
ci: add nancy #184

Merged (9 commits), Mar 11, 2021

Conversation


@jeinfeldt jeinfeldt commented Feb 18, 2021

Hello,

We would benefit from using Nancy to check our dependencies.
@tessig opened a PR for this previously (#69), before go.mod was fully supported.

Since flamingo does not use Travis anymore for CI, let's try with GitHub Actions.
Workflow suggested by: https://github.com/marketplace/actions/nancy-for-github-actions

For now I would suggest only doing this on PRs, as we would otherwise break the CI on master.
After all vulnerabilities are fixed, we can adjust the behaviour.
Of course we can discuss how to integrate this workflow / naming things.

The current vulnerability is related to
spf13/viper#957

If we decide to merge, this closes #69.

@carstendietrich (Member) commented:

We could move this to the Static checks part, and we should have a look at https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events to run the dependency check on a daily basis.

@carstendietrich (Member) commented:

@jeinfeldt please check the scheduled trigger and try to do a go get on etcd to override the vuln dependency.
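The two triggers discussed above (run on pull requests, plus a daily scheduled run so a newly published advisory is caught even when no PR is open) combined in one workflow. This is an added example, not the workflow from this PR; the workflow name, job name, cron time, Go version and the `go install` of the nancy CLI are assumptions, and the audit step uses nancy's documented stdin usage rather than the marketplace action linked in the PR description.

```yaml
# .github/workflows/dependency-check.yml  (added example, not this PR's file)
name: dependency-check

on:
  pull_request:              # catch a vulnerable dependency before it lands on master
  schedule:
    - cron: '0 6 * * *'      # assumed: once a day at 06:00 UTC, independent of any PR

jobs:
  nancy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-go@v2
        with:
          go-version: '1.16'   # assumed; any release that understands go.mod works

      - name: Install nancy
        # assumed install path: the nancy CLI from the sonatype-nexus-community module
        run: go install github.com/sonatype-nexus-community/nancy@latest

      - name: Audit dependencies
        # nancy reads the dependency graph from stdin and exits non-zero when a
        # module matches a known advisory, which fails the job (and the PR check).
        run: go list -json -deps ./... | nancy sleuth
```

A `schedule` run has no PR to block, so its only effect is a failed workflow run on the default branch; treat that as the signal to bump or override the affected module (as suggested for etcd above).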

Review comments on .github/workflows/main.yml and .github/workflows/daily.yml (outdated, resolved)
@jeinfeldt jeinfeldt requested a review from tessig March 11, 2021 14:28
@tessig (Member) left a comment:

very nice, thanks!

@tessig tessig merged commit 23632ee into master Mar 11, 2021
@carstendietrich carstendietrich deleted the nancy-github-actions branch April 22, 2021 07:03