-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from the-control-group/infrastructure/update-de…
…pendency_review.yml INFRASTRUCTURE: update - dependency_review.yml
- Loading branch information
Showing
1 changed file
with
14 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,41 +1,21 @@ | ||
| # This workflow runs `actions/dependency-review-action`. | ||
| # - [Dependency Review](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) is a supply-chain security feature of [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security). | ||
| # | ||
| # This is intended to help identify and block the use of low-quality open-source packages. | ||
| # Many acceptance rules may be evaluated and result in a pass/fail status for PRs that update this repo's dependency tree. | ||
| # For example, a package may be automatically blocked if it: | ||
| # - Is found to have a known vulnerability | ||
| # - Contains licensing requirements that are incompatible with the licensing policies set forth in our Engineering Standards documentation | ||
| # - Has an overall quality score that is deemed to be too low | ||
| # | ||
| # Additionally, this workflow will highlight changes to the dependency tree in its related PR. | ||
| # This empowers developers and reviewers to make informed decisions about changes to the project's library dependencies. | ||
| # | ||
| # To provide adequate guardrails for developers, | ||
| # this workflow must be standardized across many (or all) repositories across the organization. | ||
| # Consequently changes to this workflow will need to be reviewed and approved at the organization level, | ||
| # so that updates can be synchronized across all org repositories in a consistent manner. | ||
| name: 'Dependency Review' | ||
| name: "Dependency Review" | ||
| on: [pull_request] | ||
|
|
||
| # NOTE: THIS CONFIGURATION REDUCES THE PERMISSIONS OF THIS GITHUB ACTION. | ||
| # -------------------------------------------------------------------------------------------------------------------- | ||
| # See: | ||
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | ||
| # -------------------------------------------------------------------------------------------------------------------- | ||
| # Explicitly adds `pull-requests: write` so that this action can update a PR. | ||
| # Retains `contents: read` for repo analysis. | ||
| # All other permissions are withheld. | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| # This workflow runs `actions/dependency-review-action` from the `reusable-github-workflows` repo. | ||
| # This resuable workflow approach is intended to speed up the process of deploying license updates | ||
| jobs: | ||
| dependency-review: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: 'Checkout Repository' | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: 'Dependency Review' | ||
| uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 | ||
| with: | ||
| comment-summary-in-pr: always | ||
| fail-on-scopes: runtime, development, unknown | ||
| allow-licenses: >- | ||
| MIT, | ||
| Apache-2.0, | ||
| ISC, | ||
| BSD-3-Clause, | ||
| BSD-2-Clause | ||
| dependency_review: | ||
| uses: the-control-group/reusable-github-workflows/.github/workflows/dependency_review.yml@ga |