Add dependency review workflow and config

lucacome · lucacome · commit a61038d5999a · 2023-06-13T16:29:38.000-07:00
This Action will scan dependency manifest files that change as part of a
Pull Request, surfacing known-vulnerable versions of the packages
declared or updated in the PR.

Once installed, PRs introducing known-vulnerable packages or
dependencies not in the allow list will be blocked from merging.
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
@@ -0,0 +1,13 @@
+allow_licenses:
+  - Apache-1.1
+  - Apache-2.0
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - BSL-1.0
+  - ISC
+  - MIT
+  - NCSA
+  - OpenSSL
+  - Python-2.0
+  - X11
+comment-summary-in-pr: true
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,20 @@
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        with:
+          config-file: "./.github/dependency-review-config.yml"
