Skip to content

Revert "chore: Revert updates to honor maintenance mode " #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
FidelusAleksander wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Revert "chore: Revert updates to honor maintenance mode " #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .github/steps/-step.txt
View file
Open in desktop

This file was deleted.

1 change: 0 additions & 1 deletion .github/steps/0-welcome.md
View file
Open in desktop

This file was deleted.

24 changes: 13 additions & 11 deletions .github/steps/1-dependency-graph.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
## Step 1: Review and add dependencies using dependency graph

_Welcome to "Secure your repository's supply chain"! :wave:_

**What's the big deal about securing your repository's supply chain?**: With the accelerated use of open source, most projects depend on hundreds of open-source dependencies. This poses a security problem: what if the dependencies you're using are vulnerable? You could be putting your users at risk of a supply chain attack. One of the most important things you can do to protect your supply chain is to patch your vulnerable dependencies and replace any malware.

GitHub offers a range of features to help you understand the dependencies in your environment, know about vulnerabilities in those dependencies, and patch them. The supply chain features on GitHub are:
Expand All @@ -22,28 +20,32 @@ GitHub offers a range of features to help you understand the dependencies in you

**We recommend opening another browser tab to work through the following activities so you can keep these instructions open for reference.**

Dependency graph is enabled by default for all new public repositories. If you're working in a public repository, you can go straight to "Activity 1.2: Add a new dependency and view your dependency graph." For private or internal repositories, you'll need to enable Dependency graph.
>[!NOTE]
> Dependency graph is enabled by default for all new public repositories.

1. Navigate to the **Settings** tab.
1. Click **Code security and analysis**.
1. **Enable** "Dependency graph."
1. Click **Advanced Security**.
1. Verify **Dependency Graph** is **Enabled**

### :keyboard: Activity 1.2: Add a new dependency and view your dependency graph

1. Navigate to the **Code** tab and locate the `code/src/AttendeeSite` folder.
1. Add the following content to the `package-lock.json` file after the third to last bracket `}` and before the last two brackets.
```
,
1. Commit the following content on the `main` branch to the `package-lock.json` file as the last item on the `dependencies` map _(after the third to last bracket `}` and before the last two brackets)_

> 🪧 **Note:** You can edit and commit the file on github.com directly or hit the `.` key to open the lightweight editor to edit and commit changes.

```json
,
"follow-redirects": {
"version": "1.14.1",
"resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.1.tgz",
"integrity": "sha512-HWqDgT7ZEkqRzBvc2s64vSZ/hfOceEol3ac/7tKwzuvEyWx3/4UegXh5oBOIotkGsObyk3xznnSRVADBgWSQVg=="
}
```
```

1. Navigate to the **Insights** tab.
1. Select **Dependency graph** from the side navigation bar.
1. Review all the dependencies on the **Dependencies** tab.
1. Search for `follow-redirects` and review the new dependency you just added.
![Screen Shot showing the "follow-redirects" dependency.](https://user-images.githubusercontent.com/6351798/196288729-734e3319-c5d7-4f35-a19c-676c12f0e27d.png)

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.
1. With the new dependency added, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
9 changes: 5 additions & 4 deletions .github/steps/2-dependabot-alerts.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,9 @@ _Nice work! :tada: You added and viewed a dependency using Dependency graph!_

Given how many dependencies our repository uses, maintaining them needs to become an automated task. Keeping our code secure is a top priority, so the first thing we need to do is set up a way to be notified when a dependency we are using is vulnerable or malware. We can do this by enabling Dependabot alerts.

**What are Dependabot alerts?**: Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.
**What are Dependabot alerts?**

Dependabot alerts tell you that your code depends on a package that is insecure. These Dependabot alerts reference the [GitHub Advisory Database](https://github.com/advisories), which contains a list of known security vulnerabilities and malware, grouped in two categories: **GitHub reviewed advisories** and **unreviewed advisories**.

If your code depends on a package that has a security vulnerability, this can cause a range of problems for your project or the people who use it. You should upgrade to a secure version of the package as soon as possible. If your code uses malware, you need to replace the package with a secure alternative.

Expand All @@ -24,7 +26,7 @@ Let's enable Dependabot alerts on our repository!
### :keyboard: Activity 2.2: Enable Dependabot alerts

1. Navigate to the **Settings** tab.
1. Display the settings for **Code security and analysis**.
1. Display the settings for **Advanced Security**.
1. **Enable** Dependabot alerts.
1. **Wait about 60 seconds for Dependabot to check for alerts.**
1. Navigate to the **Security** tab.
Expand All @@ -42,5 +44,4 @@ Let's see how this would work by using Dependabot to create a pull request for o
1. Click the **Review security update** button to display the pull request.
- You can view the pull request and **Files changed** tab to review the update.
1. Navigate back to the **Conversation** tab and merge the pull request.

