Description
Summary
DependabotAlertPropDependency.relationship (used by all 8 dependabot_alert webhook action variants) is missing the "inconclusive" literal that GitHub actually sends and that already exists in the REST API model DependabotAlertWithRepositoryPropDependency.relationship.
This causes a ValidationError that rejects the entire webhook payload when GitHub sends dependency.relationship = "inconclusive" on any dependabot_alert event.
Environment
- githubkit version: 0.15.0
- Python: 3.12
Affected Models
| Model | Field | Current Type | Expected Type |
|---|---|---|---|
| `DependabotAlertPropDependency` | `relationship` | `Missing[None \| Literal["unknown", "direct", "transitive"]]` | `Missing[None \| Literal["unknown", "direct", "transitive", "inconclusive"]]` |
All 8 webhook action variants are affected through the chain:
WebhookDependabotAlert{Action} → DependabotAlert → DependabotAlertPropDependency
The REST API model DependabotAlertWithRepositoryPropDependency.relationship already includes "inconclusive" — this is an upstream OpenAPI spec inconsistency (webhook model out of sync with REST API model).
Reproduction
```python
from githubkit.versions.latest.models import DependabotAlertPropDependency

# Raises ValidationError — "inconclusive" not in the literal
DependabotAlertPropDependency.model_validate({
    "package": {"ecosystem": "pip", "name": "requests"},
    "manifest_path": "requirements.txt",
    "scope": "runtime",
    "relationship": "inconclusive",
})
```
Workaround
Runtime monkeypatch until a fix is released:
```python
from typing import Literal

from githubkit.typing import Missing
from githubkit.versions.latest.models import (
    DependabotAlert,
    DependabotAlertPropDependency,
    WebhookDependabotAlertAssigneesChanged,
    WebhookDependabotAlertAutoDismissed,
    WebhookDependabotAlertAutoReopened,
    WebhookDependabotAlertCreated,
    WebhookDependabotAlertDismissed,
    WebhookDependabotAlertFixed,
    WebhookDependabotAlertReintroduced,
    WebhookDependabotAlertReopened,
)

# Widen the annotation on the class and on the pydantic field info.
DependabotAlertPropDependency.__annotations__["relationship"] = (
    Missing[None | Literal["unknown", "direct", "transitive", "inconclusive"]]
)
DependabotAlertPropDependency.model_fields["relationship"].annotation = (
    Missing[None | Literal["unknown", "direct", "transitive", "inconclusive"]]
)

# Rebuild the patched model and every model that embeds it, innermost first.
for model in [
    DependabotAlertPropDependency,
    DependabotAlert,
    WebhookDependabotAlertAssigneesChanged,
    WebhookDependabotAlertAutoDismissed,
    WebhookDependabotAlertAutoReopened,
    WebhookDependabotAlertCreated,
    WebhookDependabotAlertDismissed,
    WebhookDependabotAlertFixed,
    WebhookDependabotAlertReintroduced,
    WebhookDependabotAlertReopened,
]:
    model.model_rebuild(force=True)
```
Root Cause
Upstream OpenAPI spec inconsistency in github/rest-api-description — the webhook schema for dependabot_alert does not include "inconclusive" in dependency.relationship, while the REST API schema does. Upstream bug filed at github/rest-api-description.
Related Issues
- WebhookCodeScanningAlertFixedPropAlert.fixed_at typed as Missing[None] but GitHub sends a datetime string #275
- WebhookCodeScanningAlertFixedPropAlert.state typed as None | Literal["fixed"] but GitHub sends "dismissed" #276
- WebhookCodeScanningAlertClosedByUserPropAlert.fixed_at typed as Missing[None] but GitHub sends a datetime string #279
- WebhookCodeScanningAlertReopenedPropAlertPropDismissedBy has no fields — dismissed_by user data silently dropped #283

Same class of upstream spec inaccuracy patched previously.
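
As an added example (not part of the original issue and not githubkit code), a stdlib-only check for the kind of drift named under Root Cause: it walks two JSON Schema fragments and reports property paths whose `enum` lists differ. The schema fragments and the names `alert_schema`, `collect_enums` and `enum_drift` are constructed for illustration and are simplified, not copied from github/rest-api-description.

```python
def alert_schema(relationship_values):
    """Constructed, simplified fragment; not copied from github/rest-api-description."""
    return {
        "type": "object",
        "properties": {
            "dependency": {
                "type": "object",
                "properties": {
                    "scope": {"enum": ["development", "runtime", None]},
                    "relationship": {"enum": relationship_values},
                },
            },
        },
    }


# Constructed inputs mirroring the two literals quoted in the issue.
WEBHOOK_ALERT = alert_schema(["unknown", "direct", "transitive", None])
REST_ALERT = alert_schema(["unknown", "direct", "transitive", "inconclusive", None])


def collect_enums(schema, path=""):
    """Map each dotted property path to the set of enum values declared there."""
    found = {}
    if "enum" in schema:
        found[path] = set(schema["enum"])
    for name, sub in schema.get("properties", {}).items():
        found.update(collect_enums(sub, f"{path}.{name}" if path else name))
    if isinstance(schema.get("items"), dict):
        found.update(collect_enums(schema["items"], path + "[]"))
    return found


def enum_drift(webhook_schema, rest_schema):
    """Return {path: (missing_from_webhook, missing_from_rest)} where enums differ."""
    hook, rest = collect_enums(webhook_schema), collect_enums(rest_schema)
    drift = {}
    for path in sorted(hook.keys() & rest.keys()):
        if hook[path] != rest[path]:
            # key=repr keeps sorting stable when None sits beside strings.
            drift[path] = (sorted(rest[path] - hook[path], key=repr),
                           sorted(hook[path] - rest[path], key=repr))
    return drift


if __name__ == "__main__":
    for path, (not_in_hook, not_in_rest) in enum_drift(WEBHOOK_ALERT, REST_ALERT).items():
        print(f"{path}: webhook lacks {not_in_hook}, REST lacks {not_in_rest}")
```

Any value reported as missing from the webhook side is one that a strict `Literal` model generated from that schema would reject, dropping the whole event.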