gh: add dependency checks

.github/workflows/build.yaml

@@ -32,12 +32,6 @@ jobs:
     - name: Run linters
       run: bin/clojure -M:clj-kondo --lint src test
 
-    - name: Install NVD clojure
-      run: bin/clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd;
-
-    - name: Check NVD
-      run: bin/clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :classpath \""$(bin/clojure -Spath)\""
-
   create_release:
     if: startsWith(github.ref, 'refs/tags/v0') || startsWith(github.ref, 'refs/tags/v1')
     runs-on: ubuntu-latest

.github/workflows/deps.yml

@@ -0,0 +1,35 @@
+name: Run dependency checks
+
+on:
+  push:
+  schedule:
+    - cron: '0 1 * * 1'
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/cache@v4
+      with: { path: "~/.m2", key: "${{ runner.os }}-${{ hashFiles('deps.edn') }}-m2" }
+    - uses: actions/cache@v4
+      with:
+        key: "clojure-${{ runner.os }}-${{ hashFiles('.github/workflows/install-binaries.sh') }}"
+        path: |
+          ./bin
+          ./lib
+
+    - name: Install NVD clojure
+      run: bin/clojure -Ttools install nvd-clojure/nvd-clojure '{:mvn/version "RELEASE"}' :as nvd;
+
+    - name: Check NVD Secret is configured
+      env:
+        NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
+      if: ${{ env.NVD_API_TOKEN == '' }}
+      run: echo "NVD_API_TOKEN secret is empty"; exit 1
+
+    - name: Check NVD
+      env:
+        NVD_API_TOKEN: ${{ secrets.NVD_API_TOKEN }}
+      run: bin/clojure -J-Dclojure.main.report=stderr -Tnvd nvd.task/check :config-filename '".nvd-config.json"' :classpath "\"$(bin/clojure -Spath)\""

.nvd-config.json

@@ -0,0 +1 @@
+{"nvd": {"suppression-file": ".nvd-suppressions.xml"}}

.nvd-suppressions.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>