Skip to content

Create dependency-review.yml #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jeffpaul merged 1 commit into from
Apr 20, 2022
Merged

Create dependency-review.yml #97

jeffpaul merged 1 commit into from
Apr 20, 2022

Conversation

@jeffpaul
Copy link
Member

@jeffpaul jeffpaul commented Apr 20, 2022

Description of the Change

Adds a dependency review action that scans all PRs for introducing insecure dependencies and will block merge of those PRs until the insecure item is resolved. Will help protect us from accidentally introducing insecure code into our projects. More details on this official GitHub Action here: https://github.blog/changelog/2022-04-06-github-action-for-dependency-review-enforcement/.

Alternate Designs

Don't have this and just... 🤞🏼?

Possible Drawbacks

none identified

Verification Process

Already verified as working in 10up/distributor#869, merely replicating that change in this repo.

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my change.
  • All new and existing tests passed.

Changelog Entry

Added - Dependency security scanning.

Credits

Props @jeffpaul.

@jeffpaul jeffpaul requested a review from peterwilsoncc April 20, 2022 02:55
@jeffpaul jeffpaul self-assigned this Apr 20, 2022
@jeffpaul jeffpaul added this to the 1.5.0 milestone Apr 20, 2022
peterwilsoncc
peterwilsoncc approved these changes Apr 20, 2022
View reviewed changes
Copy link
Contributor

@peterwilsoncc peterwilsoncc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, verified against documentation.

@jeffpaul jeffpaul merged commit dff342f into develop Apr 20, 2022
@jeffpaul jeffpaul deleted the add/dependency-action branch April 20, 2022 03:37
@peterwilsoncc peterwilsoncc modified the milestones: 1.5.0, 1.4.1 Dec 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peterwilsoncc peterwilsoncc peterwilsoncc approved these changes

Assignees

@jeffpaul jeffpaul

Labels

None yet

Projects

None yet

Milestone

1.4.1

Development

Successfully merging this pull request may close these issues.

2 participants

@jeffpaul @peterwilsoncc