ci: add dependency review (#4)

This pull request includes updates to GitHub Actions workflows to improve dependency reviews and semantic pull request checks. The changes involve adding a new workflow for dependency reviews and enhancing the existing semantic pull request workflow with more descriptive step names. ### New Workflow for Dependency Reviews: * [`.github/workflows/dependency-review.yml`](diffhunk://#diff-7cdd3ccec44c8ba176bdc3b9ef54c3f56aa210a1a4e2bb5f79d87b1e50314a18R1-R27): Added a new workflow to perform dependency reviews on pull requests, including checks for vulnerabilities and licenses, and displaying OpenSSF scorecards. ### Enhancements to Semantic Pull Request Workflow: * [`.github/workflows/semantic-pr.yml`](diffhunk://#diff-b461a4aae3e02f4e8cf48457c786aa2de1f6b8b50a64d8b1b2a95e7849759920L25-R33): Updated the semantic pull request workflow to include more descriptive names for steps and ensure proper commenting behavior based on PR title validation results. [[1]](diffhunk://#diff-b461a4aae3e02f4e8cf48457c786aa2de1f6b8b50a64d8b1b2a95e7849759920L25-R33) [[2]](diffhunk://#diff-b461a4aae3e02f4e8cf48457c786aa2de1f6b8b50a64d8b1b2a95e7849759920L45-R48)
microsoft · Sep 13, 2024 · f3a4e03 · f3a4e03
1 parent 7e25852
commit f3a4e03
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+---
+name: 🕵️ Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
+jobs:
+  main:
+    name: 🕵️ Check Dependency
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⤵️ Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: 🕵️ Run Dependency Review
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        with:
+          vulnerability-check: true
+          license-check: true
+          show-openssf-scorecard: true
+          comment-summary-in-pr: on-failure
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
@@ -22,13 +22,15 @@ jobs:
     name: 🔍 Check PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+      - name: 🔍 Run Semantic PR validation
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         id: check_pr_title
         env:
           GITHUB_TOKEN: ${{ github.token }}
 
-      - uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
+      - name: 💬 Comment on PR
         if: always() && (steps.check_pr_title.outputs.error_message != null)
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
         with:
           header: pr-title-check-error
           message: |
@@ -42,7 +44,8 @@ jobs:
             ${{ steps.check_pr_title.outputs.error_message }}
             ```
 
-      - if: ${{ steps.check_pr_title.outputs.error_message == null }}
+      - name: 🗑 Delete PR comment
+        if: ${{ steps.check_pr_title.outputs.error_message == null }}
         uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
         with:
           header: pr-title-check-error