ci: add review dependencies workflow

Signed-off-by: Austin Vazquez <[email protected]>
runfinch · Dec 24, 2024 · c62a511 · c62a511
1 parent 8a72057
commit c62a511
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 13 deletions.
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
@@ -0,0 +1,9 @@
+# Fail third party dependency usage if not covered by the curated set of pre-approved licenses.
+#
+# List was generated from guidance set forth by Amazon open source usage policies.
+allow-licenses:
+  - 'Apache-2.0'
+  - 'BSD-2-Clause'
+  - 'BSD-3-Clause'
+  - 'ISC'
+  - 'MIT'
diff --git a/.github/workflows/ci-docs.yaml b/.github/workflows/ci-docs.yaml
@@ -83,10 +83,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Skipping CI for docs & contrib files"
-  check-licenses:
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo "Skipping CI for docs & contrib files"
   macos-e2e-tests:
     strategy:
       matrix:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -150,15 +150,6 @@ jobs:
       # TODO: Use `go mod tidy --check` after https://github.com/golang/go/issues/27005 is fixed.
       - run: go mod tidy
       - run: git diff --exit-code
-  check-licenses:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-          cache: false
-      - run: make check-licenses
   macos-e2e-tests:
     strategy:
       fail-fast: false

diff --git a/.github/workflows/review-dependencies.yaml b/.github/workflows/review-dependencies.yaml
@@ -0,0 +1,24 @@
+name: Review dependencies
+
+on:
+  pull_request:
+    branches: ['main', 'release/**']
+    paths:
+      - 'go.*'
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      # Write permissions needed to comment review results on PR.
+      # Pwn request risk mitigated by using pull_request workflow trigger
+      # and external contributor workflow runs require maintainer approval.
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        with:
+          config-file: './.github/dependency-review-config.yml'
+          comment-summary-in-pr: always
diff --git a/Makefile b/Makefile
@@ -219,6 +219,13 @@ download-licenses:
 
     ### dependencies in release-please.yaml - end ###
 
+    ### dependencies in review-dependencies.yaml - start ###
+
+	mkdir -p "$(LICENSEDIR)/github.com/actions/dependency-review-action"
+	curl https://github.com/actions/dependency-review-action/main/LICENSE --output "$(LICENSEDIR)/github.com/actions/dependency-review-action/LICENSE"
+
+    ### dependencies in review-dependencies.yaml - end ###
+
     ### system-level dependencies - start ###
 
 	mkdir -p "$(LICENSEDIR)/github.com/lima-vm/lima"