run dependabot scans on PR and push actions to check for new vulnerab…

…ilities
alphagov · Oct 24, 2023 · 79de594 · 79de594
1 parent b8b29b8
commit 79de594
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,37 @@
+name: "Dependabot Scan"
+
+on:
+  workflow_call:
+
+jobs:
+  dependency-review-pr:
+    if: ${{github.event_name == 'pull_request'}}
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
+
+      - name: 'Review changes to repository supply chain'
+        uses: actions/dependency-review-action@v3
+        with:
+          # Fails only on critical findings as it is not possible to pass the build altogether
+          fail-on-severity: critical
+
+  dependency-review-push:
+    if: ${{github.event_name == 'push'}}
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout repository'
+        uses: actions/checkout@v4
+        with:
+          # Checkout this revision and the previous one
+          fetch-depth: 2
+
+      - name: 'Review changes to repository supply chain'
+        uses: actions/dependency-review-action@v3
+        with:
+          # Fails only on critical findings as it is not possible to pass the build altogether
+          fail-on-severity: critical
+          # Set the latest commit as the head-ref and the former as the base-ref for comparison
+          base-ref: refs/heads/main~1
+          head-ref: refs/heads/main