forked from cosmos/cosmos-sdk
-
Notifications
You must be signed in to change notification settings - Fork 0
41 lines (39 loc) · 1.15 KB
/
dependencies-review.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: "Dependency Review"
on:
workflow_dispatch:
pull_request:
types:
- opened
- synchronize
- reopened
paths:
- "**/*.go"
- "go.mod"
- "go.sum"
- "**/go.mod"
- "**/go.sum"
- "**/Makefile"
- "Makefile"
merge_group:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: "Checkout Repository"
uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: "1.23"
check-latest: true
- name: "Dependency Review"
uses: actions/dependency-review-action@v4
with:
base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
fail-on-severity: high # otherwise we fail on ourselves due to https://github.com/advisories/GHSA-qfc5-6r3j-jj22, https://github.com/advisories/GHSA-w44m-8mv2-v78h TODO(@julienrbrt) submit a PR to the action to ignore packages
- name: "Dependency audit"
run: ./scripts/dep-assert.sh
- name: "Go vulnerability check"
run: make vulncheck