Skip to content

chore: update dependency management and add guardrail checks#1828

Merged
YoshihitoAso merged 3 commits into
dev-26.6from
chore/dependabot-cooldown
May 28, 2026
Merged

chore: update dependency management and add guardrail checks#1828
YoshihitoAso merged 3 commits into
dev-26.6from
chore/dependabot-cooldown

Conversation

@purplesmoke05
Copy link
Copy Markdown
Member

@purplesmoke05 purplesmoke05 commented May 28, 2026

📌 Description

This pull request introduces a repository guardrail test to enforce supply-chain security policies and updates several project files to comply with these new standards.

✅ Related Issues

  • None

🔄 Changes

Repository guardrail enforcement and supply-chain security:

  • Added tests/test_guardrail_check.py, which enforces that all Docker base images and external Compose images are pinned by digest, prohibits remote ADD and pipe-to-shell installers in Dockerfiles, and checks that the Dependabot configuration enforces a 14-day cooldown for regular updates.
  • Updated .github/dependabot.yml to add a cooldown policy of 14 days for all managed ecosystems, explicitly define Docker and Docker Compose update blocks, and ensure all images are grouped and pinned by digest.

Docker and Compose image pinning:

  • Changed all Docker base images and Compose service images (Dockerfile, tests/Dockerfile_unittest, tests/Dockerfile_anvil, docker-compose.yml) to use digests instead of tags, ensuring reproducible builds and improved supply-chain security.

📌 Checklist

  • I have added tests where necessary.
  • I have updated the documentation where necessary.

@purplesmoke05
chore: update dependency management and add guardrail checks
926a9c3 
- Added cooldown policy for Dependabot updates in dependabot.yml
- Enhanced PR workflow to include additional test targets
- Updated Dockerfiles to pin base images by digest
- Added test_guardrail_check.py to enforce supply-chain policies
- Updated README files to document dependency update policy
@github-actions github-actions Bot requested a review from YoshihitoAso May 28, 2026 00:09
@purplesmoke05 purplesmoke05 marked this pull request as draft May 28, 2026 00:26
@purplesmoke05 purplesmoke05 marked this pull request as ready for review May 28, 2026 00:36
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 28, 2026
edited
Loading

Coverage

Coverage Report •
FileStmtsMissBranchBrPartCoverMissing
tests
   test_guardrail_check.py13313362620%20–24, 26–27, 29–33, 39, 50–51, 57, 61, 63–64, 67–69, 73–74, 85–86, 97–100, 102, 106–108, 111–113, 116–120, 122–123, 126–127, 130–133, 137, 141–143, 145, 150–153, 157, 161–167, 169–170, 172–174, 177–178, 180–186, 190, 194–200, 202–206, 208–216, 218–221, 224, 227–233, 238–239, 243, 247–248, 250–252, 254, 260–261, 263–264, 266, 272–273, 277–278
TOTAL372341450349063796% 

Tests Skipped Failures Errors Time
1276 0 💤 0 ❌ 0 🔥 11m 42s ⏱️

purplesmoke05
purplesmoke05 commented May 28, 2026
View reviewed changes
Comment thread tests/test_guardrail_check.py
Copy link
Copy Markdown
Member Author

@purplesmoke05 purplesmoke05 May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added comments above the guardrail tests and helper functions to make their purpose clear.

@YoshihitoAso YoshihitoAso merged commit 07078bf into dev-26.6 May 28, 2026
12 checks passed
@YoshihitoAso YoshihitoAso deleted the chore/dependabot-cooldown branch May 28, 2026 11:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YoshihitoAso YoshihitoAso YoshihitoAso approved these changes

Assignees

@purplesmoke05 purplesmoke05

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@purplesmoke05 @YoshihitoAso