New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create dependency-review.yml #850
Conversation
I have been trying this out on several Python projects and am unable to get this Action to fail. Is there a Python dependency that we could add to this project that will prove that this Action can actually fail? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can merge this as Dependency Review / dependency-review (pull_request) is passing and working
The failing Why does As stated above, my worry is that there is no proof that |
When the setuptools version is added in requirements.txt, it is detecting it correctly and merging is blocked. Note that different lang has different checks, according to https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems I suppose it becomes trickier when dependencies are installed in GitHub Actions without versions, as the Dependency API won't have a way to check changes.. I think we're good to proceed even tho it seems a duplicate of |
#871 fixes some of the remaining issues. |
No description provided.