Add dependency submission job to CI #340
Conversation
| steps = githubWorkflowJobSetup.value.toList :+ | ||
| WorkflowStep | ||
| .DependencySubmission | ||
| .withCond(Some("github.event_name != 'pull_request'")) |
There was a problem hiding this comment.
So I'm a bit confused if we want to enable it for PRs or not. This page seems to suggest that if a PR updates dependencies that it can be reviewed, so it really seems like it would need this to run for that PR. But all the examples I've seen only run it on push.
There was a problem hiding this comment.
The API submissions are not yet integrated into Dependency Review or Organization Insights, but they do trigger Dependabot alerts, even for transitive dependencies (which the POM integration does not!).
There was a problem hiding this comment.
I did experiment with dependency review in #342 but the problem is that PRs from external repos don't have permission to submit the dependencies, so I'm not entirely sure how it would work.
There was a problem hiding this comment.
I just introduced a vulnerability in a PR, and nothing flagged it until I merged. I think push for now, and pull once GitHub better integrates their new toys.
Closes #326.
This adds a job that submits the projects dependencies to GitHub via
https://github.com/scalacenter/sbt-dependency-submission
Results should go here:
https://github.com/typelevel/sbt-typelevel/network/dependencies
Annoyingly I don't think we'll be able to see any results yet. I've targeted this at the
mainbranch since I'm not sure yet how stable the action is, but GitHub only cares about the default branch which isseries/0.4.