
Conversation

@mdtro
Contributor

@mdtro mdtro commented Jul 23, 2024

Add dependency review action. Any new dependencies added with known high or critical vulnerabilities will fail CI.

@mdtro mdtro requested a review from a team July 23, 2024 22:03
@mdtro mdtro enabled auto-merge (squash) July 23, 2024 22:10
@armcknight
Member

Thanks @mdtro, this sounds like a good idea. Regarding the pinned versions, will a github bot automatically submit PRs for us to upgrade this tool? Or will we have to monitor that tool to see if there are updates? I don't want to set it and forget it and let it slowly rot.

@mdtro
Contributor Author

mdtro commented Jul 23, 2024

> Thanks @mdtro, this sounds like a good idea. Regarding the pinned versions, will a github bot automatically submit PRs for us to upgrade this tool? Or will we have to monitor that tool to see if there are updates? I don't want to set it and forget it and let it slowly rot.

Dependabot's current configuration on this repo won't update these since we have the SHAs pinned. We would need to enable version updates (instead of just security updates). I can do that in this PR if you'd like. :)

@mdtro
Contributor Author

mdtro commented Jul 23, 2024

@armcknight Scratch that, it looks like Dependabot is already configured here to do version updates on GitHub Actions. So yes, it should be auto-updated. 🎉

- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: weekly


@armcknight armcknight left a comment

Thanks @mdtro ❤️ !

@mdtro mdtro merged commit bce565d into main Jul 24, 2024
@mdtro mdtro deleted the mdtro/add-dependency-review branch July 24, 2024 00:03
name: 'Dependency Review'
on:
  pull_request:
    branches: ['master']
Contributor


@mdtro should this be main?
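As an added example (not the workflow file merged in this PR, and not the project's own code), here is a complete dependency-review workflow that realises what the PR description and the review snippet above describe: the check runs on pull requests to `main` (the reviewer above asked whether `master` should be `main`), the actions are pinned to full commit SHAs as discussed in the thread, and `fail-on-severity: high` fails CI when a newly added dependency has a known high or critical vulnerability. The `<full-commit-sha>` / `vX.Y.Z` values are placeholders to be filled in from the actions' release pages, not real pins; the `permissions` block and the commented licence allow-list are my additions, not something the PR shows.

```yaml
# .github/workflows/dependency-review.yml
# Added illustration of the PR's intent; not the file merged in this PR.
name: 'Dependency Review'

on:
  pull_request:
    branches: ['main']   # the review comment above asked whether 'master' should be 'main'

# Least privilege: the action only needs to read the PR's dependency diff.
# (Assumption: the project does not need any other permission in this job.)
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA, not a mutable tag, so a retagged or
      # compromised release cannot change what runs here. <full-commit-sha>
      # and vX.Y.Z are placeholders; Dependabot's github-actions updater
      # (configured earlier in this thread) bumps the SHA and keeps the
      # trailing version comment in sync.
      - uses: actions/checkout@<full-commit-sha> # vX.Y.Z

      - name: Dependency Review
        uses: actions/dependency-review-action@<full-commit-sha> # vX.Y.Z
        with:
          # Fail the check when a *newly added* dependency carries a known
          # vulnerability at or above this severity (low|moderate|high|critical).
          # 'high' therefore fails on both high and critical, as the PR
          # description states.
          fail-on-severity: high
          # Optional extra policy (assumption, not in the PR): also fail when a
          # newly added dependency uses a licence outside an allow-list.
          # allow-licenses: MIT, Apache-2.0, BSD-3-Clause
```

The Dependabot `github-actions` entry quoted earlier in the thread is what keeps these SHA pins from rotting: it opens a PR that updates the SHA and the version comment together. Pinning to a tag such as `@v4` instead would be mutable and would undo the supply-chain protection the SHA pin provides, which is why the thread checks that version updates (not only security updates) are enabled for this ecosystem.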

@kahest
Contributor

kahest commented Jul 24, 2024

@mdtro should we also make sure this is part of the required status checks for merging to main?

mdtro added a commit that referenced this pull request Jul 24, 2024
mdtro added a commit that referenced this pull request Jul 24, 2024

4 participants