Summary
The dependabot_alert webhook payload schema for dependency.relationship is missing the "inconclusive" literal value that GitHub sends in practice and that already exists in the corresponding REST API model.
Affected Schema
Webhook model (DependabotAlertPropDependency.relationship — used by all 8 dependabot_alert webhook action variants):
"unknown" | "direct" | "transitive" ← missing "inconclusive"
REST API model (DependabotAlertWithRepositoryPropDependency.relationship):
"unknown" | "direct" | "transitive" | "inconclusive" ← correct
The same field, same semantics — the webhook model is simply out of sync with the REST API model.
Impact
Any consumer using a strictly-typed client generated from the webhook OpenAPI spec (e.g. githubkit) will receive a ValidationError and reject the entire webhook payload when GitHub sends "inconclusive" as the relationship value on a dependabot_alert created (or any other action) event.
Reproduction
- Trigger a dependabot_alert webhook where the dependency relationship is inconclusive.
- Parse the payload using a strictly-typed model generated from the current webhook spec.
- Observe ValidationError: "inconclusive" is not a valid literal.
Expected Behaviour
The dependency.relationship field in the webhook schema should accept the same set of values as the REST API model:
{ "enum": ["unknown", "direct", "transitive", "inconclusive"] }
Related
- state/fixed_at schema inaccuracies).
- DependabotAlertPropDependency.relationship missing "inconclusive" literal (webhook model out of sync with REST API model) yanyongyu/githubkit#284.
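The failure mode described under Impact, and one way a consumer can avoid losing alerts, shown as an added example that is not code from this issue or from githubkit. It uses only the standard library; the function names, the stand-in ValidationError class, the `alert` wrapper key, the `relationship_raw` field and the sample payload are assumptions made for illustration.

```python
import json

# Enum as this issue reports it for the webhook schema (no "inconclusive").
WEBHOOK_RELATIONSHIPS = frozenset({"unknown", "direct", "transitive"})
# Enum as this issue reports it for the REST API model.
REST_RELATIONSHIPS = WEBHOOK_RELATIONSHIPS | {"inconclusive"}


class ValidationError(ValueError):
    """Hypothetical stand-in for a generated client's validation failure."""


def parse_strict(body, allowed=WEBHOOK_RELATIONSHIPS):
    """Mimic a strictly typed model: one bad literal rejects the whole payload."""
    payload = json.loads(body)
    rel = payload["alert"]["dependency"]["relationship"]
    if rel not in allowed:
        raise ValidationError(f"{rel!r} is not a valid literal")
    return payload


def parse_tolerant(body, allowed=WEBHOOK_RELATIONSHIPS):
    """Keep the alert and report schema drift instead of dropping the event."""
    payload = json.loads(body)
    dep = payload["alert"]["dependency"]
    drift = []
    rel = dep.get("relationship")
    if rel not in allowed:
        drift.append(f"dependency.relationship={rel!r} not in {sorted(allowed)}")
        dep["relationship_raw"] = rel    # hypothetical field: preserve what was sent
        dep["relationship"] = "unknown"  # a value every existing consumer handles
    return payload, drift


# Constructed sample payload, trimmed to the fields used here.
SAMPLE = json.dumps({
    "action": "created",
    "alert": {"number": 1, "dependency": {"relationship": "inconclusive"}},
})

if __name__ == "__main__":
    try:
        parse_strict(SAMPLE)
    except ValidationError as exc:
        print("strict parse dropped the alert:", exc)
    payload, drift = parse_tolerant(SAMPLE)
    print("tolerant parse kept alert", payload["alert"]["number"], "drift:", drift)
```

Logging the drift list gives an early signal that the generated models lag behind what GitHub sends, while the alert itself still reaches triage.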