Automated Dependency Management

[zandre-eng]

Technical Summary

Link to ticket here

This is a release path 1 feature — Improvements to existing features & quick wins.

Sets up automated dependency maintenance for the repo. Rather than introduce Renovate (a third-party GitHub App), this uses Dependabot with its native uv ecosystem — the same setup already running in commcare-hq, keeping dependency tooling consistent across Dimagi repos. The change also removes the transitive-pin constraints left over from the pip-tools → uv migration so the lockfile is the sole source of truth and automated bumps can resolve fresh transitive deps.

Logging and monitoring

No application logging or monitoring changes — this is CI/automation configuration only. Success is observable through GitHub itself: the Dependency graph / Dependabot tab (PRs opened on schedule) and the Security Audit check status on dependency PRs.

Safety Assurance

Safety story

Inherently low risk — no application code, models, migrations, or runtime behavior is touched. The Dependabot config only governs how update PRs are proposed; each resulting bump still arrives as its own reviewable PR that must pass full CI before merge, so nothing is upgraded automatically. The security workflow is additive and only gates PRs that modify dependency manifests. Removing the constraint pins does not change the currently installed versions (those remain pinned in uv.lock) — it only allows future re-resolution; uv.lock was regenerated and committed as part of that commit. Config files were validated by the repo's pre-commit hooks (YAML + prettier).

• I am confident that this change will not break current and/or previous versions of CommCare apps

Automated test coverage

No application tests are applicable, as there is no code change. The security workflow itself is the verification mechanism: pip-audit runs in CI on any change to pyproject.toml / uv.lock. The Dependabot and workflow YAML are validated by the check-yaml and prettier pre-commit hooks.

QA Plan

QA will not be performed for this change.

Labels & Review

• The set of people pinged as reviewers is appropriate for the level of risk of the change

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 39a16a89-40b8-4a52-b843-98371ba0d1d2

📥 Commits

Reviewing files that changed from the base of the PR and between bc6863d and 3fd10e1.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pyproject.toml

🚧 Files skipped from review as they are similar to previous changes (1)

• pyproject.toml

---

Walkthrough

This PR removes the constraint-dependencies block from pyproject.toml, adds Dependabot automation for Python and GitHub Actions updates, introduces a Security Audit workflow that runs pip-audit on dependency file changes, and updates dependency-management documentation with the new workflows and manual update steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• dimagi/connect-id#241: Modified the same pyproject.toml [tool.uv] dependency configuration that this PR removes.

Suggested reviewers

• mkangia
• calellowitz

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: automating dependency management with Dependabot and related CI/config updates.
Description check	✅ Passed	The description is directly related to the changeset and accurately describes the Dependabot, lockfile, and security audit updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ze/dependency-maintenance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/security.yml (1)

32-32: ⚡ Quick win

Pin the pip-audit tool version for reproducible CI scans.

Line [32] runs uvx pip-audit unpinned, so scanner behavior can drift between runs and introduce flaky or unexpected CI outcomes. Pinning the tool version keeps audit results stable and easier to triage.

Suggested fix

-      - name: Run pip-audit
-        run: uvx pip-audit -r /tmp/requirements.txt
+      - name: Run pip-audit
+        run: uvx "pip-audit==<pinned_version>" -r /tmp/requirements.txt

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yml at line 32, The uvx pip-audit command in the
security workflow is running without a pinned version, which can cause
inconsistent scan results between runs and lead to flaky CI outcomes. Pin the
pip-audit tool version by specifying an explicit version constraint in the uvx
command (for example, append the version number after pip-audit using the
standard version pinning syntax) to ensure reproducible and stable security
audit results across all workflow executions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security.yml:
- Around line 18-23: Replace the mutable GitHub Actions version tags with
immutable commit SHAs for supply-chain security. In the
.github/workflows/security.yml file, change the actions/checkout@v4 reference to
use a specific commit SHA instead of the v4 tag, and similarly change the
astral-sh/setup-uv@v4 reference to use its corresponding commit SHA. This
ensures that the workflow always runs the exact same code and prevents
unexpected changes from tag updates.

