BC-9012 add dependabot ready-for-ci logic to push workflow (#283)

hpi-schul-cloud · Feb 19, 2025 · 50a6f6f · 50a6f6f
1 parent 268a0fb
commit 50a6f6f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        with:
+          allow-licenses: > 
+            AGPL-3.0-only,
+            LGPL-3.0,
+            MIT,
+            Apache-2.0,
+            BSD-2-Clause,
+            BSD-3-Clause,
+            ISC,
+            X11,
+            0BSD,
+            GPL-3.0,
+            AGPL-3.0
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -13,6 +13,16 @@ permissions:
 
 jobs:
   build_and_push:
+    # this basically means do not execute it as dependabot unless it is labeled as ready-for-ci
+    # because automated processes and pr from forks are dangerous, therefore those prs won't have access to secrets, labeling them acts like allow-listing them
+    # more details here https://docs.github.com/en/rest/dependabot/secrets?apiVersion=2022-11-28
+    # even when re-running an action manually the actor stays the same as of mid 2022, details here https://github.blog/changelog/2022-07-19-differentiating-triggering-actor-from-executing-actor/
+
+    #https://github.com/actions/runner/issues/1173#issuecomment-1354501147 when false equals true, you have to come up with something ...
+    if: |
+      (github.actor == 'dependabot[bot]' &&
+      contains(github.event.issue.labels.*.name, 'ready-for-ci') == 'true') ||
+      github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     permissions:
       packages: write