Extend GHA integration to support push events #332

Open
2 tasks
maxrake opened this issue Oct 17, 2023 · 2 comments
Labels
enhancement New feature or request wontfix This will not be worked on

Comments

@maxrake
Contributor

maxrake commented Oct 17, 2023

Overview

Is your feature request related to a problem? Please describe.

The current GitHub Action (GHA) integration is limited to pull_request events only. It does not support branch pipelines (e.g., push events). This was considered acceptable as the Phylum GitHub App was promoted as the primary option for GitHub users. However, the action now supports manifests in the form of lockfile generation while the app does not. That means more users are going to turn to the action and will want it to work in more environments than simply internal pull requests.

Describe the solution you'd like

Add support to the GHA for so-called "branch pipelines."

Describe alternatives you've considered

N/A

Additional context

Be careful about the pre-requisite checks for this integration. It will also likely be helpful to create a helper function like the other integrations have...something like is_in_pr()...to know and gate the actions based on the environment/event in use.

Acceptance criteria

  • Branch pipelines are enabled with push events
  • Documentation is updated
@maxrake maxrake added enhancement New feature or request needs triage Used to indicate that an issue hasn't been reviewed labels Oct 17, 2023
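The issue body above suggests an `is_in_pr()`-style helper to gate the action on the triggering event. The following is an added example of what such a gate could look like; it is not phylum-ci code and makes no claim about how the project implements its existing integrations. It relies only on the documented default GitHub Actions variables `GITHUB_EVENT_NAME`, `GITHUB_REF` and `GITHUB_BASE_REF`; the function names, the `EventContext` type and the sample environments are assumptions constructed for illustration.

```python
"""Hypothetical is_in_pr()-style gate for a GitHub Actions integration.

Added example, not phylum-ci code. It reads only the documented default
GitHub Actions environment variables (GITHUB_EVENT_NAME, GITHUB_REF,
GITHUB_BASE_REF) so an integration can decide whether a diff-based,
PR-commenting mode applies or whether it should fall back to a full
analysis of the checked-out tree (the push-event case the issue is about).
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Mapping

# GitHub sets GITHUB_BASE_REF and a refs/pull/<n>/merge ref only for these events.
PR_EVENTS = frozenset({"pull_request", "pull_request_target"})

# GITHUB_REF for a PR-triggered run has the shape refs/pull/123/merge.
_PR_REF = re.compile(r"^refs/pull/(?P<number>\d+)/(?:merge|head)$")


@dataclass(frozen=True)
class EventContext:
    """What the gate learned about the triggering event (hypothetical type)."""
    event: str
    pr_number: int | None
    base_ref: str | None


def is_in_pr(env: Mapping[str, str] | None = None) -> bool:
    """True only when the run is PR-triggered AND the variables a diff/comment
    workflow depends on are present. Inconsistent signals (e.g. a PR event
    name but a refs/heads/* ref) are treated as "not a PR" rather than guessing
    a diff base, which is the failure mode the issue warns about."""
    env = os.environ if env is None else env
    if env.get("GITHUB_EVENT_NAME", "") not in PR_EVENTS:
        return False
    if not env.get("GITHUB_BASE_REF"):
        return False
    return _PR_REF.match(env.get("GITHUB_REF", "")) is not None


def event_context(env: Mapping[str, str] | None = None) -> EventContext:
    """Describe the triggering event; pr_number/base_ref are None outside a PR."""
    env = os.environ if env is None else env
    event = env.get("GITHUB_EVENT_NAME", "")
    if not is_in_pr(env):
        return EventContext(event=event, pr_number=None, base_ref=None)
    match = _PR_REF.match(env["GITHUB_REF"])
    assert match is not None  # guaranteed by is_in_pr()
    return EventContext(
        event=event,
        pr_number=int(match.group("number")),
        base_ref=env["GITHUB_BASE_REF"],
    )


def choose_mode(env: Mapping[str, str] | None = None) -> str:
    """Gate: 'pr-diff' when a PR base exists, 'full-analysis' otherwise."""
    return "pr-diff" if is_in_pr(env) else "full-analysis"


# Constructed sample environments (not captured from a real runner).
SAMPLE_PR_ENV = {
    "GITHUB_EVENT_NAME": "pull_request",
    "GITHUB_REF": "refs/pull/42/merge",
    "GITHUB_BASE_REF": "main",
    "GITHUB_HEAD_REF": "feature/lockfile-gen",
}
SAMPLE_PUSH_ENV = {
    "GITHUB_EVENT_NAME": "push",
    "GITHUB_REF": "refs/heads/main",
    "GITHUB_BASE_REF": "",
}
# A deliberately inconsistent environment: PR event name, but a branch ref.
SAMPLE_INCONSISTENT_ENV = {
    "GITHUB_EVENT_NAME": "pull_request",
    "GITHUB_REF": "refs/heads/main",
    "GITHUB_BASE_REF": "main",
}

if __name__ == "__main__":
    for name, env in (("pr", SAMPLE_PR_ENV), ("push", SAMPLE_PUSH_ENV),
                      ("inconsistent", SAMPLE_INCONSISTENT_ENV)):
        print(name, choose_mode(env), event_context(env))
```

The point of requiring all three signals to agree is that a diff-based mode with a wrongly guessed base produces misleading results; refusing to enter that mode and running a full analysis instead is the safer default.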
@marvin-hansen

marvin-hansen commented Oct 17, 2023

I share the sentiment of preferring pull request target over push, but IMHO I suggest surveying users on this topic to see whether anyone actually wants Phylum on branch workflows. Over the past year or so, I have not seen one Rust project doing branch workflows, but I haven't seen them all and it might be more popular in other ecosystems.

The case for PR protection is fairly obvious, but it's unclear to me how many projects actually do security scans on branch workflows, so I think it's sensible to link to a survey or poll to figure out actual demand for this.

@kylewillmon
Contributor

Currently, phylum-ci focuses on adding value over the Phylum CLI in two main ways:

  1. By supporting analysis on a diff between two versions of code
  2. By submitting results as human-readable PR comments

Neither of these points apply to push events as they are typically used, so phylum-ci does not have much value to add for push events.

Of course, phylum-ci does support "branch pipelines" for certain CI systems, but that uses a best effort guess about which commit to diff against. It is not intuitive and should not be extended unless we have many people asking for this feature (and understanding its limitations).

Users that simply want to run a complete analysis on every push can do so by running phylum analyze in a CI script.

@kylewillmon kylewillmon added wontfix This will not be worked on and removed needs triage Used to indicate that an issue hasn't been reviewed labels Oct 17, 2023
3 participants