feather-reader 0.2.2

A minimalist, atproto-native RSS/Atom reader in Rust — your feed subscriptions live in your own PDS.
Documentation
name: Dependency review

# On every PR: diff the dependency manifests/lockfiles and BLOCK the PR if it
# introduces a dependency with a known vulnerability or a disallowed license.
# Complements Dependabot (which fixes vulns) by gating them at PR time.
#
# ── RUNNER / COST ─────────────────────────────────────────────────────────────
# `dependency-review-action` calls the GitHub Dependency Graph API, which
# requires the dependency graph feature. That feature is:
#   * always on + FREE for PUBLIC repos (the OSS steady state),
#   * available on private repos only with GitHub Advanced Security.
# So on this repo the workflow becomes fully effective once PUBLIC. It runs on
# `ubuntu-latest` (the action ships there); it's a tiny job.

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write  # so the action can post its summary comment

jobs:
  dependency-review:
    name: Dependency review
    # The Dependency Graph API this action calls needs GitHub Advanced Security
    # on a PRIVATE repo (it errors "Dependency review is not supported on this
    # repository" otherwise). Skip while private so it neither fails every PR
    # nor burns Actions minutes; it auto-activates at the public flip, where the
    # dependency graph is always-on + free. Mirrors the gate in scorecard.yml.
    if: ${{ github.event.repository.private == false }}
    runs-on: ubuntu-latest  # GitHub-hosted; free once public
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

      - name: Dependency review
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5
        with:
          # Block on high+ severity vulns; summarise everything on the PR.
          fail-on-severity: high
          comment-summary-in-pr: on-failure
          # Keep license policy aligned with deny.toml (AGPL-compatible set).
          # Strong copyleft that this AGPL project can't absorb from a *dependency*
          # is denied so a surprise GPL/SSPL dep can't slip in. (AGPL itself is
          # NOT denied — it's this project's own license.)
          deny-licenses: >-
            GPL-2.0-only, GPL-3.0-only, LGPL-3.0-only, SSPL-1.0