microsoft/openvmm
Public, mirrored from https://github.com/microsoft/openvmm
.github/workflows/dep-review.yml
```yaml
# Dependency Review — checks for external (3rd-party) crate changes in
# Cargo.lock and conditionally requests review from the dependency team.
#
# Replaces the blunt CODEOWNERS gate on Cargo.lock. Internal-only lockfile
# changes (adding/removing workspace crates) don't trigger a review request.
# External dependency additions or version bumps, and containment policy
# violations, cause the workflow to request review from
# @microsoft/openvmm-dependency-reviewers. If no issues are detected (or
# they're resolved), the review request is removed.
#
# SECURITY NOTE: This workflow uses pull_request_target so it can manage
# review requests. To avoid executing untrusted code, it checks out the
# BASE branch only (not the PR branch) and runs the script from there.
# All PR file contents are fetched via the GitHub API.

name: "Dependency Review"

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

concurrency:
  group: dep-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: write

jobs:
  dep-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout base branch (safe — our own code)
        uses: actions/checkout@v4
        with:
          sparse-checkout: |
            .github/scripts
            .github/dep-policy.json
          sparse-checkout-cone-mode: false

      - name: Review Cargo.lock changes
        uses: actions/github-script@v7
        with:
          script: |
            const { run } = require('./.github/scripts/dep-review.js');
            await run(github, context, core);
```
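The classification the header comment describes (internal-only lockfile changes ignored, external additions and version bumps flagged), as an added illustrative example that is not the repository's own dep-review.js. It assumes that a Cargo.lock `[[package]]` entry carrying a `source` field is an external (registry or git) crate and one without it is a workspace crate, and it runs on constructed lockfile snippets instead of contents fetched through the GitHub API.

```javascript
// Added illustrative example (not the project's .github/scripts/dep-review.js):
// classify the Cargo.lock diff between PR base and head under the policy above.
// Assumption: a [[package]] entry with a `source` field is external; workspace
// (path) crates carry no `source` line in Cargo.lock.

// Minimal Cargo.lock parser: Map "name@version" -> { name, version, source? }.
function parseCargoLock(text) {
  const pkgs = new Map();
  let cur = null;
  const flush = () => { if (cur && cur.name && cur.version) pkgs.set(`${cur.name}@${cur.version}`, cur); };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line.startsWith('[')) { // a new TOML table: finish the previous [[package]]
      flush();
      cur = line === '[[package]]' ? {} : null;
      continue;
    }
    const m = cur && line.match(/^(name|version|source)\s*=\s*"([^"]*)"\s*$/);
    if (m) cur[m[1]] = m[2];
  }
  flush();
  return pkgs;
}

// External additions and version bumps in `headLock` relative to `baseLock`.
// Internal-only changes yield an empty list, i.e. no review request is needed.
function externalChanges(baseLock, headLock) {
  const base = parseCargoLock(baseLock), head = parseCargoLock(headLock);
  const baseVersions = new Map(); // crate name -> versions present in the base lockfile
  for (const p of base.values()) baseVersions.set(p.name, (baseVersions.get(p.name) || []).concat(p.version));
  const changes = [];
  for (const [key, p] of head) {
    if (base.has(key) || !p.source) continue; // unchanged entry, or a workspace crate
    const prev = baseVersions.get(p.name);
    changes.push(prev ? `${p.name}: ${prev.join('/')} -> ${p.version} (bump)`
                      : `${p.name} ${p.version} (new, ${p.source})`);
  }
  return changes;
}

// Constructed sample lockfiles (not from the repository): the head adds a
// workspace crate, bumps serde, and adds a new registry crate.
const REG = 'registry+https://github.com/rust-lang/crates.io-index';
const pkg = (name, version, source) =>
  `[[package]]\nname = "${name}"\nversion = "${version}"\n` + (source ? `source = "${source}"\n` : '') + '\n';
const BASE_LOCK = pkg('ws_crate_a', '0.1.0') + pkg('serde', '1.0.190', REG);
const HEAD_LOCK = pkg('ws_crate_a', '0.1.0') + pkg('ws_crate_b', '0.1.0') +
  pkg('serde', '1.0.200', REG) + pkg('zerocopy', '0.7.32', REG);
console.log(externalChanges(BASE_LOCK, HEAD_LOCK));
```

Only the serde bump and the new zerocopy crate are reported; the added workspace crate ws_crate_b is ignored, matching the "internal-only" case in the header comment.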