diff --git a/.github/workflows/check-commit-signing.yml b/.github/workflows/check-commit-signing.yml new file mode 100644 index 0000000000..fa34811a67 --- /dev/null +++ b/.github/workflows/check-commit-signing.yml @@ -0,0 +1,29 @@ +name: 🚨 Check commit signing + +on: + push: + branches: + - long_lived/** + - main + - release/** + pull_request: + branches: + - "**" + +concurrency: + group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow_ref, github.event.pull_request.number) || github.run_id }} + cancel-in-progress: true + +jobs: + check-commit-signing: + name: Check commit signing + runs-on: [ubuntu-latest] + timeout-minutes: 5 + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: chia-network/actions/check-commit-signing@main diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..53a3bbdd86 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,25 @@ +# Managed by repo-content-updater +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: "🚨 Dependency Review" +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: "Checkout Repository" + uses: actions/checkout@v4 + + - name: "Dependency Review" + uses: actions/dependency-review-action@v4 + with: + allow-dependencies-licenses: pkg:pypi/pylint, pkg:pypi/pyinstaller + deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later