microsoft/hve-core
Publicmirrored from https://github.com/microsoft/hve-coreAvailable
.github/workflows/dependency-review.yml
42lines · modecode
| 1 | name: Dependency Review |
| 2 | |
| 3 | on: |
| 4 | pull_request: |
| 5 | branches: [ main, develop ] |
| 6 | workflow_call: |
| 7 | |
| 8 | permissions: |
| 9 | contents: read |
| 10 | |
| 11 | jobs: |
| 12 | dependency-review: |
| 13 | name: Review Dependencies |
| 14 | runs-on: ubuntu-latest |
| 15 | permissions: |
| 16 | contents: write # Elevated for Dependency Submission API (uv.lock) |
| 17 | pull-requests: write |
| 18 | |
| 19 | steps: |
| 20 | - name: Checkout code |
| 21 | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 |
| 22 | with: |
| 23 | persist-credentials: false |
| 24 | |
| 25 | - name: Submit uv.lock dependencies # Skipped on fork PRs (read-only token) |
| 26 | if: github.event.pull_request.head.repo.full_name == github.repository |
| 27 | uses: advanced-security/component-detection-dependency-submission-action@9c110eb34dee187cd9eca76a652b9f6a0ed22927 # v0.1.1 |
| 28 | with: |
| 29 | detectorArgs: 'UvLock=EnableIfDefaultOff' |
| 30 | |
| 31 | - name: Dependency Review |
| 32 | uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 |
| 33 | with: |
| 34 | fail-on-severity: moderate |
| 35 | comment-summary-in-pr: always |
| 36 | license-check: true |
| 37 | allow-licenses: >- |
| 38 | MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, |
| 39 | 0BSD, BlueOak-1.0.0, CC0-1.0, Unlicense, |
| 40 | CC-BY-4.0, CC-BY-3.0, PSF-2.0, Python-2.0 |
| 41 | show-openssf-scorecard: true |
| 42 | warn-on-openssf-scorecard-level: 3 |