mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-01 23:07:40 +00:00
34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
name: Dependency Guard
|
|
|
|
on:
|
|
pull_request_target: # zizmor: ignore[dangerous-triggers] checks trusted base script only; never checks out PR head
|
|
types: [opened, reopened, synchronize, ready_for_review, labeled]
|
|
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
issues: write
|
|
|
|
concurrency:
|
|
group: dependency-guard-${{ github.event.pull_request.number }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
dependency-guard:
|
|
if: ${{ !github.event.pull_request.draft && (github.event.action != 'labeled' || github.event.label.name == 'dependency-guard-backfill') }}
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 5
|
|
steps:
|
|
- name: Check out trusted base workflow scripts
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
with:
|
|
ref: ${{ github.event.pull_request.base.sha }}
|
|
persist-credentials: false
|
|
|
|
- name: Label, comment, and guard dependency changes
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
|
|
OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
|
|
run: node scripts/github/dependency-guard.mjs
|