Thanks for reaching out. This sounds like a useful tool and I'm happy to hear about more development around establishing supply chain awareness. However, Arrow is an Apache Software Project and, as such, we don't manage all of the details of our GitHub repository. Some of these (including, I believe, selection of integrations) are managed by the ASF infrastructure team[1].
We can contact them to request this integration, but if your interest is primarily in getting feedback around the setup and configuration of integration, then I'm not sure we'd be very helpful as the process would be pretty opaque to us. You may instead want to contact the Infra team directly.

[1] https://infra.apache.org/

On Tue, Jun 27, 2023 at 1:57 PM Michael Price <michael.pr...@microsoft.com.invalid> wrote:

> Hello Apache Arrow project,
>
> The Microsoft C++ team has been working with our partners at GitHub to
> improve the C and C++ user experience on their platform. As a part of that
> effort, we have added vcpkg support for the GitHub dependency graph
> feature. We are looking for feedback from GitHub repositories, like
> apache/arrow, that are using vcpkg so we can identify improvements to this
> new feature.
>
> Enabling this feature for your repositories brings a number of benefits,
> now and in the future:
>
> * Visibility - Users can easily see which packages you depend on and
>   their versions. This includes transitive dependencies not listed in your
>   vcpkg.json manifest file.
> * Compliance - Generate an SBOM from GitHub that includes C and C++
>   dependencies as well as other supported ecosystems.
> * Networking - A fully functional dependency graph allows you to not
>   only see your dependencies, but also other GitHub projects that depend on
>   you, letting you get an idea of how many people depend on your efforts. We
>   want to hear from you if we should prioritize enabling this.
> * Security - The intention is to enable GitHub's secure supply chain
>   features<https://docs.github.com/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security>.
>   Those features are not available yet, but when they are, you'll already be
>   ready to use them on day one.
>
> What's Involved?
>
> If you decide to help us out, here's how that would look:
>
> * Enable the integration following our documentation. See GitHub
>   integrations - The GitHub dependency graph<https://aka.ms/vcpkg-dependency-graph>
>   for more information.
> * Send us a follow-up email letting us know if the documentation
>   worked and was clear, and what missing functionality is most important to
>   you.
> * If you have a problem enabling the integration, we'll work directly
>   with you to resolve your issue.
> * We will schedule a brief follow-up call (15-20) with you after the
>   feature is enabled to discuss your feedback.
> * When we make improvements, we'd like you to try them out to let us
>   know if we are solving the important problems.
> * Eventually, we'd like to get a "thumbs up" or "thumbs down" on
>   whether or not you think the feature is complete enough to no longer be an
>   experiment.
> * We'll credit you for your help when we make the move out of
>   experimental and blog about the transition to fully supported.
>
> If you are interested in collaborating with us, let us know by replying to
> this email.
>
> Thanks,
>
> Michael Price
> Product Manager, Microsoft C++ Team