Manual Test Runbook — I2: Dependency Scanning

Owner: Sagar  |  Time: ~3 min (Part A offline) · +10 min (Part B/C live)  |  Cloud: none · $0

Promotes I2 (.github/dependabot.yml + .github/workflows/dependency-review.yml + .github/workflows/dependency-digest.yml) from 🟦 Code Complete → 🟩 Shipped. Part A is offline (YAML lint). Parts B/C are live (PR gate + digest issue).


Prerequisites

  • Local tooling: python3 (YAML lint), gh (for the digest drill)
  • (Parts B/C) GitHub Advanced Security / Dependency Graph + Dependabot alerts enabled
  • Working directory: repo root

Steps

Part A — config lint (offline, ~3 min)

  1. Lint the three YAML files:
     python3 -c "import yaml; yaml.safe_load(open('.github/dependabot.yml')); print('dependabot OK')"
     python3 -c "import yaml; yaml.safe_load(open('.github/workflows/dependency-review.yml')); print('review OK')"
     python3 -c "import yaml; yaml.safe_load(open('.github/workflows/dependency-digest.yml')); print('digest OK')"

Expected: three OK lines (dependabot OK, review OK, digest OK). Then confirm by inspection that dependabot.yml covers all four ecosystems (github-actions, terraform, npm, gomod) and that dependency-review.yml sets fail-on-severity: high and a deny-licenses list.
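The "confirm by inspection" step can be scripted. The checker below is an added example, not part of the repo's workflows: it takes the dictionaries that yaml.safe_load returns for the two files and reports any missing ecosystem, a fail-on-severity weaker than high, or an absent deny-licenses value. The sample inputs are constructed; actions/dependency-review-action and its low/moderate/high/critical severity scale are the real action's.

```python
from typing import Any

# Ecosystems the runbook requires dependabot.yml to cover (Part A).
REQUIRED_ECOSYSTEMS = {"github-actions", "terraform", "npm", "gomod"}
# Values at least as strict as fail-on-severity: high on the action's
# low < moderate < high < critical scale ('critical' would let High advisories merge).
ACCEPTED_SEVERITIES = {"low", "moderate", "high"}


def check_dependabot(cfg: dict[str, Any]) -> list[str]:
    """Return findings (empty list == OK) for a parsed dependabot.yml."""
    findings = []
    if cfg.get("version") != 2:
        findings.append("dependabot.yml: 'version' must be 2")
    seen = {u.get("package-ecosystem") for u in cfg.get("updates", [])}
    for eco in sorted(REQUIRED_ECOSYSTEMS - seen):
        findings.append(f"dependabot.yml: no update block for ecosystem '{eco}'")
    return findings


def check_dependency_review(wf: dict[str, Any]) -> list[str]:
    """Return findings for a parsed dependency-review.yml workflow."""
    steps = [s for job in wf.get("jobs", {}).values() for s in job.get("steps", [])]
    review = [s for s in steps if str(s.get("uses", "")).startswith("actions/dependency-review-action")]
    if not review:
        return ["dependency-review.yml: no actions/dependency-review-action step found"]
    findings = []
    opts = review[0].get("with") or {}
    sev = str(opts.get("fail-on-severity", "")).lower()
    if sev not in ACCEPTED_SEVERITIES:
        findings.append(f"dependency-review.yml: fail-on-severity is '{sev or 'unset'}', need high or stricter")
    if not opts.get("deny-licenses"):  # comma-separated SPDX ids, e.g. "GPL-3.0, AGPL-3.0"
        findings.append("dependency-review.yml: deny-licenses is missing or empty")
    return findings


# Constructed sample inputs shaped like yaml.safe_load() output (not the repo's real files).
SAMPLE_DEPENDABOT = {
    "version": 2,
    "updates": [{"package-ecosystem": e, "directory": "/", "schedule": {"interval": "weekly"}}
                for e in ("github-actions", "terraform", "npm")],  # gomod deliberately omitted
}
SAMPLE_REVIEW = {"jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
    {"uses": "actions/checkout@v4"},
    {"uses": "actions/dependency-review-action@v4",
     "with": {"fail-on-severity": "high", "deny-licenses": "GPL-3.0, AGPL-3.0"}},
]}}}

if __name__ == "__main__":
    # Against the real files: check_dependabot(yaml.safe_load(open('.github/dependabot.yml'))) etc.
    for finding in check_dependabot(SAMPLE_DEPENDABOT) + check_dependency_review(SAMPLE_REVIEW):
        print("FAIL:", finding)
```

Run against the sample it prints one FAIL line for the missing gomod block; an empty output means both files meet the Part A bar.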

Part B — PR gate drill (~5 min, $0)

  1. On a throwaway branch, add a known-vulnerable pinned dependency to one apps/*/package.json (e.g. an old lodash/minimist with a High advisory). Open a PR to main.

  2. Confirm the dependency-review check fails and posts a summary comment naming the advisory. Revert → check goes green.

Part C — digest issue drill (~5 min, $0)

  1. Trigger the digest manually:
     gh workflow run dependency-digest.yml

  2. Confirm a single "Dependency alert digest — N open" issue (label dependencies) is opened. Run it again and confirm the SAME issue is updated (not duplicated) — the <!-- snowops-dependency-digest --> marker makes it idempotent.

If the repo has no GHAS/Dependabot alerts API, the digest job no-ops cleanly (logs "API unavailable — skipping digest") — record Part C as skipped.


Sign-Off

Field              Value
Part A (lint)      ☐ PASS
Part B (PR gate)   ☐ PASS / ☐ skipped
Part C (digest)    ☐ PASS / ☐ skipped
Tester
Date
Result             ☐ PASS