feat(pr-lint): consolidate dependency review into pr-lint action (#497)

* feat(pr-lint): consolidate dependency review into pr-lint action Move dependency review from standalone workflow into the pr-lint composite action. Adds repository visibility check via GitHub API and runs dependency-review-action only on public repos during pull_request events, before MegaLinter. * fix(pr-lint): harden dependency review visibility check Address PR review feedback from Copilot and CodeRabbit: - Skip visibility check on non-PR events (if: pull_request) - Add continue-on-error so API failures don't block MegaLinter - Use curl --fail --show-error to surface HTTP errors in logs - Use github.token directly instead of inputs.token fallback - Add Accept header for GitHub API versioning - Validate jq output type to fail closed on bad API responses * fix(pr-lint): use event payload for visibility, unblock MegaLinter on dep review Replace curl API call with local jq read from $GITHUB_EVENT_PATH for the repository visibility check — simpler, faster, no auth needed. Add continue-on-error to dependency review so MegaLinter always runs, with a re-fail step after artifacts upload to preserve the failure signal.
2026-03-09 16:57:06 +00:00 · 2026-03-08 21:44:45 +02:00
parent f995f89a21
commit 34372bcd36
2 changed files with 34 additions and 18 deletions
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,18 +0,0 @@
---
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: 'Dependency Review'
-on:
-  - pull_request
-
-permissions: {}
-
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: 'Checkout Repository'
-        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
-      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -626,6 +626,33 @@ runs:
        go-version: ${{ steps.go-version.outputs.detected-version }}
        cache: true

+    #   ╭──────────────────────────────────────────────────────────╮
+    #   │                    Dependency Review                     │
+    #   ╰──────────────────────────────────────────────────────────╯
+    - name: Check Repository Visibility
+      id: repo-visibility
+      if: github.event_name == 'pull_request'
+      shell: sh
+      run: |
+        set -eu
+
+        is_private=$(jq -r '.repository.private' "$GITHUB_EVENT_PATH")
+
+        if [ "$is_private" = "false" ]; then
+          printf '%s\n' "is-public=true" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Dependency Review
+      id: dependency-review
+      continue-on-error: true
+      if: >-
+        steps.repo-visibility.outputs.is-public == 'true'
+        && github.event_name == 'pull_request'
+      uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+      with:
+        comment-summary-in-pr: always
+        fail-on-severity: critical
+
    #   ╭──────────────────────────────────────────────────────────╮
    #   │                        MegaLinter                        │
    #   ╰──────────────────────────────────────────────────────────╯
@@ -684,3 +711,10 @@ runs:
        path: |
          megalinter-reports
          mega-linter.log
+
+    - name: Fail if dependency review found critical issues
+      if: steps.dependency-review.outcome == 'failure'
+      shell: sh
+      run: |
+        printf '%s\n' "Dependency review found critical issues" >&2
+        exit 1