Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Add dependency-review action #23951

Merged
merged 4 commits into from
May 10, 2023
Merged

chore(deps): Add dependency-review action #23951

merged 4 commits into from
May 10, 2023

Conversation

rusackas
Copy link
Member

@rusackas rusackas commented May 5, 2023
edited
Loading

SUMMARY

This PR adds the depedency-review action, which will block PRs that add dependencies to manifests with known vulnerabilities.

See docs for more info: https://github.com/actions/dependency-review-action

EDITS:
• Now configured to only block on high/critical
• Added some Apache incompatible license blocking for good measure.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@rusackas rusackas requested a review from dpgaspar May 5, 2023 19:11
@codecov
Copy link

codecov bot commented May 5, 2023
edited
Loading

Codecov Report

Merging #23951 (b6abb90) into master (2a63b39) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #23951   +/-   ##
=======================================
  Coverage   68.18%   68.18%           
=======================================
  Files        1941     1941           
  Lines       75241    75241           
  Branches     8158     8158           
=======================================
  Hits        51306    51306           
  Misses      21852    21852           
  Partials     2083     2083
Flag Coverage Δ
hive 53.17% <ø> (ø)
javascript 54.49% <ø> (ø)
mysql 78.90% <ø> (ø)
postgres 78.97% <ø> (ø)
presto 53.09% <ø> (ø)
python 82.75% <ø> (ø)
sqlite 77.50% <ø> (ø)
unit 52.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@michael-s-molina
Copy link
Member

By default, fail-on-severity is set to low. Do we want to fail for this level of vulnerability?

@rusackas
Copy link
Member Author

rusackas commented May 5, 2023

By default, fail-on-severity is set to low. Do we want to fail for this level of vulnerability?

No we don't! I've set it to high.

There are probably other config options we can look at, like denying certain license types.

@rusackas
Update .github/workflows/dependency-review.yml
b6abb90 
denying certain licenses (subset)
@rusackas
Copy link
Member Author

rusackas commented May 5, 2023

Added some forbidden license types for good measure.

@rusackas rusackas merged commit 33da642 into master May 10, 2023
@rusackas rusackas deleted the depedency-review branch May 10, 2023 14:08
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 3.0.0 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geido geido geido approved these changes

@dpgaspar dpgaspar dpgaspar approved these changes

@villebro villebro Awaiting requested review from villebro villebro is a code owner

@eschutho eschutho Awaiting requested review from eschutho eschutho is a code owner

@betodealmeida betodealmeida Awaiting requested review from betodealmeida betodealmeida is a code owner

@nytai nytai Awaiting requested review from nytai nytai is a code owner

@mistercrunch mistercrunch Awaiting requested review from mistercrunch mistercrunch is a code owner

@craig-rueda craig-rueda Awaiting requested review from craig-rueda craig-rueda is a code owner

@john-bodley john-bodley Awaiting requested review from john-bodley john-bodley is a code owner

@kgabryje kgabryje Awaiting requested review from kgabryje kgabryje is a code owner

@michael-s-molina michael-s-molina Awaiting requested review from michael-s-molina

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/S 🚢 3.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rusackas @michael-s-molina @dpgaspar @geido @mistercrunch