INFRASTRUCTURE: update - dependency_review.yml

.github/workflows/dependency_review.yml

@@ -1,41 +1,21 @@
-# This workflow runs `actions/dependency-review-action`.
-# - [Dependency Review](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) is a supply-chain security feature of [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security).
-#
-# This is intended to help identify and block the use of low-quality open-source packages.
-# Many acceptance rules may be evaluated and result in a pass/fail status for PRs that update this repo's dependency tree.
-# For example, a package may be automatically blocked if it:
-#  - Is found to have a known vulnerability
-#  - Contains licensing requirements that are incompatible with the licensing policies set forth in our Engineering Standards documentation
-#  - Has an overall quality score that is deemed to be too low
-#
-# Additionally, this workflow will highlight changes to the dependency tree in its related PR.
-# This empowers developers and reviewers to make informed decisions about changes to the project's library dependencies.
-#
-# To provide adequate guardrails for developers,
-# this workflow must be standardized across many (or all) repositories across the organization.
-# Consequently changes to this workflow will need to be reviewed and approved at the organization level,
-# so that updates can be synchronized across all org repositories in a consistent manner.
-name: 'Dependency Review'
+name: "Dependency Review"
 on: [pull_request]
 
+# NOTE: THIS CONFIGURATION REDUCES THE PERMISSIONS OF THIS GITHUB ACTION.
+# --------------------------------------------------------------------------------------------------------------------
+# See:
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# --------------------------------------------------------------------------------------------------------------------
+# Explicitly adds `pull-requests: write` so that this action can update a PR.
+# Retains `contents: read` for repo analysis.
+# All other permissions are withheld.
+
 permissions:
   contents: read
   pull-requests: write
 
+# This workflow runs `actions/dependency-review-action` from the `reusable-github-workflows` repo.
+# This resuable workflow approach is intended to speed up the process of deploying license updates
 jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    steps:
-      - name: 'Checkout Repository'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
-        with:
-          comment-summary-in-pr: always
-          fail-on-scopes: runtime, development, unknown
-          allow-licenses: >-
-            MIT,
-            Apache-2.0,
-            ISC,
-            BSD-3-Clause,
-            BSD-2-Clause
+  dependency_review:
+    uses: the-control-group/reusable-github-workflows/.github/workflows/dependency_review.yml@ga