diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 93996eb5..ff6afeb6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,33 +1,42 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
-name: 'Dependency Review'
-on: [pull_request]
+name: Dependency Review
+
+on:
+  pull_request:
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
     if: github.repository_owner == 'Open-CMSIS-Pack'
+    runs-on: ubuntu-latest
     permissions:
+      contents: write
       pull-requests: write
+
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
       with:
         egress-policy: audit
 
-    - name: 'Checkout Repository'
+    - name: Checkout Repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-    - name: 'Dependency Review'
+    - name: Setup Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      with:
+        go-version-file: go.mod
+
+    - name: Submit Go dependency snapshot
+      uses: actions/go-dependency-submission@f35d5c9af13ce9cc32f7930b171e315e878f6921 # v2.0.3
+      with:
+        go-mod-path: go.mod
+
+    - name: Dependency Review
       uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
       with:
         comment-summary-in-pr: true
+        retry-on-snapshot-warnings: true
+        retry-on-snapshot-warnings-timeout: 120
+        fail-on-severity: moderate
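Review bot: The workflow-level `permissions:` block is widened from `contents: read` to `contents: write`, but the job's own `permissions:` block already grants `contents: write` for the snapshot submission, and a job-level block replaces the workflow-level defaults entirely, so the top-level grant buys nothing for this job and only makes any job added later start with write access; keep the top level at `contents: read`. For pull requests opened from forks the GITHUB_TOKEN is read-only regardless of these settings, so the `Submit Go dependency snapshot` step would presumably fail there and the `Dependency Review` step would then spend the 120-second `retry-on-snapshot-warnings-timeout` before reporting; that limitation, and the fact that the job feeds the PR's own `go.mod` to `go-dependency-submission` with a write-capable token on same-repo PRs, should be stated since the old explanatory header comment was dropped. A header such as `# Submits the Go dependency snapshot (needs contents: write on the job) and reviews the PR's manifests; fork PRs receive a read-only token so the snapshot step cannot succeed there` would replace the removed text.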