
Ci/Schedule dependencies checks #1014

Merged
merged 5 commits into from
Nov 30, 2023

Conversation

Luni-4
Collaborator

@Luni-4 Luni-4 commented Nov 29, 2023

Pull Request Template

Checklist

  • Confirmed that run-checks all script has been executed.
  • Made sure the book is up to date with changes in this PR.

Changes

This PR adds a scheduled event for dependencies checks and also improves the audit action through the addition of an audit.toml file.

This PR fixes #975; below is the list of items:

  • Determine the optimal frequency for the scheduled udeps scans
    • weekly: in this way we can immediately find unused deps, but at the same time we do not block development
  • Define the scope and parameters of the udeps scans.
    • codebase: Unused deps should be detected in each crate, that is why the --all-targets feature is enabled. If some false positives are found, they can be ignored by setting up the respective field in the Cargo.toml file
  • Develop a workflow for handling and addressing issues identified in the scans.
    • CI run logs: We can use logs to identify the unused deps without creating new issues
    • Issues for Audit vulnerabilities: Audit finds vulnerabilities in dependencies, so we can open issues for dependency vulnerabilities. It already does that on the main branch as stated here
  • Integrate the scheduled scan action into the existing CI/CD system.
    • Done in this PR
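To make the items above concrete, here is an added example of what a scheduled dependency-check workflow of this shape looks like. It is not the project's own `.github/workflows/dependencies.yml` and not code from the PR author; the cron time, the action references (`actions/checkout@v4`, `dtolnay/rust-toolchain`), the `--workspace` flag and the job layout are assumptions chosen for illustration.

```yaml
# Added example, not the project's actual .github/workflows/dependencies.yml.
# Action versions, cron time and flags are assumptions for illustration.
name: Scheduled dependency checks

on:
  schedule:
    # Weekly (Monday 03:00 UTC): frequent enough to surface unused or
    # vulnerable dependencies early, without gating every push on it.
    - cron: '0 3 * * 1'
  workflow_dispatch: {}   # allow a manual run when triaging a finding

permissions:
  contents: read          # least privilege: the scans only read the tree

jobs:
  udeps:
    name: Unused dependencies (cargo-udeps)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # cargo-udeps requires a nightly toolchain.
      - uses: dtolnay/rust-toolchain@nightly
      - run: cargo install cargo-udeps --locked
      # --all-targets covers lib, bins, tests, benches and examples, so unused
      # deps are reported per crate. Findings are read from the CI log; no
      # issue is opened automatically for udeps results.
      - run: cargo +nightly udeps --workspace --all-targets

  audit:
    name: Known vulnerabilities (cargo-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-audit --locked
      # cargo-audit reads its configuration from .cargo/audit.toml by default;
      # advisories accepted as known risk are listed there, not on the CLI.
      - run: cargo audit
```

Two configuration points referenced in the checklist sit outside the workflow file. A udeps false positive is silenced per crate in that crate's `Cargo.toml` under `[package.metadata.cargo-udeps.ignore]` (for example `normal = ["some-crate"]`, with `development` and `build` keys for the other dependency kinds). An audit advisory that has been reviewed and accepted is listed in the audit configuration as `[advisories]` / `ignore = ["RUSTSEC-YYYY-NNNN"]` (placeholder id), ideally with a comment recording why, so the exception is visible in review rather than hidden in CI settings. Note that GitHub only fires `schedule` triggers on the default branch, which is consistent with the audit issue creation described above happening on main.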

@Luni-4 Luni-4 marked this pull request as draft November 29, 2023 08:53
@Luni-4 Luni-4 marked this pull request as ready for review November 29, 2023 10:06
@Luni-4 Luni-4 requested a review from antimora November 29, 2023 10:06
.github/workflows/dependencies.yml
audit.toml Outdated
@louisfd louisfd merged commit ba1de9c into tracel-ai:main Nov 30, 2023
6 checks passed
Successfully merging this pull request may close these issues.

Implement scheduled action for scanning unused dependencies
3 participants