Behnaz Hassanshahi

19 comments by Behnaz Hassanshahi

What are the additional checks that `ruff` offers, which would otherwise be missed by our checks?

> @behnazh what do you think of this comment: [pre-commit/pre-commit#2847 (comment)](https://github.com/pre-commit/pre-commit/issues/2847#issuecomment-1514683897) This solution seems to have similar issues for build isolation. We have designed `_build.yaml` reusable workflow in a way...

> I stumbled upon the [dependency-review-action](https://github.com/actions/dependency-review-action) which looked useful. Not sure if `build.yaml` is a good place, or better [`pr-change-set.yaml`](https://github.com/jenstroeger/python-package-template/blob/main/.github/workflows/pr-change-set.yaml). What do you think, @behnazh? Currently the dependencies might change...

> @behnazh would it make sense to store the Actions log (all jobs) from the `release.yaml` workflow as part of the release artifacts? It looks like the Github API allows...

Another tool to consider is [guarddog](https://github.com/DataDog/guarddog).

I think this would make sense if apart from the `main` and `staging` branches, there are additional ones for pre-releases.

While I understand the frustration if GitHub goes down, I'm afraid adding this target goes against the SLSA and build integrity principles. I'm not sure if it's a good idea...

Based on the recommendation, should we add the allowed list to every step or is it possible to specify it in a central policy?

We can also add this [SLSA](https://github.com/slsa-framework/slsa/blob/main/docs/images/gh-badge-level3.svg) badge now.