  Legal Discuss
  LEGAL-589

Can Dependabot be allowed to create branches within a repo

Dependabot is a tool owned and provided by GitHub. This tool scans the dependencies used in a repository and can either create alerts or help by creating a PR in case you're using a dependency that has a security vulnerability.

More information about alerts can be found at https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies and more information about creating a PR can be found at https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-pull-requests-for-dependency-updates.

The way Dependabot works when it comes to creating a PR is that it creates branches inside the repository and then opens up a PR. Since March 1st of 2021, these PRs are specifically created with read-only permissions, and therefore the PRs are treated as if they were coming from a repository fork. This can be found at https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/.

When asking Infra to enable the option for Dependabot to create an automatic PR for a repository, this was rejected because the current policy is that we don't allow 3rd party write access to ASF Project repositories. I have been reading up on past tickets, and I have only come across https://issues.apache.org/jira/browse/LEGAL-491 in the Legal Jira tickets.

I think enabling Dependabot can help ASF Projects deal with supply chain security and help with fixing vulnerable dependencies. Can it be allowed that Dependabot creates branches inside a repo, so that ASF Projects can use Dependabot for creating alerts (which is currently already possible) and for creating PRs for outdated/vulnerable dependencies (which is currently not allowed), especially now that these PRs are created with read-only permissions and therefore are treated as coming from a repository fork?
