.github/workflows/dependency-review.yml

59lines · modecode

# Dependency review for pull requests that touch a manifest or lockfile.
# Also exposed as a reusable workflow via `workflow_call`.
name: Dependency Review

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it as a key.
on:
  pull_request:
    branches:
      - main
      - develop
    # Run only when a dependency manifest/lockfile (or this workflow) changes.
    paths:
      - "package.json"
      - "package-lock.json"
      - "**/pyproject.toml"
      - "**/uv.lock"
      - "**/requirements*.txt"
      - ".github/workflows/dependency-review.yml"
  # NOTE(review): when invoked via workflow_call, `github.event` is the caller's
  # event. If the caller is not a pull_request event, the same-repo guard on the
  # submission step evaluates false and that step is skipped; confirm intended.
  workflow_call:

# Workflow-wide default is a read-only token; the job below widens it explicitly.
permissions:
  contents: read

jobs:
  dependency-review:
    name: Review Dependencies
    runs-on: ubuntu-latest
    # Job-level scopes apply to every step in the job (GitHub has no step-level
    # permissions), so checkout and the review step also run with a
    # contents:write token even though only the submission step needs it;
    # pull-requests:write is for the PR summary comment.
    permissions:
      contents: write  # Elevated for Dependency Submission API (uv.lock)
      pull-requests: write

    steps:
      - name: Checkout code
        # Pinned to a commit SHA (tag noted for readability) so a moved or
        # re-pointed tag cannot change the action code that runs here.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v4.2.2
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Submit uv.lock dependencies  # Skipped on fork PRs (read-only token)
        # Fork PRs get a read-only GITHUB_TOKEN, so submission would fail;
        # run only when the PR head lives in this repository.
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: advanced-security/component-detection-dependency-submission-action@b876b8cc341a53970394b33ea0ca4e86c25542de  # v0.1.3
        with:
          detectorArgs: "UvLock=EnableIfDefaultOff"

      - name: Dependency Review
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48  # v4.9.0
        with:
          # Fail the check for advisories at moderate severity or above.
          fail-on-severity: moderate
          comment-summary-in-pr: always
          license-check: true
          # Folded scalar: line breaks become spaces, producing one
          # comma-separated list of allowed SPDX identifiers.
          allow-licenses: >-
            MIT,
            MIT-0,
            MIT-CMU,
            Apache-2.0,
            BSD-2-Clause,
            BSD-3-Clause,
            ISC,
            0BSD,
            BlueOak-1.0.0,
            CC0-1.0,
            Unlicense,
            CC-BY-4.0,
            CC-BY-3.0,
            PSF-2.0,
            Python-2.0,
            HPND,
            LicenseRef-scancode-secret-labs-2011,
            WTFPL,
            LicenseRef-scancode-unicode
          # Packages with compound SPDX expressions containing GPL or MPL
          # from bundled code; distributed licenses are permissive.
          # These are exempted from the license check by package URL.
          allow-dependencies-licenses: "pkg:pypi/lxml, pkg:pypi/typing-extensions, pkg:npm/dompurify, pkg:npm/lunr-languages"
          show-openssf-scorecard: true
          warn-on-openssf-scorecard-level: 3