image-builder-frontend/.github/workflows/dependency-review.yml at main · osbuild/image-builder-frontend · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Dependency Review

on:
  pull_request:
    branches: [ "main" ]
  merge_group:

# Cancel in-progress jobs for the same workflow and ref
concurrency:
  group: ${{github.workflow}}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  # Required for dependency-review-action to post comments
  pull-requests: write

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # GitHub's dependency-review-action checks for:
      # - Known vulnerabilities in the GHSA database
      # - License compliance issues
      # - Introduces new dependencies
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail on vulnerabilities with severity critical or high
          fail-on-severity: high
          # Also check for vulnerable transitive dependencies
          vulnerability-check: true
          # Warn about licenses that might be problematic
          license-check: true
          # Deny specific licenses if needed (uncomment and modify as needed)
          # deny-licenses: GPL-3.0, LGPL-2.0, BSD-2-Clause
          # Comment on PR with results
          comment-summary-in-pr: always
          # Set a custom configuration file path
          config-file: .github/dependency-review-config.yml

  check-blocked-packages:
    name: Check for Blocked Packages
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Setup Node.js with cached dependencies
        uses: ./.github/actions/setup-node-cached

      - name: Check for compromised packages
        run: npm run security:check