chore: runs snyk deps scan command explicitly

[stalniy]

Why

To decrease snyk limits usage

What

Summary by CodeRabbit

• Chores
  • Updated CI workflows: split validation into separate static-analysis and dependency-scan flows with independent toggles.
  • Improved conditional logic to skip unnecessary dependency scans.
  • Simplified security-scan triggering and removed a redundant polling step.
  • Updated checkout behavior used during validations.

---

Note: Internal infrastructure updates with no direct impact on end-user functionality.

[coderabbitai]

📝 Walkthrough

Walkthrough

The GitHub workflows were refactored to replace implicit change-detection with explicit boolean inputs (run_static_analyses, run_deps_scan). The setup job now paginates PR changed files to gate dependency scans based on package-lock.json, and job conditions and reusable-workflow inputs were adjusted accordingly.

Changes

Cohort / File(s)	Summary
Primary workflow .github/workflows/all-ci-unsafe.yml	Added gating in setup to paginate PR files and disable deps scan when package-lock.json is absent; changed security-scan if to rely on needs.setup.outputs.matrix; replaced skip_change_detection-style input with run_static_analyses / run_deps_scan outputs; removed snyk status polling step from deps scan.
Reusable validate workflow .github/workflows/reusable-validate-app-unsafe.yml	Replaced skip_change_detection input with two booleans: run_static_analyses and run_deps_scan; removed change-detection job and related gating; split validation into static-analyses (runs Snyk Code when run_static_analyses is true) and apps-deps-scan (runs Snyk deps with --file ./untrusted-user-fork/${{ inputs.path }}/package.json when run_deps_scan is true); updated actions/checkout to v6 and added checkout into ./untrusted-user-fork for deps scan.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant PR as "Pull Request"
participant Setup as "setup job\n(GHA)"
participant GitHubAPI as "GitHub API\n(list changed files)"
participant Security as "security-scan job\n(reusable)"
participant Static as "static-analyses job"
participant Deps as "apps-deps-scan job"

PR->>Setup: trigger workflow
Setup->>GitHubAPI: paginate PR changed files
GitHubAPI-->>Setup: file list
Setup->>Setup: set outputs (matrix, should_run_* flags, skip reasons)
Setup->>Security: trigger if needs.setup.outputs.matrix != ''
Security->>Static: pass run_static_analyses input
Security->>Deps: pass run_deps_scan input
alt run_static_analyses == true
    Static->>Static: checkout@v6 + run Snyk Code
end
alt run_deps_scan == true
    Deps->>Deps: checkout@v6 into ./untrusted-user-fork + run Snyk deps
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐇 I hopped through YAML, lines anew,
Flags set true or false in view,
Paginated files, a tidy scan,
No hidden skips — I’m a careful ram.
CI carrots lined in a neat row,
Happy hops — tests ready to go! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description provides the 'Why' section (to decrease snyk limits usage) but leaves the 'What' section incomplete with only placeholder text and no explanation of the actual implementation changes made.	Fill out the 'What' section with specific details about the workflow changes, such as replacing implicit change detection with explicit run_static_analyses and run_deps_scan boolean inputs.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: explicitly running Snyk dependency scan command instead of implicit/automatic execution, which aligns with the workflow refactoring shown in the raw summary.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/snyk-explicit-deps-check

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.39%. Comparing base (3473d0c) to head (5fe3edf).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2999   +/-   ##
=======================================
  Coverage   59.39%   59.39%           
=======================================
  Files        1031     1031           
  Lines       24130    24130           
  Branches     5988     5988           
=======================================
  Hits        14332    14332           
+ Misses       8543     8538    -5     
- Partials     1255     1260    +5     

Flag	Coverage Δ
api	81.21% <ø> (ø)
deploy-web	42.78% <ø> (ø)
log-collector	86.40% <ø> (ø)
notifications	85.86% <ø> (ø)
provider-console	81.48% <ø> (ø)
provider-proxy	85.93% <ø> (ø)
tx-signer	76.26% <ø> (ø)
see 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/reusable-validate-app-unsafe.yml (1)

62-78: Consider adding explicit permissions block.

