Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Infra: Consider running the Infra: CVE checks with every commit as well #707

Open
2 tasks done
yeikel opened this issue Dec 12, 2024 · 8 comments · Fixed by #745
Open
2 tasks done

Infra: Consider running the Infra: CVE checks with every commit as well #707

yeikel opened this issue Dec 12, 2024 · 8 comments · Fixed by #745
Labels
scope/infra CI, CD, dev. env, etc. status/triage/completed Automatic triage completed type/enhancement En enhancement/improvement to an already existing feature type/security Pull requests that address a security vulnerability

Comments

@yeikel
Copy link
Collaborator

yeikel commented Dec 12, 2024

Issue submitter TODO list

  • I've searched for an already existing issues here
  • I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

Currently, the "Infra: CVE checks" check is configured to run twice per month, and while that is great, it does not raise the constant awareness that CVE should raise.

For example, the latest run failed but it is only known if we navigate to the specific build check while main is considered to be healthy

Describe the feature you're interested in

We should extend the cve_checks.yml workflow to also run on pull requests and merges to main. It should continue to be a separate check

  • Pull requests: Because we should not be introducing new dependencies with CVEs
  • On Main : To raise awareness and serve as a continuous reminder that actions may be needed

Describe alternatives you've considered

Use the existing schedule and remember to check manually

Version you're running

318bcc9

Additional context

No response
@yeikel yeikel added status/triage Issues pending maintainers triage type/feature A brand new feature labels Dec 12, 2024
@kapybro kapybro bot added status/triage/manual Manual triage in progress scope/infra CI, CD, dev. env, etc. status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Dec 12, 2024
@yeikel yeikel changed the title Consider running the "Infra: CVE checks" with every commit as well Consider running the Infra: CVE checks with every commit as well Dec 12, 2024
@Haarolean
Copy link
Member

Pull requests: Because we should not be introducing new dependencies with CVEs

I don't mind this one, would be nice to know if there's anything new in case of newly introduced dependencies.

On Main : To raise awareness and serve as a continuous reminder that actions may be needed

This one is questionable, considering we don't have much bandwidth to fix these issues too often. Like, #256 was open for half a year. Running this on every commit sounds like an extra noise.

@yeikel what do you think?

@yeikel
Copy link
Collaborator Author

yeikel commented Dec 16, 2024

Pull requests: Because we should not be introducing new dependencies with CVEs

I don't mind this one, would be nice to know if there's anything new in case of newly introduced dependencies.

On Main : To raise awareness and serve as a continuous reminder that actions may be needed

This one is questionable, considering we don't have much bandwidth to fix these issues too often. Like, #256 was open for half a year. Running this on every commit sounds like an extra noise.

@yeikel what do you think?

I agree that it would be noise if it not actioned, but I think that this is good noise. We should be more than aware than issues with CVE exist and I think that every commit is a good way to show that

@Haarolean
Copy link
Member

Pull requests: Because we should not be introducing new dependencies with CVEs

I don't mind this one, would be nice to know if there's anything new in case of newly introduced dependencies.

On Main : To raise awareness and serve as a continuous reminder that actions may be needed

This one is questionable, considering we don't have much bandwidth to fix these issues too often. Like, #256 was open for half a year. Running this on every commit sounds like an extra noise.
@yeikel what do you think?

I agree that it would be noise if it not actioned, but I think that this is good noise. We should be more than aware than issues with CVE exist and I think that every commit is a good way to show that

aight, @yeikel wanna raise a PR for these changes?

@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature type/security Pull requests that address a security vulnerability and removed type/feature A brand new feature status/triage/manual Manual triage in progress labels Dec 30, 2024
@Haarolean Haarolean changed the title Consider running the Infra: CVE checks with every commit as well Infra: Consider running the Infra: CVE checks with every commit as well Dec 30, 2024
@yeikel yeikel mentioned this issue Jan 3, 2025
Merged
8 tasks
@yeikel
Copy link
Collaborator Author

yeikel commented Jan 3, 2025

Pull requests: Because we should not be introducing new dependencies with CVEs

I don't mind this one, would be nice to know if there's anything new in case of newly introduced dependencies.

On Main : To raise awareness and serve as a continuous reminder that actions may be needed

This one is questionable, considering we don't have much bandwidth to fix these issues too often. Like, #256 was open for half a year. Running this on every commit sounds like an extra noise.
@yeikel what do you think?

I agree that it would be noise if it not actioned, but I think that this is good noise. We should be more than aware than issues with CVE exist and I think that every commit is a good way to show that

aight, @yeikel wanna raise a PR for these changes?

See #745

@Haarolean Haarolean reopened this Jan 30, 2025
@Haarolean
Copy link
Member

We need a '0' exit code in case of a PR trigger, so it doesn't block the PR from being merged in

@yeikel
Copy link
Collaborator Author

yeikel commented Jan 30, 2025

We need a '0' exit code in case of a PR trigger, so it doesn't block the PR from being merged in

Can't we just make it an optional check?

@Haarolean
Copy link
Member

We need a '0' exit code in case of a PR trigger, so it doesn't block the PR from being merged in

Can't we just make it an optional check?

not really, it's either all or none. And I've checked, if I use a 0 exit code it will be marked green, so no way to tell it has actually failed.

@yeikel
Copy link
Collaborator Author

yeikel commented Jan 31, 2025

We need a '0' exit code in case of a PR trigger, so it doesn't block the PR from being merged in

Can't we just make it an optional check?

not really, it's either all or none. And I've checked, if I use a 0 exit code it will be marked green, so no way to tell it has actually failed.

I don't understand? In Github, you can have optional checks and more so when this workflow is completely independent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
scope/infra CI, CD, dev. env, etc. status/triage/completed Automatic triage completed type/enhancement En enhancement/improvement to an already existing feature type/security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Infra: Run cve checks workflow on pull requests and pushes to main yeikel/kafka-ui
2 participants
@Haarolean @yeikel