From 34372bcd366d87d95dd71081ecd4fb0c1c6a4f00 Mon Sep 17 00:00:00 2001
From: Ismo Vuorinen
Date: Sun, 8 Mar 2026 21:44:45 +0200
Subject: [PATCH] feat(pr-lint): consolidate dependency review into pr-lint action (#497)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(pr-lint): consolidate dependency review into pr-lint action
Move dependency review from standalone workflow into the pr-lint composite action. Adds repository visibility check via GitHub API and runs dependency-review-action only on public repos during pull_request events, before MegaLinter.
* fix(pr-lint): harden dependency review visibility check
Address PR review feedback from Copilot and CodeRabbit:
- Skip visibility check on non-PR events (if: pull_request)
- Add continue-on-error so API failures don't block MegaLinter
- Use curl --fail --show-error to surface HTTP errors in logs
- Use github.token directly instead of inputs.token fallback
- Add Accept header for GitHub API versioning
- Validate jq output type to fail closed on bad API responses
* fix(pr-lint): use event payload for visibility, unblock MegaLinter on dep review
Replace curl API call with local jq read from $GITHUB_EVENT_PATH for the repository visibility check — simpler, faster, no auth needed. Add continue-on-error to dependency review so MegaLinter always runs, with a re-fail step after artifacts upload to preserve the failure signal.
---
 .github/workflows/dependency-review.yml | 18 -------------
 pr-lint/action.yml | 34 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 18 deletions(-)
 delete mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
deleted file mode 100644
index d8bab15..0000000
--- a/.github/workflows/dependency-review.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: 'Dependency Review'
-on:
-  - pull_request
-
-permissions: {}
-
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: 'Checkout Repository'
-        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
-      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/pr-lint/action.yml b/pr-lint/action.yml
index bcb7363..c1b06d7 100644
--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -626,6 +626,33 @@ runs:
         go-version: ${{ steps.go-version.outputs.detected-version }}
         cache: true
 
+    # ╭──────────────────────────────────────────────────────────╮
+    # │ Dependency Review                                        │
+    # ╰──────────────────────────────────────────────────────────╯
+    - name: Check Repository Visibility
+      id: repo-visibility
+      if: github.event_name == 'pull_request'
+      shell: sh
+      run: |
+        set -eu
+
+        is_private=$(jq -r '.repository.private' "$GITHUB_EVENT_PATH")
+
+        if [ "$is_private" = "false" ]; then
+          printf '%s\n' "is-public=true" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Dependency Review
+      id: dependency-review
+      continue-on-error: true
+      if: >-
+        steps.repo-visibility.outputs.is-public == 'true'
+        && github.event_name == 'pull_request'
+      uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+      with:
+        comment-summary-in-pr: always
+        fail-on-severity: critical
+
     # ╭──────────────────────────────────────────────────────────╮
     # │ MegaLinter                                               │
     # ╰──────────────────────────────────────────────────────────╯
@@ -684,3 +711,10 @@ runs:
         path: |
           megalinter-reports
           mega-linter.log
+
+    - name: Fail if dependency review found critical issues
+      if: steps.dependency-review.outcome == 'failure'
+      shell: sh
+      run: |
+        printf '%s\n' "Dependency review found critical issues" >&2
+        exit 1
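Review bot: The new `comment-summary-in-pr: always` on the Dependency Review step requires `pull-requests: write` on the calling workflow's token, which a composite action cannot grant itself and which the deleted workflow did not hold (it ran with only `contents: read`), so the summary comment will fail on callers that keep a least-privilege permissions block. Document this on the step, e.g. `# comment-summary-in-pr needs pull-requests: write on the caller's GITHUB_TOKEN; the composite action cannot grant it`, and in the action's usage docs alongside `contents: read`. Separately, `fail-on-severity: critical` is a policy change the commit message does not mention: the removed workflow used the action's default threshold (low, if I recall the action's defaults correctly), so high-severity advisories that previously failed the check now only produce a comment — consider exposing this as an action input with the old behaviour as default, or at least noting the change. The `&& github.event_name == 'pull_request'` clause is redundant with the guard on the visibility step, since `is-public` is only ever written there, but it is harmless as a belt-and-braces check. The enclosing `runs:`/`steps:` list starts before and continues after this hunk.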
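Review bot: The re-fail step's message attributes every failure to "critical issues", but `steps.dependency-review.outcome == 'failure'` is also true when the action itself errored (dependency graph unavailable for the repository, API or rate-limit error) because `continue-on-error: true` masks the cause, so the log will mislead whoever triages it. Make the message neutral and point at the real log, e.g. `printf '%s\n' "Dependency review step failed (critical vulnerability or action error); see the Dependency Review step log" >&2`, and consider renaming the step to match. Since the step is only reached after the artifact upload, a skipped review correctly yields outcome `skipped` and does not trigger it. The enclosing `steps:` list starts outside this hunk.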