From b447e465fbd9a01f091741009d83005d33c400c8 Mon Sep 17 00:00:00 2001
From: Austin Vazquez
Date: Mon, 5 Aug 2024 19:09:16 -0700
Subject: [PATCH] ci: add review dependencies workflow

Signed-off-by: Austin Vazquez
---
 .github/dependency-review-config.yml | 9 ++++++++
 .github/workflows/ci-docs.yaml | 4 ----
 .github/workflows/ci.yaml | 9 --------
 .github/workflows/review-dependencies.yaml | 24 ++++++++++++++++++++++
 Makefile | 7 +++++++
 5 files changed, 40 insertions(+), 13 deletions(-)
 create mode 100644 .github/dependency-review-config.yml
 create mode 100644 .github/workflows/review-dependencies.yaml

diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
new file mode 100644
index 000000000..894e1af8b
--- /dev/null
+++ b/.github/dependency-review-config.yml
@@ -0,0 +1,9 @@
+# Fail third party dependency usage if not covered by the curated set of pre-approved licenses.
+#
+# List was generated from guidance set forth by Amazon open source usage policies.
+allow-licenses:
+ - 'Apache-2.0'
+ - 'BSD-2-Clause'
+ - 'BSD-3-Clause'
+ - 'ISC'
+ - 'MIT'
diff --git a/.github/workflows/ci-docs.yaml b/.github/workflows/ci-docs.yaml
index ab7086900..17621418b 100644
--- a/.github/workflows/ci-docs.yaml
+++ b/.github/workflows/ci-docs.yaml
@@ -67,10 +67,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - run: echo "Skipping CI for docs & contrib files"
- check-licenses:
- runs-on: ubuntu-latest
- steps:
- - run: echo "Skipping CI for docs & contrib files"
 e2e-tests:
 strategy:
 matrix:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 720f63554..a21f8dc37 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
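Review bot: `dependency-review-config.yml` sets only `allow-licenses`, so the vulnerability threshold of the new gate is left to the action's default; as far as I recall that default fails on `low` and above, but because this file replaces the removed `check-licenses` job as the merge gate the threshold should be stated explicitly, e.g. `fail-on-severity: low` directly under `allow-licenses`. A caveat worth adding to the header comment: license data comes from GitHub's dependency graph, and a Go module whose license it cannot resolve is, as I understand the action, not rejected by `allow-licenses`, so this is a weaker check than the removed `make check-licenses` for dependencies with an undetected license. Minor: the file is `.yml` while both workflows in this patch are `.yaml`; using one extension across `.github/` keeps the directory consistent.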
@@ -132,15 +132,6 @@ jobs:
 # TODO: Use `go mod tidy --check` after https://github.com/golang/go/issues/27005 is fixed.
 - run: go mod tidy
 - run: git diff --exit-code
- check-licenses:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- go-version-file: go.mod
- cache: true
- - run: make check-licenses
 e2e-tests:
 strategy:
 fail-fast: false
diff --git a/.github/workflows/review-dependencies.yaml b/.github/workflows/review-dependencies.yaml
new file mode 100644
index 000000000..71cfafb1a
--- /dev/null
+++ b/.github/workflows/review-dependencies.yaml
@@ -0,0 +1,24 @@
+name: Review dependencies
+
+on:
+ pull_request:
+ branches: ['main', 'release/**']
+ paths:
+ - 'go.*'
+
+jobs:
+ review:
+ runs-on: ubuntu-latest
+
+ permissions:
+ # Write permissions needed to comment review results on PR.
+ # Pwn request risk mitigated by using pull_request workflow trigger
+ # and external contributor workflow runs require maintainer approval.
+ pull-requests: write
+
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+ with:
+ config-file: './.github/dependency-review-config.yml'
+ comment-summary-in-pr: always
diff --git a/Makefile b/Makefile
index f7b0753ce..b32c52edb 100644
--- a/Makefile
+++ b/Makefile
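Review bot: The `permissions` block of the `review` job grants only `pull-requests: write`, which sets every other scope, including `contents`, to `none`; both `actions/checkout` and the dependency-review action run with that same `GITHUB_TOKEN` (the latter calls the dependency-graph compare API), and the action's documented permissions for this mode are `contents: read` together with `pull-requests: write`, so add `contents: read` here rather than relying on the repository being public. The comment's reasoning about the `pull_request` trigger is sound, but its flip side belongs next to `comment-summary-in-pr: always`: on pull requests from forks the token is read-only regardless of this block, so the comment cannot be posted and reviewers have to read the job summary instead. `paths: ['go.*']` matches only the top-level `go.mod`/`go.sum`, so the review never runs for changes to the pinned actions under `.github/workflows/**` (which dependency review also covers) or to the config file it reads. Finally, the removed `check-licenses` job had a same-named stub in `ci-docs.yaml`, the usual sign of a required status check; `review` has a path filter and no stub, so branch protection needs updating or PRs that do not touch `go.*` will wait on a check that never runs.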
@@ -202,6 +202,13 @@ download-licenses:
 ### dependencies in release-please.yaml - end ###
+ ### dependencies in review-dependencies.yaml - start ###
+
+ mkdir -p "$(LICENSEDIR)/github.com/actions/dependency-review-action"
+ curl https://github.com/actions/dependency-review-action/main/LICENSE --output "$(LICENSEDIR)/github.com/actions/dependency-review-action/LICENSE"
+
+ ### dependencies in review-dependencies.yaml - end ###
+
 ### system-level dependencies - start ###
 mkdir -p "$(LICENSEDIR)/github.com/lima-vm/lima"
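Review bot: The `curl` URL added to `download-licenses`, `https://github.com/actions/dependency-review-action/main/LICENSE`, is not a raw-content path on github.com (those are `/raw/<ref>/…` or `raw.githubusercontent.com`), and because the call has no `--fail`, a 404 page would be written into `LICENSE` with exit status 0, so the target would succeed while shipping the wrong file; the other `curl` lines of this target are outside the hunk, so if they use the same form they share the problem. The fetch also tracks `main`, whereas the workflow pins the action to `5a2ce3f5…` (v4.3.4), so the recorded license text can drift from the version actually used. Suggested line: `curl -fsSL https://raw.githubusercontent.com/actions/dependency-review-action/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c/LICENSE --output "$(LICENSEDIR)/github.com/actions/dependency-review-action/LICENSE"`.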