
Enable dependabot and dependency-submission workflow #323

Open

vinodbhorge wants to merge 3 commits into Sunbird-Knowlg:master from vinodbhorge:feature/dependabot-enable-20260427151618

Conversation


@vinodbhorge vinodbhorge commented Apr 28, 2026

  • Enabled the dependabot dependency graph submission workflow

Summary by CodeRabbit

  • Chores
    • Enabled automated weekly dependency updates with concurrent pull request limits
    • Introduced automated Software Bill of Materials (SBOM) generation and submission for dependency tracking

vinodbhorge and others added 3 commits April 27, 2026 15:18
- Add .github/dependabot.yml for npm ecosystem (src/ directory)
- Add .github/workflows/dependency-submission.yml
  - Plugin: actions/dependency-review-action@v4
  - Captures full transitive dependency set via npm ci
  - Triggers: push and pull_request on master

Generated by Dependabot Sub-Agent
- Check out submodules recursively so src/libs is populated before
  npm ci runs its preinstall script
- Add npm sbom generation step; spdx-dependency-submission-action
  requires a pre-generated SPDX file, it does not scan on its own
- Replace dependency-review-action (PR security gate, wrong tool)
  with spdx-dependency-submission-action for actual graph submission
- Drop invalid token input not accepted by the submission action

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
spdx-json is not a valid value; npm sbom only accepts cyclonedx or spdx.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
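The second and third commit messages above make the point that spdx-dependency-submission-action submits whatever SPDX file it is handed and does not scan the tree itself, so an empty or inconsistent SBOM would be submitted without complaint. What follows is an added example, not code from this PR or the Sunbird-Knowlg project: a Python pre-submission gate that checks the SPDX JSON written by `npm sbom --sbom-format spdx` against package-lock.json. The SBOM and lockfile are constructed inline to mimic npm's output shape (SPDXRef-Package-<name>-<version> element ids, DEPENDS_ON relationships, a lockfileVersion 3 "packages" map); the package names and versions in them are made up for the example.

```python
"""Gate an npm-generated SPDX SBOM before it is submitted to GitHub.

Added example for this PR page; not code from the PR or the project.
The sample SBOM and lockfile are constructed in the shape that
`npm sbom --sbom-format spdx` and package-lock.json (lockfileVersion 3)
use, with made-up package names and versions.
"""
from __future__ import annotations

import json
import sys

# ---- constructed sample input (NOT real project data) ----------------------
ROOT = "SPDXRef-Package-knowledge-mw-service-1.0.0"
EXPRESS = "SPDXRef-Package-express-4.19.2"
DEBUG = "SPDXRef-Package-debug-2.6.9"

SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "knowledge-mw-service@1.0.0",
    "packages": [
        {"SPDXID": ROOT, "name": "knowledge-mw-service", "versionInfo": "1.0.0"},
        {"SPDXID": EXPRESS, "name": "express", "versionInfo": "4.19.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.19.2"}]},
        {"SPDXID": DEBUG, "name": "debug", "versionInfo": "2.6.9"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": ROOT,
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": ROOT, "relatedSpdxElement": EXPRESS,
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": EXPRESS, "relatedSpdxElement": DEBUG,
         "relationshipType": "DEPENDS_ON"},
        # Deliberately broken: points at an element missing from "packages".
        {"spdxElementId": EXPRESS,
         "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
         "relationshipType": "DEPENDS_ON"},
    ],
}

SAMPLE_LOCK = {
    "name": "knowledge-mw-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "knowledge-mw-service", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/debug": {"version": "2.6.9"},
        "node_modules/lodash": {"version": "4.17.21"},  # installed, absent above
    },
}


def sbom_packages(sbom: dict) -> dict[str, str]:
    """Map SPDXID -> name@version for every package element in the SBOM."""
    return {p["SPDXID"]: f'{p["name"]}@{p.get("versionInfo", "")}'
            for p in sbom.get("packages", [])}


def dangling_relationships(sbom: dict) -> list[tuple[str, str]]:
    """Relationships whose either end is not a known element id."""
    known = set(sbom_packages(sbom)) | {sbom.get("SPDXID", "SPDXRef-DOCUMENT")}
    bad = []
    for rel in sbom.get("relationships", []):
        for side in ("spdxElementId", "relatedSpdxElement"):
            if rel[side] not in known:
                bad.append((rel["relationshipType"], rel[side]))
    return bad


def lockfile_packages(lock: dict) -> set[str]:
    """name@version of every installed package recorded in the lockfile."""
    out = set()
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):      # skip root and symlinked entries
            continue
        # Nested paths look like node_modules/a/node_modules/@scope/b.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        out.add(f"{name}@{entry.get('version', '')}")
    return out


def missing_from_sbom(sbom: dict, lock: dict) -> set[str]:
    """Installed packages that npm sbom did not enumerate."""
    return lockfile_packages(lock) - set(sbom_packages(sbom).values())


def check(sbom: dict, lock: dict) -> list[str]:
    """Return a list of problems; an empty list means the SBOM is fit to submit."""
    problems = []
    if not sbom.get("packages"):
        problems.append("SBOM lists no packages (generated before npm ci ran?)")
    for rel_type, ref in dangling_relationships(sbom):
        problems.append(f"{rel_type} relationship points at unknown element {ref}")
    for pkg in sorted(missing_from_sbom(sbom, lock)):
        problems.append(f"installed package {pkg} is absent from the SBOM")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: sbom_gate.py sbom.spdx.json package-lock.json
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            sbom, lock = json.load(f), json.load(g)
    else:
        sbom, lock = SAMPLE_SBOM, SAMPLE_LOCK
    problems = check(sbom, lock)
    print("\n".join(problems) or "SBOM consistent with lockfile")
    sys.exit(1 if problems else 0)
```

Run as a workflow step between the `npm sbom` and submission steps; a non-zero exit stops the job before a hollow or inconsistent snapshot replaces the repository's dependency graph. The lockfile comparison is the useful half: a dangling DEPENDS_ON is rare from npm itself, but a package present in node_modules and missing from the SBOM is exactly what an SBOM generated from the wrong directory, or before install finished, looks like.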

coderabbitai Bot commented Apr 28, 2026

Walkthrough

Two new configuration files are introduced to GitHub Actions: a Dependabot configuration enabling automated weekly npm package updates in the /src directory with a 10 concurrent PR limit and dependency labeling, plus a GitHub Actions workflow that generates SPDX-formatted Software Bill of Materials (SBOM) on master pushes and pull requests, then submits it to GitHub's dependency submission action.

Changes

Cohort / File(s): Dependency Management Configuration (.github/dependabot.yml, .github/workflows/dependency-submission.yml)
Summary: Adds a Dependabot configuration for weekly npm updates and a GitHub Actions workflow for SBOM generation. The workflow checks out the code, installs dependencies using npm ci, generates an SPDX SBOM via the npm sbom command, and submits it through the dependency-submission action.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Twitch! Twitch! Dependabot hops in with weekly cheer,
Fresh packages bundled, no version fear,
SBOM scrolls bloom from npm's magical ground,
Our burrow's inventory—tracked and sound! 📦✨
Organized warren of code, dependency-free! 🌿

Pre-merge checks: 5 passed
  • Description Check: passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: passed. The title accurately and specifically describes the main changes: enabling Dependabot configuration and a dependency-submission GitHub Actions workflow.
  • Docstring Coverage: passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: passed. Check skipped because no linked issues were found for this pull request.


@sonarqubecloud


Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependency-submission.yml:
- Around line 9-10: The workflow currently grants a global write-scoped token
via the permissions block ("contents: write") which exposes that token to steps
that run "npm ci" (and therefore any package "preinstall" scripts); change the
workflow to split SBOM generation and SBOM submission into separate jobs so the
job that runs "npm ci" and generates the SBOM uses least privilege (e.g.,
"contents: read" or minimal scopes) and runs "npm ci --ignore-scripts" to avoid
lifecycle script execution, and grant "contents: write" only to the separate
SBOM-submission job; locate and update the permissions block and the job(s) that
run "npm ci" and the SBOM submission step to apply these permission boundaries
and the --ignore-scripts flag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4834879c-e46e-4db1-815f-5bee2a0364df

📥 Commits

Reviewing files that changed from the base of the PR and between 95d0c60 and da80bb1.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/dependency-submission.yml

Comment on lines +9 to +10

permissions:
  contents: write


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Workflow permission + npm install context =="
rg -n -C2 'permissions:|contents:\s*write|npm ci|npm install' .github/workflows/dependency-submission.yml

echo
echo "== Lifecycle scripts that can run during npm ci =="
rg -n -C2 '"preinstall"|"install"|"postinstall"' src/package.json

Repository: Sunbird-Knowlg/knowledge-mw-service

Length of output: 1065


🏁 Script executed:

cat -n .github/workflows/dependency-submission.yml

Repository: Sunbird-Knowlg/knowledge-mw-service

Length of output: 1112


Reduce token exposure during dependency install (security hardening).

The workflow grants contents: write globally at line 10, which makes the write-scoped token available to all steps, including the npm ci command at line 27. Since src/package.json contains a preinstall script that runs multiple npm install commands, untrusted package code executes with write access. Split SBOM generation and submission into separate jobs with appropriate permission boundaries, and use npm ci --ignore-scripts since SBOM generation does not require lifecycle scripts.

🔒 Suggested workflow hardening
 name: Dependency Submission (npm)

 on:
   push:
     branches: ["master"]
   pull_request:
     branches: ["master"]

 permissions:
-  contents: write
+  contents: read

 jobs:
-  dependency-submission:
+  generate-sbom:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'

       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'

       - name: Install dependencies
         working-directory: src
-        run: npm ci
+        run: npm ci --ignore-scripts

       - name: Generate SPDX SBOM
         working-directory: src
         run: npm sbom --sbom-format spdx > sbom.spdx.json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-sbom
+          path: src/sbom.spdx.json

+  submit-dependency-snapshot:
+    needs: generate-sbom
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Download SBOM artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: npm-sbom
+          path: src
+
       - name: Submit npm Dependencies
         uses: advanced-security/spdx-dependency-submission-action@v0.2.0
         with:
           filePath: src/sbom.spdx.json
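Review bot: `npm ci --ignore-scripts` in the generate-sbom job conflicts with the second commit in this PR, which checks out submodules precisely so that src/libs is populated before npm ci's preinstall script runs, and with the finding above, which says that preinstall performs several nested npm install commands. With scripts suppressed those nested installs never happen, so the `npm sbom` step that follows only sees what the top-level `npm ci` installed and the submitted snapshot can silently omit the src/libs dependencies; either run those installs explicitly (also with --ignore-scripts) before the SBOM step, or compare the generated sbom.spdx.json against the lockfiles under src/libs before relying on it. Two smaller points on the same hunk: the artifact hand-off correctly keeps the write-scoped token out of the job that installs packages, but every action is referenced by a mutable tag (`actions/checkout@v4`, `actions/download-artifact@v4`, `advanced-security/spdx-dependency-submission-action@v0.2.0`, and so on); pin them to commit SHAs, above all in submit-dependency-snapshot, where the token carries contents: write.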
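The finding above can be turned into a repeatable check rather than a one-off rg over the workflow. What follows is an added example, not code from CodeRabbit, this PR or the project: a small Python audit that resolves each job's effective token permissions (a job-level permissions block replaces the workflow-level one; GitHub does not merge them) and reports any npm ci / npm install step that would run lifecycle scripts while the token can write. The two workflow dicts reproduce the "before" and "after" shapes from the suggested diff, in the form yaml.safe_load would return. The package.json is constructed, since the real preinstall script body is not shown on this page, only that it runs several nested npm install commands.

```python
"""Audit GitHub Actions jobs for npm lifecycle scripts running with a
write-scoped GITHUB_TOKEN. Added example; not code from the PR, CodeRabbit
or the Sunbird-Knowlg project. Inputs are plain dicts (what yaml.safe_load /
json.load would return), so no third-party package is needed.
"""
from __future__ import annotations

import re

# npm hooks that run automatically during `npm ci` / `npm install`
# unless --ignore-scripts is given.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Shell operators that separate commands within one line of a `run:` script.
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def effective_permissions(workflow: dict, job: dict) -> dict[str, str]:
    """Permissions the job's token actually has.

    A job-level `permissions:` block replaces the workflow-level block outright
    (scopes it omits become `none`); the two are never merged.
    """
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        # No block anywhere: the repository default applies, which can be
        # permissive. Treat it as write, the conservative choice.
        return {"*": "write"}
    if isinstance(perms, str):                      # "read-all" / "write-all"
        return {"*": perms.split("-")[0]}
    return {str(k): str(v) for k, v in perms.items()}


def token_can_write(perms: dict[str, str], scope: str = "contents") -> bool:
    return perms.get("*", perms.get(scope, "none")) == "write"


def install_commands_with_scripts(run: str) -> list[str]:
    """`npm ci` / `npm install` invocations in a run script that lack --ignore-scripts."""
    hits = []
    for line in run.splitlines():
        line = line.split("#", 1)[0]                 # drop trailing shell comments
        for cmd in _SPLIT.split(line):
            argv = cmd.split()
            if (len(argv) >= 2 and argv[0] == "npm" and argv[1] in ("ci", "install", "i")
                    and "--ignore-scripts" not in argv):
                hits.append(cmd.strip())
    return hits


def lifecycle_hooks(package_json: dict) -> list[str]:
    """Install-time hooks declared by the root package.json."""
    scripts = package_json.get("scripts", {})
    return [h for h in INSTALL_HOOKS if h in scripts]


def audit(workflow: dict, package_json: dict) -> list[str]:
    """One finding per step that runs npm install scripts with a write token."""
    hooks = lifecycle_hooks(package_json)
    findings = []
    for job_id, job in workflow.get("jobs", {}).items():
        if not token_can_write(effective_permissions(workflow, job)):
            continue
        for step in job.get("steps", []):
            for cmd in install_commands_with_scripts(step.get("run", "")):
                findings.append(
                    f"job {job_id!r} step {step.get('name', '?')!r}: `{cmd}` runs with "
                    f"contents=write; hooks that would execute: {hooks or 'none'}")
    return findings


# Constructed stand-in for src/package.json: the PR only says that preinstall
# runs several nested `npm install` commands; the real script body is not shown.
PACKAGE_JSON = {"name": "knowledge-mw-service", "scripts": {
    "preinstall": "npm install --prefix libs/a && npm install --prefix libs/b",
    "test": "mocha"}}

# Shape of the workflow as proposed in the PR: contents: write for every step.
WORKFLOW_BEFORE = {
    "permissions": {"contents": "write"},
    "jobs": {"dependency-submission": {"steps": [
        {"uses": "actions/checkout@v4"},
        {"name": "Install dependencies", "run": "npm ci"},
        {"name": "Generate SPDX SBOM", "run": "npm sbom --sbom-format spdx > sbom.spdx.json"},
        {"name": "Submit npm Dependencies",
         "uses": "advanced-security/spdx-dependency-submission-action@v0.2.0"},
    ]}},
}

# Shape after the suggested split: read-only install, write only for submission.
WORKFLOW_AFTER = {
    "permissions": {"contents": "read"},
    "jobs": {
        "generate-sbom": {"steps": [
            {"name": "Install dependencies", "run": "npm ci --ignore-scripts"},
            {"name": "Generate SPDX SBOM", "run": "npm sbom --sbom-format spdx > sbom.spdx.json"},
        ]},
        "submit-dependency-snapshot": {
            "needs": "generate-sbom",
            "permissions": {"contents": "write"},
            "steps": [{"name": "Submit npm Dependencies",
                       "uses": "advanced-security/spdx-dependency-submission-action@v0.2.0"}],
        },
    },
}

if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, audit(wf, PACKAGE_JSON) or "clean")
```

The permission resolution is the part worth keeping: a job that declares `permissions: {id-token: write}` for OIDC gets `contents: none`, not the workflow-level value, and the audit reflects that. It looks only at `run:` steps; an `npm ci` hidden inside a composite action or a script file called from the step would need the same check applied to that file.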
