
Conversation


@bronzelle-cw bronzelle-cw commented Jan 23, 2026

PR Type

Enhancement


Description

  • Introduce Dependabot Cargo Vet GitHub Actions workflow

  • Integrate cargo-vet with Codex agent for audits

  • Auto-commit audit changes on successful vetting

  • Bump uuid crate to version 1.19.0


Diagram Walkthrough

flowchart LR
  PR["Pull Request"]
  Checkout["Checkout PR head"]
  Setup["Set up Rust & install cargo-vet"]
  Vet["Run cargo vet --locked"]
  Exit["Exit if fully vetted"]
  Diff["Collect unvetted crate diff"]
  Prompt["Build Codex prompt"]
  Codex["Codex audit action"]
  Apply["Apply agent audits"]
  Commit["Commit audit changes"]

  PR --> Checkout
  Checkout --> Setup
  Setup --> Vet
  Vet -->|vetted| Exit
  Vet -->|unvetted| Diff
  Diff --> Prompt
  Prompt --> Codex
  Codex --> Apply
  Apply --> Commit

File Walkthrough

Relevant files
Configuration changes
dependabot-auto-vet.yml
Add Dependabot Cargo Vet workflow                                               

.github/workflows/dependabot-auto-vet.yml

  • Add new Dependabot Cargo Vet workflow
  • Define steps: checkout, Rust setup, install cargo-vet
  • Run initial vet, import audits, derive vet status
  • Integrate Codex for automated audit and commit
+191/-0 
Dependencies
Cargo.toml
Bump uuid crate to 1.19.0                                                               

Cargo.toml

  • Bump uuid dependency version from 1.18.1 to 1.19.0
  • Retain "v7" feature
+1/-1     

@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Fragile output parsing

The shell parsing of cargo vet output using grep and simple string slicing can break if the output format changes. Consider using cargo vet --output-format json and a JSON parser or more robust extraction logic to reliably capture unvetted crate names and versions.

run: |
  # Expect a single unvetted crate from dependabot PRs; parse the line "crate:old -> new"
  logfile="vet-locked-final.log"
  if [ ! -f "$logfile" ]; then
    logfile="vet-locked.log"
  fi
  line="$(grep -m1 'unvetted dependencies:' -A2 "$logfile" | tail -n1 | tr -d '[:space:]')"
  crate="${line%%:*}"
  vers="${line#*:}"
  old="${vers%->*}"
  new="${vers#*->}"
  if [ -z "$crate" ] || [ -z "$old" ] || [ -z "$new" ]; then
    echo "Failed to parse unvetted crate/version from vet output" >&2
    exit 1
  fi
Incorrect failure handling in GitHub Script

The actions/github-script step uses core.setFailed without importing or referencing the @actions/core module. In this context you should throw an error (e.g. throw new Error(...)) or ensure the correct API is available.

- name: Comment when agent step failed or missing
  if: steps.vet_status.outputs.status != '0' && (steps.codex.outcome == 'failure' || steps.codex.outputs.response == '')
  uses: actions/github-script@v7
  with:
    script: |
      const crate = '${{ steps.collect_unvetted_and_diff.outputs.crate }}';
      const version = '${{ steps.collect_unvetted_and_diff.outputs.version }}';
      const msg = [
        'Cargo vet still needs audits and no agent result was applied.',
        '',
        `Unvetted dependency: ${crate} ${version}`,
        '',
        'Codex agent was not configured or did not return a response. Ensure OPENAI_API_KEY is set and the prompt is valid.'
      ].join('\n');
      await github.rest.issues.createComment({
        owner: context.repo.owner,
        repo: context.repo.repo,
        issue_number: context.issue.number,
        body: msg
      });
      core.setFailed('Agent step failed or was not configured.')
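The "Fragile output parsing" point above, as an added example that is not part of the PR or the project: a stricter shell parser for the same text block the workflow greps, validating every entry against a crate:old -> new shape and enforcing the one-crate-per-Dependabot-PR expectation. The log text is constructed; `parse_unvetted` and `single_unvetted` are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from the PR: stricter parsing of the block cargo vet
# prints under "unvetted dependencies:". SAMPLE_LOG is constructed, not real output.

SAMPLE_LOG='Vetting Failed!

2 unvetted dependencies:
  uuid:1.18.1 -> 1.19.0
  serde:1.0.1 -> 1.0.2

recommended audits for safe-to-deploy:
  ...'

SAMPLE_SINGLE='1 unvetted dependencies:
  uuid:1.18.1 -> 1.19.0
'

# parse_unvetted LOG: print "crate old new" per unvetted crate, one per line.
# Every entry must match crate-name:version->version; a malformed entry or an
# empty block returns 1 so the caller fails closed instead of certifying a
# half-parsed name (the original grep/tail pipeline would not notice).
parse_unvetted() {
  printf '%s\n' "$1" | awk '
    /unvetted dependencies:/ { inblock = 1; next }
    inblock {
      line = $0
      gsub(/[ \t\r]/, "", line)
      if (line == "") { if (found) exit; next }
      if (line !~ /^[A-Za-z0-9_-]+:[0-9][0-9A-Za-z.+-]*->[0-9][0-9A-Za-z.+-]*$/) {
        if (found) exit
        bad = 1; exit
      }
      split(line, kv, ":"); split(kv[2], ver, "->")
      print kv[1], ver[1], ver[2]
      found = 1
    }
    END { exit (bad || !found) ? 1 : 0 }'
}

# single_unvetted LOG: a Dependabot PR bumps exactly one crate, so more than one
# unvetted entry means something unexpected was pulled in; return 2 and leave
# that case to a human rather than auditing it automatically.
single_unvetted() {
  triples="$(parse_unvetted "$1")" || return 1
  [ "$(printf '%s\n' "$triples" | wc -l | tr -d ' ')" -eq 1 ] || return 2
  printf '%s\n' "$triples"
}

parse_unvetted "$SAMPLE_LOG"
```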

@github-actions

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Capture real exit status

The current pipeline always records a zero exit code because || true resets $?.
Capture the real exit status before forcing success.

.github/workflows/dependabot-auto-vet.yml [38-43]

 - name: Initial cargo vet --locked
   id: vet_locked_initial
   continue-on-error: true
   run: |
-    cargo vet --locked > vet-locked.log 2>&1 || true
-    echo "status=$?" >> "$GITHUB_OUTPUT"
+    set +e
+    cargo vet --locked > vet-locked.log 2>&1
+    status=$?
+    echo "status=$status" >> "$GITHUB_OUTPUT"
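Review bot: with `set +e` at the top of the `run:` block, the step now always exits 0, so `continue-on-error: true` on this step no longer does anything and errors from every later command in the block (the redirect to `vet-locked.log` failing, for instance) are silently swallowed. A narrower form keeps `-e` for everything else and still records the real status: `cargo vet --locked > vet-locked.log 2>&1 && status=0 || status=$?` followed by `echo "status=$status" >> "$GITHUB_OUTPUT"`. Either way, the downstream steps should gate on the captured `status` output rather than on this step's outcome.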
Suggestion importance[1-10]: 8


Why: The || true causes echo to always report success, so capturing $? before forcing success is crucial to detect vet failures.

Impact: Medium

Category: General
Sanitize notes for CLI

If the notes field contains quotes or newlines, the CLI call can break. Normalize
newlines to spaces and escape quotes before passing to --notes.

.github/workflows/dependabot-auto-vet.yml [169]

-cargo vet certify "$crate" "$version" --criteria "$criteria" --who "$who" --notes "$notes" --accept-all
+safe_notes=$(echo "$notes" | tr '\n' ' ' | sed 's/\"/\\"/g')
+cargo vet certify "$crate" "$version" --criteria "$criteria" --who "$who" --notes "$safe_notes" --accept-all
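Review bot: the `sed 's/\"/\\"/g'` step solves a problem that does not exist and creates one that does: `"$notes"` is already passed to `cargo vet certify` as a single argument, so quotes and newlines in it never reach the shell parser, while the added backslashes become literal characters in the note that cargo vet records in the audits file. If the intent is to bound agent-generated text before it is written into an audit, limit its length and flatten line breaks instead, e.g. `safe_notes=$(printf '%s' "$notes" | tr '\n\r' '  ' | cut -c1-500)`, and use `printf '%s'` rather than `echo` so a note that happens to start with `-n` or `-e` is not treated as an option.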
Suggestion importance[1-10]: 6


Why: Normalizing newlines and escaping quotes in notes prevents malformed command lines and potential script failures when calling cargo vet certify.

Impact: Low
Enable pushing new commits

To allow pushing audit commits back to the PR branch, the checkout action needs the
full history. Add fetch-depth: 0 so Git can create and push new commits.

.github/workflows/dependabot-auto-vet.yml [22-26]

 - name: Checkout PR head
   uses: actions/checkout@v4
   with:
     ref: ${{ github.event.pull_request.head.sha }}
     persist-credentials: true
+    fetch-depth: 0
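Review bot: `fetch-depth: 0` is not what makes the later push possible; a shallow checkout can commit and push without full history, so this only slows the job down. The two settings in this hunk that actually matter are `ref: ${{ github.event.pull_request.head.sha }}`, which leaves the checkout in detached HEAD so the commit step must push explicitly to the PR's head branch, and `persist-credentials: true`, which keeps the job token in `.git/config` for every subsequent step, including the Codex agent step. That second choice deserves a comment explaining why it is needed and a `permissions:` block that grants this workflow no more than `contents: write`.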
Suggestion importance[1-10]: 5


Why: Adding fetch-depth: 0 ensures the full Git history is available, which is necessary for creating and pushing audit commits back to the PR.

Impact: Low

@codecov

codecov bot commented Jan 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.31%. Comparing base (ec1cbd4) to head (9f7c2b2).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2440      +/-   ##
==========================================
- Coverage   84.33%   84.31%   -0.02%     
==========================================
  Files         141      141              
  Lines       10803    10803              
==========================================
- Hits         9111     9109       -2     
- Misses       1692     1694       +2     
Flag Coverage Δ
contracts-rocks-asset-transit-desk 43.64% <ø> (+0.02%) ⬆️
contracts-rocks-balance-freezer 42.71% <ø> (ø)
contracts-rocks-balance-tracker 43.04% <ø> (-0.03%) ⬇️
contracts-rocks-base 43.62% <ø> (ø)
contracts-rocks-blueprint 43.97% <ø> (ø)
contracts-rocks-capybara-finance 44.31% <ø> (+0.02%) ⬆️
contracts-rocks-capybara-finance-v2 44.00% <ø> (ø)
contracts-rocks-card-payment-processor 44.06% <ø> (ø)
contracts-rocks-card-payment-processor-v2 44.36% <ø> (ø)
contracts-rocks-cashier 44.01% <ø> (+0.04%) ⬆️
contracts-rocks-credit-agent 43.26% <ø> (ø)
contracts-rocks-multisig 43.95% <ø> (ø)
contracts-rocks-net-yield-distributor 43.97% <ø> (-0.03%) ⬇️
contracts-rocks-periphery 42.71% <ø> (ø)
contracts-rocks-shared-wallet-controller 44.02% <ø> (ø)
contracts-rocks-token 44.06% <ø> (ø)
contracts-rocks-treasury 43.68% <ø> (ø)
e2e-admin-password 22.84% <ø> (ø)
e2e-clock-stratus 25.69% <ø> (ø)
e2e-genesis 27.22% <ø> (ø)
e2e-importer-offline 60.16% <ø> (+0.18%) ⬆️
e2e-rpc-downloader 55.15% <ø> (ø)
e2e-stratus 57.60% <ø> (-0.04%) ⬇️
leader-follower- 61.72% <ø> (+0.04%) ⬆️
rust-tests 30.55% <ø> (ø)

Flags with carried forward coverage won't be shown.
