Dependency review improvements

mabar · mabar · commit 27c3873d2b18 · 2024-12-28T05:16:17.000+01:00
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -1,38 +1,40 @@
 name: "Dependency Review"
 
 on:
-  pull_request:
+  pull_request_target:
     types: [ "opened", "synchronize", "edited", "reopened" ]
-    paths-ignore:
-      - "docs/**"
+    paths:
+      - "*"
+      - ".github/**"
   push:
     branches:
       - "**"
-    paths-ignore:
-      - "docs/**"
+    paths:
+      - "*"
+      - ".github/**"
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
   cancel-in-progress: true
 
 permissions:
   contents: "read"
+  pull-requests: "write"
 
 jobs:
   dependency-review:
     name: "Dependency Review"
     runs-on: "ubuntu-latest"
 
-    if: |
-      github.event_name != 'pull_request'
-      || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
-
     steps:
       - name: "Checkout"
         uses: "actions/checkout@v4"
 
       - name: "Dependency Review"
         uses: "actions/dependency-review-action@v4"
         with:
-          base-ref: "${{ github.event.before }}"
-          head-ref: "${{ github.sha }}"
+          base-ref: "${{ github.event_name == 'push' && github.event.before || '' }}"
+          head-ref: "${{ github.event_name == 'push' && github.sha || '' }}"
+          comment-summary-in-pr: "always"
+          fail-on-severity: "high"
+          show-openssf-scorecard: false
