chore: enable dep-cooldown blocking check #160
Open
akshanshjaiswal-atlan wants to merge 4 commits into
We couldn't connect to your Atlan Instance, please make sure to set the valid Atlan Instance URL as Atlan Instance URL: https://beta-governance.atlan.dev Make sure your Atlan Instance URL is set in the following format. Set your repository action secrets here. For more information on how to setup the Atlan dbt Action, please read the setup documentation here.
Some atlanhq repos use master / staging / develop as their default branch. Hardcoding branches:[main] in the workflow trigger silently skips those repos. Drop the filter — the check should run on every PR regardless of base.
Per team decision, accepting the operational simplicity of @main over SHA pinning. Each upstream change in atlanhq/.github will now propagate to every consumer instantly. Revisit when ready to adopt Dependabot for automated SHA bumps.
Adds the org-shared dep-cooldown CI check to this repo.
What it does
On every PR that modifies (or doesn't) a lockfile, the check runs in <15 seconds. If the PR introduces any dep version published less than 7 days ago, the check fails. Pairs with the org-level branch ruleset (currently in evaluate mode) — once that ruleset goes active for this repo, fresh-dep PRs will be blocked from merging.
Why we're doing this
Manual npm install some-fresh-package and committing the lockfile is a documented attack vector — it bypasses Renovate-style automation gates. Cooldown is the cheapest defense and applies uniformly across npm / pnpm / yarn lockfiles.

What you need to do

security label to the PR — cooldown is skipped for that PR.

Where the policy lives

Reusable workflow in atlanhq/.github, pinned to a specific SHA in this file. Bumping the SHA is a deliberate review action.

Reference

- atlanhq/.github PR customer order logic fix #31 (initial) + fix: update fct_orders.sql #33 (security hardening)
- atlanhq/Security-Automations PR fix: add source url and links to terms #19 (production proof of working check)
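The cooldown logic the description above summarises, as an added example that is not the atlanhq/.github reusable workflow's own code: it diffs an npm lockfile (v2/v3 "packages" map, one of the three formats the check covers) between base and head, and flags any introduced version whose registry publish time is inside the 7-day window. Registry lookups are injected through a publishedAt function and the lockfiles, package names and dates are constructed so the block runs offline.

```javascript
// Added example, not the atlanhq/.github workflow's own code: a minimal
// dep-cooldown check over npm lockfile (v2/v3 "packages" map) diffs.
// Registry publish times come from an injected lookup so this runs offline.
const COOLDOWN_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;
// Map "name@version" -> {name, version} for every dependency in a lockfile.
function lockfileVersions(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // root project / link entries
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    out.set(`${name}@${entry.version}`, { name, version: entry.version });
  }
  return out;
}
// Versions present in the head lockfile but absent from base: what the PR introduces.
function introducedVersions(baseLock, headLock) {
  const base = lockfileVersions(baseLock);
  return [...lockfileVersions(headLock)].filter(([key]) => !base.has(key)).map(([, v]) => v);
}
// publishedAt(name, version) returns an ISO timestamp (the registry's `time` field in a
// real run) or undefined. An unknown publish time fails closed: it counts as a violation.
function cooldownCheck(baseLock, headLock, publishedAt, now = new Date()) {
  const violations = [];
  for (const { name, version } of introducedVersions(baseLock, headLock)) {
    const ts = publishedAt(name, version);
    const ageDays = ts ? Math.floor((now - new Date(ts)) / MS_PER_DAY) : null;
    if (ageDays === null || ageDays < COOLDOWN_DAYS) violations.push({ name, version, ageDays });
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample input: package names and publish dates are illustrative, not registry data.
const BASE_LOCK = { packages: { '': { name: 'app' }, 'node_modules/left-pad': { version: '1.3.0' } } };
const HEAD_LOCK = { packages: {
  '': { name: 'app' },
  'node_modules/left-pad': { version: '1.3.0' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/some-fresh-package': { version: '2.0.0' },
} };
const REGISTRY_TIME = {
  'lodash@4.17.21': '2021-02-20T00:00:00Z',
  'some-fresh-package@2.0.0': '2024-06-13T12:00:00Z',
};
const lookup = (name, version) => REGISTRY_TIME[`${name}@${version}`];
const NOW = new Date('2024-06-15T00:00:00Z');
const result = cooldownCheck(BASE_LOCK, HEAD_LOCK, lookup, NOW);
console.log(result.ok ? 'cooldown check passed' : `blocked: ${JSON.stringify(result.violations)}`);
```

A PR that touches no lockfile introduces no versions and passes, matching the "modifies (or doesn't)" behaviour; a version the registry cannot date is treated as fresh rather than silently allowed.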