From 11f5772f81322d6870d68325745585232feb9f51 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Fri, 1 Dec 2023 16:09:10 +0000 Subject: [PATCH 1/8] Update dependency-review.yml --- code-scanning/dependency-review.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index b0dedc4..c2a26ee 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,6 +7,10 @@ name: 'Dependency Review' on: [pull_request] +# If using a dependency submission action in this workflow this permission will need to be set to: +# permissions: +# contents: write +# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read @@ -15,6 +19,10 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v3 + # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) + # with: + # comment-summary-in-pr: true + # retry-on-snapshot-warnings: true From aa49bd30958867dd77e2c3b9e4448a5bba6229bb Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 11 Dec 2023 09:48:24 +0000 Subject: [PATCH 2/8] Tidy up comments --- code-scanning/dependency-review.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index c2a26ee..d2110e5 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,9 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable +# packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement @@ -8,8 +11,10 @@ name: 'Dependency Review' on: [pull_request] # If using a dependency submission action in this workflow this permission will need to be set to: +# # permissions: # contents: write +# # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read From 0239269003a81d1a264262c63fa8e90016003e10 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 11 Dec 2023 10:37:22 +0000 Subject: [PATCH 3/8] Update to match standards in actions/starter-workflows/.../pull_request_template.md --- code-scanning/dependency-review.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index d2110e5..0f14196 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -7,8 +7,10 @@ # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement -name: 'Dependency Review' -on: [pull_request] +name: 'Dependency review' +on: + pull_request: + branches: [ $default-branch ] # If using a dependency submission action in this workflow this permission will need to be set to: # @@ -23,7 +25,7 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: 'Checkout Repository' + - name: 'Checkout repository' uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v3 From 0d8fa6f490c38fa55d68d7805b5ce14327147a1e Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 11 Dec 2023 10:38:54 +0000 Subject: [PATCH 4/8] Add $protected-branches to pull_request target --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0f14196..2f98c51 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -10,7 +10,7 @@ name: 'Dependency review' on: pull_request: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] # If using a dependency submission action in this workflow this permission will need to be set to: # From f9970771a8a4de97dd778bd03bd70004d35229d7 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 29 Jan 2024 08:47:36 +0000 Subject: [PATCH 5/8] Update dependency-review-action to v4 --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 2f98c51..77f5b3b 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -28,7 +28,7 @@ jobs: - name: 'Checkout repository' uses: actions/checkout@v4 - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@v4 # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) # with: # comment-summary-in-pr: true From a6ab3d3f95328114cecaf0f88283911042c64a71 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 29 Jan 2024 09:05:18 +0000 Subject: [PATCH 6/8] Update dependency-review.yml --- code-scanning/dependency-review.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 77f5b3b..39d06e3 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -31,5 +31,7 @@ jobs: uses: actions/dependency-review-action@v4 # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) # with: + # fail-on-severity: moderate + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # comment-summary-in-pr: true # retry-on-snapshot-warnings: true From e67682c31c4865c050478a9813f2fd7f53c89ca7 Mon Sep 17 00:00:00 2001 From: Chris Campbell <808531+ctcampbell@users.noreply.github.com> Date: Mon, 29 Jan 2024 10:09:37 +0000 Subject: [PATCH 7/8] Add perms for comment-summary-in-pr --- code-scanning/dependency-review.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 39d06e3..82c1ef5 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -20,6 +20,8 @@ on: # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read + # Required if `comment-summary-in-pr: true` is uncommented below + # pull-requests: write jobs: dependency-review: @@ -29,7 +31,7 @@ jobs: uses: actions/checkout@v4 - name: 'Dependency Review' uses: actions/dependency-review-action@v4 - # Commonly enabled options (https://github.com/actions/dependency-review-action#configuration-options) + # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. # with: # fail-on-severity: moderate # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later From cea0111003eb0a9d60577b022615a45886369fab Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 29 Jan 2024 14:38:17 -0600 Subject: [PATCH 8/8] Update dependency-review.yml removing extra whitespace --- code-scanning/dependency-review.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 82c1ef5..14255a9 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,7 +1,7 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. # Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable # packages will be blocked from merging. #