-
Notifications
You must be signed in to change notification settings - Fork 6
41 lines (39 loc) · 2.11 KB
/
dependency_review.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# This workflow runs `actions/dependency-review-action`.
# - [Dependency Review](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) is a supply-chain security feature of [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security).
#
# This is intended to help identify and block the use of low-quality open-source packages.
# Many acceptance rules may be evaluated and result in a pass/fail status for PRs that update this repo's dependency tree.
# For example, a package may be automatically blocked if it:
# - Is found to have a known vulnerability
# - Contains licensing requirements that are incompatible with the licensing policies set forth in our Engineering Standards documentation
# - Has an overall quality score that is deemed to be too low
#
# Additionally, this workflow will highlight changes to the dependency tree in its related PR.
# This empowers developers and reviewers to make informed decisions about changes to the project's library dependencies.
#
# To provide adequate guardrails for developers,
# this workflow must be standardized across many (or all) repositories across the organization.
# Consequently changes to this workflow will need to be reviewed and approved at the organization level,
# so that updates can be synchronized across all org repositories in a consistent manner.
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 'Dependency Review'
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
with:
comment-summary-in-pr: always
fail-on-scopes: runtime, development, unknown
allow-licenses: >-
MIT,
Apache-2.0,
ISC,
BSD-3-Clause,
BSD-2-Clause