Add a new workflow to simplify dependency review

.github/workflows/dependency-review-v2.yml

@@ -0,0 +1,127 @@
+name: Coveo Dependency Reviewer
+
+on:
+  workflow_call:
+    inputs:
+      comment-summary-in-pr:
+        description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
+        required: false
+        default: on-failure
+        type: string
+      base-ref:
+        description: Provide custom git references for the git base
+        required: false
+        default: ${{ github.event.pull_request.base.sha }}
+        type: string
+      head-ref:
+        description: Provide custom git references for the git head
+        required: false
+        default: ${{ github.event.pull_request.head.sha }}
+        type: string
+      fail-on-severity:
+        description: Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
+        required: false
+        default: high
+        type: string
+      runs-on:
+        description: |
+          The type of machine to run the job on. Must be provided as a stringified list (e.g. public repos should specify `runs-on: '["ubuntu-latest"]'`)
+        default: '["coveo", "arm64" , "linux", "eks"]'
+        type: string
+      retry-on-snapshot-warnings:
+        description: Whether to retry on snapshot warnings (to be used for projects where a dependency submission Action is used)
+        required: false
+        type: boolean
+        default: false
+      retry-on-snapshot-warnings-timeout:
+        description: Number of seconds to wait before stopping snapshot retries.
+        required: false
+        type: number
+        default: 120
+      warn-on-openssf-scorecard-level:
+        description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
+        required: false
+        type: number
+        default: 3
+
+permissions: { }
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ${{ fromJson(inputs.runs-on) }}
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout scan target
+        uses: actions/checkout@v4
+
+      - name: Checkout licenses
+        uses: actions/checkout@v4
+        with:
+          repository: coveo/dependency-allowed-licenses
+          path: coveo-dependency-allowed-licenses
+
+      - name: Get Properties
+        uses: actions/github-script@v7
+        id: get-properties
+        with:
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+
+            const repoDetails = await github.request('GET /repos/' + owner + '/' + repo, {
+              owner: owner,
+              repo: repo
+            });
+            const isPublic = !repoDetails.data.private;
+            console.log(`Is this a public repo? ${isPublic}`);
+            core.setOutput('is_public', isPublic);
+
+            let distributedValue = isPublic;
+            if (!isPublic) {
+              const response = await github.request('GET /repos/' + owner + '/' + repo + '/properties/values', {
+                owner: owner,
+                repo: repo
+              });
+              console.log('Repository properties: ' + JSON.stringify(response.data, null, 2));
+              const distributedProperty = response.data.find(prop => prop.property_name === 'is_distributed');
+              distributedValue = distributedProperty ? distributedProperty.value === 'true' : true;
+            }
+            core.setOutput('is_distributed', distributedValue);
+
+      - name: Select configuration
+        id: select-config
+        uses: actions/github-script@v7
+        with:
+          result-encoding: string
+          script: |
+            const isPublic = ${{ steps.get-properties.outputs.is_public }} === 'true';
+            const isDistributed = ${{ steps.get-properties.outputs.is_distributed }} === 'true';
+
+            if (isPublic) {
+              return 'public.yml'
+            }
+            if (!isPublic && isDistributed) {
+              return 'private-distributed.yml'
+            }
+            if (!isPublic && !isDistributed) {
+              return 'private-undistributed.yml'
+            }
+
+            core.setFailure(`Could not determine configuration for inputs: ${inputs}`)
+
+      - name: Scan
+        uses: actions/dependency-review-action@v4.3.3
+        with:
+          comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }}
+          fail-on-severity: ${{ inputs.fail-on-severity }}
+          config-file: ./coveo-dependency-allowed-licenses/${{ steps.select-config.outputs.result }}
+          base-ref: ${{ inputs.base-ref }}
+          head-ref: ${{ inputs.head-ref }}
+          retry-on-snapshot-warnings: ${{ inputs.retry-on-snapshot-warnings }}
+          retry-on-snapshot-warnings-timeout: ${{ inputs.retry-on-snapshot-warnings-timeout }}
+          warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }}

.github/workflows/dependency-review.yml

@@ -46,6 +46,11 @@ on:
         required: false
         type: number
         default: 120
+      warn-on-openssf-scorecard-level:
+        description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
+        required: false
+        type: number
+        default: 3
 
 jobs:
   dependency-review:
@@ -92,3 +97,4 @@ jobs:
           head-ref: ${{ inputs.head-ref }}
           retry-on-snapshot-warnings: ${{ inputs.retry-on-snapshot-warnings }}
           retry-on-snapshot-warnings-timeout: ${{ inputs.retry-on-snapshot-warnings-timeout }}
+          warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }}

