
Dependency Check

Dependency Check #14

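# Weekly OWASP Dependency-Check scan of the resolved sbt dependency JARs.
# The job fails when a finding reaches the CVSS threshold below; the HTML
# report is uploaded whether or not the scan passed.
#
# NOTE(review): every `uses:` below references a mutable tag (v1/v4). Pinning
# each one to a full commit SHA keeps a retagged release from changing what
# runs here; sbt/setup-sbt in particular is maintained outside `actions/`.
name: Dependency Check

on:
  schedule:
    - cron: '0 8 * * 1'  # every Monday at 8am UTC
  workflow_dispatch:

# Nothing in this workflow writes to the repository, so the job token is
# limited to read access instead of inheriting the repository default.
permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The later steps run sbt and a downloaded scanner; do not leave the
          # job token in the local git config for them to read.
          persist-credentials: false

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'

      - uses: sbt/setup-sbt@v1

      - name: Collect dependency JARs
        run: |
          # pipefail is set explicitly: without it a failing sbt is masked by
          # grep/sort, the JAR list comes out empty, and the scan "passes"
          # because it scanned nothing.
          set -euo pipefail
          sbt 'show core/managedClasspath' 'show testkit/managedClasspath' \
            | grep -oP '/.+?\.jar' | sort -u > /tmp/dep-jars.txt
          mkdir -p build/deps
          # The regex can also pick up paths that are not real files, so a
          # failed copy is reported but does not abort the step.
          while IFS= read -r jar; do
            cp "$jar" build/deps/ 2>/dev/null \
              || echo "warning: could not copy $jar" >&2
          done < /tmp/dep-jars.txt
          # Refuse to continue with an empty scan directory.
          if [ -z "$(find build/deps -name '*.jar' -print -quit)" ]; then
            echo "error: no dependency JARs were collected" >&2
            exit 1
          fi

      - name: Cache NVD database
        uses: actions/cache@v4
        with:
          path: ~/.dependency-check
          # A per-run key never matches an existing entry, so the newest
          # `nvd-db-` entry is restored through restore-keys and the updated
          # database is saved under this run's key.
          key: nvd-db-${{ github.run_id }}
          restore-keys: nvd-db-

      - name: Install OWASP Dependency-Check
        run: |
          set -euo pipefail
          DC_VERSION=12.1.0
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as dc.zip.
          # NOTE(review): the archive is unpacked without any integrity check.
          # Record the expected SHA-256 for this release and verify it (or
          # verify the release signature) before the unzip.
          curl -fsSL "https://github.com/jeremylong/DependencyCheck/releases/download/v${DC_VERSION}/dependency-check-${DC_VERSION}-release.zip" -o /tmp/dc.zip
          unzip -q /tmp/dc.zip -d /opt

      - name: Run dependency check
        # --suppression: findings listed in this file are hidden from the
        #   report and from the threshold; review it when it changes.
        # --disableOssIndex: turns off the Sonatype OSS Index analyzer.
        # --failOnCVSS 7: fail the job on any finding with a CVSS score of 7
        #   or higher.
        run: |
          /opt/dependency-check/bin/dependency-check.sh \
            --project zio-openfeature \
            --scan build/deps \
            --format HTML \
            --out build/reports \
            --data ~/.dependency-check \
            --nvdApiKey "$NVD_API_KEY" \
            --suppression dependency-check-suppressions.xml \
            --disableOssIndex \
            --failOnCVSS 7
        env:
          # Supplied through the environment so the secret is not
          # interpolated into the script text.
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

      - name: Upload report
        # always(): keep the report when the scan step failed on a finding.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: build/reports/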