Fix "no open security advisories" rule #74
Labels
P2
Nice to fix: non-critical items that should be evaluated and planned during issue triage
Comments
evankanderson
added
the
P2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #72 the rule was updated to better reflect its functionality and to filter out "draft" GHSAs upon profile creation (this was done to keep it consistent with the GitHub webhooks).
There seems to be another problem with the rule, which is the following:
The profile correctly "fails" when a Triage GHSA is created, but never recovers from it if that exact GHSA is "closed" or accepted into "draft". Just to make it clear, there are 4 states a GHSA can be in: "triage", "draft", "published" and "closed". The ones that send a GitHub webhook event are "triage (reported)" and "published". The other two, do not.
Due to this, we don't bring the profile back to "Success" once a GHSA in "triage" is transferred to "closed" or accepted as a "draft", only when it's "published".
cc: @JAORMX
The text was updated successfully, but these errors were encountered: