git-create: enable dependabot alerts, security fixes, CodeQL #10
Merged
Adds apply_security_settings that, after repo creation:
- PUT /repos/{owner}/{repo}/vulnerability-alerts
(enables dependabot alerts; pulls in the dependency graph)
- PUT /repos/{owner}/{repo}/automated-security-fixes
(enables dependabot security updates)
- PATCH /repos/{owner}/{repo}/code-scanning/default-setup state=configured
(enables CodeQL default setup)
Each step is toggleable via the [security] section of ~/.agitentic and
defaults to true. Failures are warned about but non-fatal — CodeQL in
particular may have no supported languages on an empty-initial-commit
repo and can be enabled later once code lands.
Dependabot version/grouped updates are intentionally not configured
here: they require committing a dependabot.yml, which is outside the
scope of a repo-creation script.
Fixes brycelelbach#3.
git-fork creates a new repo on GitHub (the fork) just like git-create creates a new repo, so the same dependabot / CodeQL defaults should apply to it. Extracts agitentic_apply_security_settings into lib/security-settings.sh (mirroring the lib/repo-settings.sh split from brycelelbach#6) and calls it from git-fork right after agitentic_apply_repo_settings. Skipped when the fork step is skipped (account == upstream owner). git-fork's SKILL.md picks up the same [security] documentation as git-create.
The config section has been [repo] since brycelelbach#6 consolidated defaults into lib/repo-settings.sh, but git-fork's SKILL.md still told users to use [fork]. Bring the wording and example block in line with git-create's SKILL.md, including the "same section controls both skills" note.
robobryce pushed a commit to robobryce/agitentic that referenced this pull request on Apr 30, 2026:
…g validation

After PR#7 (--prune), brycelelbach#9 (auto-merge / update-branch defaults), and brycelelbach#10 (dependabot + CodeQL security endpoints) landed, the test suite was silently under-covering the new code paths. Fix the gaps and audit for the rest.

Stub:
- tests/stubs/gh now handles `gh api --silent --method <V> /path [-f k=v ...]` as a logged no-op. A new STUB_GH_API_FAIL env var makes the stub fail for any api path containing a given substring, letting tests exercise the `|| echo warning` branch in security-settings.

New test cases:
- git-create: asserts all three security endpoints are called with the expected paths; honours [security] overrides in ~/.agitentic; tolerates a failing endpoint without failing the run.
- git-fork: asserts all three security endpoints are called against the fork slug; short-circuit path asserts no security calls either.
- git-sync: already-synced no-op; refuses divergent commits without --force; --force resets and force-pushes to fork.
- arg-validation: git-create rejects no-args and empty <name>; git-fork and git-clone reject no-args.

Also extends the "default repo settings" assertions to cover the two PR#9 keys (enable-auto-merge, allow-update-branch), and drops the now-unnecessary --prune soft-skip since PR#7 is on main.

Suite is 39/39 green.
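The three endpoint calls from the PR description, the [security] toggles with their default of true, and the `|| echo warning` branch that the stub commit above exercises, written out as one runnable script. This is an added example, not agitentic's own lib/security-settings.sh or tests/stubs/gh: the config key names (`dependabot-alerts`, `dependabot-security-updates`, `codeql-default-setup`), the `AGITENTIC_CONFIG` and `GH` overrides, the `acme/widgets` slug and the constructed config text are all assumptions, and `stub_gh` is a simplified stand-in for the project's stub that only models the `gh api` shape and the STUB_GH_API_FAIL behaviour described in the commit message.

```shell
#!/usr/bin/env bash
# Added example, not agitentic's own code. Implements the three security
# endpoints from the PR as gh api calls gated by a [security] section, plus a
# gh test double in the spirit of tests/stubs/gh. Assumed (hypothetical) names:
# the config keys dependabot-alerts, dependabot-security-updates and
# codeql-default-setup, the AGITENTIC_CONFIG and GH overrides, and acme/widgets.

AGITENTIC_CONFIG="${AGITENTIC_CONFIG:-$HOME/.agitentic}"
GH="${GH:-gh}"   # command (or shell function) used for API calls; tests swap in a stub

# security_setting <key>: value of <key> under [security] in the config file.
# Missing file, section or key all mean "true", matching the PR's defaults.
security_setting() {
  local key="$1" in_section=0 line k v
  [ -r "$AGITENTIC_CONFIG" ] || { echo true; return 0; }
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                               # drop trailing comments
    line="${line#"${line%%[![:space:]]*}"}"          # trim leading whitespace
    line="${line%"${line##*[![:space:]]}"}"          # trim trailing whitespace
    case "$line" in
      "") continue ;;
      "[security]") in_section=1; continue ;;
      "["*"]") in_section=0; continue ;;             # any other section ends ours
    esac
    [ "$in_section" -eq 1 ] || continue
    k="${line%%=*}"; k="${k%"${k##*[![:space:]]}"}"
    v="${line#*=}";  v="${v#"${v%%[![:space:]]*}"}"
    if [ "$k" = "$key" ]; then echo "$v"; return 0; fi
  done < "$AGITENTIC_CONFIG"
  echo true
}

# security_api <METHOD> <path> [-f k=v ...]: one endpoint call. A failure is
# reported and swallowed so the rest of repo creation continues (CodeQL default
# setup, for instance, rejects a repo with no supported language yet).
security_api() {
  local method="$1" path="$2"
  shift 2
  "$GH" api --silent --method "$method" "$path" "$@" ||
    echo "warning: $method $path failed (rc=$?); enable it later under Settings -> Security" >&2
}

# apply_security_settings <owner/repo>: the three calls from the PR, each gated
# by its [security] key. Always returns 0: these settings are best-effort.
apply_security_settings() {
  local slug="$1"
  if [ "$(security_setting dependabot-alerts)" = true ]; then
    security_api PUT "/repos/$slug/vulnerability-alerts"
  fi
  if [ "$(security_setting dependabot-security-updates)" = true ]; then
    security_api PUT "/repos/$slug/automated-security-fixes"
  fi
  if [ "$(security_setting codeql-default-setup)" = true ]; then
    security_api PATCH "/repos/$slug/code-scanning/default-setup" -f state=configured
  fi
  return 0
}

# stub_gh: test double in the spirit of the PR's tests/stubs/gh. Logs every
# "gh api" call as "METHOD path [k=v]" to $STUB_GH_LOG and fails when the path
# contains $STUB_GH_API_FAIL, so the warning branch above can be exercised.
stub_gh() {
  [ "$1" = api ] || { echo "stub_gh: unsupported: $*" >&2; return 2; }
  shift
  local method="" path="" fields=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --silent) ;;
      --method) method="$2"; shift ;;
      -f)       fields="$fields $2"; shift ;;
      *)        path="$1" ;;
    esac
    shift
  done
  printf '%s %s%s\n' "$method" "$path" "$fields" >> "${STUB_GH_LOG:-/dev/null}"
  if [ -n "${STUB_GH_API_FAIL:-}" ]; then
    case "$path" in *"$STUB_GH_API_FAIL"*) return 1 ;; esac
  fi
  return 0
}

# run_demo <config-text> [fail-substring]: run apply_security_settings against
# the stub with a constructed config file and print the logged calls followed
# by any warnings. Everything happens in a throwaway temp directory.
run_demo() {
  local tmp
  tmp="$(mktemp -d)"
  printf '%s\n' "$1" > "$tmp/agitentic"    # constructed stand-in for ~/.agitentic
  : > "$tmp/log"
  AGITENTIC_CONFIG="$tmp/agitentic"
  GH=stub_gh
  STUB_GH_LOG="$tmp/log"
  STUB_GH_API_FAIL="${2:-}"
  apply_security_settings acme/widgets 2> "$tmp/err"
  cat "$tmp/log" "$tmp/err"
  rm -rf "$tmp"
}
```

`run_demo ''` shows the default path (all three calls), `run_demo "$(printf '[security]\ncodeql-default-setup = false\n')"` shows an override suppressing the CodeQL call, and `run_demo '' code-scanning` shows the PATCH being logged, failing, and producing only a warning while the function still returns 0. Against a real repo you would leave `GH` unset so the calls go through the actual `gh` binary.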
brycelelbach added a commit that referenced this pull request on Apr 30, 2026 (the same commit message as above).
Summary

Adds a new apply_security_settings step to git-create that, after the repo is created:
- PUT /repos/{owner}/{repo}/vulnerability-alerts — enables dependabot alerts (pulls in the dependency graph).
- PUT /repos/{owner}/{repo}/automated-security-fixes — enables dependabot security updates.
- PATCH /repos/{owner}/{repo}/code-scanning/default-setup with state=configured — enables CodeQL default setup.

Each step is toggleable via [security] in ~/.agitentic (all default true). Failures are warned about but non-fatal — CodeQL in particular may have no supported languages on a fresh empty-initial-commit repo, and can be enabled later once real code lands.

Dependabot version/grouped updates are intentionally not configured here: they require committing a dependabot.yml, which matches your comment on #3 (scratch the version-updates piece).

Fixes #3.

Test plan
- `bash -n` and `shellcheck -x` on git-create.
- `gh api` invocations succeed and the settings flip on the repo.
- `scripts/git-create <name>` and confirm the three settings in repo Settings → Security.