Skip to content

Merge branch 'main' into dependabot/cargo/rustversion-1.0.16 #401

Merge branch 'main' into dependabot/cargo/rustversion-1.0.16

Merge branch 'main' into dependabot/cargo/rustversion-1.0.16 #401

name: Dependency Review
on:
push:
pull_request:
merge_group:
jobs:
dependency-review:
name: Github Dependency Review
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
# AND combinations are currently bugged and must be listed separately: https://github.com/actions/dependency-review-action/issues/263
# OR combinations are currently bugged and must be listed separately: https://github.com/actions/dependency-review-action/issues/670
allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, Unicode-DFS-2016, (MIT OR Apache-2.0) AND Unicode-DFS-2016, Unlicense OR MIT
# anstyle is licensed as (MIT OR Apache-2.0), but the Github api fails to detect it: https://github.com/rust-cli/anstyle/tree/main/crates/anstyle
allow-dependencies-licenses: 'pkg:cargo/[email protected]'
comment-summary-in-pr: on-failure
# Explicit refs required for merge_group and push triggers:
# https://github.com/actions/dependency-review-action/issues/456
# https://github.com/actions/dependency-review-action/issues/252
base-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || (github.event_name == 'push' && github.event.before || (github.event_name == 'merge_group' && 'main' || 'unsupported trigger' ) ) }}
head-ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || (github.event_name == 'push' && github.sha || (github.event_name == 'merge_group' && github.ref || 'unsupported trigger' ) ) }}