Skip to content

feat(strands-command): add dependabot-analyze mode#61

Open
yonib05 wants to merge 10 commits into
strands-agents:mainfrom
yonib05:feat/dependabot-analyze
Open

feat(strands-command): add dependabot-analyze mode#61
yonib05 wants to merge 10 commits into
strands-agents:mainfrom
yonib05:feat/dependabot-analyze

Conversation

@yonib05

@yonib05 yonib05 commented Jun 9, 2026

Copy link
Copy Markdown
Member

Summary

  • Add task-dependabot-analyze.sop.md — a read-only SOP that assesses dependency update safety
  • Wire dependabot-analyze command mode into the input parser
  • Add a sanitized_changelog input to the agent-runner action, injected into the agent task as untrusted data

The SOP treats all changelog/PR content as untrusted and emits a machine-readable verdict (safe / needs-review / breaking) consumed by the harness-sdk dependabot-auto-merge workflow.

Test plan

  • Parser loads and resolves the dependabot-analyze SOP path
  • Agent receives the sanitized changelog appended to its task

@yonib05 yonib05 mentioned this pull request Jun 9, 2026
Open
4 tasks
yonib05 added 5 commits June 9, 2026 19:49
@yonib05
fix(strands-command): use explicit inputs for non-comment events
0595355
@yonib05
feat(strands-command): emit DEPENDABOT_VERDICT marker in analyze SOP
0d41152
@yonib05
fix(strands-command): enforce changelog trust boundary in the runner
103272a 
Wrap SANITIZED_CHANGELOG in untrusted-changelog tags at the runner
boundary, strip embedded closing tags, apply it only in
dependabot-analyze mode, and keep its content out of the action log.
Restrict the dependabot-analyze tool set to read-only tools plus
add_pr_comment so the SOP's read-only constraint is enforced.
@yonib05
fix(strands-command): fail clearly when issue_id is missing, add pars…
93f79f8 
…er tests

Replace the confusing TypeError on non-comment events without an
issue_id with an explicit error. Cover the explicit-input branching,
mode selection, and the new guard with node:test unit tests.
@yonib05
docs(strands-command): document no-changelog case and verdict-consume…
3e5c021 
…r requirements

Cover the manually triggered path where no changelog is provided,
require verdict consumers to verify the comment author and use only
the latest verdict, and align the README with the enforced tool
restrictions and changelog wrapping behavior.
@yonib05

yonib05 commented Jun 14, 2026

Copy link
Copy Markdown
Member Author

Validation

Tested end-to-end on a fork before review. The internal action checkouts were temporarily repointed at the fork branch so the runner and dependabot-analyze SOP from this PR actually executed (the actions otherwise pull scripts/SOPs from @main).

Run: Dependabot Analyze e2e — run 27487508770 (success)
Target: a boto3 >=1.35.0 → >=1.40.0 bump PR
Agent verdict comment: yonib05#9 (comment)

Verified from the run logs and the posted comment:

Behavior Evidence
Command routes to the new mode Parser log: Mode: dependabot-analyze, new SOP loaded
Changelog kept out of the Actions log 📋 Appended sanitized changelog (143 chars) instead of raw text
Changelog wrapped at the trust boundary Verdict comment renders it inside <untrusted-changelog>…</untrusted-changelog>
Reduced read-only toolset enforced Only notebook, get_pull_request, get_pr_files, shell, add_pr_comment invoked — no edit/create/update tools
Machine-readable verdict contract Comment ends with DEPENDABOT_VERDICT: {"verdict": "safe"}

The agent identified the minor bump, grepped the repo for boto3 usages, assessed the (wrapped, untrusted) changelog, and rendered a safe verdict.

Parser branching is also covered by unit tests (process-input.test.cjs): explicit-input vs comment-payload routing, dependabot-analyze mode resolution, and the missing-issue_id guard.

@yonib05
refactor(strands-command): trim analyze toolset to PR-only read tools
a6f9357 
Drop the unused issue tools (get_issue, get_issue_comments, list_issues)
and list_pull_requests from the dependabot-analyze tool set so the
enforced least-privilege surface matches the SOP, which operates only on
the pull request. Hoist the mode name to an ANALYZE_MODE constant.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yonib05