
Automated Dependency Management #255

Open
zandre-eng wants to merge 3 commits into main from ze/dependency-maintenance

Automated Dependency Management#255
zandre-eng wants to merge 3 commits into
mainfrom
ze/dependency-maintenance

Conversation

zandre-eng commented Jun 16, 2026

Contributor

Technical Summary

Link to ticket here

This is a release path 1 feature — Improvements to existing features & quick wins.

Sets up automated dependency maintenance for the repo. Rather than introduce Renovate (a third-party GitHub App), this uses Dependabot with its native uv ecosystem — the same setup already running in commcare-hq, keeping dependency tooling consistent across Dimagi repos. The change also removes the transitive-pin constraints left over from the pip-tools → uv migration so the lockfile is the sole source of truth and automated bumps can resolve fresh transitive deps.

Logging and monitoring

No application logging or monitoring changes — this is CI/automation configuration only. Success is observable through GitHub itself: the Dependency graph / Dependabot tab (PRs opened on schedule) and the Security Audit check status on dependency PRs.

Safety Assurance

Safety story

Inherently low risk — no application code, models, migrations, or runtime behavior is touched. The Dependabot config only governs how update PRs are proposed; each resulting bump still arrives as its own reviewable PR that must pass full CI before merge, so nothing is upgraded automatically. The security workflow is additive and only gates PRs that modify dependency manifests. Removing the constraint pins does not change the currently installed versions (those remain pinned in uv.lock) — it only allows future re-resolution; uv.lock was regenerated and committed as part of that commit. Config files were validated by the repo's pre-commit hooks (YAML + prettier).

  • I am confident that this change will not break current and/or previous versions of CommCare apps

Automated test coverage

No application tests are applicable, as there is no code change. The security workflow itself is the verification mechanism: pip-audit runs in CI on any change to pyproject.toml / uv.lock. The Dependabot and workflow YAML are validated by the check-yaml and prettier pre-commit hooks.

QA Plan

QA will not be performed for this change.

Labels & Review

  • The set of people pinged as reviewers is appropriate for the level of risk of the change

These transitive pins were a migration artefact from the pip-tools → uv
move, added to reproduce the exact pip-compile environment during the
transition. Now that the migration is verified, uv.lock is the sole
source of truth for the full dependency graph. Keeping the constraints
would have prevented uv from resolving fresh transitive deps when direct
deps are bumped, blunting Renovate's automated updates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Jun 16, 2026


Walkthrough

This PR removes the constraint-dependencies array from pyproject.toml (99 lines of pinned transitive dependency versions), introduces .github/dependabot.yml for weekly automated Python and GitHub Actions dependency updates with minor/patch grouping, adds .github/workflows/security.yml which runs pip-audit on PRs targeting main that modify dependency files, and creates docs/dependency-management.md documenting the full dependency management system including manual workflows and guidance for adding new dependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • dimagi/connect-id#241: Introduced the [tool.uv].constraint-dependencies block in pyproject.toml that this PR removes.

Suggested reviewers

  • mkangia
  • calellowitz
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | Passed | The title 'Automated Dependency Management' clearly summarizes the main change in the PR, which establishes automated dependency maintenance through Dependabot, security audits, and constraint removal.
Description check | Passed | The pull request description is comprehensive and directly related to the changeset, covering the technical summary, safety assurance, and implementation details of the automated dependency management system.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.



coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/security.yml (1)

32-32: ⚡ Quick win

Pin the pip-audit tool version for reproducible CI scans.

Line 32 runs uvx pip-audit unpinned, so scanner behavior can drift between runs and introduce flaky or unexpected CI outcomes. Pinning the tool version keeps audit results stable and easier to triage.

Suggested fix
-      - name: Run pip-audit
-        run: uvx pip-audit -r /tmp/requirements.txt
+      - name: Run pip-audit
+        run: uvx "pip-audit==<pinned_version>" -r /tmp/requirements.txt
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security.yml at line 32, The uvx pip-audit command in the
security workflow is running without a pinned version, which can cause
inconsistent scan results between runs and lead to flaky CI outcomes. Pin the
pip-audit tool version by specifying an explicit version constraint in the uvx
command (for example, append the version number after pip-audit using the
standard version pinning syntax) to ensure reproducible and stable security
audit results across all workflow executions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security.yml:
- Around line 18-23: Replace the mutable GitHub Actions version tags with
immutable commit SHAs for supply-chain security. In the
.github/workflows/security.yml file, change the actions/checkout@v4 reference to
use a specific commit SHA instead of the v4 tag, and similarly change the
astral-sh/setup-uv@v4 reference to use its corresponding commit SHA. This
ensures that the workflow always runs the exact same code and prevents
unexpected changes from tag updates.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5ee928a5-1079-47a2-8381-6d6c9316fb9f

📥 Commits

Reviewing files that changed from the base of the PR and between cc284e2 and e87ed3d.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/security.yml
  • pyproject.toml
  • renovate.json
💤 Files with no reviewable changes (1)
  • pyproject.toml
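As an added illustration (not the PR's actual .github/workflows/security.yml, which is not reproduced on this page), a workflow that applies the two review points above: actions pinned to full commit SHAs instead of mutable tags, and the pip-audit tool version pinned. The job name, the uv export step, the `contents: read` permission, and every `<...>` value are assumptions or placeholders, not values from the repo.

```yaml
name: Security Audit

# Only PRs into main that change a dependency manifest trigger the job,
# which is the scope the review asks the docs to state explicitly.
on:
  pull_request:
    branches: [main]
    paths:
      - pyproject.toml
      - uv.lock

permissions:
  contents: read # least privilege: the audit only needs to read the repo

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      # Full commit SHAs rather than movable tags, as the review recommends;
      # the trailing comment keeps the human-readable version for Dependabot
      # to update alongside the SHA. Both SHAs here are placeholders.
      - uses: actions/checkout@<commit-sha-for-v4> # v4
      - uses: astral-sh/setup-uv@<commit-sha-for-v4> # v4

      # Export production deps from uv.lock (the sole source of truth) in the
      # requirements format pip-audit reads; dev-only packages are excluded.
      # (Assumed step; the PR's export command is not shown on this page.)
      - name: Export production requirements
        run: uv export --no-dev --no-hashes -o /tmp/requirements.txt

      # Scanner version pinned so tool behaviour does not drift between runs;
      # replace the placeholder with a real version when adopting this file.
      - name: Run pip-audit
        run: uvx "pip-audit==<pinned_version>" -r /tmp/requirements.txt
```

The audit reports every known vulnerability in the exported set, not only those a PR introduces, so pre-existing CVEs already on main (as the author notes later in this thread) will fail the check until they are bumped.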

Comment thread .github/workflows/security.yml
@zandre-eng

Contributor Author

The failing check is related to pip-audit failures which are pre-existing CVEs on main. These will be addressed by separate dependency bump PRs and do have tickets created for them.

zandre-eng force-pushed the ze/dependency-maintenance branch from 9a34b99 to 6af055e on June 16, 2026 10:41

coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/dependency-management.md`:
- Around line 39-41: The documentation in docs/dependency-management.md
currently states that the security audit job runs on every pull request that
modifies pyproject.toml or uv.lock, but this is misleading because the workflow
is actually scoped to only run on PRs targeting the main branch. Update the
sentence starting with "Runs on every pull request" to clarify that the job runs
specifically on pull requests targeting main that modify pyproject.toml or
uv.lock, rather than implying it runs on all PRs that touch those files. This
narrows and clarifies the actual scope of when the workflow is triggered.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1d7c2892-c872-4fa1-b183-dca462ebe58d

📥 Commits

Reviewing files that changed from the base of the PR and between 9a34b99 and 6af055e.

📒 Files selected for processing (1)
  • docs/dependency-management.md

zandre-eng force-pushed the ze/dependency-maintenance branch from 6af055e to a689388 on June 16, 2026 13:38
zandre-eng and others added 2 commits June 17, 2026 10:49
- .github/dependabot.yml: native uv ecosystem + github-actions, weekly,
  max 5 concurrent PRs, minor/patch Python updates grouped into one PR.
  Matches the Dependabot+uv setup already used in commcare-hq.
- .github/workflows/security.yml: runs pip-audit against production
  deps on PRs that touch pyproject.toml or uv.lock

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
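As an added illustration (not the PR's actual .github/dependabot.yml, which is not reproduced on this page), a Dependabot config matching the commit message above: native uv ecosystem plus github-actions, weekly on Monday, five open PRs per ecosystem, minor/patch Python updates grouped into one PR. The github-actions block also carries the open-pull-requests-limit the review asks for; the group name and the `dependencies` label are assumptions.

```yaml
version: 2
updates:
  # Python dependencies resolved by uv: Dependabot reads pyproject.toml and
  # regenerates uv.lock in each update PR, so the lockfile stays the source
  # of truth and each bump still goes through full CI before merge.
  - package-ecosystem: uv
    directory: '/'
    schedule:
      interval: weekly
      day: monday
    open-pull-requests-limit: 5
    # Minor and patch bumps arrive as one grouped PR; major bumps are left
    # ungrouped so a breaking change gets its own review.
    groups:
      python-minor-patch: # group name is an assumption
        update-types:
          - minor
          - patch
    labels:
      - dependencies

  # Actions referenced from .github/workflows/*.yml. Same cap as the uv
  # block, as the review suggests, so one busy week cannot flood the repo.
  # For actions pinned to commit SHAs, Dependabot updates the SHA and the
  # trailing "# vX" comment together.
  - package-ecosystem: github-actions
    directory: '/'
    schedule:
      interval: weekly
      day: monday
    open-pull-requests-limit: 5
    labels:
      - dependencies
```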
zandre-eng force-pushed the ze/dependency-maintenance branch from a689388 to bc6863d on June 17, 2026 08:51

coderabbitai Bot left a comment


♻️ Duplicate comments (1)
docs/dependency-management.md (1)

12-12: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align trigger scope text with the actual workflow.

Line 12 overstates behavior (“every PR”). The workflow is scoped to PRs targeting main that touch pyproject.toml or uv.lock; this should match the table summary to avoid reviewer confusion.

Suggested edit
-| **pip-audit** | Blocks PRs that introduce known CVEs | On every PR touching `pyproject.toml` / `uv.lock` |
+| **pip-audit** | Blocks PRs that introduce known CVEs | On PRs targeting `main` touching `pyproject.toml` / `uv.lock` |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/dependency-management.md` at line 12, The pip-audit table entry
overstates the trigger scope by saying "On every PR touching `pyproject.toml` /
`uv.lock`" when the actual workflow only runs on PRs targeting the main branch
that touch those files. Update the trigger scope text in the pip-audit row to
accurately reflect that the workflow is scoped to PRs targeting main, not every
PR that modifies those files, so reviewers have correct expectations about when
pip-audit checks are enforced.
🧹 Nitpick comments (1)
.github/dependabot.yml (1)

25-31: ⚡ Quick win

Add a PR concurrency cap for GitHub Actions updates

github-actions currently has no open-pull-requests-limit, while the documented behavior says 5 per ecosystem. On Line 25, adding the same cap used in the uv section keeps behavior aligned and avoids PR bursts.

Proposed patch
   - package-ecosystem: github-actions
     directory: '/'
     schedule:
       interval: weekly
       day: monday
+    open-pull-requests-limit: 5
     labels:
       - dependencies
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 25 - 31, The github-actions section in
the dependabot configuration is missing an open-pull-requests-limit setting,
which could result in PR bursts. Add an open-pull-requests-limit field to the
github-actions package-ecosystem block with the same value used in the uv
section to maintain consistent behavior across all ecosystems and align with the
documented default behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 00f36e64-43d9-481e-83f7-a4f4a01b0d87

📥 Commits

Reviewing files that changed from the base of the PR and between 6af055e and bc6863d.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/security.yml
  • docs/dependency-management.md
