
ci(go-ci): make dependency-review non-blocking#20

Merged
felixgeelhaar merged 1 commit into
mainfrom
chore/go-ci-depreview-nonblocking
Jun 22, 2026

Conversation

@felixgeelhaar

Contributor

The dependency-review action fails hard with "Dependency review is not supported on this repository" when a repo's Dependency Graph isn't available — blocking adoption of the shared workflow on newer/org-restricted repos (hit while rolling go-ci out to the rollops-plugin repos).

nox's OSV scan (Security job) is the org's gating dependency-CVE source of truth, so dependency-review is supplementary. Marking it continue-on-error: true keeps the GitHub advisory view where the graph exists and skips (not fails) where it doesn't. No caller changes.

The dependency-review action errors hard ('not supported on this
repository') when a repo's Dependency Graph isn't available — which blocks
adoption of the shared workflow on newer/restricted repos. nox's OSV check
is the org's gating dependency-CVE source of truth; dependency-review is
supplementary, so mark it continue-on-error: report where the graph exists,
skip (not fail) where it doesn't.
Copilot AI review requested due to automatic review settings June 22, 2026 08:30
@felixgeelhaar felixgeelhaar merged commit 1fad1d9 into main Jun 22, 2026
1 check passed
@felixgeelhaar felixgeelhaar deleted the chore/go-ci-depreview-nonblocking branch June 22, 2026 08:30

Copilot AI left a comment


Pull request overview

This PR updates the shared Go CI workflow to ensure the Dependency Review job doesn’t block PRs on repositories where GitHub’s Dependency Graph (and therefore dependency-review) isn’t supported, aligning with the org’s primary gating CVE signal coming from the nox OSV scan.

Changes:

  • Marks the dependency-review job as non-blocking via continue-on-error: true.
  • Adds inline documentation explaining why dependency-review is supplementary and why failures shouldn’t block adoption.


Comment on lines +198 to 201
continue-on-error: true
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
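Review bot: `continue-on-error: true` at the job level (line 198) masks every failure of `actions/dependency-review-action`, not only the "Dependency review is not supported on this repository" case the description targets, so a genuine vulnerable-dependency finding on a repo where the Dependency Graph is enabled also reports the job as passed. Given the description's position that nox's OSV scan is the gating source of truth this is an accepted trade-off, but the inline comment should say explicitly that findings from this job are informational only, and it is worth checking on one graph-enabled repo that the action's advisory output is still visible in the PR after this change, since nothing in the check status will now draw attention to it.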