
initial commit to add in a dependabot.yml file #1353

Merged
merged 1 commit into from
Oct 11, 2021

Conversation

CEHENKLE
Member

@CEHENKLE CEHENKLE commented Oct 9, 2021


Description

Adding a dependabot.yml file to enable automatic scanning for issues in dependencies.

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: CEHENKLE <henkle@amazon.com>
@opensearch-ci-bot
Collaborator

Can one of the admins verify this patch?

@opensearch-ci-bot
Collaborator

✅   DCO Check Passed c991d9b

@opensearch-ci-bot
Collaborator

✅   Gradle Wrapper Validation success c991d9b

@CEHENKLE
Member Author

CEHENKLE commented Oct 9, 2021

@dblock I'm thinking we might want to pull out the test gradle build files. What do you think?

@opensearch-ci-bot
Collaborator

✅   Gradle Precommit success c991d9b

@dblock
Member

dblock commented Oct 11, 2021

@dblock I'm thinking we might want to pull out the test gradle build files. What do you think?

I don't think so. We should be upgrading test dependencies the same. We get endless vulnerability reports for those by automated software and have to spend a lot of time digging through the dependency tree to finally find out that they are only used in tests. Furthermore, developer machines can be compromised through a dev/test dependency.

Is the list of gradle files here basically the list of all gradle files in the project? As a stretch goal we could automate updating this file with a GH workflow that opens a PR every time there's a change.
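One way to approach the stretch goal mentioned above, as an added example that is not code from this PR or from the OpenSearch project: enumerate every directory holding a Gradle build file (test and fixture builds included, for the reason given in the comment), render the matching dependabot.yml, and report whether the committed file has drifted from it. The `SKIP_DIRS` set and the sample repository layout are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

GRADLE_BUILD_FILES = ("build.gradle", "build.gradle.kts")
# Build output and VCS data, never a real module root (assumption for this example).
SKIP_DIRS = {".git", "build", ".gradle", "node_modules"}

def find_gradle_dirs(root):
    """Sorted, '/'-prefixed directories under root that hold a Gradle build file.
    Test and fixture builds are deliberately kept: they get the same upgrades."""
    root = Path(root)
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        if any(f in filenames for f in GRADLE_BUILD_FILES):
            rel = Path(dirpath).relative_to(root).as_posix()
            found.add("/" if rel == "." else "/" + rel)
    return sorted(found)

def render_dependabot(directories, interval="weekly"):
    """Render a version-2 dependabot.yml with one gradle update block per directory."""
    lines = ["version: 2", "updates:"]
    for d in directories:
        lines += ['  - package-ecosystem: "gradle"', f'    directory: "{d}"',
                  "    schedule:", f'      interval: "{interval}"']
    return "\n".join(lines) + "\n"

def check_up_to_date(root):
    """True when .github/dependabot.yml equals what the tree generates; a workflow
    could run this on every push and open a PR whenever it returns False."""
    expected = render_dependabot(find_gradle_dirs(root))
    existing = Path(root, ".github", "dependabot.yml")
    return existing.is_file() and existing.read_text() == expected

def make_sample_repo():
    """Constructed repo layout (not the OpenSearch tree) so the demo runs offline."""
    root = Path(tempfile.mkdtemp())
    for rel in ("build.gradle", "server/build.gradle",
                "test/fixtures/build.gradle.kts", "build/build.gradle"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("")
    return root

if __name__ == "__main__":
    repo = make_sample_repo()
    print(render_dependabot(find_gradle_dirs(repo)))
    print("up to date:", check_up_to_date(repo))
```

Pointing the script at a real checkout instead of the constructed tree gives the list that should be compared against the committed file.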

@dblock
Member

dblock commented Oct 11, 2021

start gradle check

@opensearch-ci-bot
Collaborator

✅   Gradle Check success c991d9b

@CEHENKLE CEHENKLE merged commit 5a29b47 into opensearch-project:main Oct 11, 2021
@CEHENKLE
Member Author

Is the list of gradle files here basically the list of all gradle files in the project? As a stretch goal we could automate updating this file with a GH workflow that opens a PR every time there's a change.

Yeah, this should be every gradle file in the project. That's a good thought. Although honestly I want to be fierce as tigers about adding new dependencies, so hopefully it should be noticeable when we do.

@dblock
Member

dblock commented Oct 11, 2021

#1355