.github/workflows/java-maven-openjdk-dependency-review.yml

@@ -0,0 +1,101 @@
+name: 'Maven Dependency Review'
+
+on:
+  workflow_call:
+    inputs:
+      runs-on:
+        description: |
+          The type of machine to run the job on. Must be provided as a stringified list (e.g. `runs-on: '["ubuntu-latest","self-hosted"]'`)
+        required: true
+        type: string
+
+      # Dependency Submission inputs
+      directory:
+        description: 'The directory that contains the pom.xml that will be used to generate the dependency graph from'
+        default: '.'
+        required: false
+        type: string
+      mvn-version:
+        description: |
+          The Maven version used for the execution. You can specify minor or patch version (3.9 or 3.9.1). Default : 3.9
+        required: false
+        type: number
+        default: 3.9
+      jdk-version:
+        description: |
+          The JDK version to use for the build.
+        default: 21
+        required: false
+        type: number
+      mvn-additional-arguments:
+        description: |
+          The additional arguments to pass to the Maven invocation. You can use this to specify a custom profile for example.
+
+          If you wish to exclude certain modules from the scan, pass: -Dexcludes=groupId:artifactId:type:classifier
+
+        required: false
+        type: string
+
+      # Dependency Reviewer inputs
+      comment-summary-in-pr:
+        description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
+        required: false
+        default: on-failure
+        type: string
+      base-ref:
+        description: Provide custom git references for the git base
+        required: false
+        default: ${{ github.event.pull_request.base.sha }}
+        type: string
+      head-ref:
+        description: Provide custom git references for the git head
+        required: false
+        default: ${{ github.event.pull_request.head.sha }}
+        type: string
+      fail-on-severity:
+        description: Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher.
+        required: false
+        default: high
+        type: string
+      warn-on-openssf-scorecard-level:
+        description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
+        required: false
+        type: number
+        default: 3
+
+permissions: { }
+
+jobs:
+  submit-dependencies:
+    name: Submit dependencies
+    uses: ./.github/workflows/java-maven-openjdk-dependency-submission.yml
+
+    permissions:
+      contents: write
+
+    with:
+      runs-on: ${{ inputs.runs-on }}
+      directory: ${{ inputs.directory }}
+      mvn-version: ${{ inputs.mvn-version }}
+      jdk-version: ${{ inputs.jdk-version }}
+      mvn-additional-arguments: ${{ inputs.mvn-additional-arguments }}
+
+  dependency-review:
+    needs: submit-dependencies
+
+    name: Dependency Review
+    uses: ./.github/workflows/dependency-review-v2.yml
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    with:
+      runs-on: ${{ inputs.runs-on }}
+      comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }}
+      base-ref: ${{ inputs.base-ref }}
+      head-ref: ${{ inputs.head-ref }}
+      fail-on-severity: ${{ inputs.fail-on-severity }}
+      retry-on-snapshot-warnings: true
+      retry-on-snapshot-warnings-timeout: 120
+      warn-on-openssf-scorecard-level: ${{ inputs.warn-on-openssf-scorecard-level }}

.github/workflows/java-maven-openjdk-dependency-submission.yml

@@ -22,7 +22,8 @@ on:
       jdk-version:
         description: |
           The JDK version to use for the build.
-        required: true
+        default: 21
+        required: false
         type: number
       mvn-additional-arguments:
         description: |
@@ -43,9 +44,7 @@ jobs:
       image: maven:${{ inputs.mvn-version }}-eclipse-temurin-${{ inputs.jdk-version }}
 
     permissions:
-      actions: read
       contents: write
-      security-events: write
 
     steps:
       - name: Checkout repository

.github/workflows/test-dependency-review.yml

@@ -21,3 +21,16 @@ jobs:
       distributed: ${{ matrix.distributed }}
       comment-summary-in-pr: ${{ matrix.comment-summary-in-pr }}
       runs-on: '["ubuntu-latest"]'
+
+  test_v2:
+    strategy:
+      matrix:
+        warn-on-openssf-scorecard-level: [5, 8]
+        comment-summary-in-pr: [true, false]
+      fail-fast: false
+
+    uses: ./.github/workflows/dependency-review-v2.yml
+    with:
+      warn-on-openssf-scorecard-level: ${{ matrix.warn-on-openssf-scorecard-level }}
+      comment-summary-in-pr: ${{ matrix.comment-summary-in-pr }}
+      runs-on: '["ubuntu-latest"]'

.gitignore

@@ -0,0 +1 @@
+.idea