CI: Add dependabot cooldown for pip #5999

Merged: SMoraisAnsys merged 2 commits into main from ci/add-dependabot-cooldown on Apr 4, 2025

Conversation

SMoraisAnsys (Collaborator) commented Apr 3, 2025

Description

Add a cooldown to updates associated with pip. This would mitigate, to some extent, exposure to supply chain attacks, since dependabot wouldn't run CI/CD on our self-hosted runners until 7 days after the release has been published. During those 7 days, if a vulnerability is found, we can hope for a new release that fixes the vulnerability, so that we avoid being exposed.

Note

This cooldown feature is not yet available for GitHub Actions. See dependabot/dependabot-core#3651

Issue linked

Associated to #5524

Checklist

  • I have tested my changes locally.
  • I have added necessary documentation or updated existing documentation.
  • I have followed the coding style guidelines of this project.
  • I have added appropriate tests (unit, integration, system).
  • I have reviewed my changes before submitting this pull request.
  • I have linked the issue or issues that are solved by the PR if any.
  • I have agreed with the Contributor License Agreement (CLA).
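
An added illustration, not the file changed in this PR (the diff itself is not shown on this page): a .github/dependabot.yml fragment of the kind the description refers to, with a 7-day cooldown on the pip ecosystem. The `cooldown` block with `default-days` is Dependabot's documented syntax as I understand it; the directory, schedule interval and the 7-day value are assumptions taken from the description, not from the PR.

```yaml
# Added example, not the PR's own diff: a Dependabot config that delays
# pip dependency updates until a release is 7 days old (assumed values).
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"            # assumed: project root holds pyproject.toml
    schedule:
      interval: "weekly"      # assumed cadence
    # Wait 7 days after a release is published before proposing it, so that a
    # release later found to be malicious or vulnerable has time to be yanked
    # or superseded before CI runs it on the self-hosted runners.
    cooldown:
      default-days: 7

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # No cooldown here: the feature is not available for github-actions
    # (see dependabot/dependabot-core#3651, linked in the description).
```

If you want finer control, the same block also accepts per-bump-size keys (`semver-major-days`, `semver-minor-days`, `semver-patch-days`) and `include`/`exclude` lists of package names, so a trusted internal package can be exempted while the default delay still applies to everything else; check the Dependabot docs for the exact key set supported by your version.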

ansys-reviewer-bot (Contributor) commented

Thanks for opening a Pull Request. If you want to perform a review write a comment saying:

@ansys-reviewer-bot review

@github-actions github-actions Bot added the maintenance Package and maintenance related label Apr 3, 2025
codecov Bot commented Apr 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.06%. Comparing base (fe52ee3) to head (6a7295e).
Report is 2 commits behind head on main.

@@            Coverage Diff             @@
##             main    #5999      +/-   ##
==========================================
+ Coverage   85.05%   85.06%   +0.01%     
==========================================
  Files         165      165              
  Lines       62906    62906              
==========================================
+ Hits        53503    53510       +7     
+ Misses       9403     9396       -7     

MaxJPRey (Collaborator) left a comment

LGTM.

@SMoraisAnsys SMoraisAnsys merged commit 7356cf8 into main Apr 4, 2025
@SMoraisAnsys SMoraisAnsys deleted the ci/add-dependabot-cooldown branch April 4, 2025 09:22