GitHub dependabot security alerts may sometimes become a chore especially when an abandoned project that is no longer in active use receives frequent security advisories. Is there an option to disable the active security monitoring?
Open your repo and go to Settings. Click on Code security and analysis in the Security subsection. There you will find the Dependabot settings with a Disable button for turning off the automated advisories.
The page is also available through direct link https://github.com/<USERNAME>/<REPO>/settings/security_analysis by replacing placeholders <USERNAME> and <REPO> with the corresponding identifiers.
Note that disabling the advisories will negatively impact the security of your software and should be avoided for any software with production deployments.
This is the top result on google.
I'm sick of getting alerts from dependabot. I have dependabot alerts disabled on all my repositories.
However, I think what we are getting are not dependabot alerts but pull request alerts.
Even if we disable dependabot alerts, it continues to create pull requests.
Since we do want to receive pull request alerts, we get them.
In the official dependabot repository there are people commenting on how to disable it but all the links are outdated. Now most of them lead to the documentation or to parts of the options not related to dependabot.
At the moment I have found two possible solutions:

- disable security updates:
  https://github.com/settings/security_analysis

OR

- delete/truncate the dependabot configuration file:
  https://github.com/USERNAME/REPOSITORY/blob/master/.github/dependabot.yml
  (change USERNAME and REPOSITORY as appropriate)
I have not yet been able to verify that it works but I think that I will not receive any more PR from dependabot and, therefore, I will not receive the emails either.
Cyberixae's answer should work but if you're getting these alerts on a forked repository, I found a good fix here that involves deleting the dependabot.yml file in a different branch and setting that branch to the default branch.
The documentation for Dependabot version updates > Configure dependabot.yml > open-pull-requests-limit demonstrates how to disable version updates by setting this option to 0. Example .github/dependabot.yml file content:
```yaml
version: 2
updates:
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "weekly"
    # Disable version updates for hex dependencies
    open-pull-requests-limit: 0
```
Just removing this file from the repository (as the official GitHub documentation about "Disabling Dependabot version updates" says) did not work for me.
I am using Azure Devops in an IT environment with many different development teams and git repositories. Each development team owns one or more repositories. It's my job to work on various application components contained in said repositories. Because I do not own those repositories, I should not make any changes in build/release pipelines, build policies etc, all by myself because that can impact other people's work.
Now let's say I have a feature branch named UpgradedFeature in the repository FeatureRepository, containing my changes. Said changes also introduce a breaking change in the build pipeline used for that repository for the master branch. Let's say that pipeline is named MasterBuildPipeline.
So in order for my build based on the branch UpgradedFeature to succeed and not impact other people's work, I make a clone of the MasterBuildPipeline, name it UpgradedFeatureBuildPipeline and configure the breaking changes. This new build pipeline is used exclusively by me for the UpgradedFeature branch only.
The build, now using the new UpgradedFeatureBuildPipeline pipeline, succeeds and now I want to merge into master, so I make a pull request to merge the changes contained in UpgradedFeature into master. The master branch has a branch policy in place named MasterBranchPolicy like described on https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops&tabs=browser. This branch policy contains the MasterBuildPipeline and prevents completion of that pull request when the build using that pipeline does not succeed.
So my problem is that my pull request triggers the MasterBranchPolicy containing the MasterBuildPipeline and not the UpgradedFeatureBuildPipeline containing the necessary breaking changes for the build to succeed. So the build fails and I cannot complete the pull request.
Of course I could edit the MasterBuildPipeline for a short time, introduce my breaking changes, run the build, then discard the breaking changes again. But there's a chance I may impact other people's work with that and somehow I have a feeling that's not the right approach. I could also edit or disable the MasterBranchPolicy for a short time but again, I may impact other people's work and I feel it's not the right approach.
How should I do this?
> So the build fails and I cannot complete the pull request.
To complete the pull request even though the build fails, you could grant yourself Bypass permissions. Bypass permissions let you complete pull requests that don't satisfy branch policies. You can grant bypass permissions to yourself and then complete the pull request. Here is Bypass branch policies for reference.
Please navigate to Project setting >> Repositories >> The repo >> Security >> user (yourself) >> Bypass policies when completing pull requests.
Then, you can Override branch policies and enable the merge even if the MasterBuildPipeline failed.
Please also note that you should use caution when granting the ability to bypass policies, especially at the repo and project levels. Policies are a cornerstone of secure and compliant source code management. In your scenario, it's suggested to edit the MasterBuildPipeline and the MasterBranchPolicy or disable the MasterBranchPolicy as you mentioned.
Generally, the workflow of a DevOps branching strategy is as follows:

- A developer will create a feature or bugfix branch out of develop. One feature or bugfix branch usually stands for one JIRA bug or feature item. These branches are personal.
- The changes will be pushed into the developer's feature or bugfix branch.
- When the new feature or bugfix is complete, a developer will create a pull request. Pull requests open a code review phase.
- Once a pull request has been approved, the team lead or development team will move it into development.
- When the development branch has all the epics and bug fixes, i.e., the content planned for the next release, the development team or team lead will create a release branch. This initiates the release regression testing phase. At this stage, only bug fixes are accepted for release, and the workflow is similar to that of the development branch.
- Having a separate release branch will enable future development towards the next release in the development branch. Features for the next release are not included in this release. However, bug fixes for this release will be incorporated into the development of the next release as well.
- When release content meets the criteria, the release branch will be frozen, which means that it ends. Content from releases will be merged to master and tagged there. For the next release, a new release branch is created when needed.
As per my experience, I would suggest creating branching policies like:

- A pull request is required for merging into the develop, release, and master branches.
- Pull request approvers should be leads.
- All developers can create feature branches.
- All developers can push to hotfix and feature branches. Commit messages must include the JIRA issue id.
I have a Cloudflare page that uses python-sphinx to build docs. For some of my commits, it downloads a different version of sphinx than for others and fails to build the docs correctly.
What I tried:

- Adding a dummy commit on top of a failing build seems to fix the issue and force the Cloudflare builder to download the correct sphinx version
- re-running deployments doesn't fix the issue
- creating a new branch with the same head (failing commit) and running another deployment doesn't fix the issue
- changing between preview/production deployments has no impact on this issue
Here is a dummy commit I added to make the docs build correctly
Commit one result vs. Commit two result
The diff in deployment logs old commits, the left is Commit 1(not working), and the right, Commit two, correctly builds all three tasks and the releases.
https://www.diffchecker.com/ZpV8vE9D
I have tried making different branches and re-running deployments to check whether the sphinx version will change, but it seems like it's bound to the "old commit". This is also an issue for other Cloudflare Pages, and using preview/production deployments has no impact on this problem.
The issue in this case was actually not with the sphinx version but with the fact that I was using:

```sh
git fetch --all
```

which does not guarantee pulling the tags with it.
`--all` pulls from all remotes instead of "everything" as I thought.
Using `git fetch --tags` instead fixed the issue.
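A constructed demonstration of the difference, added here and not part of the answer above: git's tag auto-following only brings in tags that point at commits it downloads (or already has), so a tag on a commit that no fetched branch reaches, or that lies beyond a shallow clone's boundary, is skipped by `git fetch --all` but picked up by `git fetch --tags`. The script builds a throwaway origin and clone in a temporary directory (all names and the `v9.9` tag are made up for the demo) and needs no network.

```shell
#!/bin/sh
# Added demo (not from the original post): why `git fetch --all` can leave a
# tag behind while `git fetch --tags` brings it in. Everything is constructed
# in a temporary directory; no remote server is involved.
set -eu

# Commit identity for the throwaway repositories (constructed values).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# Builds a bare origin plus a clone, then pushes a tag that points at a commit
# no branch reaches (the shape a CI checkout sees when a tag is created outside
# the branch it tracks). Prints the clone's path.
setup_demo() {
  work=$(mktemp -d)
  git init -q --bare "$work/origin.git"
  git -C "$work/origin.git" symbolic-ref HEAD refs/heads/main
  git init -q "$work/src"
  git -C "$work/src" commit -q --allow-empty -m "initial"
  git -C "$work/src" push -q "$work/origin.git" HEAD:refs/heads/main
  git clone -q "$work/origin.git" "$work/clone"
  # Tag created after the clone, on an orphan commit built from the same tree;
  # the clone has neither the commit nor the tag at this point.
  tree=$(git -C "$work/src" write-tree)
  orphan=$(git -C "$work/src" commit-tree "$tree" -m "release build")
  git -C "$work/src" tag v9.9 "$orphan"
  git -C "$work/src" push -q "$work/origin.git" refs/tags/v9.9
  printf '%s\n' "$work/clone"
}

# Runs one fetch variant (e.g. --all or --tags) inside the clone and prints the
# tags the clone knows afterwards; empty output means no tags at all.
tags_after_fetch() {
  clone_dir=$1
  shift
  git -C "$clone_dir" fetch -q "$@"
  git -C "$clone_dir" tag --list
}

main() {
  clone_dir=$(setup_demo)
  printf "after git fetch --all:  '%s'\n" "$(tags_after_fetch "$clone_dir" --all)"
  printf "after git fetch --tags: '%s'\n" "$(tags_after_fetch "$clone_dir" --tags)"
}
main
```

Running it prints an empty tag list after `--all` and `v9.9` after `--tags`; on a build machine that derives a version from `git describe` or a tag, that is exactly the difference between a correct and a stale version string.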
Indeed it seems to be a bug. In this case I recommend that you consult directly with Cloudflare support; sometimes there are errors that remain internally in your account and they can unbug it. Cloudflare Pages for the moment continues to improve its system; there are details to be corrected.
We upgraded our self-hosted gitlab-ce to the latest 11.11 which brings in multiple reviewer merge request approval feature. Although this needs to be explicitly enabled via gitlab-rails console.
On the machine running our gitlab instance, I ran gitlab-rails console and got to a ruby console where I put in Feature.enable(:approval_rules) and hit Enter but I get:
```text
>> Feature.enable(:approval_rules)
Nothing known about Feature.enable(
```
I do not have much experience with Ruby so I am not sure what I am doing wrong. I searched on the web but I found documentation on how to develop with Ruby's "feature flags" but not how to enable them as an end user of the application.
You can do it via the GitLab API.
POST to https://gitlab.myhost.com/api/v4/features/approval_rules with the payload
```json
{
  "value": true
}
```
https://docs.gitlab.com/ee/api/features.html
Additionally, I found that the new approval rules workflow was automatically enabled upon upgrading from 11.9 to 11.10, though my experience may be different. If you perform a GET to that API endpoint, you will be able to see its current status.
If it is already enabled, perhaps you may be mistaking the new approval rules implementation for the EE feature Multiple Approval Rules. I only mention it due to the -ce tag in your question.
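An added example, not part of the answer above, that wraps the two calls in a small POSIX shell script using curl: first read the flag's current state from `GET /api/v4/features`, then set it with the `POST /api/v4/features/:name` call shown in the answer. It assumes `GITLAB_URL` and `GITLAB_TOKEN` environment variables (names chosen here) holding the instance URL and an administrator token, which this endpoint requires; the response parser assumes the compact JSON key order the endpoint returns (`"name"` immediately followed by `"state"`), so it needs no JSON tool on the box.

```shell
#!/bin/sh
# Added example (not the answer's own code): inspect and toggle a GitLab
# instance feature flag through the /features API.
# Assumed environment: GITLAB_URL (e.g. https://gitlab.myhost.com) and
# GITLAB_TOKEN (an administrator's personal access token).
set -eu

# Builds an API URL, tolerating a trailing slash on the base URL.
api_url() {
  printf '%s/api/v4/%s\n' "${1%/}" "$2"
}

# Extracts the state ("on", "off" or "conditional") of feature $2 from the
# JSON list in $1. Assumes the key order "name","state" that the endpoint
# emits; prints nothing when the feature is not listed.
parse_feature_state() {
  printf '%s' "$1" | tr -d ' \n\t' |
    sed -n 's/.*"name":"'"$2"'","state":"\([a-z]*\)".*/\1/p'
}

# GET the whole feature list and print the state of one feature.
feature_state() {
  json=$(curl -sS --fail -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
    "$(api_url "$GITLAB_URL" features)")
  parse_feature_state "$json" "$1"
}

# POST {"value": true|false} to enable or disable one feature.
set_feature() {
  curl -sS --fail -X POST \
    -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
    -H 'Content-Type: application/json' \
    -d "{\"value\": $2}" \
    "$(api_url "$GITLAB_URL" "features/$1")"
}

# Usage (not executed here so the file can be sourced):
#   feature_state approval_rules        # prints e.g. off
#   set_feature approval_rules true     # enables it
#   feature_state approval_rules        # prints on
```

Checking the state before and after the POST is the quick way to confirm whether the flag was already on (as the answer suggests it may be after an upgrade) and that the change actually took effect.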
With GitLab 13.5 (October 2020), actual feature flags are available for all:
Feature Flags made available in all tiers
In GitLab 11.4, we introduced Feature Flags.
In GitLab 12.2, we introduced percent rollout and user ID Feature Flag strategies.
In GitLab 13.1, we introduced Feature Flag user lists and support for multiple Feature Flag strategies per environment.
Earlier this year, we committed to moving 18 features to our open source Core product and took the first step in delivering on this promise by making Feature Flags available in Starter in the last release.
Now we’ve officially finished moving Feature Flags to our Core offering. We’re excited about making these features available to more of the GitLab community and seeing the positive impact it’ll have on your development workflow.
See Documentation and Issue.
That includes, still with GitLab 13.5 (October 2020):
Feature Flags flexible rollout strategy
When you use the percent rollout strategy today, the stickiness, or the experience consistency, is determined only by the user ID. This can be limiting; as an example, anonymous users cannot be affected by this strategy.
We have improved this rollout strategy by enabling you to define the stickiness based on session ID, user ID, or at random (no stickiness). This gives you more control over the rollout and allows you to support stickiness for anonymous users.
See Documentation and Issue.
The feature flag API is more about creation/update/deletion.
You will have to use a feature flag strategy in order to enable/disable a feature flag.
```ruby
Feature.disable(:feature_flags_new_version)
Feature.enable(:feature_flags_new_version)
```
See also GitLab 13.6 (November 2020)
Fire Webhook on Feature Flag change
As a developer, you can use GitLab’s webhook features for various events, such as MR events, pipeline events, job events, and deployment events. In this release, you can now use webhook events when a feature flag is toggled either on or off. This addition streamlines the process to update your CI/CD pipelines, receive Slack notifications for events, and more. A huge thanks to Sashi for a great community contribution!
See Documentation and Issue.
I’m investigating alternatives in my projects for my team (20+ developers). I want something that can be run on a server and has auditing (check) that logs:

- Push
- Pull
- Clone of projects
I can’t find anything in the docs about this for GitLab community
Does anyone here know if these features are supported? or any plugin ?
Currently, the level of logging you're requesting has not been implemented in GitLab, but there are plans in place to implement it, though there is currently no estimated time of arrival.
Audit events are richer now, with GitLab 14.3 (September 2021)
Audit events for merge request approval setting changes
Audit events are now created if changes are made to the merge request approval settings
in a project. You can now see if a change is made to the following policies:
- Requiring user password for approvals.
- Allowing modifying merge request approvals in a merge request.
- Needing to get new approvals when a new commit is added to a merge request.
You can now be confident that once you configure approval settings, you can quickly see
if they are changed. This is a great way to show auditors that controls were put in place
and have not been removed or modified.
Thanks to Adrien Gooris from Michelin for this contribution!
See Documentation and Issue.
And GitLab 15.2 (July 2022) adds (for non-CE only)
Audit events for group-level merge request settings
GitLab now records additional audit events when changes are made to group-level merge request settings. These are in addition to project
audit events that record changes to the same settings on projects. Specifically, audit events are now created when changes are made to groups to:
- Prevent approval by author
- Prevent approvals by users who add commits
- Prevent editing approval rules in projects and merge requests.
- Require user password to approve
- Remove all approvals when commits are added to the source branch
These audit events can help you know that the settings and default configurations for your group-level merge request settings have been put in place correctly and that they have not been changed.
This is especially important because these group-level settings
will cascade down to child projects.
Governance and visibility over these changes will help you strengthen separation of duties and further simplify audits.
See Documentation and Issue.
GitLab 15.2 (July 2022) also proposes to audit a special kind of clone: forks.
But only for GitLab Ultimate, so again, not CE.
Streaming audit events for project forks
You can now monitor the project forking inside your groups with new audit events that are recorded whenever
a project is forked. This includes information such as:
- The user name of the user that forked the project.
- The timestamp of when the project was forked.
- Details of the forked project.
This gives you visibility on where your projects and source code are being copied to, and by
whom, so that you can take action if needed.
These events potentially generate a high volume of data, so they are only available as
streaming audit events.
Thank you Linjie Zhang for this contribution!
See Documentation and Issue.
Short version: In gitlab how do I view all issues resolved in a commit (or merge request) given that I close issues using git comments (e.g. 'fix #10')?
Long version: In case there is an alternative solution, what I'm ultimately trying to accomplish is this. Let's say a developer fixes 10 issues, commits, creates a merge request and deploys to the staging server. Now the QA team needs to know the list of issues that were released so that they can test them. I know this can be done by manually labeling each issue (or assigning a milestone). But since GitLab already knows what issues were resolved in a commit, it should be easy to view all issues associated with a commit/merge request. Is it possible to view them?