The static analysis tool flagged that this workflow lacks a permissions block. While the parent workflow (all-ci-unsafe.yml) has permissions defined, adding explicit minimal permissions here provides defense in depth.

🔒 Proposed addition at workflow level (after line 39)

permissions:
  contents: read

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/reusable-validate-app-unsafe.yml around lines 62 - 78, Add
an explicit minimal permissions block to this reusable workflow so the
apps-deps-scan job runs with least privilege; update the workflow top-level to
include "permissions: contents: read" (affecting the jobs such as apps-deps-scan
that perform actions/checkout and the Snyk step) to provide defense-in-depth
even though the parent workflow defines permissions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/all-ci-unsafe.yml:
- Around line 161-172: The bug is that the template string uses the loop
variable `output` which is out of scope (it was declared by destructuring inside
the for...of loop), so replace the out-of-scope reference by using a
properly-scoped name (capture the loop's output value into a variable in the
outer scope or move this github.paginate + core.setOutput block inside the same
for...of loop where `output` is defined). Specifically, ensure the code that
calls github.paginate(github.rest.pulls.listFiles, ...) and the subsequent
core.setOutput(`should_run_${output}`, ...) /
core.setOutput(`skip_reason_${output}`, ...) either runs inside the loop that
defines `output` or use a new variable (e.g., const outputName = output)
declared in the same scope before using it so `output` is defined when setting
outputs.

In @.github/workflows/reusable-validate-app-unsafe.yml:
- Around line 62-63: The conditional on the apps-deps-scan job is comparing the
boolean input run_deps_scan to the string 'true', which makes the job never run;
update the job condition to evaluate the boolean correctly (e.g., use ${{
inputs.run_deps_scan }} or ${{ inputs.run_deps_scan == true }}) so the
apps-deps-scan job triggers when run_deps_scan is true.
- Around line 42-43: The job conditional uses a string comparison so it never
runs; change the `if` expression on the `static-analyses` job from `if: ${{
inputs.run_static_analyses == 'true' }}` to a boolean check such as `if: ${{
inputs.run_static_analyses }}` (or `== true`) so the boolean
`run_static_analyses` input correctly controls execution.

---

Nitpick comments:
In @.github/workflows/reusable-validate-app-unsafe.yml:
- Around line 62-78: Add an explicit minimal permissions block to this reusable
workflow so the apps-deps-scan job runs with least privilege; update the
workflow top-level to include "permissions: contents: read" (affecting the jobs
such as apps-deps-scan that perform actions/checkout and the Snyk step) to
provide defense-in-depth even though the parent workflow defines permissions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4f85a967-2b0b-48fd-8f44-84bc9bc8cd13

📥 Commits

Reviewing files that changed from the base of the PR and between 3473d0c and e5fac57.

📒 Files selected for processing (2)

• .github/workflows/all-ci-unsafe.yml
• .github/workflows/reusable-validate-app-unsafe.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Bug: output variable is out of scope.

The variable output was declared inside the for...of loop (via destructuring in line 148), but this code block is outside the loop. After the loop ends at line 159, output is no longer in scope, causing this to use undefined in the template string.

