missing [\"safe-to-deploy\"]" + crate="$(echo "$line" | awk -F':' '{print $1}' | xargs)" + old="$(echo "$line" | awk -F':' '{print $2}' | awk '{print $1}')" + new="$(echo "$line" | awk '{for(i=1;i<=NF;i++) if($i==\"->\") {print $(i+1); break}}')" echo "crate=$crate old=$old new=$new" if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then echo "Failed to parse unvetted crate/version from vet output" >&2 From 2e742cd988947861e2373223763a10e58496ab48 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 16:32:23 -0300 Subject: [PATCH 09/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 24cd7a326..740ec9814 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
@@ -82,7 +82,7 @@ jobs: # Line format: " uuid:1.18.1 -> 1.19.0 missing [\"safe-to-deploy\"]" crate="$(echo "$line" | awk -F':' '{print $1}' | xargs)" old="$(echo "$line" | awk -F':' '{print $2}' | awk '{print $1}')" - new="$(echo "$line" | awk '{for(i=1;i<=NF;i++) if($i==\"->\") {print $(i+1); break}}')" + new="$(echo "$line" | awk '{for(i=1;i<=NF;i++) if($i=="->") {print $(i+1); break}}')" echo "crate=$crate old=$old new=$new" if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then echo "Failed to parse unvetted crate/version from vet output" >&2 From f38d8c416fcb8e40e492a45ce7e721a8758ffdea Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 16:42:49 -0300 Subject: [PATCH 10/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 42 +++++++++++------------ 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 740ec9814..6f55c1633 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -49,23 +49,18 @@ jobs: if: steps.vet_locked_initial.outputs.status != '0' run: | cargo vet > vet-import.log 2>&1 || true - set +e - cargo vet --locked > vet-locked-final.log 2>&1 - echo $? > vet-locked-final.status + # capture the first recommended diff command, if present + grep -m1 'cargo vet diff ' vet-import.log > recommended.diff.cmd || true - name: Derive vet status id: vet_status run: | - if [ -f vet-locked-final.status ]; then - status="$(cat vet-locked-final.status)" - else - status="${{ steps.vet_locked_initial.outputs.status }}" - fi + status="${{ steps.vet_locked_initial.outputs.status }}" echo "status=$status" >> "$GITHUB_OUTPUT" echo "vet-locked.log:" cat vet-locked.log || true - echo "vet-locked-final.log:" - cat vet-locked-final.log || true + echo "vet-import.log:" + cat vet-import.log || true - name: Early exit when fully vetted if: steps.vet_status.outputs.status == '0' 
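Review bot: After the import step, vet status is now taken solely from the pre-import run (`status="${{ steps.vet_locked_initial.outputs.status }}"`), so a PR that becomes fully vetted through imported audits is still routed to the agent path instead of exiting early. Re-run `cargo vet --locked > vet-locked-final.log 2>&1 || true` after the import and derive the status from that result, as the removed lines did. In the second hunk of this commit, `set -- $diff_cmd` followed by `crate="$3"` selects the word `diff`, since the tokens are `cargo vet diff <crate> <old> <new>`; crate, old and new are `$4`, `$5` and `$6`.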
@@ -75,18 +70,21 @@ jobs: id: collect_unvetted_and_diff if: steps.vet_status.outputs.status != '0' run: | - logfile="vet-locked-final.log" - [ -f "$logfile" ] || logfile="vet-locked.log" - line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" - echo "Parsed line: $line" - # Line format: " uuid:1.18.1 -> 1.19.0 missing [\"safe-to-deploy\"]" - crate="$(echo "$line" | awk -F':' '{print $1}' | xargs)" - old="$(echo "$line" | awk -F':' '{print $2}' | awk '{print $1}')" - new="$(echo "$line" | awk '{for(i=1;i<=NF;i++) if($i=="->") {print $(i+1); break}}')" - echo "crate=$crate old=$old new=$new" - if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then - echo "Failed to parse unvetted crate/version from vet output" >&2 - exit 1 + if [ -s recommended.diff.cmd ]; then + diff_cmd="$(cat recommended.diff.cmd)" + echo "Using recommended diff: $diff_cmd" + set -- $diff_cmd + crate="$3" + old="$4" + new="$5" + else + logfile="vet-locked.log" + line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" + echo "Parsed line: $line" + crate="$(echo "$line" | awk -F':' '{print $1}' | xargs)" + old="$(echo "$line" | awk -F'[: ]' '{print $2}')" + new="$old" + diff_cmd="cargo vet diff $crate $old $new" fi cargo vet diff "$crate" "$old" "$new" --mode local --output-format=human > crate-diff.txt || true { From 7a70f576550bfa5931e9a688ae96b3d78792ec60 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 16:50:14 -0300 Subject: [PATCH 11/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 29 ++++++++++------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 6f55c1633..410e5e2de 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
@@ -49,8 +49,8 @@ jobs: if: steps.vet_locked_initial.outputs.status != '0' run: | cargo vet > vet-import.log 2>&1 || true - # capture the first recommended diff command, if present - grep -m1 'cargo vet diff ' vet-import.log > recommended.diff.cmd || true + # capture the first recommended diff command, keep only the command and three args + grep -m1 'cargo vet diff ' vet-import.log | awk '{print $1, $2, $3, $4}' > recommended.diff.cmd || true - name: Derive vet status id: vet_status @@ -70,22 +70,17 @@ jobs: id: collect_unvetted_and_diff if: steps.vet_status.outputs.status != '0' run: | - if [ -s recommended.diff.cmd ]; then - diff_cmd="$(cat recommended.diff.cmd)" - echo "Using recommended diff: $diff_cmd" - set -- $diff_cmd - crate="$3" - old="$4" - new="$5" - else - logfile="vet-locked.log" - line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1)" - echo "Parsed line: $line" - crate="$(echo "$line" | awk -F':' '{print $1}' | xargs)" - old="$(echo "$line" | awk -F'[: ]' '{print $2}')" - new="$old" - diff_cmd="cargo vet diff $crate $old $new" + if [ ! -s recommended.diff.cmd ]; then + echo "No recommended diff found" >&2 + exit 1 fi + diff_cmd="$(cat recommended.diff.cmd)" + echo "Using recommended diff: $diff_cmd" + # tokens: cargo vet diff crate old new + set -- $diff_cmd + crate="$3" + old="$4" + new="$5" cargo vet diff "$crate" "$old" "$new" --mode local --output-format=human > crate-diff.txt || true { echo "crate=$crate" From d3bd9eaf230a1f693957db7b99460d0cc1052d35 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 17:20:15 -0300 Subject: [PATCH 12/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 33 +++++++++++++---------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 410e5e2de..30ff63f50 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
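Review bot: `exit 1` when recommended.diff.cmd is empty turns the case where imported audits already cover the bump into a hard failure, because the status still comes from the pre-import `cargo vet --locked` run while a tree that is vetted after import gives `cargo vet` no reason to print a `cargo vet diff` recommendation. Re-check with `cargo vet --locked` after the import and skip the collect step when that passes, rather than treating a missing recommendation as an error. The comment `# tokens: cargo vet diff crate old new` also contradicts the assignments beneath it: `$3` is the word `diff`, so they should read `crate="$4"`, `old="$5"`, `new="$6"`.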
@@ -49,9 +49,15 @@ jobs: if: steps.vet_locked_initial.outputs.status != '0' run: | cargo vet > vet-import.log 2>&1 || true - # capture the first recommended diff command, keep only the command and three args - grep -m1 'cargo vet diff ' vet-import.log | awk '{print $1, $2, $3, $4}' > recommended.diff.cmd || true + # Grab the first recommended diff line and keep the first 6 tokens: + # cargo vet diff + line="$(grep -m1 -E '^\s*cargo vet diff ' vet-import.log | sed -E 's/^\s+//')" + echo "Recommended line: $line" + echo "$line" | awk '{print $1,$2,$3,$4,$5,$6}' > recommended.diff.cmd || true + + echo "recommended.diff.cmd:" + cat recommended.diff.cmd || true - name: Derive vet status id: vet_status run: | @@ -70,25 +76,24 @@ jobs: id: collect_unvetted_and_diff if: steps.vet_status.outputs.status != '0' run: | + set -euo pipefail + if [ ! -s recommended.diff.cmd ]; then echo "No recommended diff found" >&2 exit 1 fi + diff_cmd="$(cat recommended.diff.cmd)" echo "Using recommended diff: $diff_cmd" - # tokens: cargo vet diff crate old new + + # diff_cmd tokens: cargo vet diff set -- $diff_cmd - crate="$3" - old="$4" - new="$5" - cargo vet diff "$crate" "$old" "$new" --mode local --output-format=human > crate-diff.txt || true - { - echo "crate=$crate" - echo "version=$new" - echo "diff<<'EOF'" - cat crate-diff.txt - echo "EOF" - } >> "$GITHUB_OUTPUT" + crate="$4" + old="$5" + new="$6" + + cargo vet diff "$crate" "$old" "$new" --output-format=human > crate-diff.txt + cp VETTING_CONTEXT.md vetting-context.md - name: Build prompt for Codex agent From 99932a8dfe07fd9a8d720249a7f8ba21285ac551 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 17:31:43 -0300 Subject: [PATCH 13/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 30ff63f50..2a267d42c 100644 
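Review bot: The rewrite of the collect step drops the `{ echo "crate=$crate"; echo "version=$new"; … } >> "$GITHUB_OUTPUT"` block without a replacement, so `steps.collect_unvetted_and_diff.outputs.crate` and `.version`, read by the Build prompt step outside this hunk, are now empty and the prompt names no crate. Keep at least `echo "crate=$crate"` and `echo "version=$new"` in the step's output. With `set -euo pipefail` now active and the `|| true` removed, any non-zero exit from `cargo vet diff` ends the step before `vetting-context.md` is copied; state explicitly which exit codes are acceptable there.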
--- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -92,7 +92,10 @@ jobs: old="$5" new="$6" - cargo vet diff "$crate" "$old" "$new" --output-format=human > crate-diff.txt + # Force CI-friendly output: + # - --mode=local avoids opening diff.rs in browser + # - pipe through cat to disable pager behavior reliably + cargo vet diff "$crate" "$old" "$new" --mode=local --output-format=text 2>crate-diff.stderr | cat > crate-diff.txt cp VETTING_CONTEXT.md vetting-context.md From 71d9a500d6526d7f7efedcfc9ec0da088b7f8222 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 17:46:24 -0300 Subject: [PATCH 14/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 2a267d42c..97341a4c0 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
@@ -95,16 +95,34 @@ jobs: # Force CI-friendly output: # - --mode=local avoids opening diff.rs in browser # - pipe through cat to disable pager behavior reliably - cargo vet diff "$crate" "$old" "$new" --mode=local --output-format=text 2>crate-diff.stderr | cat > crate-diff.txt + # Run diff and capture output, but don't let -e kill the step yet + set +e + cargo vet diff "$crate" "$old" "$new" --mode=local --output-format=text \ + > crate-diff.txt 2> crate-diff.stderr + status=$? + set -e + + echo "cargo vet diff exit status: $status" + # 0 = no diff, 1 = diff exists (expected), 2 = trouble (real failure) + if [ "$status" -gt 1 ]; then + echo "cargo vet diff failed (status=$status). stderr:" + sed -n '1,200p' crate-diff.stderr + exit "$status" + fi cp VETTING_CONTEXT.md vetting-context.md + { + echo "crate=$crate" + echo "version=$new" + } >> "$GITHUB_OUTPUT" - name: Build prompt for Codex agent id: build_prompt if: steps.vet_status.outputs.status != '0' run: | ctx="$(cat vetting-context.md)" - diff="${{ steps.collect_unvetted_and_diff.outputs.diff }}" + # diff="${{ steps.collect_unvetted_and_diff.outputs.diff }}" + diff="$(head -c 180000 crate-diff.txt)" crate="${{ steps.collect_unvetted_and_diff.outputs.crate }}" version="${{ steps.collect_unvetted_and_diff.outputs.version }}" { From 2facf35a463cdb5257869524f009b92b5b0a50f0 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 17:53:01 -0300 Subject: [PATCH 15/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 97341a4c0..d15d17358 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
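Review bot: `diff="$(head -c 180000 crate-diff.txt)"` silently truncates the crate diff the agent audits, so any change past the first 180000 bytes is never seen, yet the resulting audit still certifies the whole version. Detect the overflow before building the prompt and refuse to certify on partial evidence, e.g. `if [ "$(wc -c < crate-diff.txt)" -gt 180000 ]; then echo "crate diff exceeds prompt budget; not auditing a truncated diff" >&2; exit 1; fi`, or at minimum append an explicit truncation marker to the prompt so the response can be rejected. The comment mapping `cargo vet diff` exit status `0/1/2` should say where that contract comes from, since the step now relies on it to decide between continuing and failing.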
@@ -97,7 +97,7 @@ jobs: # - pipe through cat to disable pager behavior reliably # Run diff and capture output, but don't let -e kill the step yet set +e - cargo vet diff "$crate" "$old" "$new" --mode=local --output-format=text \ + cargo vet diff "$crate" "$old" "$new" --mode=local --output-format=human \ > crate-diff.txt 2> crate-diff.stderr status=$? set -e From 1f4eb5f3dbad8eb452e0b1a1550f70b2c45e95f1 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 18:01:42 -0300 Subject: [PATCH 16/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index d15d17358..935737ea9 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -125,8 +125,9 @@ jobs: diff="$(head -c 180000 crate-diff.txt)" crate="${{ steps.collect_unvetted_and_diff.outputs.crate }}" version="${{ steps.collect_unvetted_and_diff.outputs.version }}" + delim="PROMPT_$(date +%s%N)" { - echo "prompt<<'EOF'" + echo "prompt<<$delim" echo "You are a Rust supply-chain security auditor. Follow VETTING_CONTEXT strictly and emit an audit for the unvetted crate." echo echo "VETTING_CONTEXT:" @@ -138,9 +139,9 @@ jobs: echo "$diff" echo echo "Respond ONLY with JSON (no prose, no code fences) matching:" - echo '[{\"crate\":\"name\",\"version\":\"x.y.z\",\"criteria\":\"safe-to-deploy\",\"who\":\"Agent Name \",\"notes\":\"concise safety-focused notes per VETTING_CONTEXT\"}]' + echo '[{"crate":"name","version":"x.y.z","criteria":"safe-to-deploy","who":"Agent Name ","notes":"concise safety-focused notes per VETTING_CONTEXT"}]' echo "If you cannot complete the audit, respond with an empty array: []" - echo "EOF" + echo "$delim" } >> "$GITHUB_OUTPUT" - name: 🤖 Analyze and Fix Issue with Codex From 7636795263b510edc661d3a4d324f6594198f327 Mon Sep 17 00:00:00 2001 
From: Rodrigo Bronzelle Date: Mon, 26 Jan 2026 19:06:35 -0300 Subject: [PATCH 17/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index 935737ea9..d33673980 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -144,10 +144,20 @@ jobs: echo "$delim" } >> "$GITHUB_OUTPUT" + - name: Debug OPENAI key presence + run: | + if [ -z "${{ secrets.OPENAI_API_KEY }}" ]; then + echo "OPENAI_API_KEY is empty/missing" + exit 1 + fi + echo "OPENAI_API_KEY present (length: ${#OPENAI_API_KEY})" + env: + OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} + - name: 🤖 Analyze and Fix Issue with Codex id: codex if: steps.vet_status.outputs.status != '0' - uses: openai/codex-action@main + uses: openai/codex-action@v1 with: openai-api-key: ${{ secrets.OPENAI_API_KEY }} model: gpt-5-codex From b76ce8bd02439a6d7ad7167b56d57c0029d1b612 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Wed, 28 Jan 2026 10:00:45 -0300 Subject: [PATCH 18/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index d33673980..feadfd397 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml 
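Review bot: The Debug OPENAI key presence step expands `${{ secrets.OPENAI_API_KEY }}` straight into the generated shell script (`if [ -z "${{ secrets.OPENAI_API_KEY }}" ]`) even though the same value is already provided as `$OPENAI_API_KEY` through `env:`; test the variable instead, `if [ -z "$OPENAI_API_KEY" ]; then`, so the secret never becomes part of the script text. The step also has no `if:` guard, so it runs and fails on every PR where the secret is unavailable, including ones the early-exit path has already declared fully vetted; give it the same `if: steps.vet_status.outputs.status != '0'` condition as the Codex step. `uses: openai/codex-action@v1` is a mutable tag; for a workflow that writes audits and pushes to the PR branch, pin the action to a full commit SHA.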
@@ -145,24 +145,30 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Debug OPENAI key presence + shell: bash + env: + OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} run: | - if [ -z "${{ secrets.OPENAI_API_KEY }}" ]; then + if [ -z "$OPENAI_API_KEY" ]; then echo "OPENAI_API_KEY is empty/missing" exit 1 fi + echo "OPENAI_API_KEY present (length: ${#OPENAI_API_KEY})" - env: - OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} + + # Persist for subsequent steps in this job + echo "OPENAI_API_KEY=$OPENAI_API_KEY" >> "$GITHUB_ENV" - name: 🤖 Analyze and Fix Issue with Codex id: codex if: steps.vet_status.outputs.status != '0' uses: openai/codex-action@v1 with: - openai-api-key: ${{ secrets.OPENAI_API_KEY }} + openai-api-key: ${{ env.OPENAI_API_KEY }} model: gpt-5-codex prompt: ${{ steps.build_prompt.outputs.prompt }} + - name: Comment when agent step failed or missing if: steps.vet_status.outputs.status != '0' && (steps.codex.outcome == 'failure' || steps.codex.outputs.response == '') uses: actions/github-script@v7 From ea211c2d1c887b46e8babc39e5d9b862eb6438c5 Mon Sep 17 00:00:00 2001 From: Rodrigo Bronzelle Date: Thu, 29 Jan 2026 09:51:03 -0300 Subject: [PATCH 19/19] wip: testing --- .github/workflows/dependabot-auto-vet.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-vet.yml b/.github/workflows/dependabot-auto-vet.yml index feadfd397..62a14184f 100644 --- a/.github/workflows/dependabot-auto-vet.yml +++ b/.github/workflows/dependabot-auto-vet.yml @@ -147,7 +147,7 @@ jobs: - name: Debug OPENAI key presence shell: bash env: - OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} + OPENAI_API_KEY: ${{ secrets.OPENAI_KEY }} run: | if [ -z "$OPENAI_API_KEY" ]; then echo "OPENAI_API_KEY is empty/missing"
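Review bot: `echo "OPENAI_API_KEY=$OPENAI_API_KEY" >> "$GITHUB_ENV"` writes the API key into the job-wide environment, where every later step — including the third-party `actions/github-script` and `openai/codex-action` steps and any process they spawn — can read it, which is far broader exposure than the single input that needs it. Drop that line and hand the secret directly to its consumer with `openai-api-key: ${{ secrets.OPENAI_API_KEY }}`, keeping the `env:` mapping on the debug step only. Printing `${#OPENAI_API_KEY}` adds nothing beyond presence; `[ -n "$OPENAI_API_KEY" ]` with a plain "present" message is sufficient.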