ci: replace dependabot auto-vet bot commit with patch artifact

[bronzelle-cw]

1. What changed:
   • Replaced bot commit/push flow with patch generation and artifact upload.
   • Updated PR comment to explain how authors apply the patch locally.
2. Why:
   • Keeps final commit ownership and signing with the PR author.
   • Reduces workflow complexity compared with a review-suggestion engine.

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Artifact upload condition Confirm that the upload step runs only for Pull Request events when has_patch is true. Evaluate whether the if condition should handle other event types or manual triggers to avoid missing or redundant uploads. - name: Upload auto-vet patch artifact id: upload_patch if: github.event_name == 'pull_request' && steps.patch.outputs.has_patch == 'true' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number }} path: ${{ steps.patch.outputs.patch_path }} if-no-files-found: error retention-days: ${{ env.RETENTION_DAYS }} Upload outputs naming Verify that actions/upload-artifact@v4.6.2 actually exposes artifact-id and artifact-url outputs as referenced. If the action uses different output keys, patch_meta will receive empty values. if: github.event_name == 'pull_request' && steps.patch.outputs.has_patch == 'true' uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dependabot-auto-vet-patch-pr-${{ github.event.pull_request.number }} path: ${{ steps.patch.outputs.patch_path }} if-no-files-found: error retention-days: ${{ env.RETENTION_DAYS }} JS comment generation syntax Review the JavaScript snippet that builds the PR comment for mismatched braces or indentation in the if (patchGenerated) ... else block to prevent runtime syntax errors. if (patchGenerated) { lines.push(`- **Patch generated:** yes`); lines.push(`- **Artifact uploaded:** ${patchUploaded ? 'yes' : 'no'}`); if (artifactName) lines.push(`- **Artifact name:** ${artifactName}`); if (artifactId) lines.push(`- **Artifact ID:** ${artifactId}`); if (retentionDays) lines.push(`- **Retention:** ${retentionDays} days`); if (artifactUrl) { lines.push(`- **Artifact download:** ${artifactUrl}`); } else if (runUrl) { lines.push(`- **Workflow run:** ${runUrl}`); } } else { lines.push(`- **Patch generated:** no audit files were produced`); }

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Handle git diff errors explicitly Add explicit error handling for the git diff --quiet invocation so that unexpected git errors (exit code >1) are not misclassified as "changes found". Capture and check the exit code, and abort the step on real errors. This prevents generating empty or partial patch files when git itself fails. .github/workflows/dependabot-auto-vet.yml [381-388] -if git diff --quiet -- supply-chain; then +git diff --quiet -- supply-chain +rc=$? +if [ $rc -eq 0 ]; then echo "has_patch=false" >> "$GITHUB_OUTPUT" echo "patch_path=" >> "$GITHUB_OUTPUT" echo "patch_bytes=0" >> "$GITHUB_OUTPUT" exit 0 +elif [ $rc -gt 1 ]; then + echo "Error running git diff" >&2 + exit 1 fi git diff --binary --patch -- supply-chain > "$patch_path" Suggestion importance[1-10]: 7 __ Why: Explicitly checking git diff exit codes prevents treating real git errors as "changes found" and avoids generating empty or partial patches, improving reliability.	Medium

[cloudwalk-review-agent]

Summary

Clean architectural move — shifting commit ownership back to the PR author is the right call, and the patch/artifact flow is well-structured. Two issues in the apply instructions worth fixing before this ships.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.34%. Comparing base (e8889d5) to head (d402bbf).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2467      +/-   ##
==========================================
+ Coverage   84.26%   84.34%   +0.07%     
==========================================
  Files         141      141              
  Lines       10826    10826              
==========================================
+ Hits         9123     9131       +8     
+ Misses       1703     1695       -8     

