- Disable routine Dependabot PR creation while keeping grouped security update handling for npm and GitHub Actions. - Add dependency-review workflow for dependency manifest and lockfile pull requests. - Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5.
name: Dependency Review
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- "**/package.json"
|
|
- "**/package-lock.json"
|
|
- "**/pnpm-lock.yaml"
|
|
- "pnpm-workspace.yaml"
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
dependency-review:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v6
|
|
|
|
- name: Dependency Review
|
|
uses: actions/dependency-review-action@v5
|
|
with:
|
|
fail-on-severity: high
|
|
fail-on-scopes: runtime, development, unknown
|
|
license-check: false
|
|
show-patched-versions: true
|
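Review bot: The `paths:` filter on the `pull_request` trigger lists only npm manifests and lockfiles, so a pull request that changes just `.github/workflows/*.yml` (an action bump, which the description says the retained security updates still cover) never runs this job, and the action's review of GitHub Actions dependencies is skipped for exactly the change class this commit keeps automating. Adding `- ".github/workflows/**"` to the `paths` list closes that gap; if the job is later made a required status check, be aware that a path-filtered workflow that does not run leaves the check pending on non-matching pull requests, so an unfiltered trigger may be the simpler choice. On the two `uses:` lines, pinning to a full commit SHA with the major kept as a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v6`) is the usual hardening for a workflow whose job is supply-chain review, since a major tag can be retargeted upstream. Indentation is not visible in this rendered view, so the nesting of `with:` under the second step could not be checked here.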