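# Copyright (c) the JPEG XL Project Authors. All rights reserved.
#
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.

# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
---
name: 'Dependency Review'
# Only pull requests carry a manifest diff for the action to compare.
on: [pull_request]

# Least privilege: the job only reads the PR diff; no write scope is granted
# to the workflow token.
permissions:
  contents: read

# One run per workflow/ref/event; a newer push to the same PR supersedes the
# in-flight run so stale reviews do not hold the queue.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # Every third-party action below is pinned to a full commit SHA; the
      # trailing comment records the release tag that SHA was taken from.
      - name: Harden Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          # 'audit' records outbound connections from the runner without
          # blocking them; switch to 'block' only once the allow-list for this
          # job's egress has been established from audit logs.
          egress-policy: audit

      - name: 'Checkout Repository'
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # The review step talks to the GitHub API with its own token input;
          # it does not push or fetch via git, so do not leave the workflow
          # token in the checkout's git config for later steps.
          persist-credentials: false

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@fd07d42ce87ab09f10c61a2d1a5e59e6c655620a # v4.1.1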