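# 'Dependency Review' Reusable Workflow
#
# Runs actions/dependency-review-action on pull requests. The action's config
# file is resolved at run time: a local ./.github/dependency-review.yml in the
# calling repository wins; otherwise the centralised configuration from
# advanced-security/reusable-workflows (pinned to v0.1.0 below) is used.
#
# Note: If the default configuration isn't present in your repository, we use the centralised
# configurations.
name: 'Dependency Review'

# `on` is a GitHub Actions key here, not a YAML 1.1 boolean.
# yamllint disable-line rule:truthy
on:
  pull_request:
  workflow_call:

# Least privilege: the job only reads the checkout and posts a PR comment.
permissions:
  contents: read
  # Required for writing a PR Comment
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v6

      # [optional] This setup isn't required, but if your repository has a configuration
      # file we use that instead of the centralised config.
      # No `env` is needed: the script only inspects the checked-out filesystem, so
      # the workflow token is not exposed to it.
      - name: 'Check for configuration file'
        id: config
        run: |
          set -e
          # Step outputs must be appended to $GITHUB_OUTPUT. $GITHUB_STATE is
          # read only by the pre/post hooks of JavaScript actions, so writing
          # there leaves steps.config.outputs.config empty for the next step.
          if [ -f "./.github/dependency-review.yml" ]; then
            echo "Found local configuration file"
            echo "config=./.github/dependency-review.yml" >> "$GITHUB_OUTPUT"
          else
            echo "No local configuration file found"
            echo "Using configuration file from advanced-security/reusable-workflows repository"
            echo "config=advanced-security/reusable-workflows/.github/dependency-review.yml@v0.1.0" >> "$GITHUB_OUTPUT"
          fi

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v4
        with:
          # this value can also be hardcoded to a remote repository
          # Example: advanced-security/reusable-workflows/.github/dependency-review.yml@v0.1.0
          config-file: ${{ steps.config.outputs.config }}
          comment-summary-in-pr: "always"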