
ci: add Dependabot,MegaLinter workflows #56

Open
Wan-ZL wants to merge 3 commits into main from feature/add-ci-tools

Conversation

@Wan-ZL (Owner) commented Feb 20, 2026

Summary

Adds CI/CD tooling to this repository:

  • Dependabot: Auto-updates GitHub Actions to latest versions (weekly)
  • MegaLinter (python flavor): Lints code on push/PR to catch issues early

Setup Notes

  • All workflows use permissions: read-all with minimal write scopes
  • No secrets required beyond the default GITHUB_TOKEN

Summary by CodeRabbit

  • Chores
    • Implemented Dependabot configuration for automated weekly GitHub Actions dependency updates with organized PR grouping.
    • Added MegaLinter workflow for continuous code quality analysis on push and pull requests with artifact archival.

@gemini-code-assist

Summary of Changes

Hello @Wan-ZL, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces essential CI/CD tooling to the repository by adding workflows for Dependabot and MegaLinter. These additions aim to automate dependency updates for GitHub Actions and enforce code quality standards, respectively, thereby improving maintainability and reducing technical debt.

Highlights

  • Dependabot Workflow: Configured Dependabot to automatically update GitHub Actions to their latest versions on a weekly schedule, ensuring dependencies remain current.
  • MegaLinter Workflow: Integrated MegaLinter with a Python flavor to lint code on push and pull requests, facilitating early detection of code quality issues and adherence to style guidelines.


Changelog
  • .github/dependabot.yml
    • Added configuration for Dependabot to manage GitHub Actions dependencies.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/mega-linter.yml
Activity
  • No specific activity has been recorded for this pull request yet.
Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


coderabbitai bot commented Feb 20, 2026

Warning

Rate limit exceeded

@Wan-ZL has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 45 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 7639a11 and a2ccb9a.

📒 Files selected for processing (1)
  • .github/workflows/mega-linter.yml
📝 Walkthrough

Two GitHub automation configuration files are added: Dependabot configuration to automatically update GitHub Actions dependencies weekly, and a MegaLinter workflow to lint code on push and pull requests with customizable validation scope and disabled linters.

Changes

Cohort / File(s): GitHub Automation Setup (.github/dependabot.yml, .github/workflows/mega-linter.yml)
Summary: Adds Dependabot configuration for weekly GitHub Actions updates with PR grouping and limits, and introduces a new MegaLinter workflow for code linting on push/pull requests with selective validation and disabled linters to reduce noise.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 With a hop and a bound through the CI/CD scene,
Dependabot and Linter keep workflows so clean,
Weekly updates roll in, fresh and bright,
While MegaLinter checks code with all of its might,
Automation dreams come true, don't you know!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: add Dependabot,MegaLinter workflows' accurately and concisely summarizes the main changes: adding CI/CD configurations for Dependabot and MegaLinter.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@gemini-code-assist bot left a comment

Code Review

This pull request adds CI/CD tooling to the repository. The configuration for Dependabot in .github/dependabot.yml is well-structured and follows best practices, including grouping all GitHub Actions updates into a single pull request to reduce noise and setting a reasonable weekly update schedule. I have no specific feedback or suggestions for improvement on this file. Note that the MegaLinter workflow mentioned in the pull request title and description was not included in the provided changes, so I was unable to review it.


github-actions bot commented Feb 20, 2026

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 1 0 0 0.0s
❌ REPOSITORY gitleaks yes 3 no 68.62s
✅ REPOSITORY git_diff yes no no 0.06s
✅ REPOSITORY secretlint yes no no 3.06s
✅ REPOSITORY syft yes no no 2.29s
✅ REPOSITORY trivy-sbom yes no no 0.52s
✅ REPOSITORY trufflehog yes no no 5.36s
✅ SPELL lychee 1 0 0 0.26s
✅ YAML prettier 1 0 0 0.38s
✅ YAML v8r 1 0 0 2.86s
✅ YAML yamllint 1 0 0 0.71s

Detailed Issues

❌ REPOSITORY / gitleaks - 3 errors

Finding:     ...ttings_service.set("openai_api_key", "REDACTED"
Secret:      REDACTED
RuleID:      generic-api-key
Entropy:     3.750000
File:        assistant/tests/test_settings.py
Line:        327
Commit:      HIDDEN_BY_MEGALINTER
Author:      Zelin
Email:       wanzelin007@gmail.com
Date:        2026-02-04T12:29:31Z
Fingerprint: 6bbfad2159083e2b2ff33f44aa76cd2b4e3bae60:assistant/tests/test_settings.py:generic-api-key:327
Link:        https://github.com/Wan-ZL/Genesis/blob/6bbfad2159083e2b2ff33f44aa76cd2b4e3bae60/assistant/tests/test_settings.py#L327

Finding:     ...ttings_service.set("openai_api_key", "REDACTED"
Secret:      REDACTED
RuleID:      generic-api-key
Entropy:     3.750000
File:        assistant/tests/test_settings.py
Line:        79
Commit:      HIDDEN_BY_MEGALINTER
Author:      Zelin
Email:       wanzelin007@gmail.com
Date:        2026-02-03T09:49:19Z
Fingerprint: 861e7f5fe4e5a847124f3927ad7b28b984b4de6c:assistant/tests/test_settings.py:generic-api-key:79
Link:        https://github.com/Wan-ZL/Genesis/blob/861e7f5fe4e5a847124f3927ad7b28b984b4de6c/assistant/tests/test_settings.py#L79

Finding:     json={"openai_api_key": "REDACTED"
Secret:      REDACTED
RuleID:      generic-api-key
Entropy:     3.750000
File:        assistant/tests/test_settings.py
Line:        206
Commit:      HIDDEN_BY_MEGALINTER
Author:      Zelin
Email:       wanzelin007@gmail.com
Date:        2026-02-03T09:49:19Z
Fingerprint: 861e7f5fe4e5a847124f3927ad7b28b984b4de6c:assistant/tests/test_settings.py:generic-api-key:206
Link:        https://github.com/Wan-ZL/Genesis/blob/861e7f5fe4e5a847124f3927ad7b28b984b4de6c/assistant/tests/test_settings.py#L206

9:40AM INF 153 commits scanned.
9:40AM INF scanned ~87439532 bytes (87.44 MB) in 1m8.5s
9:40AM WRN leaks found: 3

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
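The three gitleaks hits above all sit in assistant/tests/test_settings.py and all report the same entropy (3.75), which is what a hard-coded test fixture that looks like a real key produces. Two things a practitioner wants at this point: a way to see why a fixture value trips the generic-api-key rule (the rule gates on Shannon entropy of the matched value), and a way to record findings that have been reviewed and accepted, which gitleaks supports through a .gitleaksignore file listing report fingerprints (an inline `# gitleaks:allow` comment on the offending line is the other option). The script below is an added example, not code from this PR or from the Genesis project; the 3.5 bits/char threshold is an assumption taken from the default generic-api-key rule and should be confirmed against the ruleset your MegaLinter image ships, and the two fixture strings are constructed here. The fingerprints in the sample report are copied from the report above.

```python
import math
import re

# gitleaks' generic-api-key rule reports a match only when the Shannon entropy
# of the captured value is above the rule's threshold. 3.5 bits/char is an
# ASSUMED value here (default ruleset at time of writing); confirm it against
# the gitleaks config your MegaLinter run actually uses.
ASSUMED_ENTROPY_THRESHOLD = 3.5

# Fingerprint lines in a gitleaks report: "Fingerprint: <commit>:<file>:<rule>:<line>"
FINGERPRINT_RE = re.compile(r"^Fingerprint:\s+(\S+)\s*$", re.MULTILINE)


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character, the figure gitleaks prints as Entropy."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def passes_entropy_gate(value: str, threshold: float = ASSUMED_ENTROPY_THRESHOLD) -> bool:
    """True when a fixture value is random-looking enough to be reported."""
    return shannon_entropy(value) > threshold


def fingerprints_from_report(report: str) -> list[str]:
    """Extract unique fingerprints, in report order, for a .gitleaksignore file."""
    return list(dict.fromkeys(FINGERPRINT_RE.findall(report)))


def gitleaksignore(report: str, reason: str) -> str:
    """Render .gitleaksignore content: one comment line, then one fingerprint per line."""
    return "\n".join([f"# {reason}", *fingerprints_from_report(report)]) + "\n"


# Constructed fixture values (not from the repository under review).
REALISTIC_LOOKING = "sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # every char distinct -> high entropy
OBVIOUS_PLACEHOLDER = "test-key"                              # short, repeated chars -> low entropy

# Report excerpt in the shape of the MegaLinter comment above; only the
# Fingerprint lines matter to the parser, the other fields are kept for realism.
SAMPLE_REPORT = """\
Finding:     ...ttings_service.set("openai_api_key", "REDACTED"
RuleID:      generic-api-key
Entropy:     3.750000
File:        assistant/tests/test_settings.py
Line:        327
Fingerprint: 6bbfad2159083e2b2ff33f44aa76cd2b4e3bae60:assistant/tests/test_settings.py:generic-api-key:327

Finding:     ...ttings_service.set("openai_api_key", "REDACTED"
RuleID:      generic-api-key
Entropy:     3.750000
File:        assistant/tests/test_settings.py
Line:        79
Fingerprint: 861e7f5fe4e5a847124f3927ad7b28b984b4de6c:assistant/tests/test_settings.py:generic-api-key:79

Finding:     json={"openai_api_key": "REDACTED"
RuleID:      generic-api-key
Entropy:     3.750000
File:        assistant/tests/test_settings.py
Line:        206
Fingerprint: 861e7f5fe4e5a847124f3927ad7b28b984b4de6c:assistant/tests/test_settings.py:generic-api-key:206
"""

if __name__ == "__main__":
    for v in (REALISTIC_LOOKING, OBVIOUS_PLACEHOLDER):
        print(f"{v!r}: entropy={shannon_entropy(v):.3f} reported={passes_entropy_gate(v)}")
    print(gitleaksignore(SAMPLE_REPORT, "test fixtures in assistant/tests/test_settings.py, not real credentials"))
```

Use the entropy check when choosing replacement fixture values: a placeholder such as `test-key` stays well under the gate, while a string that imitates a real key shape does not, which is exactly what happened with the three findings. Use the fingerprint list only after a human has confirmed the matched values are not live credentials; a fingerprint is tied to a specific commit, file, rule and line, so it will not silence a genuinely new secret introduced elsewhere.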

@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/mega-linter.yml:
- Around line 26-47: Replace mutable action tags with pinned commit SHAs for the
three usages: change "actions/checkout@v4",
"oxsecurity/megalinter/flavors/python@v8", and "actions/upload-artifact@v4" to
their corresponding full commit SHAs (while optionally keeping the `@vX` tag in a
trailing comment for readability). Update the uses entries for those three
actions (checkout, MegaLinter flavor, upload-artifact) to the full commit SHA
strings, and verify each SHA matches the intended upstream release before
committing.

Comment on lines +26 to +47
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: MegaLinter
        id: ml
        # python will be replaced by the script
        uses: oxsecurity/megalinter/flavors/python@v8
        env:
          VALIDATE_ALL_CODEBASE: false
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Disable linters that are too noisy for most projects
          DISABLE_LINTERS: SPELL_CSPELL,COPYPASTE_JSCPD,REPOSITORY_TRIVY,REPOSITORY_CHECKOV,REPOSITORY_GRYPE

      - name: Archive lint reports
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: MegaLinter-reports
          path: |
            megalinter-reports

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows/

Repository: Wan-ZL/Genesis

Length of output: 149


🏁 Script executed:

cat -n .github/workflows/mega-linter.yml | sed -n '20,50p'

Repository: Wan-ZL/Genesis

Length of output: 1143


🏁 Script executed:

rg -n --glob '.github/workflows/*.yml' 'uses:' .github/workflows

Repository: Wan-ZL/Genesis

Length of output: 988


🌐 Web query:

GitHub Actions security best practices pinning commit SHA

💡 Result:

Why pin GitHub Actions to a full commit SHA?

  • Tags like @v1 can move (intentionally or after a compromise). Pinning to a full-length commit SHA is the most reliable way to make the referenced action immutable. [1][2]
  • GitHub explicitly recommends SHA pinning for supply-chain risk reduction. [1][2]

How to pin (recommended pattern)

Use the commit SHA in uses: and keep the human-friendly version in a comment:

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

This makes the workflow reproducible while still documenting what release you intended. [2][1]

Best practices when choosing the SHA

  • Prefer the SHA that corresponds to an upstream tagged release, not an arbitrary commit on main, and verify it’s from the official repo (not a fork). [2][1]
  • If you choose to use a tag, do so only when you trust the publisher—tags are still mutable. [2]

Keep SHA-pinned actions up to date (so you don’t get stuck)

  • Enable Dependabot version updates for GitHub Actions so it can propose PRs that bump the pinned SHA to newer releases. [1]

Enforce SHA pinning centrally (org/enterprise)

  • GitHub Actions policies can enforce “must be pinned to full SHA” so non-compliant workflows fail. This is available via the Allowed actions and reusable workflows policy settings. [1][3]

Don’t stop at uses:: watch for “mutable dependencies”

Even if you pin an action, it can still be risky if it pulls mutable code at runtime (e.g., unpinned container images or downloading scripts without verification). Review/avoid actions with these patterns. [1]

Sources: GitHub Docs on security hardening for GitHub Actions (pin to full-length SHA) [2], GitHub Well-Architected Actions security guidance [1], GitHub Changelog on SHA-pinning enforcement in Actions policy [3].


Pin GitHub Actions to commit SHAs to harden supply-chain security.

Using mutable tags (e.g., @v4, @v8) can introduce unreviewed changes. GitHub recommends pinning to full commit SHAs; keep the version tag in a comment for readability.

🔒 Suggested update pattern
-      - name: Checkout Code
-        uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

-        uses: oxsecurity/megalinter/flavors/python@v8
+        uses: oxsecurity/megalinter/flavors/python@<commit-sha> # v8

-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344d8b47d953a5c9c86b5ff47cf # v4
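Review bot: the actions/upload-artifact line carries only `# v4` as its trailing comment, while the checkout line records the exact release (`# v4.1.7`); write the specific tag the SHA resolves to for upload-artifact as well, since the comment exists so that a reviewer (and Dependabot, which bumps SHA pins and rewrites that comment) can match the hash to an upstream release. The `<commit-sha>` placeholder on the oxsecurity/megalinter/flavors/python line must be resolved to a real 40-character SHA taken from the upstream repository, not a fork, before this suggestion is applied; as written, the workflow would fail to resolve the action.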

Verify the commit SHA matches the intended release tag in the upstream repository before pinning.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/mega-linter.yml around lines 26 - 47, Replace mutable
action tags with pinned commit SHAs for the three usages: change
"actions/checkout@v4", "oxsecurity/megalinter/flavors/python@v8", and
"actions/upload-artifact@v4" to their corresponding full commit SHAs (while
optionally keeping the `@vX` tag in a trailing comment for readability). Update
the uses entries for those three actions (checkout, MegaLinter flavor,
upload-artifact) to the full commit SHA strings, and verify each SHA matches the
intended upstream release before committing.
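A check for the pinning rule discussed in this review, usable as a local pre-commit step or as its own CI job: it scans workflow text for `uses:` references and reports any whose ref is not a full 40-character lowercase hex commit SHA. This is an added example written for this page, not part of the PR or of CodeRabbit's suggestion. It reads the raw YAML with a regular expression rather than a YAML parser so it runs with the standard library alone. The two workflow excerpts are constructed; the checkout SHA in the pinned one is the v4.1.7 hash quoted in the review above, and the other two pinned values are placeholders of the right shape, not real upstream commits.

```python
import re

# Matches `uses:` entries whether or not they start a list item; the value
# stops at whitespace or a trailing comment such as "# v4.1.7".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
# A pinned ref is exactly 40 lowercase hex characters (a full git commit SHA).
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is not a full commit SHA.

    Local actions (./path) and docker:// images are skipped: the former live
    in the repository itself, the latter need an image digest, not a git SHA.
    """
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((action, version or "(no ref)"))
    return findings


def is_fully_pinned(workflow_text: str) -> bool:
    return not unpinned_actions(workflow_text)


# Constructed workflow excerpt mirroring the steps quoted in the review above,
# plus a local action to show that it is ignored.
TAGGED_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: MegaLinter
        uses: oxsecurity/megalinter/flavors/python@v8
      - name: Archive lint reports
        uses: actions/upload-artifact@v4
      - name: Local helper
        uses: ./.github/actions/helper
"""

# Constructed pinned variant. The checkout SHA is the v4.1.7 hash quoted in
# the review; the other two SHAs are placeholders, not real upstream commits.
PINNED_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: oxsecurity/megalinter/flavors/python@0000000000000000000000000000000000000000 # v8 (placeholder)
      - uses: "actions/upload-artifact@1111111111111111111111111111111111111111" # placeholder
"""

if __name__ == "__main__":
    for name, text in (("tagged", TAGGED_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        hits = unpinned_actions(text)
        status = "OK" if not hits else "unpinned -> " + ", ".join(f"{a}@{v}" for a, v in hits)
        print(f"{name}: {status}")
```

Run it over every file under .github/workflows/ and fail the job on a non-empty result. The check is deliberately syntactic: a 40-hex ref proves immutability, not provenance, so the review's advice to confirm that each SHA belongs to a tagged release in the official repository still applies, and the `# vX.Y.Z` comment is what lets Dependabot keep those pins moving.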
