Merge pull request #3 from advanced-security/depreview-config

Update DepReview to use config file

Author: GeekMasher

.github/dependency-review.yml

@@ -0,0 +1,13 @@
+# https://github.com/actions/dependency-review-action/tree/v4/?tab=readme-ov-file#configuration-file
+
+# Comment summary in PR
+comment-summary-in-pr: "always"
+
+# Set the severity level for the action to fail on.
+fail-on-severity: moderate
+
+# Set what scope to fail on.
+fail-on-scopes: runtime
+
+# Here is the list of licenses we want to deny and not use in our software. 
+deny-licenses: GPL-1.0-only,GPL-1.0-or-later,GPL-2.0-only,GPL-2.0-or-later,GPL-3.0-only,GPL-3.0-or-later,AGPL-1.0-only,AGPL-1.0-or-later,AGPL-3.0-only,AGPL-3.0-or-later,LGPL-2.0-only,LGPL-2.0-or-later,LGPL-2.1-only,LGPL-2.1-or-later,LGPL-3.0-only,LGPL-3.0-or-later

.github/workflows/dependency-review.yml

@@ -17,10 +17,25 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
 
+      - name: 'Check for configuration file'
+        id: check-config
+        run: |
+          set -e
+          if [ -f "./.github/dependency-review.yml" ]; then
+            echo "Found local configuration file"
+            echo "config=./.github/labeler.yml" >> $GITHUB_STATE
+
+          else
+            echo "No local configuration file found"
+            echo "Downloading configuration file from advanced-security/reusable-workflows repository"
+
+            # download file using gh cli
+            gh api repos/advanced-security/reusable-workflows/contents/.github/dependency-review.yml --raw-field "ref=main" > .github/dependency-review.yml
+            echo "config=./.github/dependency-review.yml" >> $GITHUB_STATE
+
+          fi
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
         with:
-          comment-summary-in-pr: "always"
-          fail-on-scopes: runtime
-          fail-on-severity: moderate
-          deny-licenses: GPL-1.0-only,GPL-1.0-or-later,GPL-2.0-only,GPL-2.0-or-later,GPL-3.0-only,GPL-3.0-or-later,AGPL-1.0-only,AGPL-1.0-or-later,AGPL-3.0-only,AGPL-3.0-or-later,LGPL-2.0-only,LGPL-2.0-or-later,LGPL-2.1-only,LGPL-2.1-or-later,LGPL-3.0-only,LGPL-3.0-or-later
+          config-file: '${{ steps.check-config.outputs.config }}'