Create separate workflows for license + vuln checking and vuln checking only (#4)

chainchad · web-flow · commit 319e90c9db5a · 2025-06-13T16:01:04.000-04:00
diff --git a/.github/workflows/dependency-review-vulnerability-license.yml b/.github/workflows/dependency-review-vulnerability-license.yml
@@ -1,4 +1,4 @@
-name: Dependency Review
+name: Dependency Review - License/Vulns
 
 ###
 # This workflow analyzes dependencies introduced by pull requests to help identify security vulnerabilities
@@ -8,9 +8,9 @@ name: Dependency Review
 # The default preset is "license-deny-vulnerability-high". This preset has this behavior:
 #
 #   Fail if a dependency is found with a license that is in the deny_licenses list and fails if vulnerabilities are found in the
-#   dependency tree with specified severity or greater.
+#   dependency tree with a high severity or greater.
 #
-# To set the DEPENDENCY_REVIEW_CONFIG_PRESET repo variable using the gh cli, see:
+# To override the config preset, set the DEPENDENCY_REVIEW_CONFIG_PRESET repo variable using the gh cli:
 #   gh variable set DEPENDENCY_REVIEW_CONFIG_PRESET --body "license-deny-vulnerability-high"
 ###
 
@@ -21,8 +21,8 @@ on:
 permissions: {}
 
 jobs:
-  dependency-review:
-    name: Review Dependencies
+  license-and-vulnerabilities:
+    name: License and Vulnerabilities
     permissions:
       contents: read
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review-vulnerability.yml b/.github/workflows/dependency-review-vulnerability.yml
@@ -0,0 +1,35 @@
+name: Dependency Review - Vulnerability
+
+###
+# This workflow analyzes dependencies introduced by pull requests to help identify security vulnerabilities.
+#
+# To override the default configuration preset, set the `DEPENDENCY_REVIEW_CONFIG_PRESET` variable in the repository settings.
+# The default preset is "vulnerability-high". This preset has this behavior:
+#
+#   Fail if a dependency is found in the dependency tree with a high severity or greater.
+###
+
+on:
+  merge_group:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  vulnerability:
+    name: Vulnerabilities
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    # Skip on merge group events
+    if: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Dependency Review
+        uses: smartcontractkit/.github/actions/dependency-review@dependency-review/v2
+        with:
+          config-preset: vulnerability-high
