"종속성 검토 작업"는 컨텍스트 내에서 GitHub Actions 끌어오기 요청의 차이점을 보고할 수 있는 특정 작업을 나타냅니다. 워크플로에 적용 메커니즘을 추가할 수도 있습니다 GitHub Actions . 자세한 내용은 종속성 검토을(를) 참조하세요.
일반적인 구성 옵션 목록은 에 대한 GitHub Marketplace 참조하세요.
종속성 검토 작업 구성
다음 두 가지 방법으로 구성합니다.종속성 검토 작업
- 워크플로 파일의 구성 옵션 인라인.
- 워크플로 파일에서 구성 파일 참조.
모든 예제에서는 semver 릴리스 번호(예: v3)가 아닌 작업(v3.0.8)에 짧은 버전 번호를 사용합니다. 이렇게 하면 작업의 최신 부 버전을 사용할 수 있습니다.
인라인 구성을 사용하여 종속성 검토 작업 설정하기
-
새로운 YAML 워크플로를
.github/workflows폴더에 추가합니다.YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 -
설정을 지정합니다.
이 종속성 검토 작업 예제 파일은 사용 가능한 구성 옵션을 사용하는 방법을 보여 줍니다.
YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: GPL-3.0, BSD-3-Clause, MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: LGPL-2.0, BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtimename: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: GPL-3.0, BSD-3-Clause, MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: LGPL-2.0, BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: development, runtime
구성 파일을 사용하여 설정 종속성 검토 작업
-
.github/workflows폴더에 새 YAML 워크플로를 추가하고config-file을 사용하여 구성 파일을 사용 중임을 지정합니다.YAML name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # ([String]). Representing a path to a configuration file local to the repository or in an external repository. # Possible values: An absolute path to a local file or an external file. config-file: './.github/dependency-review-config.yml' # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred) # config-file: 'github/octorepo/dependency-review-config.yml@main' # ([Token]) Use if your configuration file resides in a private external repository. # Possible values: Any GitHub token with read access to the private external repository. external-repo-token: 'ghp_123456789abcde'name: 'Dependency Review' on: [pull_request] permissions: contents: read jobs: dependency-review: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' uses: actions/checkout@v6 - name: Dependency Review uses: actions/dependency-review-action@v4 with: # ([String]). Representing a path to a configuration file local to the repository or in an external repository. # Possible values: An absolute path to a local file or an external file. config-file: './.github/dependency-review-config.yml' # Optional alternative syntax for an external file: OWNER/REPOSITORY/FILENAME@BRANCH (uncomment if preferred) # config-file: 'github/octorepo/dependency-review-config.yml@main' # ([Token]) Use if your configuration file resides in a private external repository. # Possible values: Any GitHub token with read access to the private external repository. external-repo-token: 'ghp_123456789abcde' -
지정한 경로에 구성 파일을 만듭니다.
이 YAML 예제 파일은 사용 가능한 구성 옵션을 사용하는 방법을 보여줍니다.
YAML # Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: - GPL-3.0 - BSD-3-Clause - MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: - LGPL-2.0 - BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime# Possible values: "critical", "high", "moderate", "low" fail-on-severity: critical # You can only include one of these two options: `allow-licenses` and `deny-licenses` # ([String]). Only allow these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ allow-licenses: - GPL-3.0 - BSD-3-Clause - MIT # ([String]). Block the pull request on these licenses (optional) # Possible values: Any SPDX-compliant license identifiers or expressions from https://spdx.org/licenses/ deny-licenses: - LGPL-2.0 - BSD-2-Clause # ([String]). Skip these GitHub Advisory Database IDs during detection (optional) # Possible values: Any valid GitHub Advisory Database ID from https://github.com/advisories allow-ghsas: - GHSA-abcd-1234-5679 - GHSA-efgh-1234-5679 # ([String]). Block pull requests that introduce vulnerabilities in the scopes that match this list (optional) # Possible values: "development", "runtime", "unknown" fail-on-scopes: - development - runtime
구성 옵션에 대한 자세한 내용은 dependency-review-action를 참조하세요.