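# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a
# Pull Request, surfacing known-vulnerable versions of the packages declared or
# updated in the PR. Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
#
# Revision notes:
# - The workflow token was previously granted `write` on every scope (contents,
#   actions, checks, pages, packages, issues, statuses, id-token, deployments).
#   The review job only reads the repository, so the token is now limited to
#   `contents: read`; the former grants would have let any compromised step
#   push to the repository, publish packages or mint OIDC tokens.
# - Unconfigured scaffold steps (actions/cache, two identical
#   actions/setup-dotnet steps, actions/upload-artifact) were dropped: all of
#   their inputs were left empty, including the required `path`/`key` of cache
#   and the required `path` of upload-artifact, so the job would have failed at
#   the first of them, and the review itself needs none of them.
# - Third-party actions are still referenced by mutable tags; pinning them to a
#   full commit SHA is the usual hardening step and is left for a follow-up.
---
name: 'Dependency Review'

# GitHub's loader reads `on` as a key, so the YAML 1.1 truthy warning is moot.
on: [pull_request]

# Least privilege: the job only checks out the repository and queries the
# Dependency Review API; nothing here writes back to the repository.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2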