
Enable security vulnerability alerts for all repos #5

Open
icemac opened this issue May 3, 2019 · 4 comments

Comments

@icemac
Member

icemac commented May 3, 2019

See https://github.blog/changelog/2019-05-01-sample-of-how-to-enable-security-vulnerability-alerts-for-organizations/

@mgedmin
Member

mgedmin commented May 3, 2019

Two thoughts:

  • I wonder how useful GitHub security alerts will be to us, because it's mostly based on parsing version pins in requirements.txt files, and we don't use those much

  • this might be an interesting/useful sample of using the GitHub API to adjust the settings of multiple repositories, with node.js, if we decide to ditch zope.githubsupport and start from scratch using a different language?

@fgregg

fgregg commented May 3, 2019

From my experience, github also parses setup.py's install_requires

@icemac
Member Author

icemac commented May 6, 2019

@mgedmin I've never heard of zope.githubsupport. Is it able to do more than creating and migrating repos?

@mgedmin
Member

mgedmin commented May 6, 2019

> @mgedmin I've never heard of zope.githubsupport. Is it able to do more than creating and migrating repos?

All of my experience with it was zopefoundation/zope.githubsupport#1, where I learned about its existence, about the fact that it could configure GitHub webhooks for Travis CI integration, about how it was doing that incorrectly, and about the updaterepos command that can update existing repos. I then promptly forgot everything and am currently feeling very grateful to myself for writing out what I found and what I ran in the comments of that issue.

Any attempt to make further use of it would involve reading the source code again to figure out what it does and how, and ideally creating some documentation.

TL;DR: it can enumerate all GH repositories for the zopefoundation organisation and perform GitHub API requests for them using an auth token, so that's like 90% of the job right there.
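As an added example that is not code from this thread or from zope.githubsupport, here is the node.js approach mgedmin mentions: enumerate the organisation's repositories with an auth token and enable vulnerability alerts on each of them through the GitHub API. The org name, the environment variable names and the dry-run default are assumptions.

```javascript
// Added example, not code from the thread or from zope.githubsupport: turn on
// vulnerability alerts for every repo in a GitHub organisation, as sketched above.
// Assumes Node 18+ (global fetch) and a token with admin rights on the repos.
// Endpoints: GET /orgs/{org}/repos, PUT /repos/{owner}/{repo}/vulnerability-alerts
// (in 2019 the PUT needed the "dorian-preview" Accept header to be enabled).
const API = "https://api.github.com";

// Pull the rel="next" URL out of GitHub's Link header; null on the last page.
function nextPageUrl(linkHeader) {
  const m = (linkHeader || "").match(/<([^>]+)>;\s*rel="next"/);
  return m ? m[1] : null;
}

// Build the request that enables alerts on one repo (pure, so it is easy to review).
function enableAlertsRequest(owner, repo, token) {
  return {
    url: `${API}/repos/${owner}/${repo}/vulnerability-alerts`,
    options: {
      method: "PUT",
      headers: { Authorization: `token ${token}`, Accept: "application/vnd.github.dorian-preview+json" },
    },
  };
}

// Walk every page of the org's repos, skip archived ones, enable alerts on the rest.
// fetchImpl is injectable so the logic can be exercised offline; dryRun only plans.
async function enableAlertsForOrg(org, token, { fetchImpl = globalThis.fetch, dryRun = false } = {}) {
  const results = [];
  let url = `${API}/orgs/${org}/repos?per_page=100&type=all`;
  while (url) {
    const res = await fetchImpl(url, { headers: { Authorization: `token ${token}` } });
    if (!res.ok) throw new Error(`listing repos for ${org} failed: HTTP ${res.status}`);
    for (const r of await res.json()) {
      if (r.archived) { results.push({ repo: r.name, status: "skipped-archived" }); continue; }
      if (dryRun) { results.push({ repo: r.name, status: "planned" }); continue; }
      const req = enableAlertsRequest(org, r.name, token);
      const put = await fetchImpl(req.url, req.options);
      // 204 means enabled; anything else is recorded per repo rather than aborting the run.
      results.push({ repo: r.name, status: put.status === 204 ? "enabled" : `error-${put.status}` });
    }
    url = nextPageUrl(res.headers.get("Link"));
  }
  return results;
}

// Usage: ALERTS_ORG=zopefoundation GITHUB_TOKEN=... node enable-alerts.js (dry run unless APPLY=1).
if (process.env.ALERTS_ORG) {
  enableAlertsForOrg(process.env.ALERTS_ORG, process.env.GITHUB_TOKEN, { dryRun: process.env.APPLY !== "1" })
    .then((r) => console.table(r), (e) => { console.error(e.message); process.exit(1); });
}
```

Run it once in dry-run mode to see the plan per repository, then with APPLY=1; a non-204 response is reported per repo so a missing permission on one repository does not hide what happened to the others.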


3 participants