Require approval when Dependabot runs Esti #8381

Open
arielshaqed opened this issue Nov 18, 2024 · 0 comments
Labels
area/ci area/testing Improvements or additions to tests e2e-tests tech-debt

Comments

@arielshaqed (Contributor)

This is the first part of enabling Esti to run on Dependabot PRs.

What

For PRs opened by Dependabot, require user approval to run Esti.

How

Hopefully similar to treeverse/patura#432.

Why

Dependabot PRs can contain essentially anything, including potentially
malicious updates. Running them could expose all secrets of our CI. Limit
the scope of damage that such a PR can do by requiring reviewer approval.
This allows us to:

  • Wait.

    Supply-chain attacks on packages are detected within hours. If we don't
    immediately run Esti, we avoid many attacks.

  • Review.

    Does the PR make sense? Are lock files (go.sum, package-lock.json)
    modified more than dependency files (go.mod, package.json)?
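One way to implement the gate described in this issue, as an added example that is not lakeFS's own workflow and not the treeverse/patura change the issue refers to. It assumes a GitHub Actions workflow for Esti, a repository environment named `dependabot-esti` whose "Required reviewers" setting is enabled in the repository settings (that part is configured in the repo UI, not in YAML), and a placeholder `make esti` command standing in for the real invocation:

```yaml
# Added example (not the project's own workflow): pause Esti on Dependabot PRs
# until a required reviewer approves, and let it run immediately otherwise.
name: esti

on:
  pull_request:
    branches: [master]   # assumption: default branch name

permissions:
  contents: read

jobs:
  # Gate job: only exists for Dependabot PRs. Because it targets an
  # environment with required reviewers (assumed: "dependabot-esti"), the
  # run pauses here until a listed reviewer approves the deployment.
  # Rejecting the deployment fails this job and therefore skips Esti.
  approval:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    environment: dependabot-esti
    steps:
      - name: Show what the reviewer is approving
        run: |
          echo "Dependabot PR #${{ github.event.pull_request.number }}"
          echo "Head SHA: ${{ github.event.pull_request.head.sha }}"

  esti:
    needs: approval
    # Run when the gate was approved (success) or did not apply (skipped, i.e.
    # a human-authored PR). A rejected gate (failure) blocks the job.
    if: always() && (needs.approval.result == 'success' || needs.approval.result == 'skipped')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Review aid for the "lock files vs. dependency files" question from
      # the issue: list lines added/removed per file so the reviewer can see
      # whether go.sum / package-lock.json moved far more than go.mod /
      # package.json. Purely informational; it does not fail the job.
      - name: Dependency change summary
        if: github.actor == 'dependabot[bot]'
        run: |
          git diff --numstat "origin/${{ github.base_ref }}...HEAD" -- \
            go.mod go.sum package.json package-lock.json

      - name: Run Esti
        run: make esti   # assumption: placeholder for the real Esti invocation
```

The approval is recorded as an environment deployment review, so the run log shows who approved and when. Since approval only unblocks the job and does not merge anything, a reviewer can still take the "wait" option from the issue simply by not approving until the dependency update has been public for a while.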
