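# Reusable dependency-review workflow, invoked from other repositories via
# `workflow_call`. NOTE(review): the dependency-review action diffs the PR's
# base and head manifests, so callers are expected to run this from a
# `pull_request`-triggered workflow — confirm against the calling repos.
name: 'Dependency Review'
on:
  workflow_call:
    inputs:
      fail-on-severity:
        type: string
        description: "Configure the severity level for vulnerability alerting. Possible values: critical, high, moderate, low."
        # Findings below this level are surfaced but do not fail the job;
        # callers wanting a stricter gate pass "moderate" or "low".
        default: "high"
      allow-ghsas:
        type: string
        description: "A comma separated list of any GitHub Advisory IDs that can be skipped during detection. Example: 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679'"
      allow-deps:
        type: string
        # This is wired to the action's `allow-dependencies-licenses` input
        # below, so it only exempts packages from the *license* check. It does
        # not suppress vulnerability findings — those are suppressed
        # per-advisory through `allow-ghsas`.
        description: "A comma separated list of packages to exclude from the license check (not from vulnerability detection; use allow-ghsas for that), specified in purl format"
# Least privilege: reading the repository and the dependency diff is all the
# job needs. Enabling PR comments in the action would additionally require
# `pull-requests: write`.
permissions:
  contents: read
jobs:
  dependency-review:
    name: Scan dependencies for license compliance and vulnerabilities
    runs-on: ubuntu-latest
    # Bound the job so a stalled checkout or API call cannot occupy a runner
    # for the default six-hour limit.
    timeout-minutes: 10
    steps:
      - name: 'Checkout Repository'
        # Pinned to a full commit SHA (version noted in the trailing comment)
        # so a moved or compromised tag cannot swap the action under us.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Nothing in this job pushes, so do not leave the token in .git/config.
          persist-credentials: false
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          # Caller-supplied values are passed as action inputs, not
          # interpolated into a shell `run:` step, so no injection surface.
          fail-on-severity: ${{ inputs.fail-on-severity }}
          allow-ghsas: ${{ inputs.allow-ghsas }}
          allow-dependencies-licenses: ${{ inputs.allow-deps }}
          # Deliberately hardcoded rather than exposed as an input, so callers
          # cannot loosen the policy here; keep in sync with
          # sigstore/community/LICENSING.md.
          deny-licenses: GPL-3.0, AGPL-3.0, LGPL-3.0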