Add a new workflow to simplify dependency review

[JPLachance]

• Add a new workflow to simplify Java dependency review
• Add support for warn-on-openssf-scorecard-level
• Add a dependency review V2 that self detect parameters based on a script

J:DEF-3582

---

This pull request introduces new workflows and updates existing ones to enhance dependency review processes. The primary changes include adding a new workflow for dependency review, updating existing workflows to include OpenSSF Scorecard warnings, and improving configuration flexibility.

New Workflows:

• Added Coveo Dependency Reviewer workflow to .github/workflows/dependency-review-v2.yml for reviewing dependencies with various configuration options.
• Added Maven Dependency Review workflow to .github/workflows/java-maven-openjdk-dependency-review.yml for Maven projects, including dependency submission and review steps.

Updates to Existing Workflows:

• Updated .github/workflows/dependency-review.yml to include warn-on-openssf-scorecard-level input for OpenSSF Scorecard warnings. [1] [2]
• Modified .github/workflows/java-maven-openjdk-dependency-submission.yml to adjust permissions for dependency submission.
• Enhanced .github/workflows/test-dependency-review.yml to test the new dependency-review-v2.yml workflow with different configurations.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 3 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	⚠️ 7.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 12 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected Pinned-Dependencies ⚠️ 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/actions/dependency-review-action	4.3.3	⚠️ 7.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 23 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/github-script	7.*.*	⚠️ 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 7 6 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 5 5 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/dependency-review-v2.yml

• actions/checkout@4.*.*
• actions/dependency-review-action@4.3.3
• actions/github-script@7.*.*

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/java-maven-openjdk-dependency-review.yml

Package	Version	License	Issue Type
coveo/public-actions/.github/workflows/dependency-review.yml	main	Null	Unknown License

Allowed Licenses: 0BSD, Apache-2.0, Apache-2.0 AND MIT, Apache-2.0 AND BSD-3-Clause AND Python-2.0, Beerware, BlueOak-1.0.0, BSD-1-Clause, BSD-2-Clause, BSD-1-Clause AND BSD-2-Clause, BSD-2-Clause-Patent, BSD-2-Clause-Views, BSD-2-Clause AND MIT, BSD-3-Clause, BSD-3-Clause-Attribution, BSD-3-Clause-Clear, BSL-1.0, CC-BY-3.0, CC-BY-4.0, CC0-1.0, CNRI-Python, curl, HPND, IBM-pibs, ImageMagick, ISC, JSON, MIT, MIT-0, MIT AND ISC, MIT AND Python-2.0, MIT-advertising, mpi-permissive, NCSA, ODC-By-1.0, PDDL-1.0, Plexus, PostgreSQL, PSF-2.0, Python-2.0, Python-2.0.1, SAX-PD, Unlicense, UPL-1.0, W3C, Wsuipa, WTFPL, X11, X11-distribute-modifications-variant, Xerox, Zlib, ZPL-2.1

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/github-script	7.*.*	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 7 6 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 5 5 existing vulnerabilities detected
actions/coveo/public-actions/.github/workflows/dependency-review.yml	main	🟢 6.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 17 out of 17 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 3 1 different organizations found -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 6 8 commit(s) out of 30 and 0 issue activity out of 3 found in the last 90 days -- score normalized to 6 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 7 SAST tool detected but not run on all commits Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 no vulnerabilities detected
actions/coveo/public-actions/.github/workflows/java-maven-openjdk-dependency-submission.yml	main	🟢 6.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 17 out of 17 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 3 1 different organizations found -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 6 8 commit(s) out of 30 and 0 issue activity out of 3 found in the last 90 days -- score normalized to 6 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 7 SAST tool detected but not run on all commits Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 no vulnerabilities detected

Scanned Manifest Files

.github/workflows/java-maven-openjdk-dependency-review.yml

• actions/github-script@7.*.*
• coveo/public-actions/.github/workflows/dependency-review.yml@main
• coveo/public-actions/.github/workflows/java-maven-openjdk-dependency-submission.yml@main

[JPLachance]

A proper test: https://github.com/coveo-platform/ratlabservice/pull/498/files

[louis-bompart]

Skipped everything Maven.
For dependency-review v. dependency-review-v2.
I like the auto-detect mechanism, it is nice.
I'm now thinking "how could we do it without breaking changes/a v2".
So, how about, for the current major we use the auto-detect scripts as a "default/fallback" values, and make the parameters of the workflow optional?

[jonapich]

I have a feeling these will only work in Pull Request events, and in none of the others. If this is intended it should be documented. If it's not, a workaround is to use '' as the default value, and then have a step that figures it out if: input.head == ''.

[JPLachance]

I have a feeling these will only work in Pull Request events, and in none of the others. If this is intended it should be documented. If it's not, a workaround is to use '' as the default value, and then have a step that figures it out if: input.head == ''.

👋🏼 Dependency review, by GitHub's design, can only run in a Pull Request context.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization

And I'm pretty much trying to implement what's proposed in that documentation. My end goal is to fully remove dependency-review.yml from everyone's repo, enforce dependency review organizations wide, without relying on someone needing to remember to configure dependency review.

Does that make sense?

[JPLachance]

Skipped everything Maven. For dependency-review v. dependency-review-v2. I like the auto-detect mechanism, it is nice. I'm now thinking "how could we do it without breaking changes/a v2". So, how about, for the current major we use the auto-detect scripts as a "default/fallback" values, and make the parameters of the workflow optional?

Here, I'm pretty much trying to do a "smooth" rollout of the new Idea of using repository properties, without breaking everyone all at once.

So, Copilot and I created two scripts to populate properties in all repositories of the Coveo Platform organization: https://github.com/coveo-platform/acf/pull/413

So, in theory (:famouslastwords:), a migration to the V2 is non-breaking. In theory.

But at the same time, I learned the hard way not to trust myself 😅

Again, my end goal is to implement https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/enforcing-dependency-review-across-an-organization. Combined with https://github.com/coveo-platform/required-workflows/pull/5, I plan on fully removing the dependency-review.yml file from ALL repositories at Coveo.

So, at the end of this journey, repos won't have a dependency-review.yml file unless they truly want one.

And all this work is being done to unlock the "Renovate auto-merge" Idea.

[jonapich]

I have a feeling these will only work in Pull Request events, and in none of the others.
👋🏼 Dependency review, by GitHub's design, can only run in a Pull Request context.

Thanks for the explanation; TIL. I still think this should be documented; is there an example somewhere that people will copy/paste?

edit: a note was added here.