From 68808567947f0cb5cb13d9ee0011128d7c7f5525 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 12 Sep 2025 15:51:22 +0000
Subject: [PATCH 1/3] feat: [SEC-7263] Add dependency-scan GitHub Actions workflow

- Add dependency-scan workflow for Node.js SBOM generation
- Include policy evaluation for license compliance
- Use private repository workflow pattern with common-actions

Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/dependency-scan.yml

diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
new file mode 100644
index 0000000..740184f
--- /dev/null
+++ b/.github/workflows/dependency-scan.yml
@@ -0,0 +1,32 @@
+name: Dependency Scan
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ generate-sbom:
+ runs-on: ${{ github.run_id }}/runner=ubuntu22-2cpu-8gb-x64
+ steps:
+ - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3
+ - uses: launchdarkly/common-actions/init@main
+
+ - name: Generate SBOM
+ uses: launchdarkly/common-actions/dependency-scan/generate-sbom@main
+ with:
+ types: 'nodejs'
+
+ evaluate-policy:
+ runs-on: ${{ github.run_id }}/runner=ubuntu22-2cpu-8gb-x64
+ needs:
+ - generate-sbom
+ steps:
+ - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3
+ - uses: launchdarkly/common-actions/init@main
+
+ - name: Evaluate SBOM Policy
+ uses: launchdarkly/common-actions/dependency-scan/evaluate-policy@main
+ with:
+ artifacts-pattern: bom-*

From c4373d7ea20ea844b14ba6aeea2a692c1aadeeb4 Mon Sep 17 00:00:00 2001
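Review bot: The two `launchdarkly/common-actions/...@main` steps float on a mutable branch while the adjacent `runs-on/action` step in the same `steps:` list is pinned to a full commit SHA with a `# v2.0.3` comment, so what executes with this repository's token can change without any commit here; the same applies to the `launchdarkly/common-workflows/.github/workflows/dependency-scan.yml@main` reference introduced in PATCH 2/3 and kept in PATCH 3/3. Pin consistently, e.g. `- uses: launchdarkly/common-actions/init@<COMMIT_SHA>  # v<TAG>`, and let a dependency-update bot move the pin; if the org deliberately tracks `main` for its internal actions, a one-line comment saying so stops the question being raised on every review. The workflow also declares no top-level `permissions:`, so both jobs run with the repository's default `GITHUB_TOKEN` scope; generating and evaluating an SBOM presumably needs no more than `permissions:` / `  contents: read` at the top of the file, widened only for what the called actions are documented to require.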
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 15 Sep 2025 17:56:03 +0000
Subject: [PATCH 2/3] refactor: Update to use common-workflows reusable dependency-scan workflow

Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 28 +++++----------------------
 1 file changed, 5 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index 740184f..5932ab2 100644
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -7,26 +7,8 @@ on:
 - main

 jobs:
- generate-sbom:
- runs-on: ${{ github.run_id }}/runner=ubuntu22-2cpu-8gb-x64
- steps:
- - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3
- - uses: launchdarkly/common-actions/init@main
-
- - name: Generate SBOM
- uses: launchdarkly/common-actions/dependency-scan/generate-sbom@main
- with:
- types: 'nodejs'
-
- evaluate-policy:
- runs-on: ${{ github.run_id }}/runner=ubuntu22-2cpu-8gb-x64
- needs:
- - generate-sbom
- steps:
- - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3
- - uses: launchdarkly/common-actions/init@main
-
- - name: Evaluate SBOM Policy
- uses: launchdarkly/common-actions/dependency-scan/evaluate-policy@main
- with:
- artifacts-pattern: bom-*
+ dependency-scan:
+ uses: launchdarkly/common-workflows/.github/workflows/dependency-scan.yml@main
+ with:
+ types: 'nodejs'
+ secrets: inherit

From a2eba287297ff8c8a34cdca9b653c08ef7803842 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 15 Sep 2025 18:05:29 +0000
Subject: [PATCH 3/3] fix: Add runs-on parameter to resolve runner spec error

Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index 5932ab2..0e620ab 100644
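Review bot: `secrets: inherit` on the new `dependency-scan` job hands every secret of the calling repository to a reusable workflow that is referenced by the mutable `@main` ref, so a change in `common-workflows` has the repository's full secret set in reach rather than whatever SBOM generation and policy evaluation actually consume. Prefer an explicit `secrets:` mapping naming only the secrets the called workflow declares, which this diff does not show and I cannot confirm; if `inherit` is needed because the callee's secret names are not stable across repositories, a comment on that line such as `# inherit: callee's secret names vary per repo; see common-workflows dependency-scan.yml` records the trade-off for the next reviewer. Note that the job also passes no `permissions:`, so the reusable workflow gets whatever the caller's default token scope is.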
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -11,4 +11,5 @@ jobs:
 uses: launchdarkly/common-workflows/.github/workflows/dependency-scan.yml@main
 with:
 types: 'nodejs'
+ runs-on: 'ubuntu-latest'
 secrets: inherit
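Review bot: The reason for `runs-on: 'ubuntu-latest'` exists only in the commit message ("resolve runner spec error"), yet the value moves the scan from the org's `${{ github.run_id }}/runner=...` runner spec used in PATCH 1/3 to a GitHub-hosted floating label, which is now where the checked-out source and the inherited secrets are processed. A comment above the line, e.g. `# GitHub-hosted runner: the reusable workflow's default runner spec does not resolve in this repository`, keeps that decision reviewable; that `runs-on` is an input the reusable workflow defines is inferred from the commit message and cannot be confirmed from this diff. `ubuntu-latest` is a floating image label, so the SBOM tooling versions on the runner can shift between runs; a dated label such as `'ubuntu-22.04'` is worth considering if the reusable workflow accepts it.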