workflows: no audit on bots #187

Merged
merged 1 commit into from
Oct 8, 2024
Conversation

thypon
Copy link
Member

@thypon thypon commented Oct 8, 2024

No description provided.

Copy link

github-actions bot commented Oct 8, 2024

openai debug - [puLL-Merge] - brave/pull-merge@187

Description

This pull request modifies the GitHub Actions workflow for Node.js to conditionally run the npm audit command only if the actor is not dependabot[bot] or renovate[bot]. The motivation for this change seems to be to prevent audit logs from being excessively generated by automated dependency update bots.

Possible Issues

  • Audit Coverage: By skipping npm audit for bots, you may miss detecting vulnerabilities introduced by automated dependency updates until a human-initiated workflow runs.
Changes

  • File: .github/workflows/node.js.yml
    • Change:
      -    - run: npm audit
      +    - if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' }}
      +      run: npm audit
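Review bot: the condition keys on `github.actor`, which is the account that triggered this particular run, not the author of the pull request, so the gate in the `if:` line does not reliably identify "a bot-authored dependency bump". A maintainer who re-runs a failed job on a Dependabot or Renovate PR becomes the actor and `npm audit` runs after all, while a bot-triggered run on a human-authored PR skips it. If the intent is "skip audit on PRs opened by these bots", compare `github.event.pull_request.user.login` (guarded by `github.event_name == 'pull_request'`) rather than `github.actor`. The PR description is empty, so the reason for skipping is also undocumented; a one-line comment above the step saying why bot PRs are exempt (for example that `npm audit` fails the job on any advisory, making bot bumps un-mergeable) would help the next reader. Note too, as the audit-coverage point above says, that the dependency versions these bots propose are exactly the ones that go unaudited until a human-initiated run.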

Copy link

github-actions bot commented Oct 8, 2024

anthropic debug - [puLL-Merge] - brave/pull-merge@187

Description

This PR modifies the GitHub Actions workflow for Node.js. The change introduces a conditional execution of the npm audit command, excluding it when the actor triggering the workflow is either Dependabot or Renovate bot.

Changes

.github/workflows/node.js.yml:

  • The npm audit step is now conditional:
    - if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' }}
      run: npm audit
  • This replaces the previous unconditional execution of npm audit.

The motivation for this change appears to be avoiding redundant security checks when automated dependency update bots (Dependabot and Renovate) create pull requests, as these bots typically perform their own security checks.

Copy link

github-actions bot commented Oct 8, 2024

bedrock debug - [puLL-Merge] - brave/pull-merge@187

Description

This PR modifies the GitHub Actions workflow for Node.js. It adds a conditional check to skip the npm audit step when the actor triggering the workflow is either Dependabot or Renovate bot.

Changes

File: .github/workflows/node.js.yml

  1. Removed the unconditional npm audit step:

    - run: npm audit
  2. Added a conditional npm audit step:

    - if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' }}
      run: npm audit

This change ensures that the npm audit command is only run when the GitHub actor is not Dependabot or Renovate bot. This is likely done to avoid redundant security checks, as these bots typically perform their own security audits when proposing dependency updates.
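For comparison with the merged condition, the following is an added example of a Node.js workflow that gates the audit step on the pull request author rather than on `github.actor`. It is not the brave/pull-merge project's own workflow: the workflow name, job name, Node version and action versions are assumptions, and the `--audit-level=high` flag is an alternative to skipping the audit entirely.

```yaml
name: Node.js CI  # assumed name; not the project's own workflow
on:
  pull_request:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20  # assumed
      - run: npm ci
      - run: npm test

      # Gate on the PR author, not the triggering actor. github.actor is whoever
      # caused this run (a maintainer re-running a job on a Dependabot PR is not
      # the bot), so it is not a reliable proxy for "bot-authored dependency bump".
      # On non-PR events (push to main) the audit always runs.
      - name: npm audit (skipped on bot-authored PRs)
        if: >-
          github.event_name != 'pull_request' ||
          (github.event.pull_request.user.login != 'dependabot[bot]' &&
           github.event.pull_request.user.login != 'renovate[bot]')
        # --audit-level=high keeps low/moderate advisories from failing the job,
        # which is usually the reason audit is disabled on bot bumps in the first place.
        run: npm audit --audit-level=high
```

With this shape, a human re-run on a Dependabot PR still skips the step, a bot-triggered run on a human PR still audits, and pushes to `main` are always audited regardless of who merged.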

@thypon thypon merged commit fb13a7a into main Oct 8, 2024
7 checks passed
@thypon thypon deleted the features/no-npm-audit-on-bots branch October 8, 2024 00:52
1 participant