Flag	Coverage Δ
contracts-rocks-asset-transit-desk	43.59% <ø> (+0.02%)	⬆️
contracts-rocks-balance-freezer	42.66% <ø> (ø)
contracts-rocks-balance-tracker	42.99% <ø> (-0.03%)	⬇️
contracts-rocks-base	43.56% <ø> (ø)
contracts-rocks-blueprint	43.91% <ø> (ø)
contracts-rocks-capybara-finance	44.24% <ø> (ø)
contracts-rocks-capybara-finance-v2	44.30% <ø> (ø)
contracts-rocks-card-payment-processor	44.01% <ø> (ø)
contracts-rocks-card-payment-processor-v2	44.30% <ø> (-0.05%)	⬇️
contracts-rocks-cashier	43.91% <ø> (ø)
contracts-rocks-credit-agent	43.20% <ø> (ø)
contracts-rocks-multisig	43.90% <ø> (ø)
contracts-rocks-net-yield-distributor	43.93% <ø> (+0.02%)	⬆️
contracts-rocks-periphery	42.66% <ø> (ø)
contracts-rocks-shared-wallet-controller	43.94% <ø> (ø)
contracts-rocks-token	44.01% <ø> (ø)
contracts-rocks-treasury	43.63% <ø> (ø)
e2e-admin-password	22.79% <ø> (-0.02%)	⬇️
e2e-clock-stratus	25.65% <ø> (ø)
e2e-genesis	27.18% <ø> (ø)
e2e-importer-offline	59.89% <ø> (+0.01%)	⬆️
e2e-rpc-downloader	55.08% <ø> (+0.19%)	⬆️
e2e-stratus	57.52% <ø> (+0.01%)	⬆️
leader-follower-	61.65% <ø> (+0.07%)	⬆️
rust-tests	31.98% <ø> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — the fallback block now correctly references vet/auto-vet.patch inside the zip. Good catch addressed.

Two issues remain: the -S GPG signing flag (flagged last round, still present in both blocks), and a new path bug in the gh run download block that will make git apply fail for anyone who uses the preferred flow.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — fallback block now correctly references vet/auto-vet.patch inside the zip. Good.

Three issues remain (two carried over, one new):

1. New bug: mkdir -p vet is missing before the git diff … > "$patch_path" redirect — if the vet/ directory doesn't already exist the shell will immediately error with No such file or directory and the patch step will exit 1 silently discarding the diff.
2. Carried over: git apply --index auto-vet.patch in the gh run download block still references the wrong path.
3. Carried over: -S (GPG signing) in both commit blocks will silently fail or error for developers without a signing key configured.

[cloudwalk-review-agent]

Follow-up

✅ unzip -p path fixed — fallback block now correctly uses vet/auto-vet.patch as the member path. Good.

Three issues remain unaddressed from previous rounds:

[cloudwalk-review-agent]

mkdir -p vet still missing (flagged in previous review).

patch_path is set to vet/auto-vet.patch but the vet/ directory is never created. The shell redirect will fail with No such file or directory on a clean runner where vet/ doesn't already exist. Fix:

mkdir -p vet
git diff --binary --patch -- supply-chain > "$patch_path"

[cloudwalk-review-agent]

Bug (carried over): wrong apply path after gh run download.

gh run download <run-id> -n <artifact-name> creates <artifactName>/ and preserves the uploaded directory structure inside it. Because the file was uploaded from vet/auto-vet.patch, it lands at <artifactName>/vet/auto-vet.patch — not auto-vet.patch. This instruction will fail with error: can't open patch file auto-vet.patch for anyone using the preferred CLI flow.

Fix:

git apply --index ${artifactName}/vet/auto-vet.patch

[cloudwalk-review-agent]

-S still requires a GPG key (flagged in first review, present in both blocks).

git commit -S (uppercase) is GPG commit signing — it fails or produces an unverified commit for developers without a signing key configured. Use lowercase -s (DCO/Signed-off-by trailer) if a traceable attribution line is wanted, or drop the flag and let the developer sign per their own setup. Same issue at the fallback block (~line 524).

[carneiro-cw]

I tried running the action on the branch test_vet_2 multiple times, and it neither generated artifact nor it commented on the PR. https://github.com/cloudwalk/stratus/actions/runs/23492063861/job/68362706808