Introduce actions/dependency-review-action #845

Open
GaryGSC opened this issue Feb 27, 2023 · 1 comment
Labels
enhancement New feature or request

Comments


GaryGSC commented Feb 27, 2023

Dependency Review is recommended by the GitHub Advanced Security folks.

To use it, we would add actions/dependency-review-action to one of our CI workflows.

But... I'm not seeing a great way to introduce it to this repo without breaking things for users without GHAS licenses.


In order to use features that require a GHAS license, I see there's now a way to see if GHAS is enabled on a repo, where part of the response looks like:

"security_and_analysis": {
  "advanced_security": {
    "status": "enabled"
  }
}

However, it might be tricky to call that API as part of a workflow because

In order to see the security_and_analysis block for a repository you must have admin permissions for the repository or be an owner or security manager for the organization that owns the repository.


GaryGSC commented Mar 6, 2023

This might be sufficient:

if: github.repository_owner == 'byu-oit' # Intent is to check if GHAS is enabled
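A workflow that applies that owner condition to a dependency-review job, as an added example (not code from the issue or the byu-oit repo); the action versions and the `fail-on-severity` threshold are assumptions. Note that the condition only gates on the owning organization and does not itself confirm that GHAS is enabled.

```yaml
# Added example: run actions/dependency-review-action only when the repository
# belongs to the 'byu-oit' org, so forks without a GHAS license skip the job
# instead of failing it. Action versions (@v3) are assumed.
name: Dependency review

on:
  pull_request:

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    # Proxy for "GHAS is enabled": other owners skip the job entirely.
    if: github.repository_owner == 'byu-oit'
    steps:
      - uses: actions/checkout@v3
      - name: Dependency review
        uses: actions/dependency-review-action@v3
        with:
          # Fail the check when the PR adds a dependency with a known
          # vulnerability at or above this severity (assumed threshold).
          fail-on-severity: moderate
```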