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.
1. With the pull request merged, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
14 changes: 8 additions & 6 deletions .github/steps/3-dependabot-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,17 @@ _Nice work enabling, viewing, and creating Dependabot alerts :sparkles:_

Enabling Dependabot alerts on our repository was a great step toward improving our code security, but we still had to manually select an alert and then manually select the option to create the pull request. It would be nice to further improve the automation and maintenance of our dependencies! Well, with Dependabot security updates, we can do just that.

**What are Dependabot security updates?**: When this feature is enabled, Dependabot detects *and* fixes vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts.
**What are Dependabot security updates?**

When this feature is enabled, Dependabot detects *and* fixes vulnerable dependencies for you by opening pull requests automatically to resolve Dependabot alerts.

We manually created a pull request to fix the "Prototype Pollution in minimist" alert, but let's enable Dependabot security updates to automate this process for future alerts!

### :keyboard: Activity 3.1: Enable and trigger Dependabot security updates

1. Navigate to the **Settings** tab and select **Code security and analysis**.
1. Enable Dependabot security updates. You may need to wait 30-60 seconds before you see any new pull requests.
1. Navigate to the **Pull requests** repository tab and select the newly created pull request that updates axios from version 0.21.1 to a patched version.
1. Navigate to the **Settings** tab and select **Advanced Security**.
1. Enable **Dependabot security updates**. You may need to wait 30-60 seconds before you see any new pull requests.
1. Navigate to the **Pull requests** repository tab to view the what Dependabot has found.
Copy link

Copilot AI Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grammar: “to view the what Dependabot has found” should be “to view what Dependabot has found”.

Suggested change
1. Navigate to the **Pull requests** repository tab to view the what Dependabot has found.
1. Navigate to the **Pull requests** repository tab to view what Dependabot has found.

Copilot uses AI. Check for mistakes.
1. Find the new pull request that requests to patch the **axios** dependency.
1. Review and merge the pull request.

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update this page to display the next step.
1. With the pull request merged, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.
27 changes: 15 additions & 12 deletions .github/steps/4-dependabot-versions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@ _Nicely done!_ :partying_face:

You now have automated the process for Dependabot to alert you to vulnerabilities with your dependencies and to create pull requests to update them to secure versions! At this point, you only need to review the pull request and then merge it to stay on top of security problems with Dependencies.

> [!NOTE]
> Did you notice that there were several pull requests suggested by Dependabot? You only merged the one related to the **axios** dependency, but the others disappeared from the **Pull requests** panel. That's because the upgrade of the axios dependency triggered changes of other transitive dependencies, that might be either removed or updated to other versions. Whenever there is a change in your dependency graph, Dependabot will automatically review the existing pull requests and close the ones that are no longer relevant. So don't merge everything at once, let Dependabot do the job for you!
<img width="955" alt="Screenshot showing that the axios PR was merged and that the 2 others were closed" src="https://github.com/user-attachments/assets/6c97f90b-c6e2-4865-b1eb-dd7053383f07" />


The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can also automate pull request generation for updated versions of dependencies using the Dependabot version updates feature.

**What are Dependabot version updates?**: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Similar to security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.
Expand All @@ -12,16 +17,11 @@ Let's see how this works!

### :keyboard: Activity 4.1: Enable and trigger Dependabot version updates

1. Navigate to the **Settings** tab and select **Code security and analysis**.
1. Locate "Dependabot version updates" and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
1. Navigate to the **Settings** tab and select **Advanced Security**.
1. Locate **Dependabot version updates** and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
Copy link

Copilot AI Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: “pre-poplulated” should be “pre-populated”.

Suggested change
1. Locate **Dependabot version updates** and click **Configure** to open a new file editor with pre-poplulated contents. The file is called `dependabot.yml`.
1. Locate **Dependabot version updates** and click **Configure** to open a new file editor with pre-populated contents. The file is called `dependabot.yml`.

Copilot uses AI. Check for mistakes.
1. Notice that the file is prepopulated to update the GitHub actions in the repository, the `github-actions` package ecosystem.
1. Copy the lines that define the GitHub actions updates and append them to the file.
1. Edit your copy of the content:
- Change the `package-ecosystem` to `nuget`.
- Change the `directory` to `/code/`.
- Change the `interval` to `weekly`.