🐛 Proposed fix

             if (core.getOutput('should_run_deps_scan') === 'true') {
               const files = await github.paginate(github.rest.pulls.listFiles, {
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 pull_number: Number(prNumber),
               });
               const hasLockfileChange = files.some(f => f.filename === 'package-lock.json');
               if (!hasLockfileChange) {
-                core.setOutput(`should_run_${output}`, 'false');
-                core.setOutput(`skip_reason_${output}`, 'package-lock.json not changed');
+                core.setOutput('should_run_deps_scan', 'false');
+                core.setOutput('skip_reason_deps_scan', 'package-lock.json not changed');
               }
             }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (core.getOutput('should_run_deps_scan') === 'true') {
	const files = await github.paginate(github.rest.pulls.listFiles, {
	owner: context.repo.owner,
	repo: context.repo.repo,
	pull_number: Number(prNumber),
	});
	const hasLockfileChange = files.some(f => f.filename === 'package-lock.json');
	if (!hasLockfileChange) {
	core.setOutput(`should_run_${output}`, 'false');
	core.setOutput(`skip_reason_${output}`, 'package-lock.json not changed');
	}
	}
	if (core.getOutput('should_run_deps_scan') === 'true') {
	const files = await github.paginate(github.rest.pulls.listFiles, {
	owner: context.repo.owner,
	repo: context.repo.repo,
	pull_number: Number(prNumber),
	});
	const hasLockfileChange = files.some(f => f.filename === 'package-lock.json');
	if (!hasLockfileChange) {
	core.setOutput('should_run_deps_scan', 'false');
	core.setOutput('skip_reason_deps_scan', 'package-lock.json not changed');
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/all-ci-unsafe.yml around lines 161 - 172, The bug is that
the template string uses the loop variable `output` which is out of scope (it
was declared by destructuring inside the for...of loop), so replace the
out-of-scope reference by using a properly-scoped name (capture the loop's
output value into a variable in the outer scope or move this github.paginate +
core.setOutput block inside the same for...of loop where `output` is defined).
Specifically, ensure the code that calls
github.paginate(github.rest.pulls.listFiles, ...) and the subsequent
core.setOutput(`should_run_${output}`, ...) /
core.setOutput(`skip_reason_${output}`, ...) either runs inside the loop that
defines `output` or use a new variable (e.g., const outputName = output)
declared in the same scope before using it so `output` is defined when setting
outputs.

[github-actions]

Auto-approved: chore that does not touch source code files.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/all-ci-unsafe.yml (1)

161-172: ⚠️ Potential issue | 🔴 Critical

Bug: output variable is out of scope - deps scan will never be disabled.

The output variable is declared via destructuring inside the for...of loop (line 148) and is block-scoped to that loop. On lines 169-170, output is referenced outside the loop where it's undefined, resulting in outputs like should_run_undefined being set instead of should_run_deps_scan.

🐛 Proposed fix

             if (core.getOutput('should_run_deps_scan') === 'true') {
               const files = await github.paginate(github.rest.pulls.listFiles, {
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 pull_number: Number(prNumber),
               });
               const hasLockfileChange = files.some(f => f.filename === 'package-lock.json');
               if (!hasLockfileChange) {
-                core.setOutput(`should_run_${output}`, 'false');
-                core.setOutput(`skip_reason_${output}`, 'package-lock.json not changed');
+                core.setOutput('should_run_deps_scan', 'false');
+                core.setOutput('skip_reason_deps_scan', 'package-lock.json not changed');
               }
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/all-ci-unsafe.yml around lines 161 - 172, The code
references the block-scoped variable `output` outside its `for...of` loop when
calling core.setOutput(`should_run_${output}`, ...) which makes `output`
undefined; fix by using the actual output name for the deps scan instead of the
out-of-scope variable (e.g. replace core.setOutput(`should_run_${output}`,
'false') and core.setOutput(`skip_reason_${output}`, 'package-lock.json not
changed') with core.setOutput('should_run_deps_scan', 'false') and
core.setOutput('skip_reason_deps_scan', 'package-lock.json not changed')
respectively, or alternatively declare `let output` in an outer scope so the
same `output` variable is valid here; update the calls that use
`should_run_${output}`/`skip_reason_${output}` accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/all-ci-unsafe.yml:
- Around line 161-172: The code references the block-scoped variable `output`
outside its `for...of` loop when calling core.setOutput(`should_run_${output}`,
...) which makes `output` undefined; fix by using the actual output name for the
deps scan instead of the out-of-scope variable (e.g. replace
core.setOutput(`should_run_${output}`, 'false') and
core.setOutput(`skip_reason_${output}`, 'package-lock.json not changed') with
core.setOutput('should_run_deps_scan', 'false') and
core.setOutput('skip_reason_deps_scan', 'package-lock.json not changed')
respectively, or alternatively declare `let output` in an outer scope so the
same `output` variable is valid here; update the calls that use
`should_run_${output}`/`skip_reason_${output}` accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e96d8a77-ce03-46a5-8ce9-0f736284473c

📥 Commits

Reviewing files that changed from the base of the PR and between e5fac57 and 5fe3edf.

📒 Files selected for processing (2)

• .github/workflows/all-ci-unsafe.yml
• .github/workflows/reusable-validate-app-unsafe.yml

[github-actions]

Auto-approved: chore that does not touch source code files.