.github/workflows/check-dependencies.yml

name: "3rd-party"

on:
  push:
    branches:
      - /^release-.*$/
  pull_request:

permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    env:
      USE_STAGE: 'false' # Whether to include the stage repository.
      SCRIPT_DEPENDENCY: install-dist/scripts/dependency
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          java-version: '11'
          distribution: 'adopt'

      - name: use staged maven repo settings
        if: ${{ env.USE_STAGE == 'true' }}
        run: |
          cp $HOME/.m2/settings.xml /tmp/settings.xml
          mv -vf .github/configs/settings.xml $HOME/.m2/settings.xml

      - name: mvn install
        run: |
          mvn install -Dmaven.test.skip=true -ntp --fail-at-end
      - name: generate current dependencies
        run: |
          bash $SCRIPT_DEPENDENCY/regenerate_known_dependencies.sh current-dependencies.txt
      - name: check third dependencies
        run: |
          bash $SCRIPT_DEPENDENCY/check_dependencies.sh

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        # Refer: https://github.com/actions/dependency-review-action
        with:
          # TODO: reset critical to low before releasing
          fail-on-severity: critical
          # Action will fail if dependencies don't match the list
          #allow-licenses: Apache-2.0, MIT
          #deny-licenses: GPL-3.0, AGPL-1.0, AGPL-3.0, LGPL-2.0, CC-BY-3.0