
Add dependency review GH action #1392

Merged

merged 2 commits into master from pr-dep-review on Apr 21, 2022

Conversation

@julio-lopez julio-lopez (Contributor) commented Apr 20, 2022

Change Overview

This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.

[Source repository](https://github.com/actions/dependency-review-action)

[Documentation](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement)

Pull request type

  • 🌈 Refactoring (no functional changes, no api changes)

Test Plan

  • CI
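An example of the kind of workflow this PR adds, written here as an illustration and not copied from the PR (the page does not show the PR's workflow file). The action version tag and the `fail-on-severity` input are assumptions about the action's interface at a later release, so check the action's README for the tag actually in use; the `pull_request` trigger and the read-only `contents` permission are what the action needs to compare the base and head manifests:

```yaml
# Added illustration of a dependency-review workflow; not this PR's file.
# The version tag and the fail-on-severity input are assumptions; consult
# the action's README for the release being pinned.
name: Dependency Review

# The action diffs the dependency manifests of the PR base and head,
# so it is only meaningful on pull_request events.
on: [pull_request]

# Least privilege: reading repository contents is all the comparison needs.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Dependency review
        uses: actions/dependency-review-action@v2
        with:
          # Fail the check when a package added or updated by the PR carries
          # an advisory of this severity or higher (assumed input name).
          fail-on-severity: moderate
```

Two caveats a practitioner will want. First, a failing run is only a visible check on the PR until the `dependency-review` job is listed as a required status check in branch protection for the target branch; that is the "marked as required" step the description refers to, and it is configured in repository settings, not in the workflow. Second, because the action only examines manifest changes in the PR, a vulnerable dependency that was already present and is not touched by the PR is not reported; Dependabot alerts, which read the repository's dependency graph, cover that case. The dependency graph must be enabled for the comparison to return anything at all.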
@julio-lopez julio-lopez added dependencies Pull requests that update a dependency file security Security related issues labels Apr 20, 2022
@infraq infraq enabled auto-merge (squash) April 21, 2022 01:30
@infraq infraq disabled auto-merge April 21, 2022 01:30
@infraq infraq enabled auto-merge (squash) April 21, 2022 01:31
@ihcsim ihcsim (Contributor) left a comment

👍

@infraq infraq merged commit 9e28eb2 into master Apr 21, 2022
@infraq infraq deleted the pr-dep-review branch April 21, 2022 01:56
@shuguet shuguet added this to In Progress in Kanister via automation Apr 21, 2022
@shuguet shuguet moved this from In Progress to Done in Kanister Apr 21, 2022
Labels
dependencies Pull requests that update a dependency file kueue security Security related issues
4 participants