Actions: Config dependabot on PRs

chaynHQ · Jun 3, 2024 · 41a87a2 · 41a87a2
1 parent fb6fea7
commit 41a87a2
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -29,4 +29,3 @@ updates:
       interval: "weekly"
       time: "09:00"
       timezone: "Europe/London"
-
diff --git a/...ub/workflows/create-dependabot-issues.yml → ...ub/workflows/dependabot-create-issues.yml b/...ub/workflows/create-dependabot-issues.yml → ...ub/workflows/dependabot-create-issues.yml
@@ -1,3 +1,6 @@
+# This workflow opens issues for pull requests opened by dependabot.
+# See for more info: https://github.com/actions/dependency-review-action
+
 name: Create Dependabot Issues # from pull requests
 
 on:

diff --git a/.github/workflows/dependabot-pr-review.yml b/.github/workflows/dependabot-pr-review.yml
@@ -0,0 +1,22 @@
+# This workflow enables dependency scans on pull requests.
+# When changes in dependencies are detected, it will raise an error
+# if any vulnerabilities or invalid licenses are introduced.
+# See for more info: https://github.com/actions/dependency-review-action
+
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v4
+        with:
+          # fails when moderate vulnerabilities are deteched
+          fail-on-severity: moderate