From f3a4e036eb30e9cb97afe883977c340a88fde9f5 Mon Sep 17 00:00:00 2001
From: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Date: Fri, 13 Sep 2024 16:12:29 -0700
Subject: [PATCH] ci: add dependency review (#4)
This pull request includes updates to GitHub Actions workflows to improve dependency reviews and semantic pull request checks. The changes involve adding a new workflow for dependency reviews and enhancing the existing semantic pull request workflow with more descriptive step names.
### New Workflow for Dependency Reviews:
* [`.github/workflows/dependency-review.yml`](diffhunk://#diff-7cdd3ccec44c8ba176bdc3b9ef54c3f56aa210a1a4e2bb5f79d87b1e50314a18R1-R27): Added a new workflow to perform dependency reviews on pull requests, including checks for vulnerabilities and licenses, and displaying OpenSSF scorecards.
### Enhancements to Semantic Pull Request Workflow:
* [`.github/workflows/semantic-pr.yml`](diffhunk://#diff-b461a4aae3e02f4e8cf48457c786aa2de1f6b8b50a64d8b1b2a95e7849759920L25-R33): Updated the semantic pull request workflow to include more descriptive names for steps and ensure proper commenting behavior based on PR title validation results. [[1]](diffhunk://#diff-b461a4aae3e02f4e8cf48457c786aa2de1f6b8b50a64d8b1b2a95e7849759920L25-R33) [[2]](diffhunk://#diff-b461a4aae3e02f4e8cf48457c786aa2de1f6b8b50a64d8b1b2a95e7849759920L45-R48)
---
.github/workflows/dependency-review.yml | 27 +++++++++++++++++++++++++
.github/workflows/semantic-pr.yml | 9 ++++++---
2 files changed, 33 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..333e9ba
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+---
+name: ๐Ÿ•ต๏ธ Dependency Review
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+ pull-requests: write
+ checks: write
+
+jobs:
+ main:
+ name: ๐Ÿ•ต๏ธ Check Dependency
+ runs-on: ubuntu-latest
+ steps:
+ - name: โคต๏ธ Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: ๐Ÿ•ต๏ธ Run Dependency Review
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+ with:
+ vulnerability-check: true
+ license-check: true
+ show-openssf-scorecard: true
+ comment-summary-in-pr: on-failure
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index 3e6aa4a..c81234b 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -22,13 +22,15 @@ jobs:
 name: ๐Ÿ” Check PR title runs-on: ubuntu-latest steps:
- - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+ - name: ๐Ÿ” Run Semantic PR validation
+ uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
 id: check_pr_title env: GITHUB_TOKEN: ${{ github.token }}
- - uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
+ - name: ๐Ÿ’ฌ Comment on PR
 if: always() && (steps.check_pr_title.outputs.error_message != null)
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
 with: header: pr-title-check-error message: |
@@ -42,7 +44,8 @@ jobs:
 ${{ steps.check_pr_title.outputs.error_message }} ```
- - if: ${{ steps.check_pr_title.outputs.error_message == null }}
+ - name: ๐Ÿ—‘ Delete PR comment
+ if: ${{ steps.check_pr_title.outputs.error_message == null }}
 uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
 with: header: pr-title-check-error
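Review bot: The `permissions` block of the new dependency-review.yml grants `checks: write`, which dependency-review-action does not appear to need — its documented requirements are `contents: read` plus `pull-requests: write` for the PR comment — so under least privilege the line `checks: write` can be dropped. On pull requests opened from forks the `GITHUB_TOKEN` is read-only regardless of this block, so `comment-summary-in-pr: on-failure` may not be able to post on those PRs; the job's own pass/fail result is still reported, which is what should gate merging. `license-check: true` has, as far as I can tell, no pass/fail effect unless an `allow-licenses` or `deny-licenses` list is configured, so either add one or record the intent inline, e.g. `license-check: true  # reports only; add allow-licenses/deny-licenses to enforce`. `fail-on-severity` is left at its default (`low` per the action's docs), which is the strict choice; stating it explicitly under `with:` would document that the default is intentional.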