Releases: EthanThePhoenix38/dependabot-secure-flow

Release v1.0.2

06 Feb 16:21

Automated sync from AI-Pulse repository

Changes:

  • Updated workflow and action files
  • Synced dependencies

Synced files:

  • .github/workflows/dependabot-secure-flow.yaml
  • .github/workflows/release-notification.yaml
  • action.yml
  • .github/dependabot.yml

Release v1.0.1

01 Feb 14:42

Automated sync from AI-Pulse repository

Changes:

  • Updated workflow and action files
  • Synced dependencies

Synced files:

  • .github/workflows/dependabot-secure-flow.yml
  • action.yml
  • .github/dependabot.yml
  • README.md
  • package.json
  • package-lock.json

v1.0.0 - Initial Release

28 Jan 22:18

DependabotSecureFlow - The Silent Guardian

Version 1.0.0 - Enterprise-grade GitHub Action workflow for zero-touch dependency management.

Overview

DependabotSecureFlow implements a "Silent Guardian" philosophy: automating security updates, validating them via actual builds, and auto-correcting failures without human intervention. It acts as a Security Sandbox that filters dependencies before they reach your production code.

Key Features

1. Absolute Silence & Automation

  • No Notification Fatigue: You only receive notifications for successful outcomes (ready-to-merge batch updates)
  • Green-Only Policy: Failing dependency updates are caught, handled, and discarded quietly

2. Security Sandbox (securite branch)

  • Isolation: Dependabot PRs are never merged directly to master
  • Batching: All valid updates are consolidated into a single "Batch PR" from securite to master

3. Build Validation

  • Smoke Testing: Runs npm install and npm run build on your project
  • Prevention: If a dependency causes build failures, it is rejected immediately

4. Auto-Correction ("Self-Healing")

  • The Solution: If validation fails, the workflow automatically closes the PR, deletes the branch, and tells Dependabot to ignore that specific version

Why This Pattern?

This workflow implements a rare and advanced DevOps pattern known as a Self-Healing Pipeline:

  • SRE-Grade Maturity: Architecture typically found in highly mature Site Reliability Engineering teams
  • Self-Healing: Detects failures and repairs itself without human intervention
  • Ultra-Lightweight: Under 100 lines of YAML, no external services required

What's Included

  • Complete GitHub Actions workflow template
  • Action metadata (action.yml)
  • Comprehensive documentation
  • Configuration examples

Getting Started

  1. Create .github/dependabot.yml to enable Dependabot
  2. Add .github/workflows/dependabot-secure-flow.yml workflow file
  3. Set up GIT_AUTHOR_EMAIL secret in repository settings
  4. Let the Silent Guardian protect your dependencies
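As an added illustration of the pattern these notes describe, and not the project's released files, here is one possible shape of the two files named in steps 1 and 2: Dependabot targets the securite branch, a workflow smoke-builds each PR, and a failed build closes the PR, deletes its branch and posts the Dependabot ignore command. Only the file names come from the notes; the trigger, action versions, permissions and gh commands are assumptions, and the step that batches passing updates from securite into master is left out.

```yaml
# .github/dependabot.yml (assumed shape): send Dependabot PRs to the
# "securite" sandbox branch so nothing is proposed against master directly.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "securite"
---
# .github/workflows/dependabot-secure-flow.yml (assumed shape)
name: Dependabot Secure Flow
on:
  pull_request:
    branches: [securite]
# Dependabot-triggered runs get a read-only GITHUB_TOKEN unless the workflow
# asks for more; closing the PR and deleting its branch need these two.
permissions:
  contents: write
  pull-requests: write
jobs:
  validate:
    if: github.actor == 'dependabot[bot]'   # only Dependabot's own PRs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Smoke test the proposed update
        id: build
        continue-on-error: true   # do not fail the job; handle the outcome below
        run: |
          npm ci
          npm run build
      - name: Self-heal on a failed build
        if: steps.build.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
        # The "@dependabot ignore ..." comment stops this version being
        # re-proposed; --delete-branch drops the rejected branch. The job
        # itself stays green, so no failure notification goes out.
        run: >
          gh pr close "$PR" --delete-branch
          --comment "@dependabot ignore this minor version"
```

Dependabot only honours the ignore command when the commenting identity has write access to the repository, so check that the GITHUB_TOKEN permissions above are not overridden by a more restrictive organisation or repository default.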

Documentation

Full documentation available in the README

Security

  • MIT Licensed
  • No external dependencies
  • Pure GitHub Actions native logic
  • GDPR compliant

Credits

Created by EthanThePhoenix38 | Phoenix Project


Note: This workflow assumes your repository is a Node.js project with a valid package.json file.