NASA-AMMOS / slim

Software Lifecycle Improvement & Modernization
https://nasa-ammos.github.io/slim/
Apache License 2.0

[Improve Existing Best Practice Guide]: Validating software dependencies (CT starter kit) using dependabot #73

Closed jpl-jengelke closed 1 year ago

jpl-jengelke commented 2 years ago

Checked for duplicates

Yes - I've already checked

Describe the needs

This is intended for the Continuous Testing Starter Kit.

It's desirable for OSS publishers to implement automatic security and bug scanning of software dependencies used within their repo. This SK will provide a guide on implementing basic dependabot checking for a software project with configurable options. It's a GitHub Actions-based process that will be helped with a simple template.
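For reference, a `.github/dependabot.yml` of the kind such a template would carry, as an added example here (not a file from the SLIM repo or the starter kit); it assumes a Python project whose `requirements.txt` or `pyproject.toml` sits at the repository root, workflows under `.github/workflows/`, and that the `dependencies`, `python` and `ci` labels already exist on the repo:

```yaml
# .github/dependabot.yml (added example, not the SLIM project's own file)
# Configures Dependabot *version* updates. Alert-driven *security* updates
# are switched on separately under the repository's "Code security and
# analysis" settings; both are free for public repositories.
version: 2
updates:
  # Python dependencies (assumes the manifest lives at the repo root)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "America/Los_Angeles"
    # Cap noise: at most five open Dependabot PRs for this ecosystem
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "python"
    commit-message:
      prefix: "deps"
      include: "scope"
    # Batch routine minor/patch bumps into one PR; major bumps stay separate
    # so a breaking upgrade is reviewed on its own
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Keep the actions referenced in .github/workflows/*.yml current as well,
  # so the CI pipeline itself does not run on stale, vulnerable actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

Dependabot reads this file from the default branch only, so it takes effect once merged there.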

riverma commented 2 years ago

Hi @jpl-jengelke - this is pretty interesting - is using dependabot free? The GitHub security page seems to imply this is a paid service? If so - a stand-alone GitHub action workflow file to add it to a given repo would be super useful, along with integration of this into your slim-starterkit-python and other repos. Probably very light overview of the dependabot solution as well as links to existing docs.

jpl-jengelke commented 2 years ago

The implementations I have used are all no cost.

riverma commented 2 years ago

That's great to hear, @jpl-jengelke.

riverma commented 2 years ago

Oh by the way, @jpl-jengelke can you please add labels to this ticket? Looking for the complexity level and the level of interest (requests) for this from the community. For the latter, we have one team interested in dependency management, and that's Unity. So at the least we can state "requested" until we check in with them for more. Also the category - which is likely "software lifecycle".

riverma commented 1 year ago

@jpl-jengelke - is this ticket complete? Please close if so.

jpl-jengelke commented 1 year ago

Closing as this has been published.