
add support for checking transparency in CI #9

Open
monperrus opened this issue Sep 27, 2024 · 3 comments · May be fixed by chains-project/dirty-waters-action#1

@monperrus (Collaborator):

Once a supply chain is made fully transparent, this should be ensured in CI.

If dirty-waters finds a high severity warning, we break the build and block the integration in master.

@randomicecube randomicecube added the enhancement New feature or request label Sep 27, 2024
@randomicecube randomicecube self-assigned this Sep 27, 2024
@randomicecube (Collaborator):

For future reference (to self), this refers to the following bullet points:

  • Dependencies with no link to source code repositories (high severity)
  • Dependencies with no tag / commit sha for release, impossible to have reproducible builds (high severity)
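As an added example (not code from dirty-waters or the dirty-waters-action repository), the snippet below sketches the gate described in the two comments above: a CI step that reads a per-dependency transparency report and exits non-zero when any high-severity finding is present, here the two listed checks, a missing source repository link and a missing release tag or commit SHA. The JSON report layout, the field names `source_repo` and `release_ref`, and the sample dependencies are all constructed assumptions for illustration; the real dirty-waters output format may differ.

```python
"""Added example: fail a CI job on high-severity dependency transparency findings.

This is illustrative code, not dirty-waters' own. The report format
(a JSON list of dependency objects with `source_repo` and `release_ref`)
is an assumption made for this example.
"""
import json
import sys

# Constructed sample report: one object per resolved dependency.
# - left-pad: fully transparent (repo link + pinned release ref)
# - mystery-lib: no repo link and no release ref (two high-severity findings)
# - utils-x: repo link present but no tag/commit SHA for the release
SAMPLE_REPORT = """
[
  {"name": "left-pad", "version": "1.3.0",
   "source_repo": "https://github.com/example/left-pad", "release_ref": "v1.3.0"},
  {"name": "mystery-lib", "version": "2.0.1",
   "source_repo": null, "release_ref": null},
  {"name": "utils-x", "version": "0.4.2",
   "source_repo": "https://github.com/example/utils-x", "release_ref": null}
]
"""

# Each check returns True when the dependency FAILS it. Both map to the
# high-severity bullet points from the comment above.
HIGH_SEVERITY_CHECKS = {
    "no_source_repo": lambda dep: not dep.get("source_repo"),
    "no_release_ref": lambda dep: not dep.get("release_ref"),
}


def find_high_severity(report):
    """Return (name, version, check_id) for every failed high-severity check."""
    findings = []
    for dep in report:
        for check_id, fails in HIGH_SEVERITY_CHECKS.items():
            if fails(dep):
                findings.append((dep["name"], dep["version"], check_id))
    return findings


def load_findings(report_json):
    """Parse a JSON report string and return its high-severity findings."""
    return find_high_severity(json.loads(report_json))


def ci_exit_code(report_json):
    """Exit status for the CI step: 1 (break the build) if any finding, else 0."""
    findings = load_findings(report_json)
    for name, version, check_id in findings:
        # Stderr is what a CI log surfaces next to the failed step.
        print(f"HIGH: {name}@{version}: {check_id}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    # Read a report from stdin when piped, otherwise run on the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(ci_exit_code(data or SAMPLE_REPORT))
```

A GitHub Action wrapping this would run it as a step after dependency resolution; because the script's exit status is the verdict, no extra plumbing is needed for the job to fail and thereby block the merge into master, which is the behaviour the first comment asks for.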

@monperrus (Collaborator, Author):

Good suggestion by @AEnguerrand:

It is possible to integrate dirty-waters, perhaps through a GitHub Action, which could be made available on the marketplace (https://docs.github.com/en/actions/sharing-automations/creating-actions/publishing-actions-in-github-marketplace).

@randomicecube randomicecube linked a pull request Dec 21, 2024 that will close this issue
@randomicecube (Collaborator):

FYI, created the repo dirty-waters-action to hold the action. It's still WIP (need to test, etc.).
