In order to truly judge whether this CLI extension is fit for a v1.0.0 milestone, it needs to fulfill an end rather than just being a means. One of the motivations for building this extension was to make it easier for GitHub enterprises to audit dependencies and take action. This issue aims to capture the requirements and design of a minimally viable product that can run on a schedule and/or ad-hoc to do just that.
- The frequency of auditing and addressing license issues is cyclical but could vary depending on the maturity of the enterprise: weekly, monthly, quarterly, semi-annually, annually.
- Most enterprises know either the licenses they can use or the licenses they cannot use.
- Actions that enterprises might perform when reviewing licenses:
  - Acknowledge (ideal case)
  - Report / Alert (reasonable response)
  - Lock the repository (extreme response)
- It is likely that licenses flagged as Report / Alert might not be addressed before subsequent runs, so detecting and escalating these Report / Alert findings might be necessary.
- In the case of Report / Alert, this might be something that customers want done within the repository the dependency resides in OR in the repository where the workflow lives.
- Once the report is generated and analyzed, a digest of findings and actions taken would be helpful for executive review.
- If the workflow fails to run, then someone needs to be notified to follow up on it (workflow_run failures).
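The requirements above (allow/deny lists, the three actions, escalation of findings that were already reported in an earlier run, and a digest for review) can be sketched as a small triage step carried between scheduled runs. This is an added example, not code from the extension; the license lists, the `LOCK_AFTER` threshold and the `Finding` shape are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed example policy; a real deployment would load these from config.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}
DENIED = {"GPL-3.0-only", "AGPL-3.0-only"}
# Assumption: lock a repository once a denied license has been reported
# this many consecutive runs without being addressed (the "extreme response").
LOCK_AFTER = 3


@dataclass(frozen=True)
class Finding:
    repo: str
    package: str
    license: str


def triage(findings, open_runs):
    """Decide an action per finding; return (actions, new_open_runs, digest).

    open_runs maps a Finding to how many consecutive runs it has been reported
    without being addressed. It is the state carried between scheduled runs;
    findings that no longer appear are treated as addressed and dropped.
    """
    actions = {}
    still_open = {}
    for f in findings:
        if f.license in ALLOWED:
            actions[f] = "acknowledge"          # ideal case, no state kept
            continue
        runs = open_runs.get(f, 0) + 1
        still_open[f] = runs
        if f.license in DENIED and runs >= LOCK_AFTER:
            actions[f] = "lock"                 # extreme response
        elif runs > 1:
            actions[f] = "escalate"             # reported before, still open
        else:
            actions[f] = "report"               # first sighting: Report / Alert
    digest = Counter(actions.values())          # counts for the executive digest
    return actions, still_open, digest


if __name__ == "__main__":
    sample = [Finding("org/app", "left-pad", "MIT"),
              Finding("org/app", "copyleft-lib", "AGPL-3.0-only"),
              Finding("org/svc", "mystery", "UNKNOWN")]
    state = {}
    for run in range(1, 4):                     # simulate three scheduled runs
        _, state, digest = triage(sample, state)
        print(f"run {run}: {dict(digest)}")
```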