diff --git a/.github/workflows/ci-django-api-README.md b/.github/workflows/ci-django-api-README.md index fd8f0b1..1724c7d 100644 --- a/.github/workflows/ci-django-api-README.md +++ b/.github/workflows/ci-django-api-README.md @@ -8,6 +8,7 @@ This reusable workflow is part of the City of Helsinki’s GitHub Actions setup, - **Code Style Checks**: Verifies code style and formatting using [pre-commit](https://pre-commit.com/). - **Automated Testing**: Runs project tests using [pytest](https://docs.pytest.org/en/stable/). - **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan. +- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action). ## 📋 Requirements for Projects Using the Workflow diff --git a/.github/workflows/ci-django-api.yml b/.github/workflows/ci-django-api.yml index 91a8df2..676da1e 100644 --- a/.github/workflows/ci-django-api.yml +++ b/.github/workflows/ci-django-api.yml @@ -210,3 +210,24 @@ jobs: projectBaseDir: ${{ inputs.working-directory }} env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + dependency-review: + name: Dependency Review + if: ${{ github.event_name == 'pull_request' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + with: + fail-on-severity: low + fail-on-scopes: runtime, development, unknown + license-check: false + vulnerability-check: true + comment-summary-in-pr: on-failure + show-patched-versions: true diff --git a/.github/workflows/ci-node-README.md b/.github/workflows/ci-node-README.md index d54ec4a..12d5e84 100644 --- a/.github/workflows/ci-node-README.md +++ b/.github/workflows/ci-node-README.md @@ -8,6 +8,7 @@ This reusable workflow is part of the City of Helsinki’s GitHub Actions setup, - **Build and Lint**: Build and verifies code style and formatting via yarn. - **Automated Testing**: Runs project tests via yarn. - **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan. +- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action). ## 📋 Requirements for Projects Using the Workflow diff --git a/.github/workflows/ci-node.yml b/.github/workflows/ci-node.yml index 49e8f7f..97dfacf 100644 --- a/.github/workflows/ci-node.yml +++ b/.github/workflows/ci-node.yml @@ -240,4 +240,24 @@ jobs: projectBaseDir: ${{ inputs.app-directory == '.' && inputs.working-directory || inputs.app-directory }} env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - + + dependency-review: + name: Dependency Review + if: ${{ github.event_name == 'pull_request' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + with: + fail-on-severity: low + fail-on-scopes: runtime, development, unknown + license-check: false + vulnerability-check: true + comment-summary-in-pr: on-failure + show-patched-versions: true diff --git a/.github/workflows/ci-pnpm-node-README.md b/.github/workflows/ci-pnpm-node-README.md index 30b12bb..bab749e 100644 --- a/.github/workflows/ci-pnpm-node-README.md +++ b/.github/workflows/ci-pnpm-node-README.md @@ -15,6 +15,7 @@ Keeping both workflows allows projects to use the same CI structure while matchi - **Build and Lint**: Build and verifies code style and formatting via pnpm. - **Automated Testing**: Runs project tests via pnpm. - **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan. +- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action). ## 📋 Requirements for Projects Using the Workflow diff --git a/.github/workflows/ci-pnpm-node.yml b/.github/workflows/ci-pnpm-node.yml index c102dee..2699bed 100644 --- a/.github/workflows/ci-pnpm-node.yml +++ b/.github/workflows/ci-pnpm-node.yml @@ -250,3 +250,24 @@ jobs: projectBaseDir: ${{ inputs.app-directory == '.' && inputs.working-directory || inputs.app-directory }} env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + dependency-review: + name: Dependency Review + if: ${{ github.event_name == 'pull_request' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + with: + fail-on-severity: low + fail-on-scopes: runtime, development, unknown + license-check: false + vulnerability-check: true + comment-summary-in-pr: on-failure + show-patched-versions: true diff --git a/.github/workflows/ci-uv-django-api-README.md b/.github/workflows/ci-uv-django-api-README.md index b3abf3e..2dc3098 100644 --- a/.github/workflows/ci-uv-django-api-README.md +++ b/.github/workflows/ci-uv-django-api-README.md @@ -15,6 +15,7 @@ Keeping both workflows allows projects to use the same CI structure while matchi - **Code Style Checks**: Verifies code style and formatting using [pre-commit](https://pre-commit.com/). - **Automated Testing**: Runs project tests using [pytest](https://docs.pytest.org/en/stable/). - **Code Quality Analysis**: Performs a [SonarQube Cloud](https://sonarcloud.io/) scan. +- **Dependency Review**: Scans dependency changes in pull requests for known vulnerabilities using [GitHub's dependency review action](https://github.com/actions/dependency-review-action). ## 📋 Requirements for Projects Using the Workflow diff --git a/.github/workflows/ci-uv-django-api.yml b/.github/workflows/ci-uv-django-api.yml index 7dda156..3c0bced 100644 --- a/.github/workflows/ci-uv-django-api.yml +++ b/.github/workflows/ci-uv-django-api.yml @@ -199,3 +199,24 @@ jobs: projectBaseDir: ${{ inputs.working-directory }} env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + dependency-review: + name: Dependency Review + if: ${{ github.event_name == 'pull_request' }} + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + with: + fail-on-severity: low + fail-on-scopes: runtime, development, unknown + license-check: false + vulnerability-check: true + comment-summary-in-pr: on-failure + show-patched-versions: true diff --git a/.github/workflows/test-reusable-workflows.yml b/.github/workflows/test-reusable-workflows.yml index a049b40..059596f 100644 --- a/.github/workflows/test-reusable-workflows.yml +++ b/.github/workflows/test-reusable-workflows.yml @@ -10,11 +10,13 @@ on: permissions: contents: read - pull-requests: read jobs: test-ci-node: name: Test ci-node + permissions: + contents: read + pull-requests: write uses: ./.github/workflows/ci-node.yml with: node-version: "24" @@ -42,6 +44,9 @@ jobs: test-ci-pnpm-node: name: Test ci-pnpm-node + permissions: + contents: read + pull-requests: write uses: ./.github/workflows/ci-pnpm-node.yml with: node-version: "24" @@ -69,6 +74,9 @@ jobs: test-ci-django-api: name: Test ci-django-api + permissions: + contents: read + pull-requests: write uses: ./.github/workflows/ci-django-api.yml with: python-version: "3.12" @@ -83,6 +91,9 @@ jobs: test-ci-uv-django-api: name: Test ci-uv-django-api + permissions: + contents: read + pull-requests: write uses: ./.github/workflows/ci-uv-django-api.yml with: python-version: "3.12"