twitter / finagle

A fault tolerant, protocol-agnostic RPC system
https://twitter.github.io/finagle
Apache License 2.0

chore: Included githubactions in the dependabot config #931

Closed nathannaveen closed 2 years ago

nathannaveen commented 2 years ago

This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure.

Dependabot helps in keeping the supply chain secure: https://docs.github.com/en/code-security/dependabot

GitHub actions up to date: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool

Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
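
The kind of `.github/dependabot.yml` entry this PR describes, added here as an illustration; it is not the PR's own diff (which is not shown on this page), and the file path, directory and weekly interval are assumed:

```yaml
# .github/dependabot.yml (assumed; the PR's actual diff is not shown on this page)
version: 2
updates:
  # Watch the `uses:` references in .github/workflows/*.yml and open a PR
  # whenever an action publishes a new release.
  - package-ecosystem: "github-actions"
    # "/" is the documented value for workflows under .github/workflows
    directory: "/"
    schedule:
      interval: "weekly"   # assumed cadence; daily/monthly are also accepted
```

With this entry in place, Dependabot opens PRs that bump each `uses:` reference (tag or commit SHA pin) in the repository's workflow files, which is the behaviour the author confirms below.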

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

yufangong commented 2 years ago

@nathannaveen Hi, can you please sign the CLA for this? Also, do you mind explaining what would be the result after this PR, will dependabot open PRs for upgrading dependencies?

nathannaveen commented 2 years ago

> @nathannaveen Hi, can you please sign the CLA for this? Also, do you mind explaining what would be the result after this PR, will dependabot open PRs for upgrading dependencies?

I have signed it, and yes it will open PRs for upgrades.

codecov-commenter commented 2 years ago

Codecov Report

Merging #931 (8375786) into develop (dcd70b1) will decrease coverage by 0.01%. The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop     #931      +/-   ##
===========================================
- Coverage    75.34%   75.33%   -0.02%     
===========================================
  Files          918      918              
  Lines        27080    27080              
  Branches      1657     1673      +16     
===========================================
- Hits         20404    20401       -3     
- Misses        6676     6679       +3     
| Impacted Files | Coverage Δ | |
|---|---|---|
| ...r/finagle/pushsession/PushChannelHandleProxy.scala | 83.33% <0.00%> (-8.34%) | :arrow_down: |
| ...witter/finagle/mux/pushsession/MessageWriter.scala | 70.37% <0.00%> (-7.41%) | :arrow_down: |
| ...twitter/finagle/service/PendingRequestFilter.scala | 86.36% <0.00%> (-4.55%) | :arrow_down: |
| ...inagle/http2/transport/server/H2ServerFilter.scala | 82.69% <0.00%> (-1.93%) | :arrow_down: |
| .../com/twitter/finagle/tracing/BroadcastTracer.scala | 68.75% <0.00%> (+8.33%) | :arrow_up: |
| ...ttp2/transport/client/Http2ClientEventMapper.scala | 100.00% <0.00%> (+9.09%) | :arrow_up: |
| ...tter/finagle/dispatch/SerialClientDispatcher.scala | 100.00% <0.00%> (+16.66%) | :arrow_up: |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update dcd70b1...8375786.

jyanJing commented 2 years ago

Hi @nathannaveen, thank you for adding dependabot to our repository! Since this involves detecting and resolving vulnerabilities for our project, we need to consult with our security group to understand the outcome a bit more. I am in touch with them and will keep you posted on the progress.

jyanJing commented 2 years ago

Hi @nathannaveen, we are already using similar security tooling to scan and monitor our repositories. Based on the investigation, Dependabot performs similar functionality. So we are leaning towards using the existing tooling. I am going to close this PR, please re-open if you feel strongly about adding Dependabot, thank you!