Start implementation according to plan #1
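name: Dependency Review

on:
  pull_request:
    branches: [main]

# Workflow-level defaults. A job-level `permissions` block replaces this whole
# set for that job (it does not merge), so jobs that need both scopes must not
# declare their own `permissions`.
permissions:
  contents: read
  pull-requests: write

jobs:
  # Detect dependency changes
  changes:
    runs-on: ubuntu-latest
    permissions:
      # paths-filter lists the PR's changed files through the API, which is why
      # this read scope is requested. Because this block replaces the
      # workflow-level set, `contents` is not granted to this job.
      pull-requests: read
    outputs:
      dependencies: ${{ steps.filter.outputs.dependencies }}
    steps:
      - uses: actions/checkout@v4
      # Third-party action: pinning to a full commit SHA instead of a mutable
      # tag keeps a retagged release from changing what this job runs.
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            dependencies:
              - 'package.json'
              - 'package-lock.json'

  # Review dependency changes (inherits contents:read + pull-requests:write,
  # the latter required for comment-summary-in-pr)
  dependency-review:
    needs: changes
    if: needs.changes.outputs.dependencies == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail on moderate, high and critical vulnerabilities — the threshold
          # is inclusive, so "moderate" is stricter than a high/critical-only gate
          fail-on-severity: moderate
          # Warn on low OpenSSF Scorecard
          warn-on-openssf-scorecard-level: 3
          # Comment on PR with results
          comment-summary-in-pr: always
          # Show OpenSSF Scorecard metrics
          show-openssf-scorecard: true
          # Deny licenses
          deny-licenses: GPL-2.0, GPL-3.0
          # Allow licenses (optional; mutually exclusive with deny-licenses, so
          # remove deny-licenses before enabling this)
          # allow-licenses: MIT, Apache-2.0, BSD-3-Clause

  # Summary
  review-summary:
    needs: dependency-review
    runs-on: ubuntu-latest
    # always() also runs this job when dependency-review was skipped (no
    # manifest changes), so the script must treat 'skipped' as its own case
    # instead of reporting it as a failure.
    if: always()
    steps:
      - name: Dependency Review Summary
        # Pass the job result through the environment rather than interpolating
        # the expression into the script. The value is a fixed enum
        # (success/failure/cancelled/skipped), but keeping expressions out of
        # `run:` avoids the injection pattern if PR-controlled context is ever
        # added here.
        env:
          REVIEW_RESULT: ${{ needs.dependency-review.result }}
        run: |
          {
            echo "## 🔍 Dependency Review Results"
            echo ""
            echo "- **Status:** ${REVIEW_RESULT}"
            echo ""
            case "${REVIEW_RESULT}" in
              success)
                echo "✅ No security vulnerabilities or license issues found." ;;
              skipped)
                echo "⏭️ No dependency manifest changes in this PR; review skipped." ;;
              cancelled)
                echo "⚠️ Dependency review was cancelled before it completed." ;;
              *)
                echo "❌ Security vulnerabilities or license issues detected. Check the dependency review job for details." ;;
            esac
          } >> "$GITHUB_STEP_SUMMARY"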