From 0a444b40d1a5b36f0067a5a5951af4a7ddfafe44 Mon Sep 17 00:00:00 2001
From: Patrick Ziegler <ziegler.patrick@hotmail.de>
Date: Wed, 2 Jul 2025 22:52:29 +0200
Subject: [PATCH] Restrict execution of dash-license tool

This tool should only be executed when there are actual dependency
changes. For the sake of security, the tool is now only executed when
changes are done to the master and optionally on a PR, but only if the
"dash-license" label is set.

Closes https://github.com/eclipse-windowbuilder/windowbuilder/issues/1125
---
 .github/workflows/maven.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml
index 3ca672a2a..960d530e8 100644
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@@ -1,5 +1,9 @@
 name: WindowBuilder verification build
 
+concurrency: 
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
 on:
   push:
     branches:
@@ -7,8 +11,15 @@ on:
   pull_request:
     branches:
       - master
+    types: 
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+
 jobs:
   check-dash-licenses:
+    if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'dash-license')
     uses: eclipse-dash/dash-licenses/.github/workflows/mavenLicenseCheck.yml@cbd9bd5d78742d3c9772ace91b129424b418c342 # 1.1.0
     with:
       projectId: tools.windowbuilder