docs(workflows): document Bumblebee Supply-Chain Scan#45

Merged: dkastl merged 2 commits into main from docs/bumblebee-workflow on May 31, 2026

@dkastl dkastl commented May 29, 2026

Contributor

Summary

Documents the Bumblebee reusable workflow + template under docs/workflows.md, matching the existing per-workflow sections.

Why

The reusable workflow + template were added in #44 / v1.14.0, but the documentation was never updated. New adopters land on docs/workflows.md and currently do not see Bumblebee listed.

What was added

A ## Bumblebee Supply-Chain Scan section between Release on Tag and Updating templates, covering:

  • Trigger model (PR + daily schedule + workflow_dispatch)
  • Minimal consumer wrapper example
  • Inputs reference table
  • Outputs on a finding (PR comment vs. tracking issue depending on trigger)
  • One-click enablement path via "New workflow" UI

No code changes.

Test plan

  • CodeRabbit review clean
  • Rendered preview looks right in TechDocs

Summary by CodeRabbit

  • Documentation
    • Added guidance for the Bumblebee Supply-Chain Scan reusable workflow: trigger modes (pull requests, daily schedule, manual), configuration inputs (version, fail-on-findings, ecosystems, profile), expected outputs, and onboarding via the workflow picker.
    • Describes how results are reported (PR comments with inline annotations and artifact uploads) and behavior for non-PR runs (idempotent tracking issues and labeling).

Add a section to docs/workflows.md mirroring the existing per-workflow
entries (publish-techdocs, release-auto-on-tag, cdk-deploy-monitor).
Covers the trigger model, inputs, outputs on a finding, and the
one-click "New workflow" enablement path.

Pairs with the consumer-side ops documentation in geolonia-operations.
@github-actions

Secret Leak Check

OK No secrets detected in this PR's diff.

coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b08f9545-b5a1-4d87-95d0-452ada9f3d5c

📥 Commits

Reviewing files that changed from the base of the PR and between b52178a and f0503e1.

📒 Files selected for processing (1)
  • docs/workflows.md

Walkthrough

This PR adds documentation for the Bumblebee Supply-Chain Scan reusable workflow, describing triggers, delegated actions (download/pinned Bumblebee and threat-intel matching), PR vs non-PR reporting, inputs/outputs, minimal usage, and steps to add/configure the workflow.

Changes

Bumblebee Supply-Chain Scan Documentation

| Layer / File(s) | Summary |
| --- | --- |
| Workflow documentation: docs/workflows.md | Added complete documentation for the Bumblebee Supply-Chain Scan workflow, including trigger modes (pull request, daily schedule, manual dispatch), reusable-workflow delegation behavior (pinned Bumblebee release and threat-intel matching), PR vs. non-PR reporting (PR comments with annotations vs. tracking issue updates and NDJSON artifacts), minimal example configuration, usage guidance, inputs table (bumblebee-version, fail-on-findings, ecosystems, profile), outputs behavior, and configuration steps. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: documentation for the Bumblebee Supply-Chain Scan workflow in docs/workflows.md. |
| Description check | ✅ Passed | The PR description is comprehensive and follows the template structure with Summary, Why, What was added, and Test plan sections providing clear context and motivation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/workflows.md`:
- Around line 115-118: The docs currently claim the workflow runs on "schedule /
workflow_dispatch / release / push" which is inaccurate for the reusable
`workflow_call`-only template; update the paragraph that mentions `schedule`,
`workflow_dispatch`, `release` and `push` to reflect the actual triggers used by
the template (it supports `workflow_call` and the default template enables
`pull_request`, `schedule` (cron) and `workflow_dispatch`), removing or
clarifying `release` and `push` (or explicitly state that `release`/`push` only
apply when invoked by non-template callers) so the text matches the workflow
configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b85670f5-be74-490b-a9c7-232532529490

📥 Commits

Reviewing files that changed from the base of the PR and between d26766b and b52178a.

📒 Files selected for processing (1)
  • docs/workflows.md

Comment thread docs/workflows.md Outdated
The reusable workflow is workflow_call-only; the default template
enables pull_request + schedule + workflow_dispatch (release commented,
push not configured). Reword the issue-on-finding bullet to say 'any
non-PR trigger' and note which the template enables vs. what callers
may add, instead of listing release/push as if active.
@github-actions

Secret Leak Check

OK No secrets detected in this PR's diff.

@dkastl dkastl merged commit 51a49fe into main May 31, 2026
2 checks passed
@dkastl dkastl deleted the docs/bumblebee-workflow branch May 31, 2026 23:05