
ci: add dependency canary workflow #298

Merged
ParticularlyPythonicBS merged 3 commits into unstable from ci/dependency-canary on Apr 9, 2026

Conversation

Member

@ParticularlyPythonicBS ParticularlyPythonicBS commented Apr 9, 2026

Introduces an automated Dependency Canary workflow to proactively manage package upgrades and enhances the security of all project pipelines by pinning GitHub Actions to immutable commit SHAs.

New Dependency Canary Workflow: Created .github/workflows/dependency-canary.yml.
  • Scheduled to run daily at midnight UTC.
  • Automatically identifies dependency updates using uv lock --upgrade.
  • Validates updates by running the full test suite (pytest) and type checks (mypy).
  • On Success: Creates a Pull Request to the unstable branch with updated lock files and requirement exports.
  • On Failure: Opens or updates a persistent GitHub Issue to alert maintainers.

Security Hardening:
  • Audited ci.yml and deploy-nightly.yml to replace mutable version tags with verified commit SHAs.
  • This mitigates supply chain risks by ensuring our CI/CD environment remains consistent even if an upstream action tag is compromised or deleted.

Summary by CodeRabbit

  • Chores
    • Pinned third-party CI actions to specific revisions to improve pipeline security and stability.
    • Added a daily automated dependency-canary that checks/upgrades dependencies and opens update pull requests.
    • Updated nightly deployment workflow to use pinned action revisions for more reliable deployments.
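
The pinning described above is only as good as the audit that finds the unpinned references, so here is an added example (not code from this PR or the repository) of that audit: it scans the `uses:` lines of a workflow file and treats a reference as pinned only when its ref is a full 40-hex commit SHA, reporting tags such as `v4` and branches such as `main`, which upstream can move after the fact. The sample workflow, the action names other than actions/checkout and astral-sh/setup-uv, and the SHA (a placeholder of repeated digits, not a real commit) are constructed for the example.

```javascript
// Added example, not part of the PR under review: audit the `uses:`
// references in a GitHub Actions workflow. Only a full 40-hex commit SHA
// counts as pinned; tags (v4, v4.2.2) and branches (main) are mutable and can
// be retargeted upstream, which is the supply-chain risk the PR closes.

const FULL_SHA = /^[0-9a-f]{40}$/;

// Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
// Local actions (`./path`) carry no `@ref` and never match; `docker://` images
// are skipped explicitly because their digest is not a git ref.
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?\s*(#\s*(.*))?$/;

function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, idx) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const [, action, ref, , comment] = m;
    if (action.startsWith("docker://")) return;
    findings.push({
      line: idx + 1,
      action,
      ref,
      pinned: FULL_SHA.test(ref),
      // A bare SHA is unreadable on its own; the usual convention is to keep
      // the human-facing version in a trailing comment, e.g. `# v4.2.2`.
      versionComment: comment ? comment.trim() : null,
    });
  });
  return findings;
}

// The findings a reviewer would act on: every reference that is not a SHA pin.
function unpinned(yamlText) {
  return auditWorkflow(yamlText).filter((f) => !f.pinned);
}

// Constructed sample workflow: a mutable tag, a SHA pin with a version comment,
// a local action and a branch reference. The SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567 # v5.4.1
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - run: uv run pytest
`;

// Report the unpinned references of the sample when run directly.
for (const f of unpinned(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref} is not pinned to a commit SHA`);
}
```

Run against a real workflow by reading the file into `auditWorkflow`; the pinned entries whose `versionComment` is null are worth a second look too, since a SHA with no recorded version makes the next upgrade review harder than it needs to be.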

@ParticularlyPythonicBS ParticularlyPythonicBS added the Infra workflow changes label Apr 9, 2026

coderabbitai Bot commented Apr 9, 2026

Warning

Rate limit exceeded

@ParticularlyPythonicBS has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 14 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 11 minutes and 14 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3f056ab6-29a9-462f-b43c-58e586a97111

📥 Commits

Reviewing files that changed from the base of the PR and between d384d1a and 2a9c251.

📒 Files selected for processing (1)
  • .github/workflows/dependency-canary.yml

Walkthrough

Pins GitHub Actions to specific commit SHAs in CI and nightly workflows and adds a new scheduled/manual "dependency-canary" workflow that upgrades dependencies, runs type checks and tests, and opens issues or PRs based on results.

Changes

Cohort: Action Version Pinning
File(s): .github/workflows/ci.yml, .github/workflows/deploy-nightly.yml
Summary: Replaced actions/checkout@vX and astral-sh/setup-uv@vX references with specific commit SHAs (pins) in CI, type-check, and nightly deployment jobs. No other step inputs or commands changed.

Cohort: Dependency Canary Workflow
File(s): .github/workflows/dependency-canary.yml
Summary: Adds a new workflow (daily @ 00:00 UTC, manual dispatch) targeting unstable: checks out unstable, installs/caches uv, runs uv lock --upgrade and uv pip compile to regenerate requirements, installs deps, runs mypy and pytest, then either files/comments a dependency-canary issue on failure or opens a pull request with updates on success.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Scheduler as Scheduler
    participant Runner as GitHub Runner
    participant Repo as Repository (unstable)
    participant UV as uv Tool
    participant Test as Test Suite (mypy, pytest)
    participant GHAPI as GitHub API (issues/PRs)
    Scheduler->>Runner: cron / manual dispatch
    Runner->>Repo: checkout `unstable`
    Runner->>UV: install (with cache)
    Runner->>UV: run `uv lock --upgrade` / `uv pip compile` (regenerate requirements)
    Runner->>Runner: install dependencies (uv sync), install graphviz
    Runner->>Test: run mypy
    Runner->>Test: run pytest
    alt Tests fail or mypy error
        Runner->>GHAPI: list open issues labeled `dependency-canary`
        GHAPI->>Runner: existing issue list
        Runner->>GHAPI: create or comment on issue (`dependency-canary,bug`) 
    else All checks pass
        Runner->>GHAPI: create pull request `dependency-canary-updates` with updates
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'ci: add dependency canary workflow' accurately summarizes the main change: introducing a new GitHub Actions workflow for daily dependency updates with validation and PR automation.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependency-canary.yml:
- Around line 55-60: The labels parameter passed to
github.rest.issues.listForRepo is an array but the API expects a comma-separated
string; update the call to github.rest.issues.listForRepo so the labels field is
a string (e.g., 'dependency-canary' or use Array.join(',') if building from an
array) to ensure correct filtering of issues in the dependency-canary lookup.
- Around line 33-34: The requirements-dev export is missing the project's
dependency-group "dev" because the pipeline uses the --all-extras flag; update
the second command invocation (the line currently running pip compile for
requirements-dev.txt) to include the dependency group for dev (use the --group
dev flag instead of or in addition to --all-extras) so that the
[dependency-groups] dev dependencies are included in requirements-dev.txt.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9e3559ac-d811-4fe6-b879-059ba93beb3e

📥 Commits

Reviewing files that changed from the base of the PR and between 0d540c3 and b26602b.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/dependency-canary.yml
  • .github/workflows/deploy-nightly.yml


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependency-canary.yml:
- Around line 73-79: The call to github.rest.issues.create is passing labels as
a single comma-separated string which should be an array; update the labels
argument in the github.rest.issues.create invocation to pass an array of label
strings (e.g., ['dependency-canary','bug']) instead of a single string so the
API receives a string[] for labels and issue creation won't fail.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 534181e1-23ac-4716-b1a5-bf076dacf3d9

📥 Commits

Reviewing files that changed from the base of the PR and between b26602b and d384d1a.

📒 Files selected for processing (1)
  • .github/workflows/dependency-canary.yml

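
Both CodeRabbit reviews above turn on the same Octokit detail: `issues.listForRepo` filters by `labels` given as a comma-separated string, while `issues.create` takes `labels` as an array of strings. The following is an added example, not the workflow's own step, of the failure-reporting logic the Walkthrough describes (look up an open `dependency-canary` issue, comment on it if found, otherwise create one labelled `dependency-canary,bug`) written as it would run under actions/github-script, with each call using the shape the API expects. The `github` client is replaced by an in-memory stand-in that rejects the wrong shape, so the example runs offline; the issue title and body, the repository name and the run URL are constructed for the example.

```javascript
// Added example, not code from the PR: the issue-reporting step of a
// dependency-canary job as it would run under actions/github-script.
// `github` and `context` are the objects github-script provides; here they are
// stood in by a fake client so the logic can run without network access.

const CANARY_LABELS = ["dependency-canary", "bug"];

// issues.listForRepo filters by a single comma-separated string of label names.
function labelsAsFilter(labels) {
  return labels.join(",");
}

async function reportCanaryFailure(github, context, runUrl) {
  const { owner, repo } = context.repo;

  // Find an open tracking issue so a daily schedule updates one thread
  // instead of opening a new issue every night.
  const { data: open } = await github.rest.issues.listForRepo({
    owner,
    repo,
    state: "open",
    labels: labelsAsFilter(["dependency-canary"]), // string, not ["dependency-canary"]
  });

  const body = `Dependency canary failed after \`uv lock --upgrade\`. Run: ${runUrl}`;

  if (open.length > 0) {
    await github.rest.issues.createComment({ owner, repo, issue_number: open[0].number, body });
    return { action: "commented", issue_number: open[0].number };
  }

  const { data: created } = await github.rest.issues.create({
    owner,
    repo,
    title: "Dependency canary: upgraded dependencies break the test suite",
    body,
    labels: CANARY_LABELS, // array of strings, not "dependency-canary,bug"
  });
  return { action: "created", issue_number: created.number };
}

// Offline stand-in for the Octokit client: records every call and enforces
// the parameter shapes the real endpoints expect. `existingIssues` is the
// list the fake returns from listForRepo (constructed data).
function makeFakeGithub(existingIssues) {
  const calls = [];
  return {
    calls,
    rest: {
      issues: {
        async listForRepo(params) {
          if (typeof params.labels !== "string") throw new TypeError("listForRepo: labels must be a string");
          calls.push(["listForRepo", params]);
          return { data: existingIssues };
        },
        async createComment(params) {
          calls.push(["createComment", params]);
          return { data: { id: 1 } };
        },
        async create(params) {
          if (!Array.isArray(params.labels)) throw new TypeError("create: labels must be an array");
          calls.push(["create", params]);
          return { data: { number: 42 } };
        },
      },
    },
  };
}

// Constructed context; github-script's `context.repo` has the same shape.
const FAKE_CONTEXT = { repo: { owner: "example-org", repo: "example-repo" } };

// Exercise both branches: no tracking issue yet, then an existing issue #7.
async function demo() {
  const fresh = makeFakeGithub([]);
  const first = await reportCanaryFailure(fresh, FAKE_CONTEXT, "https://example.invalid/actions/runs/1");
  const existing = makeFakeGithub([{ number: 7 }]);
  const second = await reportCanaryFailure(existing, FAKE_CONTEXT, "https://example.invalid/actions/runs/2");
  return { first, second, freshCalls: fresh.calls, existingCalls: existing.calls };
}

demo().then((r) => console.log(r.first, r.second));
```

The fake's type checks are the point: passing an array to `listForRepo` would be coerced to a string and silently filter on the wrong label set, and passing a string to `create` is rejected by the API, which is exactly the pair of mistakes the two review comments describe.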
@ParticularlyPythonicBS ParticularlyPythonicBS added the Maintenance Code quality fixes and deprecation management label Apr 9, 2026
@ParticularlyPythonicBS ParticularlyPythonicBS merged commit ef4b6be into unstable Apr 9, 2026
12 checks passed
@ParticularlyPythonicBS ParticularlyPythonicBS deleted the ci/dependency-canary branch April 9, 2026 16:51