Can it work with normal push instead of just pull request? #826
@umeshnebhani733 I'm not on the GitHub team, but have looked into something similar. The dependency review action depends on a difference API; that's why it doesn't work on If you don't building your own solution:
If you use dependency submission, you'll also have to worry about race conditions with that workflow since it will also run on a push and update the dependency list. An artificial delay in GitHub app processing could help here, I suppose :D It's also worth noting some things could still slip through the cracks - a Another idea I had passed to me from a GitHub support rep is using repository custom properties to store metadata - you could have an It's not an insignificant amount of work, but once you have the app you can use it to drive a lot of custom security behavior. It was worth it in our case.
This seems to work well.

```yaml
name: "Dependency Review"
on:
  pull_request_target:
    types: [ "opened", "synchronize", "edited", "reopened" ]
    paths:
      - "*"
      - ".github/**"
  push:
    branches:
      - "**"
    paths:
      - "*"
      - ".github/**"
concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true
permissions:
  contents: "read"
  pull-requests: "write"
jobs:
  dependency-review:
    name: "Dependency Review"
    runs-on: "ubuntu-latest"
    steps:
      - name: "Checkout"
        uses: "actions/checkout@v4"
      - name: "Dependency Review"
        uses: "actions/dependency-review-action@v4"
        with:
          base-ref: "${{ github.event_name == 'push' && github.event.before || '' }}"
          head-ref: "${{ github.event_name == 'push' && github.sha || '' }}"
          comment-summary-in-pr: "always"
          fail-on-severity: "high"
          show-openssf-scorecard: false
```
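To make the push-event diff concrete, here is an added example (my own code, not the action's and not from this thread). It builds the base/head pair the same way the workflow above does, handles the branch-creation push where `github.event.before` is all zeros by falling back to the default branch (an assumption, not something the action does on its own), and applies a `fail-on-severity` filter to a constructed sample of the response from GitHub's `GET /repos/{owner}/{repo}/dependency-graph/compare/{base}...{head}` endpoint (field names follow that API; all values are made up).

```python
import json

ZERO_SHA = "0" * 40  # github.event.before on a push that creates the branch

# Severity ladder behind the action's fail-on-severity input (lowest to highest).
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def push_refs(event_before, sha, default_branch="main"):
    """Return (base_ref, head_ref) for a push event.

    Mirrors the workflow expression: base is github.event.before, head is
    github.sha.  Assumption: a branch-creation push has an all-zero "before"
    that cannot be diffed, so we fall back to the default branch as the base.
    """
    base = default_branch if event_before == ZERO_SHA else event_before
    return base, sha


def blocking_additions(compare_entries, fail_on="high"):
    """Return (package_url, ghsa_id, severity) for every *added* dependency that
    carries an advisory at or above fail_on.  Removed dependencies are ignored,
    which is why a vulnerable package being dropped never blocks the push.
    """
    threshold = SEVERITY_RANK[fail_on]
    hits = []
    for dep in compare_entries:
        if dep.get("change_type") != "added":
            continue
        for vuln in dep.get("vulnerabilities", []):
            if SEVERITY_RANK.get(vuln["severity"], -1) >= threshold:
                hits.append((dep["package_url"], vuln["advisory_ghsa_id"], vuln["severity"]))
    return hits


# Constructed sample response (not real data, placeholder GHSA ids): one added
# dependency with a high advisory, one added with only a low advisory, and one
# removed dependency whose critical advisory must not count.
SAMPLE_COMPARE = json.loads("""[
  {"change_type": "added", "package_url": "pkg:npm/example-a@1.0.0",
   "vulnerabilities": [{"severity": "high", "advisory_ghsa_id": "GHSA-0000-0000-0001"}]},
  {"change_type": "added", "package_url": "pkg:npm/example-b@2.0.0",
   "vulnerabilities": [{"severity": "low", "advisory_ghsa_id": "GHSA-0000-0000-0002"}]},
  {"change_type": "removed", "package_url": "pkg:npm/example-c@3.0.0",
   "vulnerabilities": [{"severity": "critical", "advisory_ghsa_id": "GHSA-0000-0000-0003"}]}
]""")

if __name__ == "__main__":
    base, head = push_refs("a" * 40, "b" * 40)
    print(f"diff {base}...{head}")
    for hit in blocking_additions(SAMPLE_COMPARE, fail_on="high"):
        print("blocked:", *hit)
```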
@mabar have you tested to see if it fails when you use a lib which is not part of the allowed list?
We are not using pull requests; we tried using it for a normal push as follows, however it does not seem to be working the way we want.
Here is our use case:
Here is what my pipeline looks like:
```yaml
name: Dependency Review
on:
  push:
    branches:
      - main
    paths-ignore:
      - '.talismanrc'
  pull_request:
    branches:
      - main
permissions:
  contents: write
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
```
2 problems I am facing: