microsoft/hve-core
Publicmirrored fromhttps://github.com/microsoft/hve-coreAvailable
.github/workflows/dependency-review.yml
66lines · modecode
| 1 | name: Dependency Review |
| 2 | |
| 3 | on: |
| 4 | push: |
| 5 | branches: [ main, develop ] |
| 6 | pull_request: |
| 7 | branches: [ main, develop ] |
| 8 | paths: |
| 9 | - 'package.json' |
| 10 | - 'package-lock.json' |
| 11 | - '**/pyproject.toml' |
| 12 | - '**/uv.lock' |
| 13 | - '**/requirements*.txt' |
| 14 | - '.github/workflows/dependency-review.yml' |
| 15 | workflow_call: |
| 16 | |
| 17 | permissions: |
| 18 | contents: read |
| 19 | |
| 20 | jobs: |
| 21 | dependency-review: |
| 22 | name: Review Dependencies |
| 23 | runs-on: ubuntu-latest |
| 24 | permissions: |
| 25 | contents: write # Elevated for Dependency Submission API (uv.lock) |
| 26 | pull-requests: write |
| 27 | |
| 28 | steps: |
| 29 | - name: Checkout code |
| 30 | uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 |
| 31 | with: |
| 32 | persist-credentials: false |
| 33 | |
| 34 | - name: Submit uv.lock dependencies # Runs on push (base snapshots) and non-fork PRs |
| 35 | if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository |
| 36 | uses: advanced-security/component-detection-dependency-submission-action@b876b8cc341a53970394b33ea0ca4e86c25542de # v0.1.3 |
| 37 | with: |
| 38 | detectorArgs: 'UvLock=EnableIfDefaultOff' |
| 39 | |
| 40 | - name: Dependency Review |
| 41 | if: github.event_name == 'pull_request' |
| 42 | uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 |
| 43 | with: |
| 44 | retry-on-snapshot-warnings: true |
| 45 | retry-on-snapshot-warnings-timeout: 120 |
| 46 | fail-on-severity: moderate |
| 47 | comment-summary-in-pr: always |
| 48 | license-check: true |
| 49 | allow-licenses: >- |
| 50 | MIT, MIT-0, MIT-CMU, Apache-2.0, |
| 51 | BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, |
| 52 | BlueOak-1.0.0, CC0-1.0, Unlicense, |
| 53 | CC-BY-4.0, CC-BY-3.0, PSF-2.0, Python-2.0, |
| 54 | HPND, LicenseRef-scancode-secret-labs-2011, |
| 55 | WTFPL, LicenseRef-scancode-unicode |
| 56 | # Packages with compound SPDX expressions containing GPL or MPL |
| 57 | # from bundled code; distributed licenses are permissive. |
| 58 | # pkg:npm/hve-core is the private root package (never published to npm). |
| 59 | allow-dependencies-licenses: >- |
| 60 | pkg:pypi/lxml, |
| 61 | pkg:pypi/typing-extensions, |
| 62 | pkg:npm/dompurify, |
| 63 | pkg:npm/lunr-languages, |
| 64 | pkg:npm/hve-core |
| 65 | show-openssf-scorecard: true |
| 66 | warn-on-openssf-scorecard-level: 3 |
| 67 | |