Merge pull request #16 from advanced-security/dep-review

GeekMasher · web-flow · commit 79b964f0f399 · 2024-04-18T12:26:01.000+01:00
Use repo ref versus downloading config file
diff --git a/.github/dependency-review.yml b/.github/dependency-review.yml
@@ -9,5 +9,52 @@ fail-on-severity: moderate
 # Set what scope to fail on.
 fail-on-scopes: runtime
 
-# Here is the list of licenses we want to deny and not use in our software. 
-deny-licenses: GPL-1.0-only,GPL-1.0-or-later,GPL-2.0-only,GPL-2.0-or-later,GPL-3.0-only,GPL-3.0-or-later,AGPL-1.0-only,AGPL-1.0-or-later,AGPL-3.0-only,AGPL-3.0-or-later,LGPL-2.0-only,LGPL-2.0-or-later,LGPL-2.1-only,LGPL-2.1-or-later,LGPL-3.0-only,LGPL-3.0-or-later
+# Use only certain licenses
+allow_licenses:
+  - 'BSD-2-Clause-Patent'
+  - 'ADSL'
+  - 'Apache-2.0'
+  - 'APAFML'
+  - 'BSD-1-Clause'
+  - 'BSD-2-Clause'
+  - 'BSD-2-Clause-FreeBSD'
+  - 'BSD-2-Clause-NetBSD'
+  - 'BSD-2-Clause-Views'
+  - 'BSL-1.0'
+  - 'DSDP'
+  - 'ECL-1.0'
+  - 'ECL-2.0'
+  - 'ImageMagick'
+  - 'ISC'
+  - 'Linux-OpenIB'
+  - 'MIT'
+  - 'MIT-Modern-Variant'
+  - 'MS-PL'
+  - 'MulanPSL-1.0'
+  - 'Mup'
+  - 'PostgreSQL'
+  - 'Spencer-99'
+  - 'UPL-1.0'
+  - 'Xerox'
+
+# Here is a sample list of licenses we want to deny and not use in our software.
+# deny-licenses:
+#   # GPL licenses
+#   - GPL-1.0-only
+#   - GPL-1.0-or-later
+#   - GPL-2.0-only
+#   - GPL-2.0-or-later
+#   - GPL-3.0-only
+#   - GPL-3.0-or-later
+#   # AGPL licenses
+#   - AGPL-1.0-only
+#   - AGPL-1.0-or-later
+#   - AGPL-3.0-only
+#   - AGPL-3.0-or-later
+#   # LGPL licenses
+#   - LGPL-2.0-only
+#   - LGPL-2.0-or-later
+#   - LGPL-2.1-only
+#   - LGPL-2.1-or-later
+#   - LGPL-3.0-only
+#   - LGPL-3.0-or-later
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,3 +1,7 @@
+# 'Dependency Review' Reusable Workflow
+#
+# Note: Override the default configuration by providing a './.github/dependency-review.yml' in your repo.
+
 name: 'Dependency Review'
 
 on:
@@ -15,23 +19,25 @@ jobs:
         uses: actions/checkout@v4
 
       - name: 'Check for configuration file'
+        id: config
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           set -e
           if [ -f "./.github/dependency-review.yml" ]; then
             echo "Found local configuration file"
+            echo "config=./.github/labeler.yml" >> $GITHUB_STATE
+
           else
             echo "No local configuration file found"
-            echo "Downloading configuration file from advanced-security/reusable-workflows repository"
+            echo "Using configuration file from advanced-security/reusable-workflows repository"
 
-            # download file using gh cli
-            gh api repos/advanced-security/reusable-workflows/contents/.github/dependency-review.yml -q '.content' | base64 -d > .github/dependency-review.yml
+            echo "config=advanced-security/reusable-workflows/.github/dependency-review.yml@main" >> $GITHUB_STATE
 
           fi
 
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
         with:
-          config-file: './.github/dependency-review.yml'
+          config-file: ${{ steps.config.outputs.config }}
           comment-summary-in-pr: "always"
