feather-reader 0.2.4

A minimalist, atproto-native RSS/Atom reader in Rust — your feed subscriptions live in your own PDS.
Documentation
name: Dependency review

# On every PR: diff the dependency manifests/lockfiles and BLOCK the PR if it
# introduces a dependency with a known vulnerability or a disallowed license.
# Complements Dependabot (which fixes vulns) by gating them at PR time.
#
# ── RUNNER / COST ─────────────────────────────────────────────────────────────
# `dependency-review-action` calls the GitHub Dependency Graph API, which
# requires the dependency graph feature. That feature is:
#   * always on + FREE for PUBLIC repos (the OSS steady state),
#   * available on private repos only with GitHub Advanced Security.
# So on this repo the workflow becomes fully effective once PUBLIC. It runs on
# `ubuntu-latest` (the action ships there); it's a tiny job.

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write  # so the action can post its summary comment

jobs:
  dependency-review:
    name: Dependency review
    # The Dependency Graph API this action calls needs GitHub Advanced Security
    # on a PRIVATE repo (it errors "Dependency review is not supported on this
    # repository" otherwise). Skip while private so it neither fails every PR
    # nor burns Actions minutes; it auto-activates at the public flip, where the
    # dependency graph is always-on + free. Mirrors the gate in scorecard.yml.
    if: ${{ github.event.repository.private == false }}
    runs-on: ubuntu-latest  # GitHub-hosted; free once public
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

      - name: Dependency review
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5
        with:
          # Block on high+ severity vulns; summarise everything on the PR.
          fail-on-severity: high
          comment-summary-in-pr: on-failure
          # Keep license policy aligned with deny.toml (AGPL-compatible set).
          # Strong copyleft that this AGPL project can't absorb from a *dependency*
          # is denied so a surprise GPL/SSPL dep can't slip in. (AGPL itself is
          # NOT denied — it's this project's own license.)
          deny-licenses: >-
            GPL-2.0-only, GPL-3.0-only, LGPL-3.0-only, SSPL-1.0
          # Per-package license exemptions (version-pinned purls). Each is a
          # transitive crate the action mis-flags; cargo-deny (the REQUIRED gate,
          # deny.toml) resolves all three correctly — these unblock the advisory-only
          # dependency-review action to match.
          #   * r-efi 6.0.0 — UEFI-target-only crate pulled by the rustls TLS stack
          #     (getrandom → r-efi); NEVER compiles on this project's Linux/Fly
          #     targets. Its SPDX `MIT OR Apache-2.0 OR LGPL-2.1-or-later` is an OR
          #     with a permissive branch we take, but the action naively matches the
          #     LGPL term against deny-licenses and blocks.
          #   * webpki-root-certs 1.0.8 — Mozilla root store, license CDLA-Permissive-2.0
          #     (a permissive DATA license the action can't map → reads as unknown).
          #   * zmij 1.0.23 — dtolnay's Schubfach double→string formatter, a genuine
          #     transitive dep of serde_json ≥1.0.145. Real license is MIT (verified
          #     on crates.io: published by dtolnay, repo github.com/dtolnay/zmij);
          #     the action reads it as null/unknown, so pin-exempt it.
          allow-dependencies-licenses: >-
            pkg:cargo/r-efi@6.0.0,
            pkg:cargo/webpki-root-certs@1.0.8,
            pkg:cargo/zmij@1.0.23