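---
name: "🔍 Dependency Review"

on:
  pull_request:
    branches: [main, develop]

# Least privilege: the action reads the dependency-graph diff through the API
# (contents: read) and, because comment-summary-in-pr is enabled below, needs
# pull-requests: write to post its summary comment.
# NOTE(review): on pull_request events raised from forks GITHUB_TOKEN is
# read-only, so the PR comment is presumably not posted there — the
# severity/license gate itself still runs. Confirm against the action's docs.
permissions:
  contents: read
  pull-requests: write

# Single source of truth for the review policy so the step summary at the end
# of the job cannot drift from what the action actually enforces.
env:
  FAIL_ON_SEVERITY: moderate
  # Python-ecosystem friendly allow list. allow-licenses and deny-licenses are
  # mutually exclusive in dependency-review-action: to switch to a deny list
  # (e.g. GPL-3.0, AGPL-3.0) drop this allow list and pass deny-licenses instead.
  ALLOWED_LICENSES: "MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Python-2.0, PSF-2.0, CC0-1.0, Unlicense"

jobs:
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by mutable major-version
      # tags. For supply-chain hardening pin each `uses:` to a full commit SHA
      # (`uses: actions/checkout@<sha> # v6`) and let Dependabot/Renovate bump
      # the pins; the tags are kept here only because no SHA is recorded.
      - name: "📥 Checkout Repository"
        uses: actions/checkout@v6
        with:
          # The token is not needed after checkout; don't leave it in
          # .git/config where later steps could read it.
          persist-credentials: false

      - name: "🔍 Dependency Review"
        uses: actions/dependency-review-action@v4
        with:
          # Fail the job when a newly introduced dependency has a known
          # vulnerability of this severity or higher.
          fail-on-severity: ${{ env.FAIL_ON_SEVERITY }}
          # Fail the job when a newly introduced dependency's license is not
          # in this list.
          allow-licenses: ${{ env.ALLOWED_LICENSES }}
          # Post (or update) a summary comment on the PR on every run, with or
          # without findings.
          comment-summary-in-pr: always
          # Include each dependency's OpenSSF Scorecard result in the summary.
          show-openssf-scorecard: true
          # Warn (not fail) for dependencies whose Scorecard score is below
          # this threshold.
          warn-on-openssf-scorecard-level: 3

      - name: "📊 Generate Dependency Report"
        # Runs even when the review step failed, so the job summary always
        # records which policy was applied.
        if: always()
        run: |
          {
            echo "## 🔍 Dependency Review Summary"
            echo ""
            echo "### Review Configuration:"
            echo "- Fail on severity: ${FAIL_ON_SEVERITY} and above"
            echo "- Allowed licenses: ${ALLOWED_LICENSES}"
            echo "- OpenSSF Scorecard: Enabled"
            echo ""
            echo "Check the PR comment for detailed results."
          } >> "$GITHUB_STEP_SUMMARY"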