[
https://issues.apache.org/jira/browse/CALCITE-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035429#comment-18035429
]
Julian Hyde commented on CALCITE-7260:
--------------------------------------
Are you proposing that, in order to push to main, the committer must apply any
critical dependency upgrades first (presumably in a separate commit)?
It matches my criteria in that it finds a time when we have a human's time and
attention.
One concern is that it introduces a race condition. A PR that was valid on
Monday, or at 10:59 AM on Tuesday, may no longer be valid at 11 AM on Tuesday.
PRs will go stale due to external events, and it will be harder to see which
PRs are still "good".
I would love someone else's opinion on this.
> Add gradle/actions/dependency-submission GitHub action to track vulnerable
> dependencies
> ---------------------------------------------------------------------------------------
>
> Key: CALCITE-7260
> URL: https://issues.apache.org/jira/browse/CALCITE-7260
> Project: Calcite
> Issue Type: Improvement
> Reporter: Vladimir Sitnikov
> Priority: Major
>
> dependency-submission enables GitHub to track all the used dependencies and show
> CVE alerts via https://github.com/apache/calcite/security/dependabot
> It would track runtime, test, build-time, and even build-script
> dependencies, which is the right thing from my point of view.
> See
> https://github.com/actions/gradle-build-tools-actions?tab=readme-ov-file#the-dependency-submission-action
> See
> https://github.com/apache/jmeter/blob/2c17f5d2b6b0fa7e0f69dbd56785386a785c8745/.github/workflows/gradle-dependency-submit.yaml
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
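For reference, a minimal workflow of the kind the issue proposes, written here as an added illustration rather than taken from the Calcite or JMeter repositories. It assumes the `gradle/actions/dependency-submission` action at its `v4` tag, a Temurin JDK 17 toolchain and a default branch named `main`; all three are assumptions, not facts from the issue. The `contents: write` permission is what the GitHub dependency-submission API requires in order to upload the resolved dependency graph; without it the step fails, and no Dependabot alerts are produced.

```yaml
# .github/workflows/gradle-dependency-submit.yaml (added example, not project code)
name: Gradle dependency submission

on:
  push:
    # Assumption: the default branch is "main". Dependabot alerts are computed
    # from the snapshot submitted for the default branch, so this is the branch
    # that matters; submissions from PR branches would not raise alerts.
    branches: [ main ]

# Least privilege: the only scope the dependency-submission API needs is
# contents:write, so grant that and nothing else.
permissions:
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumption: any JDK the build supports works
          java-version: 17        # assumption: pick the project's build JDK

      # Resolves every configuration of every project, including buildscript
      # and plugin classpaths, and uploads the graph. In a real repository,
      # pin this (and the actions above) to a full commit SHA rather than a
      # moving tag so the workflow itself is not a supply-chain weak point.
      - uses: gradle/actions/dependency-submission@v4
```

Once the graph has been submitted, the repository's Dependabot tab lists alerts for every known-vulnerable coordinate in it, which is the signal the issue wants to surface; the policy question raised in the comment above (whether a stale-but-green PR must be rebased onto a dependency bump first) is independent of this workflow and is not decided by it.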