The `dependabot.yml` file should now look like this.
1. Edit your `dependabot.yml` configuration file to include another entry. It should look like:

```yaml
version: 2
updates:
Expand All @@ -33,11 +33,14 @@ Let's see how this works!
directory: "/code/"
schedule:
interval: "weekly"
```
```

> 💡 **Tip:** While, you can edit and commit a file directly on github.com, you can also press the period key `.` to open a lightweight VS Code editor directly in browser.

1. Commit your changes directly to the `main` branch.
1. With the configuration file updated, Mona should already be busy checking your work. Give her a moment and keep watch in the comments. You will see her respond with progress info and the next lesson.

You have now configured Dependabot version updates to run and check for updates as follows:

- Check once a month for updates to GitHub Actions and create pull requests to update any that are out of date.
- Check once a week for updates to .NET packages and create pull requests to update any that are out of date. By default, this check runs on a Monday, to run the check on a different day, see [schedule.day](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleday).

Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to display the next step.
10 changes: 4 additions & 6 deletions .github/steps/X-finish.md → .github/steps/x-review.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
## Finish
## Review

_Congratulations friend, you've completed this course!_

<img src="https://octodex.github.com/images/welcometocat.png" alt=celebrate width=300 align=right>
_Congratulations, you've completed this exercise and learned a lot securing your supply chain!_

<img src="https://octodex.github.com/images/jetpacktocat.png" alt="celebrate" width=200 align=right>
Here's a recap of all the tasks you've accomplished in your repository:

- You've learned how to view and use dependency graph.
Expand All @@ -22,7 +21,6 @@ Here's a recap of all the tasks you've accomplished in your repository:
### What's next?

- Learn more about securing your supply chain by reading: [Securing your supply chain](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security).
- [We'd love to hear what you thought of this course](https://github.com/skills/.github/discussions).
- [Learn another GitHub skill](https://github.com/skills).
- Check out other security focused [GitHub Skills exercises](https://skills.github.com/#code-security-and-analysis).
- [Read the Get started with GitHub docs](https://docs.github.com/en/get-started).
- To find projects to contribute to, check out [GitHub Explore](https://github.com/explore).
89 changes: 89 additions & 0 deletions .github/workflows/0-start-exercise.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
name: Step 0 # Start Exercise

on:
push:
branches:
- main

permissions:
contents: write # Update Readme
actions: write # Disable/enable workflows
issues: write # Create issue and comment on issues

env:
STEP_1_FILE: ".github/steps/1-dependency-graph.md"

jobs:
disable_workflows:
name: Disable workflows
runs-on: ubuntu-latest

Comment on lines +17 to +20
Copy link

Copilot AI Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The disable_workflows job runs unconditionally on every push to main, including in the template repository. Since it calls gh workflow disable across .github/workflows, merging this will disable the workflows in the template repo itself. Add the same if: !github.event.repository.is_template guard (and/or a more specific condition) to this job so workflow disabling only occurs in learner copies.

Copilot uses AI. Check for mistakes.
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Disable all workflows
run: |
workflows=$(git ls-files .github/workflows | grep -E '\.yml$|\.yaml$')
for workflow in $workflows; do
workflow_name=$(basename "$workflow")
gh workflow disable "$workflow_name" || true
done
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

start_exercise:
if: |
!github.event.repository.is_template
name: Start Exercise
uses: skills/exercise-toolkit/.github/workflows/start-exercise.yml@v0.6.0
with:
exercise-title: "Secure your Repository's Supply Chain"
intro-message: "Let's explore how to secure your repository's supply chain, understand dependencies in your environment, and find vulnerabilities in those dependencies and patch them. 💻✨"

post_next_step_content:
name: Post next step content
runs-on: ubuntu-latest
needs: [start_exercise]
env:
ISSUE_URL: ${{ needs.start_exercise.outputs.issue-url }}

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Get response templates
uses: actions/checkout@v4
with:
repository: skills/exercise-toolkit
path: exercise-toolkit
ref: v0.6.0

- name: Build comment - add step content
id: build-comment
uses: skills/action-text-variables@v2
with:
template-file: "${{ env.STEP_1_FILE }}"
template-vars: |
full_repo_name: "${{ github.repository }}"
- name: Create comment - add step content
run: |
gh issue comment "$ISSUE_URL" \
--body "$ISSUE_BODY"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_BODY: ${{ steps.build-comment.outputs.updated-text }}

- name: Create comment - watching for progress
run: |
gh issue comment "$ISSUE_URL" \
--body-file exercise-toolkit/markdown-templates/step-feedback/watching-for-progress.md
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Disable current workflow and enable next one
run: |
gh workflow enable "Step 1"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
63 changes: 0 additions & 63 deletions .github/workflows/0-welcome.yml
View file
Open in desktop

This file was deleted.

Loading