Audit action maintenance and ownership #1460
Assignees
Labels
enhancement
New feature or request
Comments
|
We could add "make the audit check pass" as part of triage duties |
|
@kate-goldenring - I really like that idea. |
|
Did we settle on adding audit checks to triage duty or do we have any other ideas here? |
|
@michelleN I think we should add it to triage duty. We can always remove it if we find a different strategy, but we should probably prioritize taking steps in resolving audits |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The "Run Rust audits" action has been failing for several weeks now. It currently reports 78 unvetted dependencies.
We should figure out a way to ensure that the vetted list is maintained, and that one or more maintainers "own" it in the sense of being notified about failures and driving the resolution of those failures.
#1246 and #1240 (comment) discuss switching the audit action to block PRs, but the latter rejects it on the basis that "We usually have non-maintainers contributing to the code base, and for the audits, we would like to keep them to just maintainers. Besides trusting audits from external people, we would also add an extra burden to someone submitting a PR." (Which I completely agree with.)
Can we find a happy medium?
The text was updated successfully, but these errors were encountered: