Open MarkAckert opened 1 year ago
We discussed on the systems squad standup, and our current plan is to use PR labels to conditionally allow dependabot access to GitHub Action Secrets so builds will be able to run. PR labels should be added by repository committers after reviewing the changes to ensure dependabot's code changes are acceptable. cc @1000TurquoisePogs, @pinpan for awareness. We still need to investigate the implementation details - ideally this solution is something we could provide in a common way via zowe-actions, but we're not sure at this point in time.
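One way the label-gated approach above could look as a GitHub Actions workflow, as an added illustration that is not Zowe's or zowe-actions' own code; the label name `dependabot-approved`, the secret name `EXAMPLE_TOKEN`, the `./build.sh` entry point and the job names are assumptions.

```yaml
# Added example (not Zowe's own workflow): run secret-bearing CI for Dependabot PRs only
# after a committer has reviewed the diff and applied a label. Label, secret and job
# names are assumptions.
name: dependabot-gated-ci

on:
  pull_request_target:
    types: [labeled, synchronize]

permissions:
  contents: read
  pull-requests: write

jobs:
  # Build with secrets only when the PR author is Dependabot AND the triggering event is
  # a committer applying the approval label.
  gated-build:
    if: >-
      github.event.action == 'labeled' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.label.name == 'dependabot-approved'
    runs-on: ubuntu-latest
    steps:
      # Check out the exact head commit that was reviewed, by SHA rather than by branch,
      # so a later push cannot replace the approved code under the same label.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Build with repository secrets
        env:
          EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}  # assumed secret name
        run: ./build.sh                                 # assumed build entry point

  # Labels persist across pushes, so when Dependabot pushes a new commit (rebase, conflict
  # resolution) remove the approval label; the new diff must be reviewed and re-labeled
  # before secrets are exposed to it.
  revoke-approval-on-push:
    if: >-
      github.event.action == 'synchronize' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit "$PR" --repo "$GITHUB_REPOSITORY" --remove-label dependabot-approved
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

The `pull_request_target` trigger is what makes repository secrets available to the job, so the committer review that precedes the label is the control that keeps untrusted PR code from reaching them.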
Dependabot's open PRs fail to pass CI checks in most of the Zowe repositories, as GitHub Action Secrets are intentionally unshared with the bot account to prevent pwn attacks or other unintended leakage of privileged information. The Zowe squads should agree on a strategy for handling these dependabot PRs.