29 lines
954 B
YAML
29 lines
954 B
YAML
name: "Dependency Review"
|
|
on:
|
|
pull_request:
|
|
merge_group:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
dependency-review:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: "Checkout Repository"
|
|
uses: actions/checkout@v4
|
|
- uses: actions/setup-go@v5
|
|
with:
|
|
go-version: "1.23"
|
|
check-latest: true
|
|
- name: "Dependency Review"
|
|
uses: actions/dependency-review-action@v4
|
|
with:
|
|
base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
|
|
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
|
|
fail-on-severity: high # otherwise we fail on ourselves due to https://github.com/advisories/GHSA-qfc5-6r3j-jj22, https://github.com/advisories/GHSA-w44m-8mv2-v78h TODO(@julienrbrt) submit a PR to the action to ignore packages
|
|
- name: "Dependency audit"
|
|
run: ./scripts/dep-assert.sh
|
|
- name: "Go vulnerability check"
|
|
run: make vulncheck
|