open-codesign/.github/workflows/dependency-review.yml at main · OpenCoworkAI/open-codesign · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
name: Dependency Review

# Dependency Review needs the Dependency graph + (for private repos) GitHub
# Advanced Security. Skipped while the repo is private.

on:
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  review:
    if: github.event.repository.visibility == 'public'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
        with:
          fail-on-severity: moderate
          deny-licenses: GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0
          # Workflow-only release tooling is not bundled, linked, vendored, or
          # distributed with the app. Keep shipped/runtime deps under the deny
          # list above, but allow this action so winget automation can run.
          allow-dependencies-licenses: pkg:githubactions/vedantmgoyal9/winget-releaser