
fix(ci): allow dependabot in codex init and add graceful auto-vet fallback#2464

Merged
bronzelle-cw merged 1 commit into main from commit-signing-permission on Mar 5, 2026

Conversation

@bronzelle-cw
Contributor

Problem

Dependabot PR runs were failing early in because bot actors are rejected by default, so auto-vet never reached reasoning/apply steps.

Changes

  • Explicitly enabled bot execution in Codex init with .
  • Made Codex init non-fatal and captured a output signal.
  • Gated prompt-building steps on successful Codex initialization.
  • Added fallback behavior in reasoning loop to mark crates as with manual-review-required reason when Codex init is unavailable.
  • Extended consolidated PR summary comment with Codex mode ( vs ).

Result

  • Dependabot runs no longer fail at the bot permission gate.
  • Workflow preserves fail-closed behavior and still produces and summary output in fallback mode.
  • Signed commit/push behavior remains unchanged.

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Codex Init Outcome Handling

Verify that using continue-on-error on the Codex init step still populates steps.codex_init.outcome correctly, and that the capture step reliably sets codex_init_ok for downstream gating.

  id: codex_init
  if: steps.vet_import.outputs.has_cases == 'true'
  continue-on-error: true
  uses: openai/codex-action@v1
  with:
    openai-api-key: ${{ secrets.OPENAI_KEY }}
    model: ${{ env.CODEX_MODEL }}
    prompt: "init"
    output-file: vet/_codex-init.json
    allow-bots: "true"
    safety-strategy: drop-sudo
    sandbox: workspace-write

- name: Capture Codex init status
  id: codex_init_status
  if: steps.vet_import.outputs.has_cases == 'true'

Fallback Logic JSON

Ensure the fallback branch correctly initializes or truncates vet/decisions.jsonl and that the jq output produces valid JSON lines without leftover state when Codex init is unavailable.

if [ "${CODEX_INIT_OK}" != "true" ]; then
  jq -nc --arg crate "$crate" --arg version "$new" \
    --arg description "Codex initialization unavailable or blocked; requires manual review." \
    '{crate:$crate,version:$version,status:"unvetted",description:$description}' >> vet/decisions.jsonl
  continue
fi

if [ ! -s "$prompt_file" ]; then

Summary Variable Consistency

Confirm that the output variable name codex_init_ok in YAML matches the JS usage in the summary step and that defaulting to 'false' behaves as expected.

const hasCases = `${{ steps.vet_import.outputs.has_cases || 'true' }}` === 'true';
const importChanged = `${{ steps.detect_import_changes.outputs.import_changed || 'false' }}` === 'true';
const codexInitOk = `${{ steps.codex_init_status.outputs.codex_init_ok || 'false' }}` === 'true';

const changed = `${{ steps.commit.outputs.changed || 'false' }}` === 'true';
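The three review focus areas above boil down to one property: when Codex init is unavailable the loop must write only "unvetted" records with the manual-review reason, and whatever is written must be strict JSON Lines with no stale state left from an earlier run. The workflow does this in bash with jq; the following is an added Python model of the same gating and validation, written for this page and not taken from the workflow or the project. The `demo_vet` callback standing in for the Codex reasoning step, the `vetted` status value, the `codex`/`fallback` mode labels and the sample crate list are all assumptions; the fallback reason string is the one the jq branch above uses.

```python
"""Fail-closed decision writer and strict JSON Lines validator for an auto-vet step.

Added example, not the workflow's own code. Models the fallback branch (Codex init
unavailable -> every crate is "unvetted" with the manual-review reason) and the
round trip through decisions.jsonl. The `vet` callback, the "vetted" status value
and the "codex"/"fallback" mode labels are assumptions, not taken from the workflow.
"""
import json
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Tuple

Decision = Dict[str, str]
Case = Tuple[str, str]  # (crate, new version)

# Reason text copied from the workflow's jq fallback branch.
FALLBACK_REASON = "Codex initialization unavailable or blocked; requires manual review."
REQUIRED_FIELDS = {"crate", "version", "status", "description"}
ALLOWED_STATUS = {"vetted", "unvetted"}  # assumption: "vetted" is the positive outcome


def decide_crate(crate: str, version: str, codex_init_ok: bool,
                 vet: Callable[[str, str], Decision]) -> Decision:
    """Loop body: if init failed, never consult the model; mark the crate unvetted."""
    if not codex_init_ok:
        return {"crate": crate, "version": version, "status": "unvetted",
                "description": FALLBACK_REASON}
    decision = vet(crate, version)
    # Only the two known statuses may reach the file, whatever the model returned.
    if decision.get("status") not in ALLOWED_STATUS:
        raise ValueError(f"vet returned unknown status for {crate}: {decision!r}")
    return decision


def render_decisions(cases: Iterable[Case], codex_init_ok: bool,
                     vet: Callable[[str, str], Decision]) -> str:
    """Full decisions.jsonl content: one compact object per line, like `jq -c`.
    json.dumps escapes crate, version and description the way `jq --arg` does."""
    lines = [json.dumps(decide_crate(c, v, codex_init_ok, vet),
                        separators=(",", ":"), sort_keys=True) for c, v in cases]
    return "".join(line + "\n" for line in lines)


def parse_decisions(text: str) -> List[Decision]:
    """Strict JSON Lines parser: a blank, truncated, non-object or incomplete line
    raises, so a half-written or stale file fails closed instead of being half-read."""
    out: List[Decision] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            raise ValueError(f"line {n}: blank line")
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: not JSON ({exc.msg})") from None
        if not isinstance(rec, dict):
            raise ValueError(f"line {n}: not an object")
        missing = REQUIRED_FIELDS - rec.keys()
        if missing:
            raise ValueError(f"line {n}: missing {sorted(missing)}")
        if rec["status"] not in ALLOWED_STATUS:
            raise ValueError(f"line {n}: bad status {rec['status']!r}")
        out.append(rec)
    return out


def is_valid_decisions(text: str) -> bool:
    try:
        parse_decisions(text)
        return True
    except ValueError:
        return False


def summarize(decisions: List[Decision], codex_init_ok: bool) -> Dict[str, object]:
    """What the consolidated PR comment needs: the mode and who still needs a human."""
    unvetted = sorted(d["crate"] for d in decisions if d["status"] != "vetted")
    return {"mode": "codex" if codex_init_ok else "fallback",  # assumption: label names
            "total": len(decisions), "unvetted": unvetted,
            "manual_review_required": bool(unvetted)}


def write_decisions(path: str, text: str) -> None:
    """Open with 'w', not 'a': truncating is what keeps lines from an earlier run
    (or an earlier iteration of the same loop) out of this review."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


# Constructed sample input; not from any real Dependabot run.
SAMPLE_CASES: List[Case] = [("serde", "1.0.219"), ("tokio", "1.44.0"), ("left-pad-rs", "0.9.9")]


def demo_vet(crate: str, version: str) -> Decision:
    """Hypothetical stand-in for the Codex reasoning step: vets a fixed allowlist."""
    ok = crate in {"serde", "tokio"}
    return {"crate": crate, "version": version,
            "status": "vetted" if ok else "unvetted",
            "description": "Known upstream; changelog reviewed." if ok
            else "Unfamiliar crate; requires manual review."}


def run(codex_init_ok: bool, cases: Iterable[Case] = SAMPLE_CASES) -> Dict[str, object]:
    """Round trip: render, write to a temp file, re-read strictly, summarize."""
    text = render_decisions(cases, codex_init_ok, demo_vet)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "decisions.jsonl")
        write_decisions(path, text)
        with open(path, encoding="utf-8") as fh:
            decisions = parse_decisions(fh.read())
    return summarize(decisions, codex_init_ok)


if __name__ == "__main__":
    print(json.dumps(run(False)))
    print(json.dumps(run(True)))
```

Running it with `codex_init_ok=False` yields a summary in fallback mode with every sample crate listed as unvetted, which is the fail-closed behaviour the PR description claims; with `True` only the crate the stand-in vetter rejects remains. The strict parser is the check to run over the real `vet/decisions.jsonl` before the summary step trusts it.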

@github-actions
Contributor

github-actions bot commented Mar 4, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Allow status step to continue on errors

Ensure the status‐capture step never fails the job if something goes wrong in the
script.
Add continue-on-error: true so the workflow continues even if the status check
errors unexpectedly.

.github/workflows/dependabot-auto-vet.yml [194-202]

 id: codex_init_status
+continue-on-error: true
 if: steps.vet_import.outputs.has_cases == 'true'
 run: |
   set -euo pipefail
   if [ "${{ steps.codex_init.outcome }}" = "success" ]; then
     echo "codex_init_ok=true" >> "$GITHUB_OUTPUT"
   else
     echo "codex_init_ok=false" >> "$GITHUB_OUTPUT"
   fi
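Review bot: the added `continue-on-error: true` on `codex_init_status` is harmless but mostly redundant: the script only echoes into `$GITHUB_OUTPUT`, and if it did fail the consumers read the output through `|| 'false'` (summary step) or an `== 'true'` gate (prompt steps), so a missing output already lands in fallback mode. The line worth confirming is the condition itself: because `codex_init` runs with `continue-on-error: true`, a failed init reports `outcome: failure` while its `conclusion` is `success`, so comparing `steps.codex_init.outcome` to `success` is the correct check; comparing `conclusion` instead would report a failed init as OK and skip the fallback. When `has_cases` is false both steps are skipped rather than failed, so no output is written in that case either, which the same defaults cover.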
Suggestion importance[1-10]: 6


Why: Adding continue-on-error: true to the codex_init_status step ensures the workflow won't halt if the status capture script fails, improving resilience without changing logic.

Low
General
Quote combined if expression

Wrap complex if: conditionals in the ${{ }} expression syntax to ensure GitHub
Actions evaluates them correctly.
This avoids parser ambiguity around &&.

.github/workflows/dependabot-auto-vet.yml [205]

-if: steps.vet_import.outputs.has_cases == 'true' && steps.codex_init_status.outputs.codex_init_ok == 'true'
+if: ${{ steps.vet_import.outputs.has_cases == 'true' && steps.codex_init_status.outputs.codex_init_ok == 'true' }}
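Review bot: no behaviour change here; GitHub Actions evaluates the `if:` value as an expression whether or not it is wrapped in `${{ }}`, and `&&` is not ambiguous in that position. The real pitfall is the opposite one: wrapping only part of the condition in `${{ }}` and leaving the rest bare turns the line into string concatenation that is always truthy. Either keep the unwrapped form, which the other steps in this file (`if: steps.vet_import.outputs.has_cases == 'true'`) already use, or wrap the whole expression; do not mix the two styles in one workflow.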
Suggestion importance[1-10]: 5


Why: Wrapping the combined condition in ${{ }} follows GitHub Actions syntax and avoids ambiguity when using && in the if field.

Low
Simplify init status env var

Simplify the environment variable assignment by removing the || 'false' fallback and
treat an empty value as false in the script itself.
This uses the native output directly and avoids unexpected literal strings.

.github/workflows/dependabot-auto-vet.yml [259-260]

 env:
-  CODEX_INIT_OK: ${{ steps.codex_init_status.outputs.codex_init_ok || 'false' }}
+  CODEX_INIT_OK: ${{ steps.codex_init_status.outputs.codex_init_ok }}
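Review bot: dropping `|| 'false'` is behaviour-neutral only because the consuming script compares `"${CODEX_INIT_OK}" != "true"` (see the fallback snippet in the review guide above), so an empty string still takes the fallback branch; `set -u` does not trip either, since a variable declared under `env:` is exported even when its expression evaluates to empty. Keep the explicit default anyway: it documents that the gate is fail-closed at the point where the value enters the script, and it keeps this env block consistent with the summary step, which uses the same `|| 'false'` default.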
Suggestion importance[1-10]: 4


Why: The || 'false' fallback is redundant because the script treats any non-true value as false, so removing it simplifies the env assignment with no functional change.

Low

@codecov

codecov bot commented Mar 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.73%. Comparing base (d5188d5) to head (5d20520).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2464      +/-   ##
==========================================
- Coverage   84.41%   83.73%   -0.69%     
==========================================
  Files         141      141              
  Lines       10808    10895      +87     
==========================================
- Hits         9124     9123       -1     
- Misses       1684     1772      +88     
Flag Coverage Δ
contracts-rocks-asset-transit-desk 43.64% <ø> (+<0.01%) ⬆️
contracts-rocks-balance-freezer 42.71% <ø> (+<0.01%) ⬆️
contracts-rocks-balance-tracker 43.04% <ø> (-0.02%) ⬇️
contracts-rocks-base 43.62% <ø> (+<0.01%) ⬆️
contracts-rocks-blueprint 43.97% <ø> (+<0.01%) ⬆️
contracts-rocks-capybara-finance 44.30% <ø> (+<0.01%) ⬆️
contracts-rocks-capybara-finance-v2 44.36% <ø> (+<0.01%) ⬆️
contracts-rocks-card-payment-processor 44.07% <ø> (+<0.01%) ⬆️
contracts-rocks-card-payment-processor-v2 44.36% <ø> (+<0.01%) ⬆️
contracts-rocks-cashier 43.97% <ø> (+<0.01%) ⬆️
contracts-rocks-credit-agent 43.26% <ø> (+<0.01%) ⬆️
contracts-rocks-multisig 43.96% <ø> (+<0.01%) ⬆️
contracts-rocks-net-yield-distributor 43.97% <ø> (-0.02%) ⬇️
contracts-rocks-periphery 42.71% <ø> (+<0.01%) ⬆️
contracts-rocks-shared-wallet-controller 44.02% <ø> (+<0.01%) ⬆️
contracts-rocks-token 44.07% <ø> (-0.02%) ⬇️
contracts-rocks-treasury 43.68% <ø> (+<0.01%) ⬆️
e2e-admin-password 22.82% <ø> (-0.03%) ⬇️
e2e-clock-stratus 25.67% <ø> (-0.02%) ⬇️
e2e-genesis 27.21% <ø> (-0.02%) ⬇️
e2e-importer-offline 60.15% <ø> (-0.01%) ⬇️
e2e-rpc-downloader 55.15% <ø> (-0.01%) ⬇️
e2e-stratus 57.59% <ø> (-0.04%) ⬇️
leader-follower- 61.69% <ø> (-0.02%) ⬇️
rust-tests 30.51% <ø> (-0.21%) ⬇️


@bronzelle-cw bronzelle-cw merged commit bf5446a into main Mar 5, 2026
50 of 51 checks passed
@bronzelle-cw bronzelle-cw deleted the commit-signing-permission branch March 5, 2026 22:11
