Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RED-6621 - InfoSec review changes #5

Merged
merged 3 commits into from
Jul 18, 2024
Merged

RED-6621 - InfoSec review changes #5

merged 3 commits into from
Jul 18, 2024

Conversation

matthewbelisle-wf
Copy link
Contributor

  • Adding dependabot.yml for security updates
  • Adding SECURITY.md for threat model documentation
  • Pointing yq at the latest version in case there are security updates

@rmconsole-wf
Copy link

rmconsole-wf commented Jul 18, 2024
edited by rm-astro-wf
Loading

Merge Requirements Met ✅

Request Rosie to automerge this pull request by including @Workiva/release-management-p in a comment.

Release notes requirement met
        :white_check_mark: RED-6621 - Release notes not required

  • Rosie is enforcing release notes requirements because the repo is believed to be customer facing. If this repo is not customer facing, update the value of is_customer_facing in the Rosie Control Panel

General Information

Ticket(s):

Code Review(s): #5
Release Image Tags:

Reviewers: matthewnitschke-wk, matthewbelisle-wf

Additional Information

	When this pull is merged I will add it to the following release:
	Version: gha-dart-oss 0.1.0
	Release Ticket(s): None

Note: This is a shortened report. Click here to view Rosie's full evaluation.
Last updated on Thursday, July 18 04:21 PM CST

@aviary2-wf
Copy link

Security Insights

No security relevant content was detected by automated scans.

Action Items

  • Review PR for security impact; comment "security review required" if needed or unsure
  • Verify aviary.yaml coverage of security relevant code

Questions or Comments? Reach out on Slack: #support-infosec.

matthewbelisle-wf
matthewbelisle-wf commented Jul 18, 2024
View reviewed changes
.github/workflows/test-unit.yaml
@@ -46,7 +46,7 @@ jobs:
- uses: actions/checkout@v4
- name: Install yq
run: |
sudo wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.43.1/yq_linux_amd64
sudo wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure why the download segment switched spots, but I tested that on my ubuntu box and it worked.

matthewnitschke-wk
matthewnitschke-wk previously approved these changes Jul 18, 2024
View reviewed changes
.github/dependabot.yml Outdated
Comment on lines 7 to 9
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there reason to ignore major versions?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, I removed that in c057d68.

matthewnitschke-wk
matthewnitschke-wk reviewed Jul 18, 2024
View reviewed changes
.github/dependabot.yml Outdated
Comment on lines 24 to 41
- package-ecosystem: "github-actions"
schedule:
interval: "weekly"
commit-message:
prefix: "GHA"
labels:
- "GHA"
- "dependencies"
open-pull-requests-limit: 1
target-branch: "master"
groups:
gha-dependencies:
patterns:
- "workiva/gha-*"
- "actions/*"
directory: "/"
pull-request-branch-name:
separator: "/"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be nice to simplify this a bit

Suggested change
- package-ecosystem: "github-actions"
schedule:
interval: "weekly"
commit-message:
prefix: "GHA"
labels:
- "GHA"
- "dependencies"
open-pull-requests-limit: 1
target-branch: "master"
groups:
gha-dependencies:
patterns:
- "workiva/gha-*"
- "actions/*"
directory: "/"
pull-request-branch-name:
separator: "/"
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
groups:
all:
patterns: ["*"]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea, did that in 09f876c.

@matthewbelisle-wf
Copy link
Contributor Author

QA +1 CI passes

@matthewbelisle-wf
Copy link
Contributor Author

@Workiva/release-management-p

@rmconsole-wf
Copy link

@matthewbelisle-wf I will not merge this because:

@matthewbelisle-wf
Copy link
Contributor Author

@Workiva/release-management-p

@rm-astro-wf rm-astro-wf merged commit 65707aa into master Jul 18, 2024
12 checks passed
rmconsole-wf
rmconsole-wf approved these changes Jul 18, 2024
View reviewed changes
Copy link

@rmconsole-wf rmconsole-wf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 from RM

@rmconsole-readonly-wk rmconsole-readonly-wk mentioned this pull request Aug 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewnitschke-wk matthewnitschke-wk matthewnitschke-wk approved these changes

@rmconsole-wf rmconsole-wf rmconsole-wf approved these changes

Assignees
No one assigned
Labels
Merge Requirements Met RM Ready
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@matthewbelisle-wf @rmconsole-wf @aviary2-wf @matthewnitschke-wk @rm-astro-wf