Add dependency review workflow and config (#737)

lucacome · web-flow · commit 0c74bd1a0fe2 · 2023-06-12T23:12:06.000Z
This Action will scan dependency manifest files that change as part of a
Pull Request, surfacing known-vulnerable versions of the packages
declared or updated in the PR.

Once installed, PRs introducing known-vulnerable packages or
dependencies not in the allow list will be blocked from merging.
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
@@ -0,0 +1,12 @@
+allow_licenses:
+  - Apache-1.1
+  - Apache-2.0
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - BSL-1.0
+  - ISC
+  - MIT
+  - NCSA
+  - OpenSSL
+  - Python-2.0
+  - X11
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,17 @@
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
+        with:
+          config-file: "./.github/dependency-review-config.yml"
