
chore(deps): Included dependency review #788

Merged
merged 1 commit into sigstore:main from naveen/feat/deps-review
Apr 29, 2022

Conversation

naveensrinivasan
Contributor

This adds the Dependency Review GitHub Action to your repository to enforce dependency reviews on your pull requests.
The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests,
and warns you about the associated security vulnerabilities.
This gives you better visibility of what's changing in a pull request,
and helps prevent vulnerabilities being added to your repository.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
Signed-off-by: naveensrinivasan [email protected]

@codecov-commenter

Codecov Report

Merging #788 (5fe704a) into main (ed3b98f) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #788   +/-   ##
=======================================
  Coverage   47.56%   47.56%           
=======================================
  Files          62       62           
  Lines        5460     5460           
=======================================
  Hits         2597     2597           
  Misses       2558     2558           
  Partials      305      305           


Contributor

@asraa asraa left a comment


Thanks! Could you please add version comments to the pinned actions? e.g.

uses: google-github-actions/auth@b258a9f230b36c9fa86dfaa43d1906bd76399edb # v0.7.1

@naveensrinivasan
Contributor Author

> Thanks! Could you please add version comments to the pinned actions? e.g.
>
> uses: google-github-actions/auth@b258a9f230b36c9fa86dfaa43d1906bd76399edb # v0.7.1

Dependabot doesn't update the version. It becomes obsolete, and that is why I didn't add one. Let me know.

@cpanato
Member

cpanato commented Apr 26, 2022

Usually I update the Dependabot PR to update the version.

@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/deps-review branch from 5fe704a to 87eab33 Compare April 26, 2022 20:31
@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/deps-review branch from 87eab33 to 82416d1 Compare April 26, 2022 20:33
@naveensrinivasan
Contributor Author

> Usually I update the Dependabot PR to update the version.

I can add the version, if that is required.

> Usually I update the Dependabot PR to update the version.

Included the version.
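The review above settles on the convention `uses: owner/repo@<40-hex sha> # vX.Y.Z` for every action the new dependency-review workflow pulls in. The following script is an added example, not code from this PR or from the sigstore repository: a small offline lint that flags `uses:` lines that are still on a mutable tag or branch, SHA pins that have no version comment, and comments that do not look like a version. The sample workflow embedded in it is constructed for the example; the all-zero SHA on the `actions/dependency-review-action` step is a placeholder, not a real commit, while the `google-github-actions/auth` line is the one quoted in the review. It matches `uses:` lines with a regular expression rather than a full YAML parser, so quoted values, local `./` actions and `docker://` images are deliberately left alone.

```python
"""Lint GitHub Actions workflows for SHA-pinned `uses:` refs with version comments.

Added example, not code from the sigstore PR.  SAMPLE_WORKFLOW is constructed
here; the all-zero SHA on the dependency-review step is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# `uses:` as it appears in a workflow step or reusable-workflow job:
#   [- ]uses: owner/repo[/subpath]@ref [# comment]
# Local actions (`./path`) and `docker://` images have no owner/repo@ref form
# and are intentionally not matched: they cannot be SHA-pinned this way.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Version comments as Dependabot and this PR write them: "v0.7.1", "v3", "1.2.0".
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    problem: str


def check_uses_line(line: str) -> Optional[str]:
    """Return a problem description for a `uses:` line, or None when the line is
    not a `uses:` reference at all or is a full-SHA pin with a version comment."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref, comment = m["ref"], (m["comment"] or "").strip()
    if not FULL_SHA_RE.match(ref):
        # A tag or branch can be moved by whoever has push access to the action
        # repository, so the workflow would silently start running different code.
        return f"ref {ref!r} is a mutable tag/branch; pin to a full 40-hex commit SHA"
    if not comment:
        return "SHA pin has no version comment; reviewers cannot tell which release it is"
    if not VERSION_RE.match(comment):
        return f"comment {comment!r} does not name a version (expected e.g. '# v0.7.1')"
    return None


def lint_workflow(text: str) -> list[Finding]:
    """Run check_uses_line over every line of a workflow file and collect findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        problem = check_uses_line(line)
        if problem is None:
            continue
        m = USES_RE.match(line)  # guaranteed to match: a problem was reported
        findings.append(Finding(line_no, m["action"], m["ref"], problem))
    return findings


# Constructed sample: a dependency-review workflow of the shape this PR adds,
# with one tag reference, one SHA pin without a version comment, and the
# correctly pinned line quoted in the review.
SAMPLE_WORKFLOW = """\
name: Dependency Review
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/dependency-review-action@0000000000000000000000000000000000000000
      - uses: google-github-actions/auth@b258a9f230b36c9fa86dfaa43d1906bd76399edb # v0.7.1
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.problem}")
```

Run against the sample it reports the `actions/checkout@v3` line (mutable tag) and the placeholder dependency-review pin (no version comment), and accepts the `# v0.7.1` line. What it cannot check offline is the point raised in the thread: whether the comment still matches the commit the SHA points at. Confirming that requires resolving the tag against the action repository (for example with `git ls-remote`), which is exactly the step a Dependabot bump skips when it rewrites the SHA but leaves the comment behind.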

@naveensrinivasan
Contributor Author

@cpanato A friendly ping to merge.

@bobcallaway bobcallaway merged commit 3a2deb6 into sigstore:main Apr 29, 2022
@github-actions github-actions bot added this to the v1.0.0 milestone Apr 29, 2022