# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
---
name: Dependency License Review

# Run on every pull request open/update so dependencies added by the PR are
# checked before merge. (`on` is a YAML 1.1 boolean to generic parsers;
# GitHub's loader treats it as the key name.)
on:  # yamllint disable-line rule:truthy
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

# Least privilege: the workflow only needs read access to repository contents;
# nothing in this job writes back to the repository.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both third-party actions are pinned to a major-version
      # tag. Pinning to a full commit SHA (with the tag kept in a trailing
      # comment) guards against a moved or re-published tag — confirm against
      # project policy before changing.
      - name: Checkout Repository
        uses: actions/checkout@v5

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Block the PR when an introduced dependency has an advisory of at
          # least this severity. Possible values: "critical", "high",
          # "moderate", "low".
          fail-on-severity: moderate
          # Exactly one of `allow-licenses` / `deny-licenses` may be set.
          # Comma-separated SPDX license identifiers or expressions
          # (https://spdx.org/licenses/); only these licenses are allowed.
          allow-licenses: BSD-2-Clause, BSD-3-Clause, MIT, Apache-2.0, EPL-2.0, MPL-2.0, CC0-1.0
          # Uncomment to accept specific, already-reviewed advisories:
          # allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679
          # Dependency scopes whose vulnerabilities block the pull request.
          # Possible values: "development", "runtime", "unknown".
          fail-on-scopes: development, runtime