From d83fe337bf315a4a39e3088c2149c2742f9f4e34 Mon Sep 17 00:00:00 2001 From: Kane Parkinson Date: Fri, 5 Jun 2026 00:05:14 +0000 Subject: [PATCH] feat: add dependency-scan reusable workflow Migrates the dependency-scan reusable workflow from the private common-workflows repo so that public repositories can also use it. The workflow calls the existing generate-sbom and evaluate-policy composite actions already present in this repo. --- .github/workflows/dependency-scan.yml | 39 +++++++++++++++++++++++++++ README.md | 10 ++++--- 2 files changed, 45 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/dependency-scan.yml diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml new file mode 100644 index 0000000..9724073 --- /dev/null +++ b/.github/workflows/dependency-scan.yml @@ -0,0 +1,39 @@ +name: Dependency Scan +# Call this by uses: launchdarkly/gh-actions/.github/workflows/dependency-scan.yml@main + +on: + workflow_call: + inputs: + types: + description: 'SBOM types to generate (e.g., "nodejs" or "nodejs,go"). See https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES' + required: false + default: 'nodejs' + type: string + runs-on: + description: 'Runner specification' + required: false + default: 'ubuntu-latest' + type: string + +jobs: + generate-sbom: + runs-on: ${{ inputs.runs-on }} + steps: + - uses: actions/checkout@v4 + + - name: Generate SBOM + uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main + with: + types: ${{ inputs.types }} + + evaluate-policy: + runs-on: ${{ inputs.runs-on }} + needs: + - generate-sbom + steps: + - uses: actions/checkout@v4 + + - name: Evaluate SBOM Policy + uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main + with: + artifacts-pattern: bom* diff --git a/README.md b/README.md index c749bdf..ce061f0 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ This repository contains LaunchDarkly shared GitHub Actions and Workflows for ot | Name | Description | |---------------------------------------------------------------|-----------------------------------------------| | [contract-tests](./actions/contract-tests/README.md) | Run SDK/SSE contract tests. | +| [dependency-scan](./actions/dependency-scan/README.md) | Generate SBOM and evaluate license policy. | | [persistent-stores](./actions/persistent-stores/README.md) | Start persistent stores on linux/mac/windows. | | [publish-pages](./actions/publish-pages/README.md) | Publishes documentation to Github Pages. | | [release-secrets](./actions/release-secrets/README.md) | Retrieve secrets from AWS Secrets Manager. | @@ -14,10 +15,11 @@ This repository contains LaunchDarkly shared GitHub Actions and Workflows for ot | [verify-hello-apps](./actions/verify-hello-app/README.md) | Run shared quality-checks for hello-apps. | ## Workflows -| Name | Description | -|--------------------------------------------------------|------------------------------------------------------------------------| -| [sdk-stale](./.github/workflows/sdk-stale.yml) | Warns about stale issues, and then closes when required. | -| [lint-pr-title](./.github/workflows/lint-pr-title.yml) | Ensures PR titles follow [Conventional Commits][conventional-commits]. | +| Name | Description | +|---------------------------------------------------------------------|------------------------------------------------------------------------| +| [dependency-scan](./.github/workflows/dependency-scan.yml) | Generates SBOM and evaluates license policy. | +| [sdk-stale](./.github/workflows/sdk-stale.yml) | Warns about stale issues, and then closes when required. | +| [lint-pr-title](./.github/workflows/lint-pr-title.yml) | Ensures PR titles follow [Conventional Commits][conventional-commits]. | [conventional-commits]: https://www.conventionalcommits.org/en/v1.0.0/