1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
name: Dependency review
# On every PR: diff the dependency manifests/lockfiles and BLOCK the PR if it
# introduces a dependency with a known vulnerability or a disallowed license.
# Complements Dependabot (which fixes vulns) by gating them at PR time.
#
# ── RUNNER / COST ─────────────────────────────────────────────────────────────
# `dependency-review-action` calls the GitHub Dependency Graph API, which
# requires the dependency graph feature. That feature is:
# * always on + FREE for PUBLIC repos (the OSS steady state),
# * available on private repos only with GitHub Advanced Security.
# So on this repo the workflow becomes fully effective once PUBLIC. It runs on
# `ubuntu-latest` (the action ships there); it's a tiny job.
on:
pull_request:
branches:
permissions:
contents: read
pull-requests: write # so the action can post its summary comment
jobs:
dependency-review:
name: Dependency review
# The Dependency Graph API this action calls needs GitHub Advanced Security
# on a PRIVATE repo (it errors "Dependency review is not supported on this
# repository" otherwise). Skip while private so it neither fails every PR
# nor burns Actions minutes; it auto-activates at the public flip, where the
# dependency graph is always-on + free. Mirrors the gate in scorecard.yml.
if: ${{ github.event.repository.private == false }}
runs-on: ubuntu-latest # GitHub-hosted; free once public
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Dependency review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5
with:
# Block on high+ severity vulns; summarise everything on the PR.
fail-on-severity: high
comment-summary-in-pr: on-failure
# Keep license policy aligned with deny.toml (AGPL-compatible set).
# Strong copyleft that this AGPL project can't absorb from a *dependency*
# is denied so a surprise GPL/SSPL dep can't slip in. (AGPL itself is
# NOT denied — it's this project's own license.)
deny-licenses: >-
GPL-2.0-only, GPL-3.0-only, LGPL-3.0-only, SSPL-1.0