Add dependency review workflow#121
Merged
Scans PR dependency changes via actions/dependency-review-action, failing on moderate+ advisories and non-permissive licenses. Ships .github/dependency-review-config.yml as the shared license allowlist; consumer workflows inherit it via the config-file input default. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a version-check job to dependency-review.yml that diffs newly-added deps via GitHub's dependency-graph compare API (ecosystem-agnostic) and looks up the latest registry version via deps.dev. Fails the check on any stale add. Not wired into branch protection; consumers opt into "required" status per repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The version-check job was added without docs; README and AGENTS.md described only the dep-review action. Also calls out the GitHub Dependency Graph requirement and notes the coverage gap (mise tools and pre-commit hooks aren't indexed there — Renovate covers them). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds `dependency-review.yml` — a reusable workflow with two PR-time gates against newly-changed dependencies.

- `review` job — runs `actions/dependency-review-action`, fails on advisories at `moderate` or higher and on non-permissive licenses per `.github/dependency-review-config.yml`. Ships the config as a shared license allowlist (0BSD, Apache-2.0, BlueOak-1.0.0, BSD-2/3-Clause, CC0-1.0, ISC, MIT, Unlicense); consumer wrappers inherit it automatically via the `config-file` input's remote-ref default.
- `version-check` job — fails if any newly-added dep isn't at its latest version. Resolves the change set via GitHub's dependency-graph compare API; looks up latest versions via deps.dev (npm, pip, maven, nuget, rubygems, go, cargo) and GitHub Releases (Actions). Handles `@v6` → `6.*.*` wildcard ranges that dep-graph emits for major/minor tags. SHA-pinned Actions are accepted as intentional immutable pinning.

Both jobs require GitHub's Dependency Graph enabled (Settings → Code security and analysis). Coverage is limited to ecosystems the dep graph indexes — npm + GitHub Actions for JS/TS projects. mise tools and `.pre-commit-config.yaml` hooks aren't covered; Renovate's managers handle those independently.

Not wired into branch protection. Status checks show distinct red ✗ on failure; consumers opt into "required" per repo.
Known limitation: "Unknown License" warnings on GitHub Actions
The dep-review action's summary will list GitHub Actions deps as ⚠️ Unknown License because the dep graph doesn't expose license metadata for Action repos. These are informational only — they don't fail the check. The noise only appears in PR comments when the check is already failing for another reason (`comment-summary-in-pr: on-failure`). Source code review confirmed there's no config flag to globally accept null licenses; suppression would require an explicit `allow-dependencies-licenses` allowlist of every Action by PURL (no wildcards supported). Accepting the noise.

Test plan

- `Dependency Review` job runs and passes (no vulnerable deps, no disallowed licenses)
- `Version Check` job runs and passes — dep-graph reported 2 added entries (`actions/checkout`, `actions/dependency-review-action`) from the new manifest; both validated against GitHub Releases as latest
- `Changeset` check passes (no package source files modified, so `changesets status` exits 0 without a changeset file)
- `lodash@4.17.20` (latest 4.18.1 per deps.dev) and was reverted after confirming `Version Check` failed with `::error title=Stale dependency::npm:lodash pinned to 4.17.20, latest is 4.18.1` and exit code 1

🤖 Generated with Claude Code
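The staleness logic the version-check job describes, as an added example that is not the PR's own code: it walks a compare-API payload, skips SHA-pinned entries, treats the `6.*.*` wildcard form as matching the latest release and emits the same `::error` annotation the test plan shows. The compare payload and the latest-version table are constructed stand-ins for the dependency-graph compare API and deps.dev / GitHub Releases, not live responses.

```python
# Staleness check in the shape of the PR's version-check job. Added example,
# not the PR's own code: the compare payload and the registry lookup are
# constructed stand-ins for the dependency-graph compare API and deps.dev.
import re
import sys

# Constructed compare-API response; only "added" entries are checked.
COMPARE_RESPONSE = [
    {"change_type": "added", "ecosystem": "npm", "name": "lodash", "version": "4.17.20"},
    {"change_type": "added", "ecosystem": "actions", "name": "actions/checkout", "version": "6.*.*"},
    {"change_type": "added", "ecosystem": "actions", "name": "actions/setup-node",
     "version": "0123456789abcdef0123456789abcdef01234567"},
    {"change_type": "removed", "ecosystem": "npm", "name": "left-pad", "version": "1.3.0"},
]
# Constructed latest-version lookup (values hypothetical, not registry data).
LATEST = {
    ("npm", "lodash"): "4.18.1",
    ("actions", "actions/checkout"): "6.0.1",
    ("actions", "actions/setup-node"): "5.0.0",
}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA => intentional immutable pin


def version_matches(pinned: str, latest: str) -> bool:
    """True if the pinned version covers the latest release; dep graph emits
    6.*.* for a @v6 tag, so a '*' component matches any value."""
    pin, new = pinned.split("."), latest.split(".")
    return len(pin) == len(new) and all(p == "*" or p == n for p, n in zip(pin, new))


def find_stale(changes, latest_lookup):
    """One workflow ::error annotation per newly-added dep behind its latest
    version; an empty list means the check passes."""
    errors = []
    for dep in changes:
        if dep["change_type"] != "added" or SHA_RE.match(dep["version"]):
            continue
        latest = latest_lookup.get((dep["ecosystem"], dep["name"]))
        if latest is None or version_matches(dep["version"], latest):
            continue  # unknown to the registry, or already current
        errors.append(f"::error title=Stale dependency::{dep['ecosystem']}:"
                      f"{dep['name']} pinned to {dep['version']}, latest is {latest}")
    return errors


if __name__ == "__main__":
    stale = find_stale(COMPARE_RESPONSE, LATEST)
    print("\n".join(stale) or "all newly-added dependencies are current")
    sys.exit(1 if stale else 0)
```

Run stand-alone it exits 1 on the constructed payload because of the lodash entry, while the SHA-pinned and wildcard-pinned Actions pass.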