Conversation
👍 Dependency issues cleared. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring:

Next steps

Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with
EllusionN
left a comment
Thank you so much for taking the time to set us up! This helps us big time and gives us a model we can use for other actions.
Overall looks good but I have one question about the flow:
Should each PR with a notable change update the changelog itself, or is the changelog generated and updated at the time the release PR is created?
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Update shorthand major version tag | ||
| run: | | ||
| ./.github/workflows/scripts/update-major-version-tag.sh \ |
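Review bot: the step invokes ./.github/workflows/scripts/update-major-version-tag.sh directly by path, so that file must be committed with its executable bit set (or run through `bash` instead), and the arguments after the trailing backslash are not shown here, so check what it is passed. Since a shorthand major tag is moved in place on every release, the push behind it rewrites an existing tag; the workflow's `permissions:` block is not in this hunk, so confirm the job has `contents: write` for the `GITHUB_TOKEN` being passed, otherwise the tag update fails at push time.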
Is this a file we need to include in our repository? I only see it referenced in a couple locations.
It is, I forgot to add it. Added now!
For clarity, the script updates the major tag for each release (e.g., v1.2.3 -> v1).

It's updated by the "Create Release Pull Request" workflow, after which we modify it slightly to include the appropriate sections and any additional context that may be helpful to consumers. Happy to create the first release for you, so it's clear how it works!
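The major-tag update described in the thread above (v1.2.3 -> v1), as an added example that is not the project's own update-major-version-tag.sh (whose contents are not shown on this page): it derives the shorthand tag from a release tag, refuses prerelease or malformed tags so that something like v2.0.0-rc.1 never moves v2 for every consumer pinned to it, and then force-moves the tag and pushes it. The function names, the `origin` default and the use of an annotated tag are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not the project's own script): move the shorthand major
# tag (v1.2.3 -> v1) to the commit of a release tag. Function names and
# the default remote are assumptions for this illustration.
set -eu

# Print the major tag for a release tag, or fail with a message.
# Only plain vMAJOR.MINOR.PATCH is accepted: a prerelease such as
# v2.0.0-rc.1 must not move v2 for every consumer pinned to it.
major_tag_for() {
  tag="$1"
  if ! printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "refusing to derive a major tag from '$tag'" >&2
    return 1
  fi
  rest="${tag#v}"
  printf 'v%s\n' "${rest%%.*}"
}

# Point the major tag at the commit the release tag resolves to and force-push it.
# The push rewrites an existing tag, so the workflow token needs write access
# to repository contents.
update_major_tag() {
  release_tag="$1"
  remote="${2:-origin}"
  major="$(major_tag_for "$release_tag")"
  # rev-list resolves an annotated tag object to the commit it tags.
  target="$(git rev-list -n 1 "$release_tag")"
  git tag -f -a "$major" -m "Point $major at $release_tag" "$target"
  git push -f "$remote" "refs/tags/$major"
  echo "$major -> $target"
}

# Usage: update-major-tag.sh v1.2.3   (from a checkout that has the release tag)
if [ -n "${1:-}" ]; then
  update_major_tag "$1"
fi
```

The strict pattern is the point: a loose check such as `${tag%%.*}` alone would happily turn `v2.0.0-rc.1` into `v2` and silently ship a release candidate to everyone using the shorthand tag.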
@SocketSecurity ignore npm/merge-stream@2.0.0 New author is ok.
@SocketSecurity ignore npm/execa@5.1.1 This is expected to have shell access.
@SocketSecurity ignore npm/http-proxy-agent@7.0.2 This is expected to have network access.
This adds several files and workflows for linting and releasing the action. This follows the release process that we use for most of our libraries. When released, the publish action will take care of tagging and creating the GitHub release.
I've also updated the repository to be standardised, including a changelog, lint tooling, and @lavamoat/allow-scripts for security.

Note: An `action-publish` environment needs to be set up in the repository settings.

`action-publish` environment configuration