feat: run all CI jobs on push to main; add CI status badge to README #38
Merged
ci.yml:
- dependency-review: also run on push to main. Passes base-ref/head-ref from push event context (event.before → sha) so the composite action can compare the pushed range. On PRs, base-ref is empty and the action reads PR context.
- storage-optimizer: also run on push to main to demonstrate end-to-end. Previously gated to workflow_dispatch only.

dependency-review/action.yml:
- Add base-ref and head-ref inputs (default empty) for non-PR invocation.
- Two conditional steps: PR path (base-ref == '') uses built-in PR context; push path (base-ref != '') passes explicit commit range.

scorecard/action.yml:
- Add Print scorecard summary step that emits findings to the Actions log so maintainers do not need to download the SARIF artifact to see scores.

README.md:
- Add CI workflow status badge linking to the latest main branch run.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
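The commit message above describes how ci.yml derives the commit range for the composite action (event.before as base-ref, the pushed sha as head-ref, empty on pull requests) and a later commit adds the zero-SHA skip and the both-or-neither input check. The following is an added example, not the repository's workflow code, that models that decision logic in Python so the edge cases can be exercised offline; the event payloads are constructed and the function names are assumptions.

```python
"""Model the base-ref/head-ref selection that ci.yml performs for the
dependency-review composite action, plus the action's fail-fast input check.
Added example, not code from the repository; payloads below are constructed."""
from typing import Dict, Optional, Tuple

# GitHub sets event.before to forty zeros on the first push to a new branch.
ZERO_SHA = "0" * 40


def refs_for_event(event_name: str, payload: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (base_ref, head_ref) for the composite action.

    pull_request -> ("", "")   the action reads PR context itself
    push         -> (before, after)  explicit commit range to compare
    None         -> the job should be skipped (no base commit to diff against)
    """
    if event_name == "pull_request":
        return ("", "")
    if event_name == "push":
        before = payload.get("before", "")
        after = payload.get("after", "")  # equals github.sha for a push
        # Branch creation: event.before is the zero SHA and nothing can be compared.
        if not before or not after or before == ZERO_SHA:
            return None
        return (before, after)
    # Any other trigger (e.g. workflow_dispatch) has no range to review.
    return None


def validate_inputs(base_ref: str, head_ref: str) -> str:
    """Mirror the composite action's validation: both inputs set (push path)
    or both empty (PR path); exactly one set is a caller error."""
    if (base_ref == "") != (head_ref == ""):
        raise ValueError("base-ref and head-ref must both be set or both be empty")
    return "push" if base_ref else "pr"


if __name__ == "__main__":
    # Constructed push payload: a normal push to main with a real previous commit.
    push_payload = {"before": "a" * 40, "after": "b" * 40}
    refs = refs_for_event("push", push_payload)
    print("push refs:", refs, "path:", validate_inputs(*refs))
    print("new branch:", refs_for_event("push", {"before": ZERO_SHA, "after": "c" * 40}))
```

When the function returns `None` the workflow's `if:` condition should skip the job rather than let the action run against a base commit that does not exist.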
deny-licenses is deprecated for removal in the next major release of actions/dependency-review-action (see upstream issue #997). Switch to the allow-licenses allowlist approach which is more robust — it catches unlisted copyleft and commercial licenses automatically rather than requiring all problem licenses to be enumerated explicitly. Default allow-list: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0-1.0 — permissive licences appropriate for a commercial org. Update composite action inputs and both conditional steps (PR path and push path). Update README table and example snippet.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR expands the repo’s “dogfood” CI workflow so more composite actions run on push to main, and improves visibility by adding a CI status badge and logging a Scorecard summary directly in the Actions output.
Changes:
- Run `dependency-review` and `storage-optimizer` jobs on `push` to `main` (in addition to existing triggers).
- Extend the `dependency-review` composite action with `base-ref`/`head-ref` inputs to support non-PR invocations.
- Print an OpenSSF Scorecard findings summary to the workflow logs and add a CI badge to the README.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| README.md | Adds CI badge and updates Dependency Review docs/inputs (needs a small doc alignment fix). |
| .github/workflows/ci.yml | Runs additional jobs on push to main and passes commit range to dependency review. |
| .github/actions/scorecard/action.yml | Adds a log-summary step for Scorecard SARIF results. |
| .github/actions/dependency-review/action.yml | Adds non-PR base/head inputs and conditional invocation paths (needs input validation). |
Comments suppressed due to low confidence (1)
.github/workflows/ci.yml:77
- This job now runs on `push`, but it still requests `pull-requests: write`. That permission is unnecessary on push runs and broadens the token scope beyond what's needed. Consider splitting into separate `dependency-review-pr` and `dependency-review-push` jobs so the push job can omit PR write permissions (or otherwise reduce permissions for non-PR runs).

```yaml
permissions:
  contents: read
  pull-requests: write
steps:
```
| name: Dependency Review | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'pull_request' | ||
| if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') |
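Review bot: the new push clause of the `if` has no guard for a push whose `github.event.before` is the all-zero SHA (first push to a branch), so `dependency-review` would be invoked with a base ref that does not exist; add a condition such as `github.event.before != '0000000000000000000000000000000000000000'` to the push clause or skip the job in that case. The job also keeps `pull-requests: write` for push runs, where no PR comment can be posted; reduce the permission for that path.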
Comment on lines 22 to 35
| - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 | ||
| if: ${{ inputs.base-ref == '' }} | ||
| with: | ||
| fail-on-severity: ${{ inputs.fail-on-severity }} | ||
| deny-licenses: ${{ inputs.deny-licenses }} | ||
| allow-licenses: ${{ inputs.allow-licenses }} | ||
| comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }} | ||
| - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 | ||
| if: ${{ inputs.base-ref != '' }} | ||
| with: | ||
| base-ref: ${{ inputs.base-ref }} | ||
| head-ref: ${{ inputs.head-ref }} | ||
| fail-on-severity: ${{ inputs.fail-on-severity }} | ||
| allow-licenses: ${{ inputs.allow-licenses }} | ||
| comment-summary-in-pr: ${{ inputs.comment-summary-in-pr }} |
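Review bot: the two steps are selected on `inputs.base-ref` alone, so a caller that sets `base-ref` but leaves `head-ref` empty reaches the push path with an empty `head-ref`, and a caller that sets only `head-ref` silently falls into the PR path; add a validation step ahead of these two that fails when exactly one of the two inputs is set. On the push step, `comment-summary-in-pr` has no pull request to comment on, so consider forcing it to `never` there so the push job does not need `pull-requests: write`.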
Comment on lines +7 to +9
| allow-licenses: | ||
| description: "Comma-separated list of SPDX license identifiers that are permitted. Dependencies using any other license will fail the check." | ||
| default: "MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0-1.0" |
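Review bot: because `allow-licenses` replaces `deny-licenses`, a caller that still passes `deny-licenses` now only gets an "Unexpected input(s)" warning from the composite action and silently loses its license gate; call out the rename in this description or the README. Also note that `allow-licenses` and `deny-licenses` are mutually exclusive in actions/dependency-review-action, so the two must never both be forwarded to the underlying action.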
Comment on lines +40 to +50
| run: | | ||
| echo "=== OpenSSF Scorecard Results ===" | ||
| findings=$(jq -r ' | ||
| .runs[].results[]? | | ||
| " [\(.ruleId | gsub("ID$";""))] \(.message.text | split("\n")[0])" | ||
| ' scorecard-results.sarif) | ||
| if [[ -z "$findings" ]]; then | ||
| echo " All checks passed" | ||
| else | ||
| echo "$findings" | ||
| fi |
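Review bot: without `set -euo pipefail` a jq parse error leaves `findings` empty and the step prints "All checks passed", the opposite of what happened; add it, and set `shell: bash` on the step because `[[` is not POSIX sh. The filter `.message.text | split("\n")[0]` also aborts jq when a result has no `message`, so write `.message.text // "" | split("\n")[0]`, and check for the `jq` binary explicitly before running the filter.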
Comment on lines 28 to 30
| | OpenSSF Scorecard | [`scorecard`](.github/actions/scorecard/action.yml) | Runs OpenSSF Scorecard checks; uploads SARIF to the Security tab | `publish_results` (default: `false` — always fails with HTTP 400 if set to `true`; see action description) | | ||
| | Dependency Review | [`dependency-review`](.github/actions/dependency-review/action.yml) | Blocks PRs introducing dependencies with known vulnerabilities or denied licenses; posts a summary comment | `fail-on-severity` (default: `high`), `deny-licenses` (default: `GPL-2.0,GPL-3.0,AGPL-3.0`), `comment-summary-in-pr` (default: `on-failure`) | | ||
| | Dependency Review | [`dependency-review`](.github/actions/dependency-review/action.yml) | Blocks PRs introducing dependencies with known vulnerabilities or non-permitted licenses; posts a summary comment | `fail-on-severity` (default: `high`), `allow-licenses` (default: `MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0-1.0`), `comment-summary-in-pr` (default: `on-failure`) | | ||
| | Storage Optimizer | [`storage-optimizer`](.github/actions/storage-optimizer/action.yml) | Frees disk space on GitHub-hosted runners by removing unused toolchains (JDK, .NET, Swift, Android SDK, etc.) and pruning Docker | None | |
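Review bot: the Dependency Review row still says "Blocks PRs" and lists no `base-ref`/`head-ref` inputs even though the action now runs on push; update the description and add both inputs (default empty) to the inputs column, and make sure the older row advertising `deny-licenses` with `GPL-2.0,GPL-3.0,AGPL-3.0` is removed rather than left beside the new one.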
Comment on lines +89 to +107
| comment-summary-in-pr: always # always | on-failure | never | ||
| fail-on-severity: high # critical | high | moderate | low | ||
| allow-licenses: MIT, Apache-2.0, BSD-2-Clause # SPDX identifiers; deps with other licenses fail | ||
| comment-summary-in-pr: always # always | on-failure | never |
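Review bot: the example sets `comment-summary-in-pr: always`, which requires `pull-requests: write` on the calling job and does nothing on a push run; show the `permissions:` block next to the snippet and add a second usage for the push invocation with `base-ref: ${{ github.event.before }}` and `head-ref: ${{ github.sha }}`, since that is the new capability this PR adds.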
ci.yml:
- Skip dependency-review on push when event.before is the zero SHA (first push to branch — no base commit to compare against).

dependency-review/action.yml:
- Add validation step: fail fast with a clear error if exactly one of base-ref / head-ref is set. Both must be provided or both must be empty.
- Pass ref values via env vars (not direct template expansion) to avoid script injection flagged by zizmor.

scorecard/action.yml:
- Add set -euo pipefail to print-summary step so jq parse failures do not silently print "All checks passed".
- Guard against missing jq binary with an explicit check and warning.

README.md:
- Add base-ref / head-ref inputs to Dependency Review table row so consumers know how to invoke the action outside pull_request context.
- Update Dependency Review section prose and example snippet to reflect non-PR support; replace stale "only meaningful on pull_request" note.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
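The scorecard summary step discussed in the review and in the commit message above reads Scorecard's SARIF with jq and must not report "All checks passed" when the file could not be parsed or a result lacks a message. The following is an added example, not the repository's action code, that implements the same summary in Python with those failure modes handled explicitly; the SARIF document is constructed to mirror the `.runs[].results[].ruleId` / `.message.text` shape the action's jq filter expects, and the function names are assumptions.

```python
"""Summarise OpenSSF Scorecard SARIF findings the way the scorecard action's
print-summary step does, distinguishing "no findings" from "could not parse".
Added example, not the repository's code; SAMPLE_SARIF below is constructed."""
import json
import re
from typing import List

# Constructed minimal SARIF 2.1.0 document. The third result has no message,
# which is exactly the shape that makes a naive `.message.text | split(...)` abort.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [
            {"ruleId": "PinnedDependenciesID",
             "message": {"text": "Warn: third-party GitHubAction not pinned by hash\nsee details"}},
            {"ruleId": "TokenPermissionsID",
             "message": {"text": "Warn: no topLevel permission defined"}},
            {"ruleId": "BranchProtectionID"},
        ]
    }]
})


class SarifError(ValueError):
    """Raised when the SARIF cannot be read, so a parse failure is never
    reported as a clean run."""


def summarize_scorecard_sarif(text: str) -> List[str]:
    """Return one '[Check] first line of message' entry per Scorecard result."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise SarifError(f"invalid SARIF JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise SarifError("SARIF root must be a JSON object")
    lines = []
    for run in doc.get("runs") or []:
        for result in run.get("results") or []:
            # Scorecard suffixes rule ids with "ID"; strip it like gsub("ID$";"").
            rule = re.sub(r"ID$", "", result.get("ruleId") or "unknown")
            # Missing message -> empty string instead of a crash (jq: // "").
            message = (result.get("message") or {}).get("text") or ""
            lines.append(f"[{rule}] {message.split(chr(10))[0]}")
    return lines


def render_summary(text: str) -> str:
    """Text block for the Actions log; raises SarifError on unreadable input."""
    findings = summarize_scorecard_sarif(text)
    return "\n".join(findings) if findings else "All checks passed"


if __name__ == "__main__":
    print("=== OpenSSF Scorecard Results ===")
    print(render_summary(SAMPLE_SARIF))
```

A caller that catches `SarifError` should exit non-zero, which is the behaviour `set -euo pipefail` gives the shell version of this step.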