microsoft/openvmm

mirrored from https://github.com/microsoft/openvmm

7c3ac15ad56c50a9668a2afe27075f80372e009f

.github/workflows/dep-review.yml

47 lines

# Dependency Review — checks for external (3rd-party) crate changes in
# Cargo.lock and conditionally requests review from the dependency team.
#
# Replaces the blunt CODEOWNERS gate on Cargo.lock. Internal-only lockfile
# changes (adding/removing workspace crates) don't trigger a review request.
# External dependency additions or version bumps, and containment policy
# violations, cause the workflow to request review from
# @microsoft/openvmm-dependency-reviewers. If no issues are detected (or
# they're resolved), the review request is removed.
#
# SECURITY NOTE: This workflow uses pull_request_target so it can manage
# review requests. To avoid executing untrusted code, it checks out the
# BASE branch only (not the PR branch) and runs the script from there.
# All PR file contents are fetched via the GitHub API.

name: "Dependency Review"

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

concurrency:
  group: dep-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: write

jobs:
  dep-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base branch (safe — our own code)
        uses: actions/checkout@v4
        with:
          sparse-checkout: |
            .github/scripts
            .github/dep-policy.json
          sparse-checkout-cone-mode: false

      - name: Review Cargo.lock changes
        uses: actions/github-script@v7
        with:
          script: |
            const { run } = require('./.github/scripts/dep-review.js');
            await run(github, context, core);
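The internal-versus-external distinction the header comment draws, as an added example that is not the project's own dep-review.js: it parses two Cargo.lock snapshots (such as the base and PR versions fetched via the API) and flags only registry or git crates that were added or changed, so adding or removing workspace crates requests no review. The sample lockfiles, crate names and checksums are constructed.

```javascript
// Added example, not the project's dep-review.js: classify a Cargo.lock change
// the way the workflow comment describes. In Cargo.lock, workspace (path)
// crates carry no `source` line; registry and git crates do.
function parseCargoLock(text) {
  const pkgs = new Map(); // name -> { versions: Set<string>, external: bool }
  for (const block of text.split('[[package]]').slice(1)) {
    const name = /^name = "([^"]+)"/m.exec(block);
    const version = /^version = "([^"]+)"/m.exec(block);
    if (!name || !version) continue;
    const e = pkgs.get(name[1]) || { versions: new Set(), external: false };
    e.versions.add(version[1]);
    e.external = e.external || /^source = "/m.test(block);
    pkgs.set(name[1], e);
  }
  return pkgs;
}

function classifyLockChange(baseLock, headLock) {
  const base = parseCargoLock(baseLock), head = parseCargoLock(headLock);
  const added = [], changed = []; // external crates only
  for (const [name, h] of head) {
    if (!h.external) continue; // workspace crates never request review
    const b = base.get(name);
    if (!b || !b.external) { added.push(name); continue; }
    const same = h.versions.size === b.versions.size &&
      [...h.versions].every(v => b.versions.has(v));
    if (!same) changed.push(name);
  }
  return { added, changed, needsReview: added.length + changed.length > 0 };
}

// Constructed sample lockfiles; crate names and checksums are placeholders.
const REGISTRY = 'registry+https://github.com/rust-lang/crates.io-index';
const BASE_LOCK = `[[package]]
name = "example_workspace_crate"
version = "0.1.0"

[[package]]
name = "zerocopy"
version = "0.7.32"
source = "${REGISTRY}"
checksum = "PLACEHOLDER"
`;
// Adding a workspace crate is internal-only; bumping zerocopy and adding memchr is not.
const INTERNAL_HEAD = BASE_LOCK +
  `\n[[package]]\nname = "example_new_workspace_crate"\nversion = "0.1.0"\n`;
const EXTERNAL_HEAD = INTERNAL_HEAD.replace('0.7.32', '0.7.35') +
  `\n[[package]]\nname = "memchr"\nversion = "2.7.4"\nsource = "${REGISTRY}"\n`;
```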