This sets up a Snyk test on GitHub Actions as part of security pairing, using this PR as a model: https://github.com/guardian/ophan/pull/4141. As covered here, this approach is best practice.

It fails successfully on this branch (before updating the PR to apply only to main)!

This will not lead to big red crosses on every PR, because as @ripecosta put it when we did this in Ophan proper:

> `snyk monitor` will always return successfully if it manages to report to snyk.io, whether there are vulnerabilities present or not. Only `snyk test` (previously being run on non-main branches) returns a failure if it detects a vulnerability.

Because we are setting the command to `monitor` we're covered by this.

- [x] Check that vulnerabilities are being reported in the snyk.io dashboard post-merge
- [x] Follow up by deleting the old config in Snyk, and the repo webhook
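For reference, a minimal workflow of the kind described above (an added example, not the workflow file from this PR or from the Ophan repo); it assumes a Node project, the `snyk/actions/node` action, and a `SNYK_TOKEN` repository secret:

```yaml
# Added example: run `snyk monitor` on pushes to main only, so PR branches never
# get a failing Snyk check and the snyk.io dashboard still receives every snapshot.
name: Snyk

on:
  push:
    branches: [main]   # restricted to main; PR branches do not run this job

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # `command: monitor` uploads the dependency snapshot to snyk.io and exits 0
      # whether or not vulnerabilities are found, so this step cannot fail the build.
      # `command: test` (the action's default) exits non-zero on a found vulnerability,
      # which is the "big red cross" behaviour this PR avoids on non-main branches.
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed repo secret holding the Snyk API token
        with:
          command: monitor
```

Snyk publishes equivalent images under `snyk/actions/` for other ecosystems (e.g. `scala`, `python`), so the same `command: monitor` setting applies there.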