Revert "ci: setup ossf scorecard and codql workflows" #3056
Conversation
|
@casualjim I am proposing to take care of this by reverting more selectively.
Overall we agree on principle: let's not allow this thing to become a work generator. |
fredbi
force-pushed
the
revert-3049-ossf
branch
from
0f5c7b2
to
0152912
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #3056 +/- ##
===========================================
+ Coverage 32.55% 82.64% +50.09%
===========================================
Files 60 62 +2
Lines 12803 12856 +53
===========================================
+ Hits 4168 10625 +6457
+ Misses 8296 1692 -6604
- Partials 339 539 +200
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
fredbi
force-pushed
the
revert-3049-ossf
branch
from
0152912
to
7a6bec6
Compare
|
@casualjim I've resolved the merge conflict and re-added 2 things that I've found interesting to continue experimenting with: the codeSQL scan and the "security score cards" (a kind of linter for "opsec best practices). The report is eventually available (it took a day to set up, but now it's there) and the findings, if not necessarily relevant to our use-case, are interesting to analyze and be reflected upon. https://securityscorecards.dev/viewer/?uri=github.com/go-swagger/go-swagger Maybe we'll eventually decide to disable this scorecard if it turns out to be really not suited to our project, but for the moment I am still curious about the recommendations. I've removed dependabot and the by-commit-sha pinning for now. I think that @mmorel-35 raised an interesting point, but the PR did not come with a complete solution, just more problems to solve in the short term and more work until we find an appropriate solution to maintain our dependencies with minimal burden. So, statu quo for now, I need more experimentation on my fork. @mmorel-35 I have to thank you for having raised an interesting point. However yesterday's experiment proved not to be very successful: as soon as the stuff was merged, we already had about 5 such update PRs, stalling all our CI for hours. This started a fascinating conversation with @casualjim about the extra workload that comes from all those update bots... If we eventually move to such kind of automation, it will have to be more carefully designed and discussed beforehand. Another contributor has suggested a dependabot setup to some of the go-openapi repos. The problem to solve for those repos is different, but still, we don't want to use many different tools. |
|
NOTE: I've updated those damned actions, so the bot PR's should disappear automatically. |
This reverts commit e19f744.
* The main disagreement on #3049 came from dependabot * codeql scan and score card are thought as desirable additions dependabot triggered a lot of PRs and overall, generates a lot of extra work for the maintainers. We need extra care and testing before introducing a dependency update bot that understands our dependencies, may be coupled with auto approval and auto merge, and may skip long running integration tests when they are irrelevant. This work is deferred to a forthcoming PR. The pinning of build dependencies (github actions, docker base images) is reverted until we set out for a proper update process to automatically update them with an appropriate frequency. Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
fredbi
force-pushed
the
revert-3049-ossf
branch
from
c5f7275
to
b6b31b0
Compare
Reverts #3049