Introduce the GitHub Advanced Security workflow #13828
Conversation
This can help to find security problems sooner.
This makes it consistent with the GitHub Advanced Security file and, more importantly, ensures that all steps have a proper name for better visibility.
|
Trivial since this is a minor fixup on the original PR, the workflows all pass and this forms the basis of more workflows. |
|
Is the intention now to basically "replace" the LGTM integration, by manually enabling the same rule-set in this new workflow? The reason for my question is that it feels a bit unfortunate to have two separate systems flagging (mostly) the same things, since we'll have deal with alert suppression twice now (which could be annoying and lead to inconsistencies). Also, should we perhaps go through the list in https://github.com/mozilla/pdf.js/security/code-scanning to decide/agree upon how to classify the listed alerts? |
For now the idea is that GitHub Advanced Security takes care of the security checks and LGTM takes care of the code quality checks. It might indeed be a good idea to replace LGTM later on and change GitHub Advanced Security to also enable the code quality suite, but since LGTM was just integrated it seemed best to defer that to a follow-up and to first get some experience with both tools; basically #13737 (comment) which I agree with. I'll file a follow-up issue to, now that the tooling is in place, take a look at the output and decide how to proceed. I'd be perfectly fine with replacing LGTM now and indeed classifying the current list that GitHub Advanced Security shows, especially since the latter is much easier to control given that alerts can be dismissed from the interface instead of needing to have comments in-code (which I find less ideal). |
Supersedes #13737.