Update fossa action to v1.1.0 #118

r-hang · 2023-10-11T01:06:38Z

Update fossa action to v1.1.0

The FOSSA check has been failing for a while with
fossa-actions@v1 Error: Input required and not supplied: api-key

This has caused the dependabot queue to backup, we also can't merge them
manually in sally because this check is required.

Updating the version seems to cause the check to run successfully again.

Other repositories have run into the same issue
ref: getsentry/self-hosted#1351

codecov · 2023-10-11T01:08:42Z

Codecov Report

Merging #118 (e7e6599) into master (b1dc33f) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #118   +/-   ##
=======================================
  Coverage   74.03%   74.03%           
=======================================
  Files           3        3           
  Lines         104      104           
=======================================
  Hits           77       77           
  Misses         23       23           
  Partials        4        4

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

The FOSSA check has been failing for a while with fossa-actions@v1 Error: Input required and not supplied: api-key This has caused the dependabot queue to backup, can we can't merge them manually in sally because this check is required. Updating the version seems to cause the check to run successfully again. Other repositories have run into the same issue ref: getsentry/self-hosted#1351

abhinav · 2023-10-12T12:13:53Z

This has caused the dependabot queue to backup, we also can't merge them manually in sally because this check is required.

This is because dependabot PRs don't run with the standard repository secrets by default -- because that's a supply chain attack vector (e.g., ship a malicious update to a small dependency you happen to maintain, let dependabot create PRs on all repositories that use it, steal credentials).

The reason your upgrade PR works is because the author of the PR is a maintainer, not dependabot, so it runs with regular secrets. You can verify this: go to any dependabot PR, do a commit --allow-empty and push a new commit onto that PR. Now that there's a maintainer involved in the PR, it'll run with proper secrets again.

To fix this, you need to separately set Dependabot secrets: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets. If you're able to do it successfully on this repository, it may be worth setting up Org-level dependabot secrets for fossa.

r-hang · 2023-10-12T18:19:36Z

Thanks @abhinav, i'll follow up.

r-hang force-pushed the rhang/fix-fossa-workflow branch from cd1f3cb to 88ac544 Compare October 11, 2023 01:12

r-hang force-pushed the rhang/fix-fossa-workflow branch from 88ac544 to e7e6599 Compare October 11, 2023 01:15

r-hang requested a review from JacobOaks October 11, 2023 01:20

sywhang approved these changes Oct 11, 2023

View reviewed changes

r-hang merged commit f3a3b27 into master Oct 11, 2023
6 checks passed

r-hang deleted the rhang/fix-fossa-workflow branch October 11, 2023 17:52

mway mentioned this pull request Oct 24, 2023

Release v1.5.0 #122

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update fossa action to v1.1.0 #118

Update fossa action to v1.1.0 #118

r-hang commented Oct 11, 2023 •

edited

Loading

codecov bot commented Oct 11, 2023 •

edited

Loading

abhinav commented Oct 12, 2023

r-hang commented Oct 12, 2023

Update fossa action to v1.1.0 #118

Update fossa action to v1.1.0 #118

Conversation

r-hang commented Oct 11, 2023 • edited Loading

codecov bot commented Oct 11, 2023 • edited Loading

Codecov Report

abhinav commented Oct 12, 2023

r-hang commented Oct 12, 2023

r-hang commented Oct 11, 2023 •

edited

Loading

codecov bot commented Oct 11, 2023 •

edited

Loading