Summary
The dependabot_alert webhook payload schema for dependency.relationship is missing the "inconclusive" literal value that GitHub sends in practice and that already exists in the corresponding REST API model.
Affected Schema
Webhook model (DependabotAlertPropDependency.relationship — used by all 8 dependabot_alert webhook action variants):
"unknown" | "direct" | "transitive" ← missing "inconclusive"
REST API model (DependabotAlertWithRepositoryPropDependency.relationship):
"unknown" | "direct" | "transitive" | "inconclusive" ← correct
The same field, same semantics — the webhook model is simply out of sync with the REST API model.
Impact
Any consumer using a strictly-typed client generated from the webhook OpenAPI spec (e.g. githubkit) will receive a ValidationError and reject the entire webhook payload when GitHub sends "inconclusive" as the relationship value on a dependabot_alert created (or any other action) event.
Reproduction
- Trigger a `dependabot_alert` webhook where the dependency relationship is inconclusive.
- Parse the payload using a strictly-typed model generated from the current webhook spec.
- Observe `ValidationError: "inconclusive" is not a valid literal`.
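The failure mode above, reproduced offline as an added example (this is not code from the issue, from githubkit, or from the OpenAPI spec). It validates a constructed `dependabot_alert` payload against the two `relationship` enums quoted in the issue, using a hypothetical `ValidationError` class and hypothetical `parse_strict` / `parse_tolerant` / `try_parse` helpers in place of a generated client. The security-relevant point it shows is that a strict consumer does not merely lose one field: it discards the whole security alert, whereas a consumer that fails open keeps the alert and preserves the unrecognised value for later inspection.

```python
import json
from typing import Literal, get_args

# Hypothetical stand-in for the validation error a strictly-typed client
# raises (e.g. githubkit's pydantic ValidationError); not githubkit's class.
class ValidationError(ValueError):
    pass

# The two enum variants quoted in the issue.
WebhookRelationship = Literal["unknown", "direct", "transitive"]                  # webhook spec today
RestRelationship = Literal["unknown", "direct", "transitive", "inconclusive"]     # REST API model

# Constructed minimal dependabot_alert "created" payload; only the fields
# relevant to this issue are present.
SAMPLE_PAYLOAD = json.dumps({
    "action": "created",
    "alert": {
        "number": 42,
        "state": "open",
        "dependency": {
            "package": {"ecosystem": "pip", "name": "requests"},
            "manifest_path": "requirements.txt",
            "scope": "runtime",
            "relationship": "inconclusive",
        },
    },
})


def validate_relationship(value, allowed):
    """Reject any value outside the Literal, the way a generated model would."""
    if value not in get_args(allowed):
        raise ValidationError(
            f"{json.dumps(value)} is not a valid literal; "
            f"expected one of {list(get_args(allowed))}"
        )
    return value


def parse_strict(raw, allowed=WebhookRelationship):
    """Strict consumer: one bad literal rejects the entire webhook payload."""
    payload = json.loads(raw)
    dependency = payload["alert"]["dependency"]
    dependency["relationship"] = validate_relationship(dependency["relationship"], allowed)
    return payload


def try_parse(raw, allowed):
    """Return (accepted, relationship_or_error_message) for a strict parse."""
    try:
        payload = parse_strict(raw, allowed)
        return True, payload["alert"]["dependency"]["relationship"]
    except ValidationError as exc:
        return False, str(exc)


def parse_tolerant(raw, allowed=WebhookRelationship):
    """Fail-open consumer: keep the alert, downgrade an unrecognised
    relationship to "unknown", and keep the raw value for inspection."""
    payload = json.loads(raw)
    dependency = payload["alert"]["dependency"]
    try:
        validate_relationship(dependency["relationship"], allowed)
    except ValidationError:
        dependency["relationship_raw"] = dependency["relationship"]
        dependency["relationship"] = "unknown"
    return payload


if __name__ == "__main__":
    print("webhook schema:", try_parse(SAMPLE_PAYLOAD, WebhookRelationship))
    print("REST schema:   ", try_parse(SAMPLE_PAYLOAD, RestRelationship))
    print("tolerant:      ", parse_tolerant(SAMPLE_PAYLOAD)["alert"]["dependency"])
```

Run as-is: the first line shows the rejection the issue describes, the second shows the same payload accepted once the webhook enum matches the REST enum, and the third shows a consumer that keeps the alert (relationship downgraded to "unknown", raw value retained) rather than dropping it.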
Expected Behaviour
The dependency.relationship field in the webhook schema should accept the same set of values as the REST API model:
{ "enum": ["unknown", "direct", "transitive", "inconclusive"] }
Related
- Same class of bug as #6058 ([Schema Inaccuracy] code_scanning_alert fixed webhook: fixed_at typed as null instead of date-time string) and #6059 ([Schema Inaccuracy] code_scanning_alert fixed webhook: alert.state typed as null | "fixed" but GitHub sends "dismissed"), both code scanning alert state/fixed_at schema inaccuracies.
- Downstream githubkit issue filed at yanyongyu/githubkit#284: Bug: `DependabotAlertPropDependency.relationship` missing `"inconclusive"` literal (webhook model out of sync with REST API model).