Skip to content

Commit ea0de87

Browse files
ci: add dependency review job to all CI workflows
Refs: KEH-351 Co-authored-by: Tuomas Haapala <tuomas.haapala@anders.com>
1 parent 5db4332 commit ea0de87

9 files changed

Lines changed: 96 additions & 2 deletions

.github/workflows/ci-django-api-README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ This reusable workflow is part of the City of Helsinki’s GitHub Actions setup,
88
- **Code Style Checks**: Verifies code style and formatting using [pre-commit](https://pre-commit.com/).
99
- **Automated Testing**: Runs project tests using [pytest](https://docs.pytest.org/en/stable/).
1010
- **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan.
11+
- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action).
1112

1213
## 📋 Requirements for Projects Using the Workflow
1314

.github/workflows/ci-django-api.yml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -210,3 +210,23 @@ jobs:
210210
projectBaseDir: ${{ inputs.working-directory }}
211211
env:
212212
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
213+
214+
dependency-review:
215+
name: Dependency Review
216+
if: ${{ github.event_name == 'pull_request' }}
217+
runs-on: ubuntu-latest
218+
permissions:
219+
contents: read
220+
pull-requests: write
221+
steps:
222+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
223+
with:
224+
persist-credentials: false
225+
226+
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
227+
with:
228+
fail-on-severity: low
229+
license-check: false
230+
vulnerability-check: true
231+
comment-summary-in-pr: on-failure
232+
show-patched-versions: true

.github/workflows/ci-node-README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ This reusable workflow is part of the City of Helsinki’s GitHub Actions setup,
88
- **Build and Lint**: Build and verifies code style and formatting via yarn.
99
- **Automated Testing**: Runs project tests via yarn.
1010
- **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan.
11+
- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action).
1112

1213
## 📋 Requirements for Projects Using the Workflow
1314

.github/workflows/ci-node.yml

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -240,4 +240,23 @@ jobs:
240240
projectBaseDir: ${{ inputs.app-directory == '.' && inputs.working-directory || inputs.app-directory }}
241241
env:
242242
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
243-
243+
244+
dependency-review:
245+
name: Dependency Review
246+
if: ${{ github.event_name == 'pull_request' }}
247+
runs-on: ubuntu-latest
248+
permissions:
249+
contents: read
250+
pull-requests: write
251+
steps:
252+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
253+
with:
254+
persist-credentials: false
255+
256+
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
257+
with:
258+
fail-on-severity: low
259+
license-check: false
260+
vulnerability-check: true
261+
comment-summary-in-pr: on-failure
262+
show-patched-versions: true

.github/workflows/ci-pnpm-node-README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ Keeping both workflows allows projects to use the same CI structure while matchi
1515
- **Build and Lint**: Build and verifies code style and formatting via pnpm.
1616
- **Automated Testing**: Runs project tests via pnpm.
1717
- **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan.
18+
- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action).
1819

1920
## 📋 Requirements for Projects Using the Workflow
2021

.github/workflows/ci-pnpm-node.yml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -250,3 +250,23 @@ jobs:
250250
projectBaseDir: ${{ inputs.app-directory == '.' && inputs.working-directory || inputs.app-directory }}
251251
env:
252252
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
253+
254+
dependency-review:
255+
name: Dependency Review
256+
if: ${{ github.event_name == 'pull_request' }}
257+
runs-on: ubuntu-latest
258+
permissions:
259+
contents: read
260+
pull-requests: write
261+
steps:
262+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
263+
with:
264+
persist-credentials: false
265+
266+
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
267+
with:
268+
fail-on-severity: low
269+
license-check: false
270+
vulnerability-check: true
271+
comment-summary-in-pr: on-failure
272+
show-patched-versions: true

.github/workflows/ci-uv-django-api-README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ Keeping both workflows allows projects to use the same CI structure while matchi
1515
- **Code Style Checks**: Verifies code style and formatting using [pre-commit](https://pre-commit.com/).
1616
- **Automated Testing**: Runs project tests using [pytest](https://docs.pytest.org/en/stable/).
1717
- **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan.
18+
- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action).
1819

1920
## 📋 Requirements for Projects Using the Workflow
2021

.github/workflows/ci-uv-django-api.yml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -199,3 +199,23 @@ jobs:
199199
projectBaseDir: ${{ inputs.working-directory }}
200200
env:
201201
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
202+
203+
dependency-review:
204+
name: Dependency Review
205+
if: ${{ github.event_name == 'pull_request' }}
206+
runs-on: ubuntu-latest
207+
permissions:
208+
contents: read
209+
pull-requests: write
210+
steps:
211+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
212+
with:
213+
persist-credentials: false
214+
215+
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
216+
with:
217+
fail-on-severity: low
218+
license-check: false
219+
vulnerability-check: true
220+
comment-summary-in-pr: on-failure
221+
show-patched-versions: true

.github/workflows/test-reusable-workflows.yml

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,11 +10,13 @@ on:
1010

1111
permissions:
1212
contents: read
13-
pull-requests: read
1413

1514
jobs:
1615
test-ci-node:
1716
name: Test ci-node
17+
permissions:
18+
contents: read
19+
pull-requests: write
1820
uses: ./.github/workflows/ci-node.yml
1921
with:
2022
node-version: "24"
@@ -42,6 +44,9 @@ jobs:
4244

4345
test-ci-pnpm-node:
4446
name: Test ci-pnpm-node
47+
permissions:
48+
contents: read
49+
pull-requests: write
4550
uses: ./.github/workflows/ci-pnpm-node.yml
4651
with:
4752
node-version: "24"
@@ -69,6 +74,9 @@ jobs:
6974

7075
test-ci-django-api:
7176
name: Test ci-django-api
77+
permissions:
78+
contents: read
79+
pull-requests: write
7280
uses: ./.github/workflows/ci-django-api.yml
7381
with:
7482
python-version: "3.12"
@@ -83,6 +91,9 @@ jobs:
8391

8492
test-ci-uv-django-api:
8593
name: Test ci-uv-django-api
94+
permissions:
95+
contents: read
96+
pull-requests: write
8697
uses: ./.github/workflows/ci-uv-django-api.yml
8798
with:
8899
python-version: "3.12"

0 commit comments

Comments
 (0)