---

Nitpick comments:
In @.github/workflows/security.yml:
- Line 32: The uvx pip-audit command in the security workflow is running without
a pinned version, which can cause inconsistent scan results between runs and
lead to flaky CI outcomes. Pin the pip-audit tool version by specifying an
explicit version constraint in the uvx command (for example, append the version
number after pip-audit using the standard version pinning syntax) to ensure
reproducible and stable security audit results across all workflow executions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5ee928a5-1079-47a2-8381-6d6c9316fb9f

📥 Commits

Reviewing files that changed from the base of the PR and between cc284e2 and e87ed3d.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• .github/workflows/security.yml
• pyproject.toml
• renovate.json

💤 Files with no reviewable changes (1)

• pyproject.toml

[zandre-eng]

The failing check is related to pip-audit failures which are pre-existing CVEs on main. These will be addressed by separate dependency bump PRs and do have tickets created for them.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/dependency-management.md`:
- Around line 39-41: The documentation in docs/dependency-management.md
currently states that the security audit job runs on every pull request that
modifies pyproject.toml or uv.lock, but this is misleading because the workflow
is actually scoped to only run on PRs targeting the main branch. Update the
sentence starting with "Runs on every pull request" to clarify that the job runs
specifically on pull requests targeting main that modify pyproject.toml or
uv.lock, rather than implying it runs on all PRs that touch those files. This
narrows and clarifies the actual scope of when the workflow is triggered.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1d7c2892-c872-4fa1-b183-dca462ebe58d

📥 Commits

Reviewing files that changed from the base of the PR and between 9a34b99 and 6af055e.

📒 Files selected for processing (1)

• docs/dependency-management.md

[coderabbitai]

♻️ Duplicate comments (1)

docs/dependency-management.md (1)

12-12: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align trigger scope text with the actual workflow.

Line 12 overstates behavior (“every PR”). The workflow is scoped to PRs targeting main that touch pyproject.toml or uv.lock; this should match the table summary to avoid reviewer confusion.

Suggested edit

-| **pip-audit** | Blocks PRs that introduce known CVEs | On every PR touching `pyproject.toml` / `uv.lock` |
+| **pip-audit** | Blocks PRs that introduce known CVEs | On PRs targeting `main` touching `pyproject.toml` / `uv.lock` |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/dependency-management.md` at line 12, The pip-audit table entry
overstates the trigger scope by saying "On every PR touching `pyproject.toml` /
`uv.lock`" when the actual workflow only runs on PRs targeting the main branch
that touch those files. Update the trigger scope text in the pip-audit row to
accurately reflect that the workflow is scoped to PRs targeting main, not every
PR that modifies those files, so reviewers have correct expectations about when
pip-audit checks are enforced.

🧹 Nitpick comments (1)

.github/dependabot.yml (1)

25-31: ⚡ Quick win

Add a PR concurrency cap for GitHub Actions updates

github-actions currently has no open-pull-requests-limit, while the documented behavior says 5 per ecosystem. On Line 25, adding the same cap used in the uv section keeps behavior aligned and avoids PR bursts.

Proposed patch

   - package-ecosystem: github-actions
     directory: '/'
     schedule:
       interval: weekly
       day: monday
+    open-pull-requests-limit: 5
     labels:
       - dependencies

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 25 - 31, The github-actions section in
the dependabot configuration is missing an open-pull-requests-limit setting,
which could result in PR bursts. Add an open-pull-requests-limit field to the
github-actions package-ecosystem block with the same value used in the uv
section to maintain consistent behavior across all ecosystems and align with the
documented default behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@docs/dependency-management.md`:
- Line 12: The pip-audit table entry overstates the trigger scope by saying "On
every PR touching `pyproject.toml` / `uv.lock`" when the actual workflow only
runs on PRs targeting the main branch that touch those files. Update the trigger
scope text in the pip-audit row to accurately reflect that the workflow is
scoped to PRs targeting main, not every PR that modifies those files, so
reviewers have correct expectations about when pip-audit checks are enforced.

---

Nitpick comments:
In @.github/dependabot.yml:
- Around line 25-31: The github-actions section in the dependabot configuration
is missing an open-pull-requests-limit setting, which could result in PR bursts.
Add an open-pull-requests-limit field to the github-actions package-ecosystem
block with the same value used in the uv section to maintain consistent behavior
across all ecosystems and align with the documented default behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 00f36e64-43d9-481e-83f7-a4f4a01b0d87

📥 Commits

Reviewing files that changed from the base of the PR and between 6af055e and bc6863d.

📒 Files selected for processing (3)

• .github/dependabot.yml
• .github/workflows/security.yml
• docs/dependency-management.md