run dependency review only on pull requests #1443
🦋 Changeset detected

Latest commit: 9c63140

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
contents: read | ||
|
||
jobs: | ||
dependency-review: |
Why not this
if: github.event_name == 'pull_request' |
Since this job doesn't depend on any other steps, it's probably fine as a separate workflow. But yeah, this could also work
We can do that too, I assumed every check in `health_checks` follows this

amplify-backend/.github/workflows/health_checks.yml
Lines 4 to 13 in d1716d1

```yaml
  push:
    branches:
      - main
      - hotfix
  pull_request:
    branches:
      - main
      - hotfix
      - feature/**
  workflow_dispatch:
```

I added dependency review back and added the if line.
- name: Checkout repository | ||
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # version 3.6.0 | ||
- name: Dependency Review | ||
uses: actions/dependency-review-action@v4 |
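Review bot: `actions/dependency-review-action@v4` on the Dependency Review step is referenced by a mutable major-version tag, while the checkout step just above it is pinned to a full commit SHA with the version in a trailing comment. Pin this action the same way, so that the code run in CI cannot change when the tag is moved.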
why don't we use the commit hash here?
I don't have a strong opinion, we can do just like what we do with `checkout`. Seems like only flutter does this and does not use a commit hash https://github.com/search?q=org%3Aaws-amplify%20dependency-review-action&type=code
Problem

`dependency-review-action` is meant to only run on pull request, when pushing it fails with https://github.com/aws-amplify/amplify-backend/actions/runs/8977249446/job/24655630829#step:3:6.

Issue number, if available:

Changes

- `dependency-review-action` run only on pull requests
- `dependency-review-action` to a specific commit hash for the current latest version 4.3.2

Corresponding docs PR, if applicable:

Validation

PR checks

Checklist

`run-e2e` label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.