ci(go-ci): drop dependency-review job (nox OSV owns dep CVEs)#21

Merged: felixgeelhaar merged 1 commit into main from chore/go-ci-drop-depreview on Jun 22, 2026

Conversation

@felixgeelhaar (Contributor)

Supersedes the continue-on-error band-aid (#20). Removes the GitHub dependency-review job from the reusable:

  • Redundant: nox's OSV scan (Security job) is the org's single dependency-CVE source of truth — golangci.reference.yml's security note already states nox owns deps. dependency-review was a second, overlapping tool.
  • Breaks adoption: the action errors hard ("Dependency review is not supported on this repository") on repos without a Dependency Graph — surfaced while rolling go-ci out to the 10 rollops-plugin repos.
  • Cheaper: one fewer job per PR across every adopter.

Dependency-CVE gating stays with nox. No caller changes.

dependency-review duplicated nox's OSV scan, which the org designates as
the single dependency-CVE source of truth (golangci.reference.yml security
note). It also errors hard ('not supported on this repository') on repos
without a Dependency Graph, blocking adoption of this workflow. Remove it;
one fewer billable job per PR and dep-CVE gating stays with nox.
Copilot AI review requested due to automatic review settings June 22, 2026 08:35
@felixgeelhaar felixgeelhaar merged commit 32d893a into main Jun 22, 2026
1 check passed
@felixgeelhaar felixgeelhaar deleted the chore/go-ci-drop-depreview branch June 22, 2026 08:36

Copilot AI left a comment

Pull request overview

Removes the dependency-review job from the reusable Go CI workflow to avoid redundant dependency-CVE scanning (owned org-wide by the nox OSV scan) and to prevent hard failures in repositories without GitHub Dependency Graph support.

Changes:

  • Deleted the dependency-review job from .github/workflows/go-ci.yml.
  • Added an inline note documenting why dependency-CVE gating is routed exclusively through nox.
