kubernetes / release

Release infrastructure for Kubernetes and related components
Apache License 2.0

Allow the dependency-review action to access api.deps.dev #3642

Closed xmudrii closed 3 weeks ago

xmudrii commented 3 weeks ago

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

It seems like the dependency-review action uses api.deps.dev to analyze vulnerabilities in packages: https://github.com/actions/dependency-review-action/blob/df5d74f5d3fc9748a904ea2f1dc6bdddea6439d6/src/scorecard.ts#L71

Given that we only allow specific URLs, it could be that the action can't reach this URL and instead fails with `fetch failed`.

Which issue(s) this PR fixes:

xref https://github.com/actions/dependency-review-action/issues/736 and https://github.com/kubernetes/release/pull/3641

Does this PR introduce a user-facing change?

NONE

/assign @saschagrunert @cpanato @Verolop cc @kubernetes/release-engineering
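
The situation the PR describes is an egress allowlist on the workflow runner that does not include a host the action needs. The workflow below is an added illustration, not the PR's own diff or the kubernetes/release workflow: it assumes the allowlist is enforced with `step-security/harden-runner` (`egress-policy: block` plus `allowed-endpoints`), which is an assumption; the page only says that "specific URLs" are allowed. The action refs and the list of hosts other than `api.deps.dev` are placeholders.

```yaml
# Added example (not from the PR). Assumes step-security/harden-runner is the
# egress filter; action refs and the other hosts are placeholders.
name: Dependency Review

on:
  pull_request:

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # placeholder ref, pin a SHA in practice
        with:
          egress-policy: block
          # Before the fix the list stopped at the GitHub hosts, so the
          # dependency-review action's request to api.deps.dev (its
          # scorecard lookup) was blocked and surfaced as "fetch failed":
          #
          #   allowed-endpoints: >
          #     api.github.com:443
          #     github.com:443
          #
          # After the fix the host the action actually calls is allowed too.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            api.deps.dev:443

      - name: Checkout
        uses: actions/checkout@v4   # placeholder ref

      - name: Dependency Review
        uses: actions/dependency-review-action@v4   # placeholder ref
```

With `egress-policy: block`, a missing host fails closed, which is why the symptom is a generic `fetch failed` inside the action rather than a clear policy error; when adding a third-party action to a hardened job, check which hosts it contacts (here the action's source points at `api.deps.dev`) and extend the allowlist to exactly those, rather than relaxing the policy to `audit`.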

k8s-ci-robot commented 3 weeks ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert, Verolop, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes/release/blob/master/OWNERS)~~ [Verolop,saschagrunert,xmudrii]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.