github: add a dependency review action

[raghavendra-talur]

This action provides information about

• Which dependencies were added, removed, or updated.
• How many projects use these components.
• Vulnerability data for these dependencies.
• License type and compatibility.

For more info, read

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review

https://github.com/actions/dependency-review-action

[nirs]

Based on the output:
https://github.com/RamenDR/ramen/actions/runs/11979895161

This checks the github actions used in a workflow, so adding it in a new workflows does not check the actions used in the ramen/tools/e2e workflows.

[raghavendra-talur]

Based on the output: https://github.com/RamenDR/ramen/actions/runs/11979895161

This checks the github actions used in a workflow, so adding it in a new workflows does not check the actions used in the ramen/tools/e2e workflows.

IMO, it is reporting that this PR added dependency on these two actions. If a subsequent PR adds dependency on a go package/module, it will report that.

I am not sure if the scoping is limited to the top most Go module in the repository. If that happens to be the case, we will fix it.

[nirs]

Based on the output: https://github.com/RamenDR/ramen/actions/runs/11979895161
This checks the github actions used in a workflow, so adding it in a new workflows does not check the actions used in the ramen/tools/e2e workflows.

IMO, it is reporting that this PR added dependency on these two actions. If a subsequent PR adds dependency on a go package/module, it will report that.

ok, make sense.

We can test this by adding a new dependency in another workflow or in ramen in a temporary commit.

[raghavendra-talur]

@nirs I added a temporary commit and here is the run output https://github.com/RamenDR/ramen/actions/runs/11980488467?pr=1665

diff --git a/cmd/main.go b/cmd/main.go
index 4aaa754e..e194072b 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -42,6 +42,8 @@ import (
        argocdv1alpha1hack "github.com/ramendr/ramen/internal/controller/argocd"
        rmnutil "github.com/ramendr/ramen/internal/controller/util"
        recipe "github.com/ramendr/recipe/api/v1alpha1"
+
+       "github.com/magefile/mage/sh"
        // +kubebuilder:scaffold:imports
 )

@@ -257,6 +259,10 @@ func main() {
        bindFlags(logOpts.BindFlags)
        flag.Parse()

+       if err := sh.Run("echo", "hello world"); err != nil {
+               panic(err)
+       }
+
        ctrl.SetLogger(zap.New(zap.UseFlagOptions(logOpts)))

        ctrlOptions, ramenConfig := buildOptions()
diff --git a/go.mod b/go.mod
index 63f8b34c..c0c8b449 100644
--- a/go.mod
+++ b/go.mod
@@ -69,6 +69,7 @@ require (
        github.com/json-iterator/go v1.1.12 // indirect
        github.com/klauspost/compress v1.17.10 // indirect
        github.com/kubernetes-csi/external-snapshotter/client/v6 v6.2.0 // indirect
+       github.com/magefile/mage v1.15.0 // indirect
        github.com/magiconair/properties v1.8.7 // indirect
        github.com/mailru/easyjson v0.7.7 // indirect
        github.com/mitchellh/mapstructure v1.5.0 // indirect

[nirs]

Nice!

[ShyamsundarR]

Checked default configurations for the action, they seem to cover adequately required severity and result in failures. I was wondering if we should add allowed license list, but that can come subsequently (just noting the thought for now).

LGTM! waiting for the test code to be undone, before an approval/merge.

[raghavendra-talur]

@ShyamsundarR GitHub has gone into a weird state. See the processing updates message in the top right corner. Hopefully it reconciles in a day or two.