
ci: daily dependabot critical-severity slack alerts #3701

Merged: nicktrn merged 1 commit into main from ci/dependabot-critical-alerts on May 22, 2026

Conversation

@nicktrn (Collaborator) commented May 22, 2026

Sibling to the weekly summary, focused on critical alerts only. Pings Slack daily while any critical alerts are open; skips the post entirely when zero, so no daily "all clear" noise.

  • Daily 08:00 UTC cron + workflow_dispatch with severity input (default critical, override to high/medium/low for manual checks)
  • Reuses the existing dependabot-summary environment (token, channel, bot)
  • Alerts link at the end is severity-filtered

@nicktrn nicktrn self-assigned this May 22, 2026
@changeset-bot (Bot) commented May 22, 2026

⚠️ No Changeset found

Latest commit: 42811b7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai (Contributor, Bot) commented May 22, 2026


Walkthrough

This PR adds a new GitHub Actions workflow .github/workflows/dependabot-critical-alerts.yml that automates security alert notifications. The workflow runs daily at 08:00 UTC and on manual dispatch, fetches open Dependabot alerts for a specified severity level via the GitHub CLI with pagination, aggregates the results using jq, and posts a formatted message to Slack containing alert URLs and advisory summaries. The job uses minimal permissions, concurrency controls, and two secrets for GitHub and Slack API authentication.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning):
  • Description check (Warning): The description covers the workflow's functionality and configuration but lacks most required template sections like Testing, Changelog, issue reference, and the checklist. Resolution: Add required sections: issue reference, testing steps, changelog entry, and complete the checklist. Fill in Screenshots if applicable or note as N/A.

Passed checks (4 passed):
  • Title check (Passed): The title clearly and concisely describes the main change: adding a daily CI workflow for Dependabot critical-severity alerts to Slack.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.


@coderabbitai (Contributor, Bot) left a review comment

Actionable comments posted: 1


Inline comments:
In @.github/workflows/dependabot-critical-alerts.yml:
- Around line 48-51: The jq formatter that builds LIST is producing literal
"null" when Dependabot fields are missing; update the jq expression used to
build LIST (the map(...) pipeline that reads alerts.json) to guard each
interpolated field with a default using the jq alternative operator (e.g.,
.html_url // "", .number // "", .dependency.package.name // "",
.security_advisory.summary // "") so missing values produce an empty string or
sensible placeholder instead of "null" in Slack.

📥 Commits

Reviewing files that changed from the base of the PR and between c80b85e and 42811b7.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-critical-alerts.yml
Additional comments (7)
.github/workflows/dependabot-critical-alerts.yml (7)

1-16: LGTM!
18-20: LGTM!
22-23: LGTM!
25-31: LGTM!
58-75: LGTM!

40-42: ⚡ Quick win

Confirm pagination aggregation with jq -s 'add' is correct for gh api --paginate.

gh api --paginate outputs each page separately as its own JSON array/object; jq -s slurps those sequential JSON values, and add concatenates the page arrays, so the existing pages.json -> alerts.json pipeline is appropriate. (Using --slurp would be an alternative, not required.)


79-79: ⚡ Quick win

Update: slack-github-action pin is on the latest release (v3.0.3), but confirm the SHA matches that release

  • The upstream slackapi/slack-github-action repo shows latest release: v3.0.3 (2026-05-01) and no public GHSA/CVE-style security advisories were found in the retrieved sources.
  • The workflow’s pinned commit 45a88b9581bfab2566dc881e2cd66d334e621e2c is not mapped to the v3.0.3 tag in the retrieved evidence; confirm the SHA is the v3.0.3 release commit (or in its history) via the v3.0.3 release/compare page.
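As an added example (not the PR's workflow file, which is not shown on this page), the following script reproduces the two steps the review discusses: concatenating the per-page arrays from gh api --paginate with jq -s 'add', and formatting the Slack list with jq's // alternative operator so a missing advisory field does not render as the literal "null". The alert pages, package names and example.invalid URLs are constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the PR's workflow: shows why the review asked for
# jq "//" defaults, using constructed Dependabot alert pages (no network).
set -eu

# Constructed sample: two pages as `gh api --paginate` emits them, one JSON
# array per page. Alert #2 has no security_advisory block at all.
PAGES='[{"number":1,"html_url":"https://example.invalid/alerts/1","dependency":{"package":{"name":"lodash"}},"security_advisory":{"summary":"Prototype pollution"}}]
[{"number":2,"html_url":"https://example.invalid/alerts/2","dependency":{"package":{"name":"left-pad"}}}]'

# Step 1: slurp the per-page arrays into one stream and concatenate them,
# the `jq -s 'add'` aggregation discussed in review (pages -> alerts).
aggregate_pages() {
  printf '%s\n' "$1" | jq -s 'add'
}

# Number of open alerts after aggregation; the workflow skips the Slack
# post when this is zero.
count_alerts() {
  printf '%s' "$1" | jq 'length'
}

# Weak form: fields interpolated without defaults. jq indexes a missing
# object as null, so the summary renders as the literal string "null".
format_naive() {
  printf '%s' "$1" | jq -r \
    'map("- <\(.html_url)|#\(.number)> \(.dependency.package.name): \(.security_advisory.summary)") | join("\n")'
}

# Hardened form (the fix suggested in review): guard each interpolated field
# with the alternative operator so null or missing values become an empty
# string or a readable placeholder instead of "null".
format_guarded() {
  printf '%s' "$1" | jq -r \
    'map("- <\(.html_url // "")|#\(.number // "")> \(.dependency.package.name // "unknown"): \(.security_advisory.summary // "(no summary)")") | join("\n")'
}

ALERTS=$(aggregate_pages "$PAGES")
echo "open alerts: $(count_alerts "$ALERTS")"
echo "--- naive ---"
format_naive "$ALERTS"
echo "--- guarded ---"
format_guarded "$ALERTS"
```

Running it prints the naive list with "left-pad: null" and the guarded list with "left-pad: (no summary)", which is the difference the reviewer wanted fixed before the message reaches Slack.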

@devin-ai-integration (Contributor, Bot) left a comment on .github/workflows/dependabot-critical-alerts.yml

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.


@nicktrn nicktrn merged commit 18d7144 into main May 22, 2026
27 checks passed
@nicktrn nicktrn deleted the ci/dependabot-critical-alerts branch May 22, 2026 09:32