|
| 1 | +# =============================================================== |
| 2 | +# 🔍 Dependency-Review Workflow – Vulnerabilities ⬧ Licenses |
| 3 | +# =============================================================== |
| 4 | +# |
| 5 | +# This workflow: |
| 6 | +# • Diffs any dependency changes introduced by pushes or PRs to `main` |
| 7 | +# • **Fails** when a change introduces either of the following: |
| 8 | +# ↳ A vulnerability of severity ≥ MODERATE |
| 9 | +# ↳ A dependency under a "strong-copyleft" license incompatible |
| 10 | +# with this project’s Apache-2.0 license (see deny-list below) |
| 11 | +# • Uploads a SARIF report to "Security → Dependency review" |
| 12 | +# • Adds (or overwrites) a comment on the PR **only on failure** |
| 13 | +# |
| 14 | +# References |
| 15 | +# ────────── |
| 16 | +# • Marketplace: https://github.com/marketplace/actions/dependency-review |
| 17 | +# • Source code: https://github.com/github/dependency-review-action (MIT) |
| 18 | +# |
| 19 | +# NOTE ▸ The action is designed for PR events, but it can also run on |
| 20 | +# push & schedule if you supply explicit `base-ref` / `head-ref` |
| 21 | +# (see bottom of `with:` block). |
| 22 | +# =============================================================== |
| 23 | + |
| 24 | +name: Dependency Review |
| 25 | + |
| 26 | +on: |
| 27 | + push: |
| 28 | + branches: [ "main" ] |
| 29 | + pull_request: |
| 30 | + branches: [ "main" ] |
| 31 | + # Weekly safety-net run — useful for catching newly-disclosed CVEs |
| 32 | + # or upstream license changes even when no PR is open. |
| 33 | + schedule: |
| 34 | + - cron: '31 12 * * 6' # Saturday @ 12:31 UTC |
| 35 | + |
| 36 | +# ----------------------------------------------------------------- |
| 37 | +# Minimal permissions – principle of least privilege |
| 38 | +# ----------------------------------------------------------------- |
| 39 | +permissions: |
| 40 | + contents: read # for actions/checkout |
| 41 | + security-events: write # upload SARIF results |
| 42 | + pull-requests: write # post / overwrite PR comment |
| 43 | + |
| 44 | +jobs: |
| 45 | + dependency-review: |
| 46 | + runs-on: ubuntu-latest |
| 47 | + |
| 48 | + steps: |
| 49 | + # ----------------------------------------------------------- |
| 50 | + # 0️⃣ Check out the repository |
| 51 | + # ----------------------------------------------------------- |
| 52 | + - name: ⬇️ Checkout code |
| 53 | + uses: actions/checkout@v4 |
| 54 | + |
| 55 | + # ----------------------------------------------------------- |
| 56 | + # 1️⃣ Dependency & License gate |
| 57 | + # ----------------------------------------------------------- |
| 58 | + - name: 🔍 Dependency Review |
| 59 | + id: dep-scan |
| 60 | + uses: actions/dependency-review-action@v4 |
| 61 | + with: |
| 62 | + # ───────── Vulnerability policy ───────── |
| 63 | + fail-on-severity: moderate # MODERATE, HIGH, CRITICAL ⇒ ❌ |
| 64 | + vulnerability-check: true # (default) |
| 65 | + |
| 66 | + # ───────── License policy ───────── |
| 67 | + # Hard-deny strong- or service-copyleft licenses that would |
| 68 | + # "infect" an Apache-2.0 project. (LGPL/MPL/EPL are *not* |
| 69 | + # listed — they’re weak/file-level copyleft. Add them here |
| 70 | + # if your org chooses to forbid them outright.) |
| 71 | + deny-licenses: > |
| 72 | + GPL-1.0, GPL-2.0, GPL-3.0, |
| 73 | + AGPL-3.0, |
| 74 | + SSPL-1.0, |
| 75 | + RPL-1.5, |
| 76 | + OSL-3.0, |
| 77 | + CPAL-1.0, |
| 78 | + CeCILL-C, |
| 79 | + LicenseRef-clearlydefined-OTHER |
| 80 | + license-check: true # (default) |
| 81 | + |
| 82 | + # ───────── UX tweaks ───────── |
| 83 | + warn-only: false # actually fail the workflow |
| 84 | + comment-summary-in-pr: on-failure |
| 85 | + |
| 86 | + # ───────── Refs for non-PR events ───────── |
| 87 | + # These are ignored on pull_request events but allow the |
| 88 | + # scheduled run to compare HEAD against `main`. |
| 89 | + base-ref: main |
| 90 | + head-ref: ${{ github.sha }} |
0 commit comments