Dependency Review #112
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependency Review | |
| on: | |
| workflow_run: | |
| workflows: ["PR Workflow"] | |
| types: | |
| - completed | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.workflow_run.pull_requests[0].number || github.event.workflow_run.head_sha }} | |
| cancel-in-progress: true | |
| permissions: | |
| actions: read # to download dependency graph artifact | |
| contents: write # to submit dependency graph | |
| pull-requests: read # to resolve PR info for fork PRs | |
| jobs: | |
| dependency-review: | |
| if: | | |
| !github.event.repository.private && | |
| github.event.workflow_run.event == 'pull_request' && | |
| github.event.workflow_run.conclusion == 'success' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| disable-telemetry: true | |
| disable-sudo-and-containers: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| api.deps.dev:443 | |
| api.securityscorecards.dev:443 | |
| - name: Get PR | |
| id: get-pr | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | |
| with: | |
| retries: 3 | |
| script: | | |
| const wfRun = context.payload.workflow_run; | |
| const pr = wfRun.pull_requests[0]; | |
| let number, base_sha, head_sha; | |
| if (pr) { | |
| number = pr.number; | |
| base_sha = pr.base.sha; | |
| head_sha = pr.head.sha; | |
| } else { | |
| // Fork PR: pull_requests[] is empty, resolve via head branch filter | |
| const headLabel = `${wfRun.head_repository.owner.login}:${wfRun.head_branch}`; | |
| const { data: prs } = await github.rest.pulls.list({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| state: 'open', | |
| head: headLabel, | |
| }); | |
| const matched = prs[0]; | |
| if (!matched) throw new Error(`No open PR found for head ${headLabel}`); | |
| number = matched.number; | |
| base_sha = matched.base.sha; | |
| head_sha = wfRun.head_sha; | |
| } | |
| core.info(`is_fork: ${pr ? 'false' : 'true'}`); | |
| core.info(`number: ${number}`); | |
| core.info(`base_sha: ${base_sha}`); | |
| core.info(`head_sha: ${head_sha}`); | |
| core.setOutput('is_fork', pr ? 'false' : 'true'); | |
| core.setOutput('number', number); | |
| core.setOutput('base_sha', base_sha); | |
| core.setOutput('head_sha', head_sha); | |
| - name: Download and submit dependency graph | |
| uses: gradle/actions/dependency-submission@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1 | |
| with: | |
| dependency-graph: download-and-submit | |
| - id: dependency-review | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 | |
| with: | |
| retry-on-snapshot-warnings: true | |
| retry-on-snapshot-warnings-timeout: 600 # let GitHub process both graphs up to 10 minutes | |
| base-ref: ${{ steps.get-pr.outputs.base_sha }} | |
| head-ref: ${{ steps.get-pr.outputs.head_sha }} | |
| warn-only: true # we don't want to fail the workflow, just to report the issues via comment | |
| show-patched-versions: true | |
| - if: ${{ steps.dependency-review.outputs.comment-content != null }} | |
| name: Save dependency review output report | |
| run: | | |
| cat << 'EOF' > openssf-report.html | |
| ${{ steps.dependency-review.outputs.comment-content }} | |
| EOF | |
| - if: ${{ steps.dependency-review.outputs.comment-content != null }} | |
| # Use separate action to comment because the original one can't do it without PR context | |
| uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4 | |
| with: | |
| number: ${{ steps.get-pr.outputs.number }} | |
| header: dependency-review | |
| hide_and_recreate: true | |
| path: openssf-report.html | |
| GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} | |
| - if: failure() | |
| # If the review fails, we still want to "outdate" the comment to avoid stale information | |
| uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4 | |
| with: | |
| number: ${{ steps.get-pr.outputs.number }} | |
| header: dependency-review | |
| hide_and_recreate: true | |
| message: "⚠️ Dependency review workflow failed - results may be outdated. [Check logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" | |
| GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }} |