From fa088bf98e6ce5f32b019e3da2c7ba53b70b7b3c Mon Sep 17 00:00:00 2001
From: Ethan Kent
Date: Thu, 17 Oct 2024 12:07:12 -0700
Subject: [PATCH] INFRASTRUCTURE: update - dependency_review.yml
---
.github/workflows/dependency_review.yml | 48 ++++++++-----------------
1 file changed, 14 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
index 9299338..fc444d8 100644
--- a/.github/workflows/dependency_review.yml
+++ b/.github/workflows/dependency_review.yml
@@ -1,41 +1,21 @@
-# This workflow runs `actions/dependency-review-action`.
-# - [Dependency Review](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) is a supply-chain security feature of [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security).
-#
-# This is intended to help identify and block the use of low-quality open-source packages.
-# Many acceptance rules may be evaluated and result in a pass/fail status for PRs that update this repo's dependency tree.
-# For example, a package may be automatically blocked if it:
-# - Is found to have a known vulnerability
-# - Contains licensing requirements that are incompatible with the licensing policies set forth in our Engineering Standards documentation
-# - Has an overall quality score that is deemed to be too low
-#
-# Additionally, this workflow will highlight changes to the dependency tree in its related PR.
-# This empowers developers and reviewers to make informed decisions about changes to the project's library dependencies.
-#
-# To provide adequate guardrails for developers,
-# this workflow must be standardized across many (or all) repositories across the organization.
-# Consequently changes to this workflow will need to be reviewed and approved at the organization level,
-# so that updates can be synchronized across all org repositories in a consistent manner.
-name: 'Dependency Review'
+name: "Dependency Review"
 on: [pull_request]
+# NOTE: THIS CONFIGURATION REDUCES THE PERMISSIONS OF THIS GITHUB ACTION.
+# --------------------------------------------------------------------------------------------------------------------
+# See:
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+# --------------------------------------------------------------------------------------------------------------------
+# Explicitly adds `pull-requests: write` so that this action can update a PR.
+# Retains `contents: read` for repo analysis.
+# All other permissions are withheld.
+
 permissions:
 contents: read
 pull-requests: write
+# This workflow runs `actions/dependency-review-action` from the `reusable-github-workflows` repo.
+# This resuable workflow approach is intended to speed up the process of deploying license updates
 jobs:
- dependency-review:
- runs-on: ubuntu-latest
- steps:
- - name: 'Checkout Repository'
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: 'Dependency Review'
- uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
- with:
- comment-summary-in-pr: always
- fail-on-scopes: runtime, development, unknown
- allow-licenses: >-
- MIT,
- Apache-2.0,
- ISC,
- BSD-3-Clause,
- BSD-2-Clause
\ No newline at end of file
+ dependency_review:
+ uses: the-control-group/reusable-github-workflows/.github/workflows/dependency_review.yml@ga
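Review bot: The new `uses:` line at the end of the hunk references the reusable workflow at `@ga`, which reads as a branch or floating tag, whereas the lines it replaces pinned `actions/checkout` and `actions/dependency-review-action` to full commit SHAs with a version comment; with a mutable ref the called workflow, and therefore what runs under this job's `pull-requests: write` token, can change without any change landing in this repository. Pin it to a full commit SHA and keep the readable ref as a trailing comment, e.g. `uses: the-control-group/reusable-github-workflows/.github/workflows/dependency_review.yml@<FULL_COMMIT_SHA>  # ga`, and let a dependency updater bump the SHA. Since `fail-on-scopes` and `allow-licenses` now live in the called workflow, the comment above `jobs:` could also name where the license and scope policy is configured so reviewers of this repo can find it. In that same comment `resuable` should read `reusable`.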