diff --git a/.github/workflows/dep_review.yml b/.github/workflows/dep_review.yml
new file mode 100644
index 0000000000..b1449676e5
--- /dev/null
+++ b/.github/workflows/dep_review.yml
@@ -0,0 +1,42 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    paths:
+      - "uv.lock"
+      - "pyproject.toml"
+      - "clients/package-lock.json"
+      - "clients/**/package-lock.json"
+      - "clients/**/package.json"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # NOTE: uv.lock is not in GitHub's official supported ecosystems list, but
+      # appears to work in practice. Coverage of transitive Python deps should
+      # be verified. See: https://github.com/dependabot/dependabot-core/issues/11913
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          # Always post so that a clean push overwrites any previous warning
+          comment-summary-in-pr: always
+          # fail-on-severity causes the step to fail on HIGH+, but
+          # continue-on-error ensures the workflow never blocks merging.
+          # The intent is visibility (PR comment) only, not enforcement.
+          fail-on-severity: high
+          show-openssf-scorecard: false
+          show-patched-versions: true
+          retry-on-snapshot-warnings: false
+          license-check: false
+        continue-on-error: true
diff --git a/changelog/7749-add-dependency-review-action.yaml b/changelog/7749-add-dependency-review-action.yaml
new file mode 100644
index 0000000000..a3889dcbbf
--- /dev/null
+++ b/changelog/7749-add-dependency-review-action.yaml
@@ -0,0 +1,4 @@
+type: Developer Experience
+description: Added Dependency Review GitHub Actions workflow to surface new dependency vulnerabilities in PR comments
+pr: 7749
+labels: []
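Review bot: `continue-on-error: true` on the dependency-review step swallows operational failures as well as findings (API errors, dependency graph not enabled for the repo, no snapshot for `uv.lock`), so a scan that never ran is indistinguishable from a clean one and the "visibility" the comment promises silently disappears; if the pinned v4.9.0 supports the action's `warn-only` input, `warn-only: true` under `with:` gives the same non-blocking behaviour for vulnerability findings while still failing the step when the scan itself cannot run. On `pull_request` events from forks the `GITHUB_TOKEN` is read-only regardless of `pull-requests: write`, so `comment-summary-in-pr` will fail there and be masked by the same `continue-on-error`; a comment above `permissions:` such as `# NOTE: fork PRs get a read-only token, so the PR comment is only posted for same-repo branches` would document that limitation. Separately, `clients/**/package-lock.json` already matches `clients/package-lock.json` because `**` matches zero or more directories, so the explicit entry is redundant.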