Dep bump #53
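# Dependency Review: fail CI when a manifest/lockfile change introduces a
# dependency with a known advisory at or above the configured severity.
#
# NOTE(review): the forge rendered this file with a "hidden or bidirectional
# Unicode" warning. Before trusting the pinned action SHAs below, inspect the
# raw bytes (e.g. `grep -nP '[^\x00-\x7F]' .github/workflows/dependency-review.yml`)
# and strip anything non-ASCII — TODO confirm the file is clean.
name: Dependency Review

on:
  push:
    branches: [ "**" ]
    # Only dependency manifests/lockfiles (plus this workflow and the
    # dependabot config) trigger the push variant.
    paths:
      - 'Cargo.toml'
      - 'Cargo.lock'
      - 'scripts/native_bench/bench_pecos/Cargo.toml'
      - 'scripts/native_bench/bench_pecos/Cargo.lock'
      - 'pyproject.toml'
      - 'python/**/pyproject.toml'
      - 'uv.lock'
      - 'requirements*.txt'
      - '**/requirements*.txt'
      - 'package.json'
      - 'package-lock.json'
      - 'pnpm-lock.yaml'
      - 'yarn.lock'
      - 'bun.lock'
      - 'bun.lockb'
      - '.github/dependabot.yml'
      - '.github/workflows/dependency-review.yml'
  pull_request:
    # No `paths:` filter here on purpose. `dependency-review` is a required
    # status check on protected branches; gating it by `paths:` blocks merges
    # of PRs that don't touch dep files (GitHub waits forever for a check
    # that doesn't fire). `actions/dependency-review-action` is cheap and
    # idempotent on no-diff PRs.
    branches: [ "main", "master", "development", "dev" ]

# Least privilege: the action only needs to read the repo and call the
# dependency-graph compare API. Do not widen this to `pull-requests: write`
# unless `comment-summary-in-pr` is enabled below.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Only cancel superseded runs for pull_request events. A PR run always
  # reviews the whole base..head range, so the newest run is sufficient.
  # A push run reviews only its own `before..sha` range; cancelling an
  # in-flight push run would leave that range's dependency changes unreviewed.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # `audit` only logs outbound connections; it does not block them.
      # Switching to `egress-policy: block` requires an `allowed-endpoints`
      # list (at minimum api.github.com / github.com for this job) — review
      # the audit output before tightening.
      - name: Harden the runner (egress audit)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      # The token is not needed by later steps; do not leave it in .git/config.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      # PR variant: the action derives base/head from the PR event itself.
      # `fail-on-severity: high` fails on high AND critical advisories.
      - name: Review dependency changes in pull request
        if: github.event_name == 'pull_request'
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
        with:
          fail-on-severity: high

      # Push variant: compare the previous tip of the ref with the pushed
      # commit. NOTE(review): after a force-push `github.event.before` may
      # point at a commit no longer reachable from any ref; the compare API
      # can then 404 and fail this step — treat such failures as a signal to
      # review the force-pushed range manually, not as a false positive.
      - name: Review dependency changes in push
        if: github.event_name == 'push' && github.event.before != '0000000000000000000000000000000000000000'
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
        with:
          fail-on-severity: high
          base-ref: ${{ github.event.before }}
          head-ref: ${{ github.sha }}

      # A brand-new branch has no `before` commit (all-zero SHA); there is no
      # range to compare, so succeed explicitly rather than call the action.
      - name: Skip dependency review for first push to a branch
        if: github.event_name == 'push' && github.event.before == '0000000000000000000000000000000000000000'
        run: echo "No previous commit exists for this pushed ref; dependency review will run on subsequent pushes."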