fix: Alpine.js CSP build — eliminate unsafe-eval from script-src #8012
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # =============================================================== | |
| # 🔍 Dependency-Review Workflow - Vulnerabilities ⬧ Licenses | |
| # =============================================================== | |
| # | |
| # This workflow: | |
| # - Diffs any dependency changes introduced by pushes or PRs to `main` | |
| # - **Fails** when a change introduces either of the following: | |
| # ↳ A vulnerability of severity ≥ MODERATE | |
| # ↳ A dependency under a "strong-copyleft" license incompatible | |
| # with this project's Apache-2.0 license (see deny-list below) | |
| # - Uploads a SARIF report to "Security → Dependency review" | |
| # - Adds (or overwrites) a comment on the PR **only on failure** | |
| # | |
| # References | |
| # ────────── | |
| # - Marketplace: https://github.com/marketplace/actions/dependency-review | |
| # - Source code: https://github.com/github/dependency-review-action (MIT) | |
| # | |
| # NOTE ▸ The action is designed for PR events, but it can also run on | |
| # push & schedule if you supply explicit `base-ref` / `head-ref` | |
| # (see bottom of `with:` block). | |
| # =============================================================== | |
| name: Dependency Review | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, ready_for_review] | |
| branches: ["main"] | |
| paths: | |
| - "pyproject.toml" | |
| - "Cargo.lock" | |
| - "package.json" | |
| - "package-lock.json" | |
| - "requirements*.txt" | |
| - ".github/workflows/dependency-review.yml" | |
| # Weekly safety-net run - useful for catching newly-disclosed CVEs | |
| # or upstream license changes even when no PR is open. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # ----------------------------------------------------------------- | |
| # Minimal permissions - principle of least privilege | |
| # ----------------------------------------------------------------- | |
| permissions: | |
| contents: read # for actions/checkout | |
| security-events: write # upload SARIF results | |
| pull-requests: write # post / overwrite PR comment | |
| jobs: | |
| dependency-review: | |
| if: github.event_name != 'pull_request' || !github.event.pull_request.draft | |
| runs-on: ubuntu-slim | |
| timeout-minutes: 15 | |
| steps: | |
| # ----------------------------------------------------------- | |
| # 0️⃣ Check out the repository | |
| # ----------------------------------------------------------- | |
| - name: ⬇️ Checkout code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| with: | |
| persist-credentials: false | |
| # ----------------------------------------------------------- | |
| # 1️⃣ Dependency & License gate | |
| # ----------------------------------------------------------- | |
| - name: 🔍 Dependency Review | |
| id: dep-scan | |
| uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 | |
| with: | |
| # ───────── Vulnerability policy ───────── | |
| fail-on-severity: moderate # MODERATE, HIGH, CRITICAL ⇒ ❌ | |
| vulnerability-check: true # (default) | |
| # ───────── License policy ───────── | |
| # Hard-deny strong- or service-copyleft licenses that would | |
| # "infect" an Apache-2.0 project. (LGPL/MPL/EPL are *not* | |
| # listed - they're weak/file-level copyleft. Add them here | |
| # if your org chooses to forbid them outright.) | |
| deny-licenses: > | |
| GPL-1.0, GPL-2.0, GPL-3.0, | |
| AGPL-3.0, | |
| SSPL-1.0, | |
| RPL-1.5, | |
| OSL-3.0, | |
| CPAL-1.0 | |
| # To whitelist a specific dependency whose license would otherwise | |
| # be denied (e.g. a transitively-pulled GPL package that has been | |
| # legally reviewed and approved), add it to `allow-dependencies-licenses` | |
| # as a comma-separated list of Package URLs (purl spec). Example: | |
| # | |
| # allow-dependencies-licenses: "pkg:pypi/some-package, pkg:npm/another-pkg" | |
| # | |
| # Each entry exempts that one package from the `deny-licenses` check | |
| # above while keeping the policy in force for every other dependency. | |
| # See: https://github.com/actions/dependency-review-action#configuration-options | |
| license-check: true # (default) | |
| # ───────── UX tweaks ───────── | |
| warn-only: false # actually fail the workflow | |
| comment-summary-in-pr: on-failure | |
| # ───────── Refs for non-PR events ───────── | |
| # These are ignored on pull_request events but allow the | |
| # scheduled run to compare HEAD against `main`. | |
| base-ref: main | |
| head-ref: ${{ github.sha }} |