chore: hoist up dependency-review

rjaegers · rjaegers · commit 8a61915ced58 · 2025-06-16T07:54:36.000Z
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -18,6 +18,7 @@ jobs:
     uses: ./.github/workflows/wc-build-push-test.yml
     secrets: inherit
     permissions:
+      actions: read
       attestations: write
       checks: write
       contents: write
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -19,6 +19,7 @@ jobs:
     uses: ./.github/workflows/wc-build-push-test.yml
     secrets: inherit
     permissions:
+      actions: read
       attestations: write
       checks: write
       contents: write
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
@@ -15,6 +15,7 @@ jobs:
     uses: ./.github/workflows/wc-build-push.yml
     secrets: inherit
     permissions:
+      actions: read
       attestations: write
       contents: write
       id-token: write
@@ -23,6 +24,25 @@ jobs:
     with:
       flavor: ${{ matrix.flavor }}
 
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    needs: build-push
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        with:
+          comment-summary-in-pr: on-failure
+          fail-on-severity: critical
+
   integration-test:
     strategy:
       matrix:
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
@@ -81,6 +81,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-push
     permissions:
+      actions: read
       attestations: write
       # dependency-submission needs contents write permission.
       contents: write
@@ -149,11 +150,6 @@ jobs:
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
           dependency-snapshot: true
-      - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
-        if: github.event_name == 'pull_request'
-        with:
-          comment-summary-in-pr: on-failure
-          fail-on-severity: critical
       - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
         with:
           subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
