From b642174b39e3a03c74dbc7c37a696d9815f974bb Mon Sep 17 00:00:00 2001
From: Sourabh Mehta
Date: Tue, 31 Mar 2026 10:29:24 +0200
Subject: [PATCH 1/4] Added Go dependency submittion step
---
 .github/workflows/dependency-review.yml | 38 ++++++++++++++++---------
 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 93996eb5..02d3a496 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,33 +1,43 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
-name: 'Dependency Review'
-on: [pull_request]
+name: Dependency Review
+
+on:
+ pull_request:
 permissions:
- contents: read
+ contents: write
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
- if: github.repository_owner == 'Open-CMSIS-Pack'
 permissions:
+ contents: write
 pull-requests: write
+ if: github.repository_owner == 'Open-CMSIS-Pack'
+
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
 egress-policy: audit
- - name: 'Checkout Repository'
+ - name: Checkout Repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - name: 'Dependency Review'
+ - name: Setup Go
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+ with:
+ go-version-file: go.mod
+ check-latest: true
+
+ - name: Submit Go dependency snapshot
+ uses: actions/go-dependency-submission@f35d5c9af13ce9cc32f7930b171e315e878f6921 # v2.0.3
+ with:
+ go-mod-path: go.mod
+ go-build-target: ./cmd/cbuild/main.go
+
+ - name: Dependency Review
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
 with:
 comment-summary-in-pr: true
+ retry-on-snapshot-warnings: true
+ retry-on-snapshot-warnings-timeout: 120
From 5e425d35bc2125545558ee4b2a1bdade70fae343 Mon Sep 17 00:00:00 2001
From: Sourabh Mehta
Date: Tue, 31 Mar 2026 11:16:44 +0200
Subject: [PATCH 2/4] Added deny list
---
 .github/workflows/dependency-review.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
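Review bot: The workflow-level `permissions:` block is raised from `contents: read` to `contents: write` although the `dependency-review` job declares its own block, and a job-level block replaces the workflow-level one, so the broader top-level grant only ever applies to jobs added later without their own permissions; keeping `contents: read` at the top and granting `contents: write` only in the job limits the write scope to the job that actually submits the snapshot. The `if: github.repository_owner == 'Open-CMSIS-Pack'` condition tests the base repository's owner, not where the head branch comes from, so on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only and the `Submit Go dependency snapshot` step will presumably fail there; a step-level guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` would skip it cleanly. Since that step evaluates the `go.mod` checked out from the pull request while a write-scoped token is in scope, a short comment above it, `# contents: write is required by the dependency submission API`, would document why the grant exists.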
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 02d3a496..912d2aa7 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -8,11 +8,12 @@ permissions:
 jobs:
 dependency-review:
+ if: github.repository_owner == 'Open-CMSIS-Pack'
 runs-on: ubuntu-latest
+
 permissions:
 contents: write
 pull-requests: write
- if: github.repository_owner == 'Open-CMSIS-Pack'
 steps:
 - name: Harden Runner
@@ -27,13 +28,11 @@ jobs:
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version-file: go.mod
- check-latest: true
 - name: Submit Go dependency snapshot
 uses: actions/go-dependency-submission@f35d5c9af13ce9cc32f7930b171e315e878f6921 # v2.0.3
 with:
 go-mod-path: go.mod
- go-build-target: ./cmd/cbuild/main.go
 - name: Dependency Review
 uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
@@ -41,3 +40,5 @@ jobs:
 comment-summary-in-pr: true
 retry-on-snapshot-warnings: true
 retry-on-snapshot-warnings-timeout: 120
+ fail-on-severity: moderate
+ deny-licenses: GPL-2.0, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0, GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0, AGPL-3.0-only, AGPL-3.0-or-later
From 0bf363cee3d1fe19f509b7e83b2b286bc025bc32 Mon Sep 17 00:00:00 2001
From: Sourabh Mehta <73165318+soumeh01@users.noreply.github.com>
Date: Tue, 31 Mar 2026 10:56:12 +0200
Subject: [PATCH 3/4] Update dependency-review.yml for permissions
---
 .github/workflows/dependency-review.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 912d2aa7..64206a87 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -10,7 +10,6 @@ jobs:
 dependency-review:
 if: github.repository_owner == 'Open-CMSIS-Pack'
 runs-on: ubuntu-latest
- permissions:
 contents: write
 pull-requests: write
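Review bot: `fail-on-severity: moderate` in the third hunk of this patch relaxes the action's default gate (`low`), so pull requests that introduce advisories rated low will pass the review step; if that is the intended policy, record it beside the setting, e.g. `# moderate: low-severity advisories appear in the PR summary but do not block merging`. The `deny-licenses` value is a plain comma-separated scalar, which is the form the action expects, but it mixes the deprecated SPDX identifiers (`GPL-2.0`, `GPL-3.0`, `AGPL-3.0`) with their `-only`/`-or-later` forms; keeping both is harmless, and a comment stating that the deprecated forms are listed on purpose stops a later cleanup from silently narrowing the policy.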
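Review bot: Deleting only the `permissions:` key in this hunk leaves `contents: write` and `pull-requests: write` at their previous child indentation directly after `runs-on: ubuntu-latest`, which most YAML parsers reject ("mapping values are not allowed in this context"), so the workflow file stops loading unless this rendering has hidden a re-indent of those two lines. If the intent was to rely on the workflow-level block instead, note that an explicit workflow-level `permissions` sets every unlisted scope to none, so `pull-requests: write`, which `comment-summary-in-pr: true` depends on, would be lost. The safer fix is to keep the job-level block intact and reduce the workflow-level grant to `contents: read`, so the write scope stays confined to this job. The rest of the job (`steps:`) lies outside the hunk.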
From f6ca5a6d74f54269964a4695fc0af38bd88393c8 Mon Sep 17 00:00:00 2001
From: Sourabh Mehta
Date: Tue, 31 Mar 2026 11:19:40 +0200
Subject: [PATCH 4/4] cleanup
---
 .github/workflows/dependency-review.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 64206a87..ff6afeb6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -40,4 +40,3 @@ jobs:
 retry-on-snapshot-warnings: true
 retry-on-snapshot-warnings-timeout: 120
 fail-on-severity: moderate
- deny-licenses: GPL-2.0, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0, GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0, AGPL-3.0-only, AGPL-3.0-or-later