Update github workflows #784
Conversation
push: | ||
branches: [ "main" ] | ||
schedule: | ||
- cron: "30 0 1,15 * *" |
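Review bot: the `1,15` day-of-month cron leaves up to two weeks between scans, which is a long window for a job whose stated purpose is alerting on newly disclosed dependency vulnerabilities while the repo is idle; a daily schedule such as `cron: "30 0 * * *"` would shorten that window at negligible cost. Also note that GitHub Actions evaluates `schedule` in UTC, and that in the visible fragment only `push` to `main` and the schedule are shown, so if no `pull_request` trigger exists elsewhere in the file, findings will only surface after a change has already landed on `main`.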
Should this be running on a cron?
Yes, as otherwise it would only trigger when there is activity on this repo. But in case there isn't any, we still want to trigger this security check so we can get alerted if any dependencies have had vulnerabilities discovered.
Thanks for the clarification.
Shouldn't that be done by Dependabot and Snyk anyway?
That's done also by Dependabot and Snyk, correct. From my understanding we need Snyk, Semgrep and govulncheck to maximize the chance of being alerted on issues, so we don't have just a single point of failure for security checks.
I'll cc @evansims and @poovamraj though to confirm.
👋 Yup! Snyk is excellent, but its handling of Go has not proven to be the most reliable in our past experiences. On the other hand, Govulncheck has proven quite reliable. Having it as an additional security filter here makes sense. 👍
Thanks @evansims!
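The thread above explains why the scheduled trigger exists: a govulncheck scan should still run when nobody pushes, so newly disclosed vulnerabilities in dependencies are surfaced. The following is an added example of such a workflow, not this repository's own file; it assumes a Go module with a `go.mod` at the repository root and reuses the cron expression from the PR.

```yaml
# Added example (not the project's workflow): scheduled govulncheck scan.
# Assumes a Go module at the repo root with a go.mod that pins the Go version.
name: govulncheck

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # 00:30 UTC on the 1st and 15th of each month, as in the PR, so the
    # check still fires while the repository is otherwise idle.
    - cron: "30 0 1,15 * *"

# Least privilege: the job only needs to read the source tree.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Scan for known vulnerabilities in reachable dependencies
        # govulncheck exits non-zero when it finds a vulnerability whose
        # affected symbol is reachable from this module, so the job fails
        # and produces the alert the maintainers describe.
        run: govulncheck ./...
```

Because the scan also runs on `pull_request`, a dependency bump that pulls in a known vulnerable version is flagged before merge rather than only at the next scheduled run.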
🔧 Changes
Updates to the CI pipeline: