-
Notifications
You must be signed in to change notification settings - Fork 12
26 lines (24 loc) · 1.32 KB
/
dependecy-review.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # Version 4.3.3 # https://github.com/actions/dependency-review-action/releases/tag/v4.3.3
# Version 4.3.4 does not work with invalid license names in the config and since that version,
# SPDX expression licenses are considered invalid (see: https://github.com/actions/dependency-review-action/issues/792).
# In short, remove all SPDX expressions from the config!
#
# Note that if you have packages that use SPDX expressions, this will report them as invalid,
# as support is not yet implemented (see: https://github.com/actions/dependency-review-action/issues/263).
#
# In that case you need to downgrade to version 4.3.3 where SPDX expressions are handled as exact strings !!
# @source https://github.com/actions/dependency-review-action/issues/809#issuecomment-2285930024
with:
# Use comma-separated names to pass list arguments:
allow-licenses: Apache-2.0,BSD-3-Clause,BSD-2-Clause,MIT,Apache-2.0 AND MIT