Is your feature request related to a problem? Please describe.
The current GitHub Action (GHA) integration is limited to pull_request events only. It does not support branch pipelines (e.g., push events). This was considered acceptable as the Phylum GitHub App was promoted as the primary option for GitHub users. However, the action now supports manifests in the form of lockfile generation while the app does not. That means more users are going to turn to the action and will want it to work in more environments than simply internal pull requests.
Describe the solution you'd like
Add support to the GHA for so-called "branch pipelines."
Describe alternatives you've considered
N/A
Additional context
Be careful about the pre-requisite checks for this integration. It will also likely be helpful to create a helper function like the other integrations have...something like is_in_pr()...to know and gate the actions based on the environment/event in use.
Acceptance criteria
Branch pipelines are enabled with push events
Documentation is updated
I share the sentiment of preferring pull request target over push, but IMHO I suggest surveying users on this topic to see if anyone actually wants phylum on branch workflows. Over the past year or so, I have not seen one Rust project doing branch workflows, but I haven’t seen them all and it might be more popular in other ecosystems.
The case for PR protection is fairly obvious but it’s unclear to me how many projects actually do security scans on branch workflows so I think it’s sensible to link to a survey or poll to figure out actual demand for this.
Currently, phylum-ci focuses on adding value over the Phylum CLI in two main ways:
By supporting analysis on a diff between two versions of code
By submitting results as human-readable PR comments
Neither of these points apply to push events as they are typically used, so phylum-ci does not have much value to add for push events.
Of course, phylum-ci does support "branch pipelines" for certain CI systems, but that uses a best effort guess about which commit to diff against. It is not intuitive and should not be extended unless we have many people asking for this feature (and understanding its limitations).
Users that simply want to run a complete analysis on every push can do so by running phylum analyze in a CI script.
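The event gating and the "which commit to diff against" problem discussed in this thread, as an added example that is not phylum-ci's code. `is_in_pr` is the name suggested in the issue; `diff_range`, `load_event` and the sample payloads are hypothetical and constructed here, while the environment variables and payload fields are the ones GitHub Actions provides.

```python
import json
import os

ZERO_SHA = "0" * 40  # GitHub sends this as `before` when a push creates a new ref


def is_in_pr(env):
    """True when the workflow run was triggered by a pull request event."""
    return env.get("GITHUB_EVENT_NAME") in ("pull_request", "pull_request_target")


def diff_range(env, event):
    """Return (base_sha, head_sha); base_sha is None when no base is known."""
    name = env.get("GITHUB_EVENT_NAME")
    if is_in_pr(env):
        pr = event["pull_request"]
        return pr["base"]["sha"], pr["head"]["sha"]
    if name == "push":
        before, after = event.get("before"), event.get("after")
        if event.get("deleted") or after == ZERO_SHA:
            raise ValueError("ref was deleted; nothing to analyze")
        # First push of a branch or tag: the ref has no previous commit,
        # so any base chosen here would be a guess. Report that explicitly.
        if not before or before == ZERO_SHA:
            return None, after
        return before, after
    raise ValueError(f"unsupported event: {name!r}")


def load_event(env=os.environ):
    """Read the webhook payload GitHub Actions writes for the current run."""
    with open(env["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample payloads, trimmed to the fields used above.
PR_EVENT = {"pull_request": {"base": {"sha": "a" * 40}, "head": {"sha": "b" * 40}}}
PUSH_EVENT = {"before": "c" * 40, "after": "d" * 40, "deleted": False}
NEW_BRANCH_EVENT = {"before": ZERO_SHA, "after": "e" * 40, "deleted": False}

if __name__ == "__main__":
    for name, ev in (("pull_request", PR_EVENT), ("push", PUSH_EVENT),
                     ("push", NEW_BRANCH_EVENT)):
        print(name, diff_range({"GITHUB_EVENT_NAME": name}, ev))
```

A `None` base is the case where a caller has to choose between a full analysis and a guessed base, which is the limitation described in the comment above.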