Here is a link to a PDF containing my full response regarding PR usage.

https://drive.google.com/file/d/12sHfOyXyU1fJzxvd5dBQRqAD6d9l4CBI/view?usp=sharing

Most of the security and code quality tools are server based these days,
and licensed. CodeQL is owned by GitHub who make its use available for free
to public repositories in GH; others, like SonarQube (owned by JetBrains)
also make it available via GH Actions for no fee for public repositories. I
am planning to configure our repos to also use SonarQube in addition to
CodeQL via GH Actions. I can't speak to their availability to the community
for local installations.

I don't think we will have any trouble with PRs being blocked by 3rd party
analysis tools, unless we choose to do so. So at this point, I'm not
worried about PRs being blocked without any recourse on our part.

On Wed, Mar 8, 2023 at 2:58 AM Simon Steiner <simonsteiner1...@gmail.com>
wrote:

> Hi,
>
> The images in your email are not displaying for me.
> Can we run these security/quality checking tools locally?
> I am not sure we should block all PRs based on new CVEs being released
> which may require lots of work to upgrade dependencies.
>
> Thanks
>
> -----Original Message-----
> From: Simon Steiner <simonsteiner1...@gmail.com>
> Sent: 07 March 2023 20:50
> To: general@xmlgraphics.apache.org
> Subject: RE: [GitMigration] Rename Git Mirrors for XML Graphics Project
>
> Hi,
>
> We are seeing so many emails after using the PR system today that it's hard
> to review changes.
>
> Thanks
>
> -----Original Message-----
> From: Simon Steiner <simonsteiner1...@gmail.com>
> Sent: 07 March 2023 20:49
> To: general@xmlgraphics.apache.org
> Subject: RE: [GitMigration] Rename Git Mirrors for XML Graphics Project
>
> Hi,
>
> I think the overhead it adds, issues around CI failing for reasons
> outside of your control.
> Can you rerun GitHub PR CI if it fails?
> If you're changing something that won't affect CI such as a small typo,
> documentation?
>
> For large changes it is good to open a code review.
>
> Thanks
>
> -----Original Message-----
> From: Glenn Adams <gl...@skynav.com>
> Sent: 07 March 2023 20:33
> To: general@xmlgraphics.apache.org
> Subject: Re: [GitMigration] Rename Git Mirrors for XML Graphics Project
>
> I haven't done that yet, though I would like to do so. There are a variety
> of reasons for requiring PRs, including
>
>    - ensure that GitHub actions, such as build, test, analyze, are
>    completed (in PR branch) successfully before merging into main
>    - ensure that PR conversation (including discussion resolution) and
>    changes are recorded and retained for future reference
>    - enable (optional) review processing, should it be desired
>
> Given that it takes only a few mouse clicks in GH to create a PR from a
> commit on a private branch, is there any reason we shouldn't use PRs for
> all prospective merges? We should take advantage of the tools gained from
> migrating to Git, yes?
>
> On Tue, Mar 7, 2023 at 12:47 PM Simon Steiner <simonsteiner1...@gmail.com>
> wrote:
>
> > Glenn are you making PRs required for the git repos, should this go
> > thru a vote before being implemented?
> >
