From 200a05032caf499361425ab02c5b3a2de92f10ca Mon Sep 17 00:00:00 2001 From: Chris0Jeky Date: Sun, 29 Mar 2026 03:41:39 +0100 Subject: [PATCH 1/7] Add Dependabot configuration for NuGet, npm, and GitHub Actions Weekly Monday schedule for all three ecosystems. Minor/patch updates are grouped to reduce PR noise; major NuGet/npm updates arrive as individual PRs for explicit review. GitHub Actions updates are fully grouped since they are lower-risk. Closes part of #148 --- .github/dependabot.yml | 77 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..0d29eb446 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,77 @@ +# Dependabot configuration for automated dependency updates +# Policy: docs/ops/DEPENDENCY_UPDATE_POLICY.md +# Linked issue: #148 (OPS-18) + +version: 2 + +updates: + # --- NuGet (backend .NET) --- + - package-ecosystem: nuget + directory: /backend + schedule: + interval: weekly + day: monday + time: "06:00" + timezone: America/Chicago + open-pull-requests-limit: 10 + reviewers: + - jekyt + labels: + - dependencies + - backend + groups: + # Group minor/patch updates together to reduce PR noise + dotnet-minor-patch: + update-types: + - minor + - patch + # Let major versions come as individual PRs for explicit review + commit-message: + prefix: "deps(nuget)" + + # --- npm (frontend) --- + - package-ecosystem: npm + directory: /frontend/taskdeck-web + schedule: + interval: weekly + day: monday + time: "06:00" + timezone: America/Chicago + open-pull-requests-limit: 10 + reviewers: + - jekyt + labels: + - dependencies + - frontend + groups: + # Group minor/patch updates together + npm-minor-patch: + update-types: + - minor + - patch + commit-message: + prefix: "deps(npm)" + + # --- GitHub Actions --- + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + time: "06:00" + timezone: America/Chicago + open-pull-requests-limit: 5 + reviewers: + - jekyt + labels: + - dependencies + - ci + groups: + # Group all Actions updates together since they are low-risk + actions-all: + update-types: + - major + - minor + - patch + commit-message: + prefix: "deps(actions)" From 97ef67ed7c9e1793b0b7d87243cc54b7332c833d Mon Sep 17 00:00:00 2001 
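Review bot: the `actions-all` group at the end of the hunk puts `major` in its `update-types` alongside `minor` and `patch`, and the comment justifies it with "they are low-risk", which contradicts how the same file treats NuGet and npm majors (left ungrouped so they "come as individual PRs for explicit review"). A major bump of a GitHub Action is exactly the case where inputs, defaults, or the permissions the action expects from the workflow token tend to change, and a grouped PR hides which of several actions made that jump. Suggest removing `- major` from the `actions-all` list so Actions majors surface as individual PRs like the other two ecosystems, or at least rewording the comment so the grouping is presented as a noise trade-off rather than a risk assessment.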
From: Chris0Jeky Date: Sun, 29 Mar 2026 03:42:28 +0100 Subject: [PATCH 2/7] Add dependency update policy and security triage workflow Defines update categories (routine, major, security, lock-file-only), PR verification expectations, severity-based triage SLAs aligned with the existing vulnerability policy, and escalation procedures. Closes part of #148 --- docs/ops/DEPENDENCY_UPDATE_POLICY.md | 124 +++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 docs/ops/DEPENDENCY_UPDATE_POLICY.md diff --git a/docs/ops/DEPENDENCY_UPDATE_POLICY.md b/docs/ops/DEPENDENCY_UPDATE_POLICY.md new file mode 100644 index 000000000..771769954 --- /dev/null +++ b/docs/ops/DEPENDENCY_UPDATE_POLICY.md 
@@ -0,0 +1,124 @@ +# Dependency Update Policy + +Last Updated: 2026-03-29 +Owner: Repository maintainers +Linked issue: `#148` (OPS-18) + +## Purpose + +This document defines the dependency update automation policy and security-advisory triage workflow for Taskdeck. It complements the existing vulnerability management policy (`docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md`) by adding proactive update automation and structured triage ownership. + +Related docs: + +- `docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md` — vulnerability scan cadence, severity policy, exception process +- `.github/dependabot.yml` — Dependabot automation configuration + +## Automation Tool + +Taskdeck uses **GitHub Dependabot** for automated dependency update PRs across three ecosystems: + +| Ecosystem | Config directory | Schedule | Grouping strategy | +|----------------|---------------------------|-----------------|--------------------------------------------| +| NuGet (backend)| `/backend` | Weekly (Monday) | Minor/patch grouped; major individual | +| npm (frontend) | `/frontend/taskdeck-web` | Weekly (Monday) | Minor/patch grouped; major individual | +| GitHub Actions | `/` | Weekly (Monday) | All update types grouped | + +## Update Categories + +### Routine updates (minor and patch) + +- Grouped into single PRs per ecosystem to reduce noise. +- Expected to pass CI without intervention in most cases. +- Maintainer review is required before merge; no auto-merge is enabled. +- If CI passes and the changelog shows no breaking changes, merge promptly. + +### Major version updates + +- Arrive as individual PRs for explicit review. +- Require maintainer assessment of breaking changes, migration guides, and downstream impact. +- Should be tested locally when the changelog indicates API surface changes. +- Target resolution within one development cycle (1 to 2 weeks) unless blocked. 
+ +### Security updates + +- Dependabot security updates are enabled by default on GitHub and create PRs independently of the weekly schedule. +- Security PRs are clearly distinguishable by the `security` label automatically applied by GitHub and the security advisory reference in the PR body. +- Security updates follow the severity-based SLA targets defined below. + +### Lock-file-only updates + +- Dependabot may propose lock-file-only changes when transitive dependencies have updates. +- These follow the same review process as routine updates. +- Pay attention to transitive security fixes surfaced through lock-file changes. + +## PR Verification Expectations + +All Dependabot PRs must pass the `ci-required.yml` gate before merge. This includes: + +- Backend build and unit tests (domain, application, CLI, API integration) +- Frontend typecheck, lint, unit tests, and E2E smoke +- Architecture boundary tests +- Docs governance checks + +Additional verification for dependency PRs: + +- Review the Dependabot PR body for changelog links and compatibility notes. +- For NuGet major bumps: verify `dotnet build` succeeds locally and check for deprecation warnings. +- For npm major bumps: verify `npm run build` and `npx vitest --run` succeed locally. +- For GitHub Actions bumps: verify the referenced action version exists and check for breaking changes in the action's release notes. + +## Security-Advisory Triage Workflow + +### Trigger sources + +1. **Dependabot security alerts** — GitHub surfaces these on the Security tab and may auto-create PRs. +2. **Dependabot security update PRs** — automated fix PRs for known advisories. +3. **Nightly dependency security signals** — `nightly-quality.yml` runs vulnerability scans on schedule. +4. **Manual scan** — operators can run `dotnet list ... --vulnerable` and `npm audit` locally (see commands in the vulnerability policy doc). 
+ +### Triage ownership + +- The maintainer who sees the alert first owns initial triage classification. +- Classification means: confirm severity, determine if the package is runtime/test/build-only, and assign a remediation owner. +- If no maintainer is available within the SLA window, the alert must be escalated (GitHub issue with `Priority I` or `Priority II` label). + +### Severity-based response targets + +These targets align with the existing vulnerability policy (`docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md`): + +| Severity | Triage SLA | Remediation target | +|----------|---------------------|-------------------------------------------------------| +| Critical | Same business day | Merge fix within 1 business day; block releases | +| High | 1 business day | Merge fix within 3 business days; block releases | +| Moderate | 5 business days | Schedule in normal backlog; does not block release | +| Low/Info | 10 business days | Batch with routine dependency hygiene | + +### Triage checklist + +For each security advisory or Dependabot security PR: + +1. Confirm the advisory applies to Taskdeck's usage of the package (not just presence in the dependency tree). +2. Classify exposure: `runtime`, `test-only`, `build-only`, `local-dev-only`. +3. Check if Dependabot has already opened a fix PR. If yes, prioritize review. +4. If no automated fix exists, create a GitHub issue with the appropriate priority label. +5. If remediation is blocked (no upstream fix available), follow the exception process in the vulnerability policy doc. +6. Post triage outcome (fixed, excepted, or false positive) as a comment on the alert or PR. + +### Escalation + +- Critical/High findings with no available fix: create a GitHub issue with `Priority I` label and document compensating controls. +- Findings that affect the release pipeline: notify maintainers and block release candidates per the vulnerability policy enforcement rules. 
+ +## Policy Boundaries + +### What this policy does NOT cover + +- Auto-merge: all dependency PRs require human review. Auto-merge may be considered in the future for patch-only grouped updates with passing CI, but is not enabled now. +- Renovate: the project uses Dependabot only. Renovate may be evaluated if Dependabot proves insufficient. +- SBOM generation: tracked separately in `#103`. +- Stricter required-PR blocking for vulnerability findings: tracked as a follow-up in the vulnerability policy doc. + +### Review cadence + +- Maintainers should review open Dependabot PRs at least weekly (aligned with the Monday generation schedule). +- Stale Dependabot PRs older than 30 days should be investigated: either the update is blocked (needs an issue) or it was overlooked. From 8d9dfe78afbb7521c2b41b6d1ac1ce1c3b9c7507 Mon Sep 17 00:00:00 2001 From: Chris0Jeky Date: Sun, 29 Mar 2026 03:42:43 +0100 Subject: [PATCH 3/7] Update STATUS.md to reflect active dependency update automation Adds dependency automation section under CI topology and removes #148 from the SBOM/provenance follow-through placeholder since it is now delivered. --- docs/STATUS.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/STATUS.md b/docs/STATUS.md index 847f25dc7..453a11c53 100644 --- a/docs/STATUS.md +++ b/docs/STATUS.md 
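Review bot: the "Security updates" section asserts that "Dependabot security updates are enabled by default on GitHub and create PRs independently of the weekly schedule", but that is a repository code-security setting that neither this document nor `.github/dependabot.yml` controls, and the whole triage workflow that follows (trigger sources 1 and 2, the SLA table, checklist step 3 "Check if Dependabot has already opened a fix PR") assumes those fix PRs actually arrive. Suggest rewording to say the setting must be enabled in the repository's code security settings and is currently enabled, and adding a one-line verification (confirm a fix PR exists for a known alert on the Security tab) so a maintainer can check the assumption rather than trust a default.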
@@ -619,7 +619,14 @@ Release workflow: `.github/workflows/ci-release.yml` - release/tag/manual build verification (backend + frontend) - container image artifact/checksum lane reused from container baseline workflow -- SBOM/provenance placeholder (follow-through: `#103`, `#106`, `#148`) +- SBOM/provenance placeholder (follow-through: `#103`, `#106`) + +Dependency update automation: `.github/dependabot.yml` + +- weekly Dependabot PRs for NuGet, npm, and GitHub Actions ecosystems +- minor/patch grouped; major NuGet/npm individual; Actions fully grouped +- security updates follow severity-based triage SLAs in `docs/ops/DEPENDENCY_UPDATE_POLICY.md` +- no auto-merge; all dependency PRs require human review and `ci-required.yml` gate pass Release/security deep workflow: `.github/workflows/release-security.yml` From 4ac20ba00605ab33dba3b48bb050154ccb5c2d54 Mon Sep 17 00:00:00 2001 From: Chris0Jeky Date: Sun, 29 Mar 2026 03:43:02 +0100 Subject: [PATCH 4/7] Update IMPLEMENTATION_MASTERPLAN.md with OPS-18 delivery entry Records #148 dependency update automation as item 95 in the delivered cycle list. --- docs/IMPLEMENTATION_MASTERPLAN.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/IMPLEMENTATION_MASTERPLAN.md b/docs/IMPLEMENTATION_MASTERPLAN.md index 2d3fb0f07..79c19a17c 100644 --- a/docs/IMPLEMENTATION_MASTERPLAN.md +++ b/docs/IMPLEMENTATION_MASTERPLAN.md 
@@ -434,6 +434,11 @@ Delivered in the latest cycle: - ArchiveRecovery decomposition: `ArchiveRecoveryService` → `ArchiveConflictDetector` + `RestorePlanner` + `RestoreExecutor` - AutomationExecutor decomposition: `AutomationExecutorService` → `OperationParameterParser` + `ExecutionAuditRecorder` + `OperationHandlerRegistry` - Deploy/MCP failure injection drills: 5 shell drill scripts + `run-all-drills.sh` orchestrator in `scripts/drills/` +95. OPS-18 dependency update automation and security triage workflow (`#148`): + - added `.github/dependabot.yml` with weekly update schedules for NuGet (`/backend`), npm (`/frontend/taskdeck-web`), and GitHub Actions (`/`) ecosystems + - minor/patch updates grouped per ecosystem; major NuGet/npm updates arrive as individual PRs; GitHub Actions updates fully grouped + - added `docs/ops/DEPENDENCY_UPDATE_POLICY.md` with update categories, PR verification expectations, severity-based triage SLAs, escalation procedures, and policy boundaries + - security triage workflow aligns with existing `docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md` severity policy; no auto-merge enabled ## Current Planning Pivot (2026-03-07) From 7978136355f1647a3e27b1bff7f50d085e55f198 Mon Sep 17 00:00:00 2001 From: Chris0Jeky Date: Sun, 29 Mar 2026 03:43:18 +0100 Subject: [PATCH 5/7] Update vulnerability policy to reflect active Dependabot automation Removes Dependabot from the follow-up scope list since it is now delivered. Adds cross-reference to the new dependency update policy doc. --- docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md b/docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md index 7dea6edad..46ab9fa93 100644 --- a/docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md +++ b/docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md 
@@ -176,7 +176,7 @@ node --test scripts/ci/summarize-dependency-security-signals.test.mjs ## Follow-up Scope Still Outside This Policy - automated issue creation for fresh findings -- Dependabot or Renovate policy automation beyond current dependency review usage - stricter required-PR blocking for vulnerability findings +- auto-merge for low-risk dependency update PRs -Those can be added later if the current signal-first posture proves reliable enough. +Dependabot automation is now active (`.github/dependabot.yml`). The update policy and security-advisory triage workflow are documented in `docs/ops/DEPENDENCY_UPDATE_POLICY.md`. From 2cced1038fe241ed3da2bbfa7fa7c2dae8921173 Mon Sep 17 00:00:00 2001 From: Chris0Jeky Date: Sun, 29 Mar 2026 03:44:09 +0100 Subject: [PATCH 6/7] Fix security PR distinguisher description accuracy Security advisory reference in PR body and title prefix are the reliable distinguishers; the security label is conditional on repo label existence. --- docs/ops/DEPENDENCY_UPDATE_POLICY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ops/DEPENDENCY_UPDATE_POLICY.md b/docs/ops/DEPENDENCY_UPDATE_POLICY.md index 771769954..a7ca6a741 100644 --- a/docs/ops/DEPENDENCY_UPDATE_POLICY.md +++ b/docs/ops/DEPENDENCY_UPDATE_POLICY.md @@ -42,7 +42,7 @@ Taskdeck uses **GitHub Dependabot** for automated dependency update PRs across t ### Security updates - Dependabot security updates are enabled by default on GitHub and create PRs independently of the weekly schedule. -- Security PRs are clearly distinguishable by the `security` label automatically applied by GitHub and the security advisory reference in the PR body. +- Security PRs are clearly distinguishable by the security advisory reference in the PR body and `[security]` prefix in the PR title. GitHub may also auto-apply a `security` label if one exists in the repo. - Security updates follow the severity-based SLA targets defined below. ### Lock-file-only updates 
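Review bot: the hunk deletes "Those can be added later if the current signal-first posture proves reliable enough." and replaces it with a sentence about Dependabot being active, but the list above still carries two open follow-ups (automated issue creation, stricter required-PR blocking) plus the newly added "auto-merge for low-risk dependency update PRs", and after this change nothing states what gates them. Suggest keeping the original closing sentence for the remaining items and adding the `docs/ops/DEPENDENCY_UPDATE_POLICY.md` cross-reference as a second sentence after it, rather than swapping one for the other.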
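Review bot: the replacement line in this PATCH 6/7 hunk introduces the claim that security PRs carry a "`[security]` prefix in the PR title", and PATCH 7/7 removes that claim again as inaccurate. Landing the series as-is leaves a commit whose only content is a statement the next commit retracts; suggest squashing this patch into 7/7 (or folding both corrections back into 2/7, which introduced the original "`security` label automatically applied by GitHub" wording) so the history records one correct version of the "Security updates" bullet.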
From 7d120b67f126ec3c35aec6217059b65bdcbd5abd Mon Sep 17 00:00:00 2001 From: Chris0Jeky Date: Sun, 29 Mar 2026 03:55:31 +0100 Subject: [PATCH 7/7] Fix security PR identification guidance and add missing labels to taxonomy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Correct inaccurate claim that Dependabot security PRs have a [security] title prefix — they use the same title format as regular updates. Add dependencies and ci labels to GITHUB_LABEL_TAXONOMY.md to match the labels configured in dependabot.yml. --- docs/ops/DEPENDENCY_UPDATE_POLICY.md | 2 +- docs/ops/GITHUB_LABEL_TAXONOMY.md | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/ops/DEPENDENCY_UPDATE_POLICY.md b/docs/ops/DEPENDENCY_UPDATE_POLICY.md index a7ca6a741..5fcc2d933 100644 --- a/docs/ops/DEPENDENCY_UPDATE_POLICY.md +++ b/docs/ops/DEPENDENCY_UPDATE_POLICY.md @@ -42,7 +42,7 @@ Taskdeck uses **GitHub Dependabot** for automated dependency update PRs across t ### Security updates - Dependabot security updates are enabled by default on GitHub and create PRs independently of the weekly schedule. -- Security PRs are clearly distinguishable by the security advisory reference in the PR body and `[security]` prefix in the PR title. GitHub may also auto-apply a `security` label if one exists in the repo. +- Security PRs are distinguishable by the security advisory reference in the PR body. GitHub may also auto-apply a `security` label if one exists in the repo. Note: the PR title format is the same as regular Dependabot PRs ("Bump X from Y to Z"), so rely on the body and labels rather than the title to identify security updates. - Security updates follow the severity-based SLA targets defined below. ### Lock-file-only updates diff --git a/docs/ops/GITHUB_LABEL_TAXONOMY.md b/docs/ops/GITHUB_LABEL_TAXONOMY.md index 94b85fe04..cc4b19beb 100644 --- a/docs/ops/GITHUB_LABEL_TAXONOMY.md +++ b/docs/ops/GITHUB_LABEL_TAXONOMY.md 
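Review bot: the new wording in this hunk tells triagers to "rely on the body and labels rather than the title", but the same sentence concedes the `security` label is applied only "if one exists in the repo", so the only unconditional signal left is free text in the PR body. The "Trigger sources" section earlier in this document already names the Security tab's Dependabot alerts as the source that "may auto-create PRs"; suggest stating there that the alert entry is the authoritative link between an advisory and its fix PR, and treating the advisory reference in the PR body as confirmation rather than the primary identifier, so triage does not depend on a label that may be absent or on reading body text.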
@@ -44,6 +44,10 @@ Note: - Background worker runtime behavior, queue processing, retry semantics, and worker observability. - `performance` - Latency, throughput, responsiveness, and resource-efficiency improvements across API, worker, and frontend surfaces. +- `dependencies` + - Dependency version updates managed by Dependabot or manual dependency hygiene. +- `ci` + - CI/CD pipeline, workflow, and build infrastructure changes. ## Priority Labels
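Review bot: the taxonomy hunk adds `dependencies` and `ci` to match the labels configured in `dependabot.yml`, but not `security`, while the policy hunk in this same patch tells triagers to rely on labels and notes that GitHub applies the `security` label only "if one exists in the repo". Either add a `security` entry here next to `dependencies` (with a description along the lines of "Dependabot security update PRs and advisory remediation") so the label actually exists and the guidance holds, or drop "and labels" from the policy wording. As written, the one label the triage text leans on is the one the taxonomy does not define.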