apache/sedona

pre-commit: validate-dependabot-yml flakes in CI on TLS reset to json.schemastore.org

Closed

#2866 opened on Apr 27, 2026

batch import, good first issue, in progress, pre-commit

Description

The validate-dependabot-yml pre-commit hook (powered by @bugron/validate-dependabot-yaml) fetches the JSON schema from https://json.schemastore.org/dependabot-2.0.json on every run. When the TLS handshake to schemastore.org is reset mid-connection, the whole pre-commit job fails with ECONNRESET, even though .github/dependabot.yml itself is valid.

This is a transient infrastructure failure that has nothing to do with the PR being checked, so it shows up as a flaky red on otherwise green CI runs.

Proposed fix

Replace the live-fetch validator with python-jsonschema/check-jsonschema's check-dependabot hook, which ships the schema bundled with the package — fully offline, no network at runtime, no flakes:

  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.30.0
    hooks:
      - id: check-dependabot
        name: validate dependabot.yml
        files: ^\.github/dependabot\.yml$

This is a drop-in replacement: same coverage (validates .github/dependabot.yml against the dependabot v2 schema), same trigger pattern, but no outbound HTTP from the hook.
