
chore: introduce Dependency Management Policy (DEPENDENCIES.md) #10066

Merged: sxd merged 4 commits into main from dev/10063 on Feb 26, 2026

Conversation

@gbartolini (Contributor) commented Feb 25, 2026

Descriptive statement of how we select, obtain, and track our dependencies to ensure supply chain integrity.

Assisted-by: Google Gemini

Closes #10063

@gbartolini gbartolini requested a review from a team as a code owner February 25, 2026 10:35
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 25, 2026
@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.27 release-1.28 labels Feb 25, 2026
@github-actions (Contributor) commented:

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this PR, remove the label backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this PR to a certain release branch, remove the specific branch label: release-x.y

@dosubot dosubot bot added the chore Intangible work to reduce technical debt label Feb 25, 2026
@gbartolini gbartolini force-pushed the dev/10063 branch 2 times, most recently from 7cea680 to 59a5f25 Compare February 25, 2026 10:37
DEPENDENCIES.md (outdated revision), review comment on lines +37 to +38:

    triggers automated scans using [Snyk](https://snyk.io/),
    [Trivy](https://github.com/aquasecurity/trivy), and

Member commented:

We do not have Trivy scan yet in this repository. We will add it soon, but I think we should stick to what we have right now, so I propose to remove the Trivy mention.

Member replied:

I've created #10077, which could probably help?

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Feb 25, 2026
@mnencia (Member) commented Feb 25, 2026

/ok-to-merge

@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label Feb 25, 2026
@sxd (Member) left a review comment:

Left a couple of comments

gbartolini and others added 4 commits February 26, 2026 10:30
Descriptive statement of how we select, obtain, and track our dependencies to
ensure supply chain integrity.

Assisted-by: Google Gemini

Closes #10063

Signed-off-by: Gabriele Bartolini <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Signed-off-by: Gabriele Bartolini <[email protected]>
Signed-off-by: Gabriele Bartolini <[email protected]>
@sxd sxd merged commit 48e370c into main Feb 26, 2026
23 of 26 checks passed
@sxd sxd deleted the dev/10063 branch February 26, 2026 10:07
cnpg-bot pushed a commit that referenced this pull request Feb 26, 2026
…0066)

Descriptive statement of how we select, obtain, and track our
dependencies to ensure supply chain integrity.

Assisted-by: Google Gemini

Closes #10063

Signed-off-by: Gabriele Bartolini <[email protected]>
Signed-off-by: Marco Nenciarini <[email protected]>
Co-authored-by: Marco Nenciarini <[email protected]>
(cherry picked from commit 48e370c)
cnpg-bot pushed a commit that referenced this pull request Feb 26, 2026
(cherry picked from commit 48e370c; same commit message as above)
cnpg-bot pushed a commit that referenced this pull request Feb 26, 2026
(cherry picked from commit 48e370c; same commit message as above)

Labels

  • backport-requested ◀️ This pull request should be backported to all supported releases
  • chore Intangible work to reduce technical debt
  • lgtm This PR has been approved by a maintainer
  • ok to merge 👌 This PR can be merged
  • release-1.25
  • release-1.27
  • release-1.28
  • size:M This PR changes 30-99 lines, ignoring generated files.


Linked issue (closed by this pull request): [Security Slam 26] Achievement 2 - Create Dependency Management Policy (DEPENDENCIES.md)

4 participants