Workflow - Auto update deps #248
Conversation
Note: CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.
Walkthrough: A new GitHub Actions workflow is added that automatically scans dependencies in pyproject.toml files, categorizes updates into patch/minor and major versions, and creates separate pull requests for each category with appropriate labels and documentation.
This PR is being reviewed by Cursor Bugbot
| - Number of major updates (and PR link if created) | ||
| - Any packages that were skipped and why | ||
|
|
||
| If no updates needed, print 'All dependencies are up to date'." --model gpt-4o |
Bug: Missing lockfile update after dependency version changes
The workflow prompts cursor-agent to update pyproject.toml files with new dependency versions but never instructs it to run uv lock to update the uv.lock lockfile. This project uses uv with UV_FROZEN: "1" in tests and --frozen flags, requiring the lockfile to be in sync with pyproject.toml. PRs created by this workflow will have mismatched pyproject.toml and uv.lock files, causing CI test failures when the lockfile check runs against the updated dependencies.
Actionable comments posted: 3
🧹 Nitpick comments (2)
.github/workflows/check_dependencies.yml (2)
11-14: Review and minimize permission scope. The workflow requests write access to contents, pull-requests, and issues. While necessary for PR creation, ensure these are the minimum required. Consider whether issues: write is actually needed if the workflow only creates PRs and doesn't post comments on issues. If issues: write is not needed:
  permissions:
    contents: write
    pull-requests: write
-   issues: write
1-95: Add documentation about required setup and expected behavior. The workflow file lacks inline documentation explaining:
- What secrets must be configured before running
- Expected behavior (e.g., "creates up to 2 PRs per run")
- How to troubleshoot failures
- Known limitations or gotchas
Add a comment at the top of the file or in the repository README:
# This workflow automatically updates Python dependencies.
#
# Required secrets:
# - CURSOR_API_KEY: API key for Cursor agent
# - VISION_AGENTS_GITHUB_TOKEN: GitHub token with write access to contents and pull-requests
#
# Behavior:
# - Runs daily at 02:00 UTC
# - Checks all pyproject.toml files for outdated dependencies
# - Creates separate PRs for patch/minor and major updates
# - Skips workspace packages (e.g., vision-agents-*)
#
# Known limitations:
# - Relies on AI agent interpretation; output should be manually reviewed
# - May create multiple PRs in a single run
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (1)
.github/workflows/check_dependencies.yml(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
- GitHub Check: Cursor Bugbot
- GitHub Check: unit / Test "not integration"
- GitHub Check: unit / Ruff
- GitHub Check: unit / Mypy
- GitHub Check: unit / Test "not integration"
- GitHub Check: unit / Ruff
- GitHub Check: unit / Mypy
🔇 Additional comments (2)
.github/workflows/check_dependencies.yml (2)
43-44: Verify required secrets exist and are configured correctly. The workflow references two secrets: CURSOR_API_KEY (for the Cursor agent CLI) and VISION_AGENTS_GITHUB_TOKEN (for git authentication and API access). If these are not configured, the workflow will fail when the cursor-agent tool attempts to run. Confirm both secrets are registered:
- GitHub UI: Settings → Secrets and variables → Actions
- Or use: gh secret list --repo GetStream/Vision-Agents
Verify that VISION_AGENTS_GITHUB_TOKEN has write permissions for contents, pull-requests, and issues (matching the job's declared permissions at lines 11-14).
34-35: The review comment is incorrect. Lines 34 and 45 are in separate GitHub Actions steps, not the same step. Line 34 appends to $GITHUB_PATH in the "Install Cursor CLI" step, while cursor-agent is invoked in the subsequent "Check and update dependencies with Cursor Agent" step. GitHub Actions automatically makes $GITHUB_PATH updates available to all subsequent steps in the job, so the cursor binary will be in the PATH when cursor-agent is invoked. The proposed diff is unnecessary. Likely an incorrect or invalid review comment.
| schedule: | ||
| - cron: '0 2 * * *' | ||
| workflow_dispatch: {} |
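Review bot: The schedule and workflow_dispatch triggers share no concurrency group, so a manual dispatch while the 02:00 UTC run is still executing gives two agents racing to push the same deps/patch-minor-YYYYMMDD branch and open duplicate PRs. Add at the workflow level `concurrency: { group: check-dependencies, cancel-in-progress: false }` so the second run queues instead of running in parallel, and note in a comment that a scheduled run only fires from the default branch.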
Adjust schedule frequency and add human safeguards.
The workflow runs daily at 02:00 UTC. Depending on the repository size and number of dependencies, this could generate many PRs. Without safeguards (e.g., draft PRs, auto-merge restrictions, max PR limits), the workflow could overwhelm reviewers.
Consider:
- Increasing frequency to weekly or less often
- Restricting PR creation to draft status initially
- Adding a step to check if recent PRs already exist before creating new ones
  schedule:
-   - cron: '0 2 * * *'
+   - cron: '0 2 * * 0' # Weekly instead of daily
🤖 Prompt for AI Agents
In .github/workflows/check_dependencies.yml around lines 4-6, the schedule runs
daily and lacks safeguards; change the cron to a weekly cadence (e.g., once a
week), modify the PR-creation step to open dependency PRs as draft by default,
and add a pre-check step that queries the GitHub API for existing open
dependency update PRs (or PRs created in the last N days) and exits early if
such PRs exist to enforce a max-one-open policy; also ensure any automatic merge
action is disabled or gated behind a label/review check.
|
|
||
| - name: Install Cursor CLI | ||
| run: | | ||
| curl https://cursor.com/install -fsS | bash |
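Review bot: This step declares no shell:, so it runs under bash -e without pipefail; if curl fails, bash reads empty input, the pipeline exits 0 and the job only stops two steps later when cursor-agent is missing from PATH. Set shell: bash (GitHub then adds -o pipefail) or start the script with set -o pipefail. The bigger issue is that the job later hands GH_TOKEN and CURSOR_API_KEY to whatever binary this unpinned, unverified script installs, so whoever controls https://cursor.com/install at 02:00 UTC controls a token with write access to the repository: download the installer to a file, compare it against a pinned sha256, execute it only on a match, and fail the step if the installed binary does not run.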
Piping curl output directly to bash is a security anti-pattern and vulnerable to MITM attacks. Additionally, there's no verification that the installation succeeded before proceeding.
Replace this with a secure installation method:
- curl https://cursor.com/install -fsS | bash
- echo "$HOME/.cursor/bin" >> $GITHUB_PATH
+ # Use a package manager or verify checksum instead of piping to bash
+ # For example, if available via package managers:
+ # sudo apt-get install cursor
+ # Or manually verify the binary before execution
+ curl -fsSL https://cursor.com/install -o /tmp/cursor-install.sh
+ # TODO: Add checksum verification here before executing
+ bash /tmp/cursor-install.sh
+ echo "$HOME/.cursor/bin" >> $GITHUB_PATH
Alternatively, check if Cursor provides a published package in standard package managers or a tarball with published checksums.
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
.github/workflows/check_dependencies.yml around line 33: the workflow uses an
unsafe pattern "curl ... | bash" to install Cursor; replace it with a secure
installation sequence that either (1) uses an official package from a system
package manager or the project's published installer package, or (2) downloads a
release tarball/installer to a temporary file, fetches and verifies its checksum
or GPG signature against the project's published value, then executes the
installer from disk; after installation, explicitly verify the installed
binary/version and fail the job if verification or installation fails so the
workflow does not continue on an untrusted or incomplete install.
| env: | ||
| CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }} | ||
| GH_TOKEN: ${{ secrets.VISION_AGENTS_GITHUB_TOKEN }} | ||
| run: | | ||
| cursor-agent -p "You are a dependency update bot. Your task is to check for outdated Python dependencies and create PRs to update them. | ||
|
|
||
| ## Step 1: Discover pyproject.toml files | ||
| Find all pyproject.toml files in this repository, excluding .venv directories. | ||
|
|
||
| ## Step 2: Check for outdated dependencies | ||
| For each pyproject.toml, extract dependencies from: | ||
| - [project].dependencies | ||
| - [project].optional-dependencies | ||
| - [dependency-groups] | ||
|
|
||
| Skip packages that are workspace packages (listed in [tool.uv.sources] with workspace = true or path references like vision-agents-*, etc.). | ||
|
|
||
| For each external package, query PyPI (https://pypi.org/pypi/{package}/json) to get the latest version. | ||
|
|
||
| Categorize updates into: | ||
| - PATCH/MINOR: e.g., 1.2.0 -> 1.2.5 or 1.2.0 -> 1.3.0 | ||
| - MAJOR: e.g., 1.2.0 -> 2.0.0 | ||
|
|
||
| ## Step 3: Create PR for patch/minor updates | ||
| If there are patch/minor updates: | ||
| 1. Create branch: deps/patch-minor-YYYYMMDD | ||
| 2. Update pyproject.toml files with patch/minor version bumps only | ||
| 3. Preserve exact formatting, extras, and markers | ||
| 4. Respect override-dependencies in root pyproject.toml | ||
| 5. Commit with message: 'chore: update dependencies (patch/minor)' | ||
| 6. Push and create PR with: | ||
| - Title: 'chore: update dependencies (patch/minor)' | ||
| - Body: Table of updated packages with old -> new versions | ||
| - Labels: dependencies, automated | ||
|
|
||
| ## Step 4: Create separate PR for major updates | ||
| If there are major updates: | ||
| 1. Reset to main branch | ||
| 2. Create branch: deps/major-YYYYMMDD | ||
| 3. Update pyproject.toml files with major version bumps only | ||
| 4. Preserve exact formatting, extras, and markers | ||
| 5. Commit with message: 'chore: update dependencies (major) - BREAKING' | ||
| 6. Push and create PR with: | ||
| - Title: 'chore: update dependencies (major) ⚠️ BREAKING' | ||
| - Body: Table of updated packages with old -> new versions, note that these are major updates requiring manual review | ||
| - Labels: dependencies, automated, breaking | ||
|
|
||
| ## Step 5: Summary | ||
| Print a summary of what was done: | ||
| - Number of patch/minor updates (and PR link if created) | ||
| - Number of major updates (and PR link if created) | ||
| - Any packages that were skipped and why | ||
|
|
||
| If no updates needed, print 'All dependencies are up to date'." --model gpt-4o |
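Review bot: GH_TOKEN here is the stored secret VISION_AGENTS_GITHUB_TOKEN, not the job's GITHUB_TOKEN, so the permissions: block declared for the job does not bound this step; the token carries whatever scopes it was created with. The agent also consumes untrusted input while holding it: every pyproject.toml in the checkout and the PyPI JSON for each package in Step 2, so package metadata containing instructions can steer an LLM that is allowed to push branches and open PRs. Use a fine-grained token limited to this repository with contents and pull-requests write only, add timeout-minutes to the job, and consider having the agent produce only the edited pyproject.toml files while a deterministic step runs uv lock (the Bugbot finding above) and opens the PRs with gh, so the prompt's Steps 3 and 4 are not executed by the model at all.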
The workflow offloads all dependency checking, version categorization, and PR creation logic to a natural language prompt sent to cursor-agent. This approach has several systemic risks:
- Unverifiable logic: The AI agent's interpretation of the prompt cannot be audited before execution. If it misinterprets instructions (e.g., incorrectly categorizes versions, skips packages, or modifies unrelated dependencies), the damage is already done post-merge.
- No error recovery: There's no validation that PRs were created correctly, commits match expectations, or files were modified as intended.
- Dependency on external service: If Cursor's API is down, rate-limited, or changes behavior, the workflow silently fails or produces unexpected results.
- PR spam risk: Without explicit safeguards, the workflow could create many PRs in a single run, overwhelming the review queue.
- Timeout hazard: No timeout is specified; a hanging cursor-agent command could consume runner resources indefinitely.
Recommendation: Replace this with a deterministic, auditable approach using established dependency update tools:
- - name: Check and update dependencies with Cursor Agent
+ - name: Check and update dependencies
env:
- CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}
GH_TOKEN: ${{ secrets.VISION_AGENTS_GITHUB_TOKEN }}
- run: |
- cursor-agent -p "..." --model gpt-4o
+ uses: dependabot/fetch-metadata@v2
+ # OR use Renovate for more advanced categorization
+ # OR implement a custom Python script with explicit error handling
If cursor-agent is required, at minimum add:
- Explicit timeout (e.g., timeout 600)
- Exit code validation
- Output validation (check created PRs exist)
- Rate limiting (skip if PRs already exist from recent runs)
Committable suggestion skipped: line range outside the PR's diff.
🤖 Prompt for AI Agents
.github/workflows/check_dependencies.yml lines 42-95: the workflow currently
delegates all dependency discovery, version categorization, and PR creation to
cursor-agent via a long natural-language prompt (unreliable and unauditable);
replace this with a deterministic dependency-updater (e.g., dependabot,
poetry-lock-update, pip-upgrade-action or a custom script) that explicitly finds
pyproject.toml files, queries PyPI, classifies semver changes, and creates PRs,
or — if cursor-agent must remain — wrap the call with strict safeguards: enforce
a hard timeout (e.g., timeout 600s), check the cursor-agent exit code and fail
the job on nonzero, validate output by confirming created PRs via the GitHub API
before pushing commits/labels, rate-limit and skip if recent automated PRs
already exist, and add explicit logging and retry/error-handling to ensure
auditable, recoverable behavior.
@Nash0x7E2 have you seen this one https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide ? |
Do you think it's a better option, @dangusev? If so then let's go with that |
@Nash0x7E2, if we want to get notified about the new deps release, Dependabot works quite well. |
Let's try it
Note
Adds a scheduled GitHub Actions workflow that scans Python dependencies and opens separate PRs for patch/minor and major updates using Cursor Agent.
- .github/workflows/check_dependencies.yml: [...] uv, and Cursor CLI; configures git and required permissions. [...] pyproject.toml files and query PyPI for latest versions.
Written by Cursor Bugbot for commit 248e605. This will update automatically on new commits.