-
Notifications
You must be signed in to change notification settings - Fork 8
38 lines (31 loc) · 1.09 KB
/
dependencies.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# SPDX-License-Identifier: Apache-2.0
# Licensed to the Ed-Fi Alliance under one or more agreements.
# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
# See the LICENSE and NOTICES files in the project root for more information.
name: Dependency Review
on:
pull_request:
branches:
- main
paths:
- 'src/**'
jobs:
scan-actions:
name: Scan Actions
uses: ed-fi-alliance-oss/ed-fi-actions/.github/workflows/repository-scanner.yml@main
analyze-code:
name: Analyze Code Dependencies
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
steps:
- name: Checkout code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
- name: Dependency Review ("Dependabot on PR")
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
with:
allow-ghsas: GHSA-w596-4wvx-j9j6 # this refers a potential attack via Subversion; ignoring since we only use Git.