From f0a8aaad4125a57732b84c3a396d4592f3f2ad92 Mon Sep 17 00:00:00 2001
From: tdakkota
Date: Tue, 18 Apr 2023 14:43:31 +0300
Subject: [PATCH 1/3] ci: drop deprecated `pkg` workflow
---
 .github/workflows/pkg.yml | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 .github/workflows/pkg.yml
diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml
deleted file mode 100644
index 25411ce..0000000
--- a/.github/workflows/pkg.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: pkg
-
-on:
- push:
- tags:
- - v*
-
-jobs:
- run:
- uses: go-faster/x/.github/workflows/release.yml@main
From 22552343107d4ff48f85aa878884865b4a6ceb39 Mon Sep 17 00:00:00 2001
From: tdakkota
Date: Tue, 18 Apr 2023 14:47:11 +0300
Subject: [PATCH 2/3] ci: drop nancy workflow
---
 .github/workflows/x.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/x.yml b/.github/workflows/x.yml
index 01263ea..6473419 100644
--- a/.github/workflows/x.yml
+++ b/.github/workflows/x.yml
@@ -17,7 +17,5 @@ jobs:
 uses: go-faster/x/.github/workflows/lint.yml@main
 commit:
 uses: go-faster/x/.github/workflows/commit.yml@main
- nancy:
- uses: go-faster/x/.github/workflows/nancy.yml@main
 codeql:
 uses: go-faster/x/.github/workflows/codeql.yml@main
From c83aa11f7acc198ade60365efc42ade7b135856e Mon Sep 17 00:00:00 2001
From: tdakkota
Date: Tue, 18 Apr 2023 14:47:47 +0300
Subject: [PATCH 3/3] ci: use dependency review action
---
 .github/dependency-review-config.yml | 8 ++++++++
 .github/workflows/pr.yml | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 .github/dependency-review-config.yml
 create mode 100644 .github/workflows/pr.yml
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
new file mode 100644
index 0000000..fcb5551
--- /dev/null
+++ b/.github/dependency-review-config.yml
@@ -0,0 +1,8 @@
+fail_on_severity: "low"
+allow_licenses:
+ - "MIT"
+ - "ISC"
+ - "MPL-2.0"
+ - "BSD-2-Clause"
+ - "BSD-3-Clause"
+ - "Apache-2.0"
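Review bot: The new config file carries no comment explaining that `allow_licenses` is an exclusive allowlist, so a reader has to know the action's semantics to see that any dependency whose detected license is outside these six identifiers fails the pull request, and that bringing in a package under, say, `0BSD` or `Unlicense` means editing this file rather than the PR itself. A short header comment would make the policy explicit, e.g. `# Exclusive allowlist: a PR adding a dependency under any other license fails the check. Extend deliberately.` Per the action's documentation `low` is already the default for `fail_on_severity`, so the comment should also say the key is set explicitly for visibility rather than to change behaviour. The action's inputs are documented with dashed names; if the config-file parser of the pinned major version does not also accept the underscore spelling used here, both keys would be silently ignored and the defaults applied, which is worth a one-off check against the action's README for the version in use.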
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..c48c37b
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,19 @@
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout Repository"
+ uses: actions/checkout@v3
+
+ # Their stupid action rely on PR event metadata, so
+ # there is no much sense to setup a re-usable workflow.
+ - name: "Dependency Review"
+ uses: actions/dependency-review-action@v3
+ with:
+ config-file: "./.github/dependency-review-config.yml"
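Review bot: Both `uses:` lines reference mutable major tags (`actions/checkout@v3`, `actions/dependency-review-action@v3`), so a workflow introduced to gate supply-chain changes itself runs whatever those tags resolve to at execution time. Pin each to a full-length commit SHA with the version kept as a trailing comment, e.g. `uses: actions/dependency-review-action@<full-commit-sha> # v3`, and let an automated updater move the pin. The `permissions: contents: read` block appears to be the minimum this action needs as configured here (no PR-comment option is enabled), which is right; keep it when the job is extended. The step comment could be reworded neutrally and grammatically without losing its point, e.g. `# The action depends on pull_request event metadata, so it is run directly rather than through a reusable workflow.`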