[FEATURE REQUEST] Add dependency review (automatically check PRs for security
#1483 opened on 29 October 2022
Description
- Confirm: I have searched through the issues and didn't find my problem.
Problem
Dependency review adds the ability to block pull requests that introduce vulnerable dependencies. We can select what order of severity we want to accept too, so that for example minor security vulnerabilities are ignored, while critical ones are handled.
There's not much need for running this for each icon request though, since they never introduce new dependencies. So we can just run it every time the PR is not an icon request.
Possible Solution
This is the documentation that shows how you can configure dependency review.
The documentation provides a little snippet which I've modified to fit what I think we want. More precisely I've changed the following:
- Added an if statement so it only runs on PRs that aren't icon requests
- Changed `fail-on-severity` from `critical` to `high`
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    # Only run if the PR is not an icon request: neither a "new icon" nor an "update icon" title.
    # Both prefixes must be excluded with `&&`; `!a || b` would still run the job on "update icon" PRs.
    if: ${{ !startsWith(github.event.pull_request.title, 'new icon') && !startsWith(github.event.pull_request.title, 'update icon') }}
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v2
        with:
          # Possible values: "critical", "high", "moderate", "low"
          # The threshold is inclusive: "high" fails on high and critical findings.
          fail-on-severity: high
          # You can only include one of these two options: `allow-licenses` and `deny-licenses`
          # ([String]). Only allow these licenses (optional)
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
          # allow-licenses: GPL-3.0, BSD-3-Clause, MIT
          # ([String]). Block the pull request on these licenses (optional)
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
          # deny-licenses: LGPL-2.0, BSD-2-Clause
```
Additional information
We might also want to deny (or only accept) certain licenses. I'm no licensing expert however, so I'll leave that up to the community to decide what makes the most sense.
Please discuss in the comments below what you think about the request, and the licenses in particular.
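To make the two decisions in the proposed workflow concrete (the title-based `if` gate, and the severity / license policy the action enforces), here is an offline model written for this page as an added example. It is not code from actions/dependency-review-action or from the icon project. The per-package record shape (name, version, change type, license, vulnerability severities) is modelled on what GitHub's dependency-graph compare endpoint reports, but the package names and findings below are constructed for the demonstration, and the inclusive reading of `fail-on-severity` ("high" also fails on "critical") is an assumption stated here rather than something the issue spells out.

```python
"""Offline model of the dependency-review policy proposed in the issue.

Added illustration, not the action's or the project's own code. Two decisions
are modelled:
  1. the job-level `if`: skip PRs whose title marks them as icon requests;
  2. the action's policy: fail when an *added* dependency carries a
     vulnerability at or above `fail-on-severity`, or a license outside the
     allow/deny lists.
Input records are shaped like dependency-graph compare output, but all
sample data below is constructed, not fetched from GitHub.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Ordering behind fail-on-severity; the threshold is inclusive (assumption).
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Title prefixes used by the workflow's startsWith() checks.
ICON_PREFIXES = ("new icon", "update icon")


def is_icon_pr(title: str) -> bool:
    """Mirror of the corrected workflow `if`: true when the title starts with
    either icon-request prefix (case-sensitive, like startsWith())."""
    return any(title.startswith(prefix) for prefix in ICON_PREFIXES)


@dataclass
class Change:
    name: str
    version: str
    change_type: str                      # "added" or "removed"
    license: Optional[str] = None         # SPDX id, or None when unknown
    vulnerabilities: List[str] = field(default_factory=list)  # severities


@dataclass
class Policy:
    fail_on_severity: str = "high"
    allow_licenses: Optional[Set[str]] = None
    deny_licenses: Optional[Set[str]] = None

    def __post_init__(self) -> None:
        if self.fail_on_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {self.fail_on_severity!r}")
        # The action documents these two inputs as mutually exclusive.
        if self.allow_licenses is not None and self.deny_licenses is not None:
            raise ValueError("allow-licenses and deny-licenses are mutually exclusive")


def review(changes: List[Change], policy: Policy) -> List[str]:
    """Return the list of violations; an empty list means the PR passes."""
    threshold = SEVERITY_RANK[policy.fail_on_severity]
    problems: List[str] = []
    for c in changes:
        if c.change_type != "added":
            continue  # removed packages cannot introduce new risk
        for sev in c.vulnerabilities:
            if SEVERITY_RANK[sev] >= threshold:
                problems.append(f"{c.name}@{c.version}: {sev} vulnerability")
        # An unknown license (None) is never in an allow list, so it is blocked.
        if policy.allow_licenses is not None and c.license not in policy.allow_licenses:
            problems.append(f"{c.name}@{c.version}: license {c.license} is not in allow-licenses")
        if policy.deny_licenses is not None and c.license in policy.deny_licenses:
            problems.append(f"{c.name}@{c.version}: license {c.license} is in deny-licenses")
    return problems


def should_block(title: str, changes: List[Change], policy: Policy) -> bool:
    """Whole-workflow outcome: icon PRs are skipped, everything else is reviewed."""
    if is_icon_pr(title):
        return False
    return bool(review(changes, policy))


# Constructed sample diff (hypothetical package names and findings).
SAMPLE_CHANGES = [
    Change("example-parser", "1.4.0", "added", "MIT", ["high", "low"]),
    Change("example-utils", "0.9.2", "added", "MIT", ["moderate"]),
    Change("old-helper", "2.1.0", "removed", "ISC", ["critical"]),
    Change("gpl-widget", "3.0.0", "added", "GPL-3.0", []),
]

if __name__ == "__main__":
    for title in ("update icon: example-brand", "chore: bump example-parser"):
        print(title, "->", "blocked" if should_block(title, SAMPLE_CHANGES, Policy()) else "passes")
    for problem in review(SAMPLE_CHANGES, Policy(fail_on_severity="high", deny_licenses={"GPL-3.0"})):
        print("  ", problem)
```

Running the block shows the icon PR passing untouched while the dependency bump is blocked on the single high finding; the moderate finding and the removed package's critical one are ignored under `fail-on-severity: high`, and adding `deny-licenses` surfaces the GPL package as a second violation.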