Bump the pkg-updates group with 3 updates #776
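name: 'Dependency Review'

# `push` fires on every branch; the concurrency group below cancels superseded runs.
on: [pull_request, push, workflow_dispatch]

# Least privilege: read the tree, write only what is needed to post the review
# summary comment on the pull request.
permissions:
  contents: read
  pull-requests: write

# https://www.meziantou.net/how-to-cancel-github-workflows-when-pushing-new-commits-on-a-branch.htm
concurrency:
  # pull request number or branch name if not a pull request
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    # Skip Dependabot-triggered runs (presumably because their token cannot post
    # the PR comment). Dependabot's actor login is 'dependabot[bot]'; the previous
    # value 'app/dependabot' never matched, so the job was never skipped.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4.2.2

      # Diffs the dependency graph between the PR's base and head. With both
      # base-ref and head-ref set to the same branch the diff was empty and the
      # step could never fail. Let the action take the refs from the
      # pull_request event and skip it on push/workflow_dispatch, where there is
      # no PR to review (the dotnet scan below still covers those runs).
      - name: 'Dependency Review'
        if: github.event_name == 'pull_request'
        uses: actions/dependency-review-action@v4  # TODO: pin to a full commit SHA; tags are mutable
        with:
          fail-on-severity: high
          comment-summary-in-pr: always

      - name: Set up .NET
        uses: actions/setup-dotnet@v4.1.0
        with:
          global-json-file: global.json
          cache: true
          cache-dependency-path: '**/packages.lock.json'

      # Fails the job when `dotnet list package --vulnerable` reports any
      # vulnerable direct or transitive package.
      - name: Check for vulnerable packages
        run: |
          set -euo pipefail  # exit on first error, unset variable, or failed pipeline stage
          # --force-evaluate re-resolves even when packages.lock.json is present;
          # NOTE(review): use --locked-mode instead if the scan must cover exactly
          # the pinned graph and fail on a stale lock file.
          dotnet restore --force-evaluate
          OUTPUT=$(dotnet list package --vulnerable --include-transitive)
          echo "$OUTPUT"
          # Here-string instead of `echo | grep -q`: with pipefail, grep exiting
          # early on a match can leave echo with SIGPIPE and flip the condition.
          # NOTE(review): the match string is unchanged from the original check —
          # confirm it matches the pinned SDK's vulnerable-package report wording.
          if grep -q 'Vulnerable' <<< "$OUTPUT"; then
            echo "Vulnerable packages found"
            exit 1
          else
            echo "No vulnerable packages found"
          fi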