actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License

Can it work with normal push instead of just pull request? #826

Open umeshnebhani733 opened 2 months ago

umeshnebhani733 commented 2 months ago

We are not using pull requests; we tried using it for a normal push as follows, but it does not seem to work the way we want it to.

Here is our use case:

Here is what my pipeline looks like:

```yaml
name: Dependency Review

on:
  push:
    branches:

permissions:
  contents: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
```

ebickle commented 1 month ago

@umeshnebhani733 I'm not on the GitHub team, but have looked into something similar.

The dependency review action depends on a difference API; that's why it doesn't work on push, and it's not very likely they'll add support for it.

If you don't mind building your own solution:

If you use dependency submission, you'll also have to worry about race conditions with that workflow since it will also run on a push and update the dependency list. An artificial delay in GitHub app processing could help here, I suppose :D It's also worth noting some things could still slip through the cracks - a push with a very large number of changes won't fire the push webhook. But catching 99.99% of the changes is likely better than 0%.

Another idea I had passed to me from a GitHub support rep is using repository custom properties to store metadata - you could have an invalid_license: boolean custom property that the GitHub app updates. Then to find all the non-compliant repos, you can just grab the list directly from the repositories list or via API (assuming the app keeps the property updated).

It's not an insignificant amount of work, but once you have the app you can use it to drive a lot of custom security behavior. It was worth it in our case.
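The "build your own" approach sketched in the comment above (a GitHub App that reacts to push events, diffs the dependency graph, and records the result in a repository custom property) can be illustrated offline. The following is an added example, not code from this project or from either commenter: it takes the `before`/`after` SHAs a push webhook carries, turns them into the `base...head` range that the dependency-graph compare REST endpoint expects, and gates the resulting diff on vulnerability severity and license policy. The response shape (`change_type`, `ecosystem`, `name`, `version`, `manifest`, `license`, `vulnerabilities[].severity`, `vulnerabilities[].advisory_ghsa_id`) and the custom property names are assumptions modelled on that endpoint and on the `invalid_license` property suggested above; the push payload and compare response below are constructed sample data, and the advisory id is a placeholder.

```python
"""Offline model of a push-triggered dependency review (added example).

Assumed shapes: a push webhook payload with `before`/`after` SHAs, and the
dependency-graph compare endpoint
GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}
returning a list of added/removed dependency records.
"""

# The push payload uses an all-zero `before` SHA when the branch was just
# created; there is then no base commit to diff against.
ZERO_SHA = "0" * 40

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# Constructed push payload fragment (real payloads carry many more fields).
PUSH_EVENT = {"ref": "refs/heads/main", "before": "a" * 40, "after": "b" * 40}

# Constructed compare response; GHSA id is a placeholder, not a real advisory.
COMPARE_RESPONSE = [
    {"change_type": "added", "manifest": "package.json", "ecosystem": "npm",
     "name": "left-pad", "version": "1.3.0", "license": "MIT",
     "vulnerabilities": []},
    {"change_type": "added", "manifest": "requirements.txt", "ecosystem": "pip",
     "name": "example-lib", "version": "0.1.0", "license": "GPL-3.0",
     "vulnerabilities": [{"severity": "high",
                          "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxxx",
                          "advisory_summary": "placeholder advisory"}]},
    {"change_type": "removed", "manifest": "package.json", "ecosystem": "npm",
     "name": "lodash", "version": "4.17.20", "license": "MIT",
     "vulnerabilities": [{"severity": "moderate",
                          "advisory_ghsa_id": "GHSA-yyyy-yyyy-yyyy",
                          "advisory_summary": "placeholder advisory"}]},
]


def basehead_from_push(event):
    """Build the `base...head` range for the compare endpoint from a push event.

    Returns None for a newly created branch (all-zero `before`), so the caller
    can fall back to a full scan or compare against the default branch instead
    of silently reviewing nothing.
    """
    before, after = event["before"], event["after"]
    if before == ZERO_SHA:
        return None
    return f"{before}...{after}"


def review(changes, fail_on_severity="moderate", denied_licenses=frozenset(),
           allowed_licenses=None):
    """Return policy findings for dependencies *added* by the diff.

    Removed entries are ignored: dropping a dependency does not introduce risk.
    Vulnerabilities at or above `fail_on_severity` are reported. A license is
    reported if it is on the deny list, or, when an allow list is given, if it
    is not on it; an unknown (None) license fails an allow list by design.
    """
    threshold = SEVERITY_RANK[fail_on_severity]
    findings = []
    for change in changes:
        if change.get("change_type") != "added":
            continue
        ident = (f"{change['ecosystem']}:{change['name']}@{change['version']}"
                 f" ({change['manifest']})")
        for vuln in change.get("vulnerabilities", []):
            severity = vuln.get("severity", "low")
            if SEVERITY_RANK.get(severity, 0) >= threshold:
                findings.append({"kind": "vulnerability", "package": ident,
                                 "severity": severity,
                                 "advisory": vuln.get("advisory_ghsa_id")})
        lic = change.get("license")
        if lic in denied_licenses or (allowed_licenses is not None
                                      and lic not in allowed_licenses):
            findings.append({"kind": "license", "package": ident, "license": lic})
    return findings


def custom_property_update(findings):
    """Values an app would write to repository custom properties (assumed names:
    `invalid_license` as suggested in the comment, plus `vulnerable_dependency`)
    so non-compliant repos can be listed straight from the repositories view."""
    return {
        "invalid_license": any(f["kind"] == "license" for f in findings),
        "vulnerable_dependency": any(f["kind"] == "vulnerability" for f in findings),
    }


if __name__ == "__main__":
    rng = basehead_from_push(PUSH_EVENT)
    print("compare range:", rng)
    # In a real app the compare call happens here; we use the constructed data.
    found = review(COMPARE_RESPONSE, fail_on_severity="moderate",
                   denied_licenses={"GPL-3.0"})
    for f in found:
        print(f)
    print(custom_property_update(found))
```

Two design points carry over from the discussion above: a push whose `before` is the zero SHA (new branch) yields no range, so the app must handle that case explicitly rather than treat "no diff" as "no findings", and only `added` records are gated, so the moderate-severity advisory on the removed `lodash` entry in the sample is correctly not reported.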