"依赖项审查操作" 是指可在 GitHub Actions 上下文中报告拉取请求中的差异的特定操作。 它还可将强制机制添加到 GitHub Actions 工作流。 有关详细信息,请参阅“依赖项审查”。
有关常见配置选项的列表,请参阅依赖项审查(位于GitHub Marketplace)。
配置 依赖项审查操作
有两种配置 依赖项审查操作方法:
- 在工作流文件中内联配置选项。
- 在工作流文件中引用配置文件。
请注意,所有示例使用操作 (v3) 的短版本号,而不是 semver 版本号(例如,v3.0.8)。 这可确保使用操作的最新次要版本。
使用内联配置设置 依赖项审查操作
-
将新的 YAML 工作流添加到
.github/workflows文件夹。
对于 runs-on,默认标签为 self-hosted。 你可以用任何运行器的标签替换默认标签。
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: [self-hosted]
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v4
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: [self-hosted]
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v4
-
指定你的设置。
此示例 依赖项审查操作 文件演示如何使用可用的配置选项。
YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: [self-hosted] steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtimename: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: [self-hosted] steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtime
使用配置文件设置 依赖项审查操作
-
将新的 YAML 工作流添加到
.github/workflows文件夹,并使用config-file指定正在使用配置文件。
对于 runs-on,默认标签为 self-hosted。 你可以用任何运行器的标签替换默认标签。
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: [self-hosted]
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
# ([String]). Representing a path to a configuration file local to the repository or in an external repository.
# Possible values: An absolute path to a local file or an external file.
config-file: './.github/dependency-review-config.yml'
# Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred)
# config-file: 'github/octorepo/dependency-review-config.yml@main'
# ([Token]) Use if your configuration file resides in a private external repository.
# Possible values: Any GitHub token with read access to the private external repository.
external-repo-token: 'ghp_123456789abcde'
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: [self-hosted]
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
# ([String]). Representing a path to a configuration file local to the repository or in an external repository.
# Possible values: An absolute path to a local file or an external file.
config-file: './.github/dependency-review-config.yml'
# Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred)
# config-file: 'github/octorepo/dependency-review-config.yml@main'
# ([Token]) Use if your configuration file resides in a private external repository.
# Possible values: Any GitHub token with read access to the private external repository.
external-repo-token: 'ghp_123456789abcde'
-
在指定路径中创建配置文件。
此 YAML 示例文件说明了如何使用可用的配置选项。
YAML # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime# Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime
有关配置选项的更多详细信息,请参阅dependency-review-action。