[CI]: Dependabot PRs are permanently blocked by the Dependency Audit Trail gate (no auto-generated audit doc) #2975

@imran-siddique

Description

Problem

The Dependency Audit Trail check (vendored-patch-audit job in .github/workflows/quality-gates.yml, running scripts/ci/vendored-patch-audit.sh) requires every PR that changes a lockfile (Cargo.lock, package-lock.json, requirements*.txt, go.sum, etc.) to also add a dated docs/dependency-audits/YYYY-MM-DD-<desc>.md document.

Dependabot changes lockfiles but never authors that doc, so every Dependabot PR fails this required gate by construction. Today that blocks a large batch (e.g. #2959, #2960, #2961, #2962, #2963, #2898, #2894, #2889). The only ways to merge are to hand-author an audit doc per PR or to admin-bypass the gate, neither of which scales for routine patch bumps.

This is a deliberate and valuable supply-chain control for human-authored dependency changes; the gap is specifically that automated bumps cannot satisfy it.

Proposed options (pick one)

  1. Auto-generate the audit doc for Dependabot PRs. A small workflow triggered on Dependabot PRs that creates docs/dependency-audits/<date>-<dep>.md from a template (dependency, old -> new version, ecosystem, change type, links), committed to the PR branch before the gate runs.
  2. Exempt routine bumps from the gate. Have vendored-patch-audit.sh skip the audit-doc requirement when the only lockfile delta is a patch/minor version bump by dependabot[bot] (still require the doc for human PRs and major bumps).
  3. Group + document. Combine Dependabot updates via grouping (already partly configured) and require a single consolidated audit doc per group, auto-generated.

Context

Discovered while clearing the open Dependabot backlog. The conflicts and stale-config issues (dependabot.yml validity #2958, dep-confusion allowlist #2968, agent-os lint #2969 / test deps #2972, integration re-exports #2970) are already fixed; the audit-trail gate is the remaining structural blocker for automated dependency updates.
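As an added example (not the project's vendored-patch-audit.sh and not code from the issue author), the following Python implements the two mechanical pieces that options 1 and 2 above need: it walks a unified diff of the lockfiles, pairs each removed version line with the added one, classifies the bump as patch/minor/major (treating 0.x minor bumps as breaking, per Cargo/semver convention, and failing closed on anything that is not a forward semver bump), decides whether the audit-doc requirement may be waived for a dependabot[bot] PR, and renders the audit-doc template that an auto-generation workflow would commit. The diff, date and PR URL are constructed for illustration; the Cargo.lock and npm lockfile v2/v3 line shapes are the only two formats it recognises.

```python
import re
from dataclasses import dataclass

# Constructed sample PR diff (not a real PR): two Cargo.lock bumps and one
# package-lock.json bump, in the shape `git diff` produces.
SAMPLE_DIFF = """\
diff --git a/Cargo.lock b/Cargo.lock
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -10,7 +10,7 @@
 [[package]]
 name = "serde"
-version = "1.0.196"
+version = "1.0.197"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -40,7 +40,7 @@
 [[package]]
 name = "tokio"
-version = "1.35.1"
+version = "1.36.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
diff --git a/package-lock.json b/package-lock.json
--- a/package-lock.json
+++ b/package-lock.json
@@ -120,6 +120,6 @@
     "node_modules/lodash": {
-      "version": "4.17.20",
+      "version": "4.17.21",
       "license": "MIT",
"""

FILE_RE = re.compile(r"^diff --git a/(\S+) b/")
# Package-name context: Cargo.lock `name = "..."` or npm lockfile v2/v3 `"node_modules/<name>": {`
NAME_RE = re.compile(r'^[ +-]\s*(?:name = "([^"]+)"|"node_modules/([^"]+)": \{)')
VER_RE = re.compile(r'^([+-])\s*"?version"?\s*[=:]\s*"([^"]+)"')
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
ROUTINE = {"patch", "minor"}


def bump_kind(old: str, new: str) -> str:
    """Classify old -> new; anything that is not a clear forward semver bump is
    labelled so that the caller fails closed and still requires the doc."""
    mo, mn = SEMVER_RE.match(old), SEMVER_RE.match(new)
    if not (mo and mn):
        return "unknown"            # git revs, date tags, etc.
    o = tuple(int(x) for x in mo.groups())
    n = tuple(int(x) for x in mn.groups())
    if n <= o:
        return "same-or-lower"      # downgrades are not routine bumps
    if n[0] != o[0] or (o[0] == 0 and n[1] != o[1]):
        return "major"              # 0.x minor bumps are breaking under semver/Cargo rules
    if n[1] != o[1]:
        return "minor"
    return "patch"


@dataclass
class Bump:
    path: str
    name: str
    old: str
    new: str

    @property
    def kind(self) -> str:
        return bump_kind(self.old, self.new)


def parse_bumps(diff: str) -> list[Bump]:
    """Pair each removed version line with the added one that follows it and
    attribute the pair to the nearest preceding package-name line."""
    bumps: list[Bump] = []
    path = name = old = None
    for line in diff.splitlines():
        m = FILE_RE.match(line)
        if m:
            path, name, old = m.group(1), None, None
            continue
        if line.startswith(("---", "+++", "@@")):
            continue
        m = NAME_RE.match(line)
        if m:
            name, old = m.group(1) or m.group(2), None
            continue
        m = VER_RE.match(line)
        if m and name and path:
            if m.group(1) == "-":
                old = m.group(2)
            elif old is not None:
                bumps.append(Bump(path, name, old, m.group(2)))
                old = None
    return bumps


def audit_doc_required(bumps: list[Bump], pr_author: str) -> bool:
    """Option 2: waive the doc only when dependabot[bot] authored the PR and
    every recognised bump is patch or minor; a lockfile delta with no
    recognisable bump is not waived."""
    if pr_author != "dependabot[bot]" or not bumps:
        return True
    return any(b.kind not in ROUTINE for b in bumps)


def ecosystem(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    if base == "Cargo.lock":
        return "cargo"
    if base == "package-lock.json":
        return "npm"
    if base == "go.sum":
        return "gomod"
    if base.startswith("requirements") and base.endswith(".txt"):
        return "pip"
    return "unknown"


def render_audit_doc(bumps: list[Bump], date: str, pr_url: str) -> str:
    """Option 1: the Markdown a workflow would commit as
    docs/dependency-audits/<date>-<desc>.md (fields listed in the issue)."""
    lines = [f"# Dependency audit {date}", "", f"Source PR: {pr_url}", "",
             "| dependency | ecosystem | old | new | change type |",
             "|---|---|---|---|---|"]
    for b in bumps:
        lines.append(f"| {b.name} | {ecosystem(b.path)} | {b.old} | {b.new} | {b.kind} |")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_bumps(SAMPLE_DIFF)
    for b in found:
        print(f"{b.path}: {b.name} {b.old} -> {b.new} ({b.kind})")
    print("audit doc required:", audit_doc_required(found, "dependabot[bot]"))
    # Placeholder date and PR URL; a real workflow would use the run date and the PR link.
    print(render_audit_doc(found, "2024-01-01", "https://example.invalid/pull/1"))
```

The decision is deliberately fail-closed: a non-semver version string, a downgrade, an unrecognised lockfile line, or a human author all keep the gate on, so the exemption only ever removes the doc requirement for the narrow case the issue describes.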

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)
Milestone: No milestone