Hi,
I run recurring SCA scans to supplement Dependabot, because Dependabot's CVE database is incomplete. I run these on a recurring schedule, as new vulnerabilities are often discovered on a cadence completely unrelated to release cycles.
However, GitHub has a nasty habit of automatically disabling scheduled GitHub Actions when the repository code remains unchanged for two months. This is unacceptable. Just because the first-party code does not change does not mean that CVEs stop accumulating. Until Dependabot's database becomes a proper superset of the CVEs reported by Snyk, safety, bundle audit, X-Ray, npm audit, Docker Scout, and numerous other SCA tools, I do not trust Dependabot alone to accurately report the security status of my projects.
Other important use cases for scheduled GitHub Actions on otherwise unchanging codebases involve future-proofing software against bleeding-edge dependency updates. For example, rerunning the unit test suite of an application against HEAD versions of the programming language, or rerunning trunk versions of compiler toolchains and SAST tools in order to proactively detect new build warnings. Please do not disable scheduled jobs for unchanging codebases just because you feel like saving a nickel. If you absolutely have to do this for some bean counter, then at least set a more reasonable time buffer, such as two years of inactivity, rather than a mere two months.
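A defender's check for the silent disablement the post describes, added here as an example (not the poster's code and not GitHub tooling): it lists a repository's workflows through the GitHub REST API, flags those whose `state` is `disabled_inactivity`, and re-enables them so the scheduled SCA scan keeps running. The sample response is constructed; the `OWNER`, `REPO` and `GITHUB_TOKEN` environment variable names are assumptions.

```python
import json
import os
import urllib.request

API = "https://api.github.com"
# One of the workflow `state` values GitHub returns; set when a schedule is switched off for inactivity.
DISABLED_BY_INACTIVITY = "disabled_inactivity"


def _request(url, token, method="GET"):
    """Build an authenticated REST request (token needs actions:read, or actions:write to re-enable)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    return urllib.request.Request(url, method=method, headers=headers)


def find_inactivity_disabled(payload):
    """Return (id, name, path) for each workflow GitHub switched off for inactivity."""
    return [
        (wf["id"], wf["name"], wf["path"])
        for wf in payload.get("workflows", [])
        if wf.get("state") == DISABLED_BY_INACTIVITY
    ]


def list_workflows(owner, repo, token):
    """GET /repos/{owner}/{repo}/actions/workflows, decoded as a dict."""
    with urllib.request.urlopen(_request(f"{API}/repos/{owner}/{repo}/actions/workflows", token)) as resp:
        return json.load(resp)


def reenable_workflow(owner, repo, workflow_id, token):
    """PUT /repos/{owner}/{repo}/actions/workflows/{id}/enable; returns the HTTP status (204 on success)."""
    url = f"{API}/repos/{owner}/{repo}/actions/workflows/{workflow_id}/enable"
    with urllib.request.urlopen(_request(url, token, method="PUT")) as resp:
        return resp.status


# Constructed sample of the list response (not captured from a real repository).
SAMPLE_RESPONSE = {
    "total_count": 3,
    "workflows": [
        {"id": 101, "name": "CI", "path": ".github/workflows/ci.yml", "state": "active"},
        {"id": 102, "name": "SCA scan", "path": ".github/workflows/sca.yml", "state": "disabled_inactivity"},
        {"id": 103, "name": "Nightly", "path": ".github/workflows/nightly.yml", "state": "disabled_manually"},
    ],
}

if __name__ == "__main__":
    # Real run: OWNER, REPO and GITHUB_TOKEN are assumed environment variable names.
    owner, repo, token = os.environ["OWNER"], os.environ["REPO"], os.environ["GITHUB_TOKEN"]
    for wf_id, name, path in find_inactivity_disabled(list_workflows(owner, repo, token)):
        print(f"{path} ({name}) was disabled for inactivity; re-enable -> HTTP {reenable_workflow(owner, repo, wf_id, token)}")
```

Run it from a scheduler outside the repository (or a workflow triggered by an event other than `schedule`), since a workflow that has itself been disabled cannot re-enable itself.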