From 2b6cad11ca8df915249c86a2386aeb9846959875 Mon Sep 17 00:00:00 2001
From: Ole Kristian Pedersen <ole.pedersen@kartverket.no>
Date: Tue, 7 Jan 2025 17:01:00 +0100
Subject: [PATCH] Perform dependency review on PR

Dependency review will warn about vulnerabilities in new dependencies,
fail for new dependencies with moderate severity vulnerabilities and
supply information about licenses.
---
 .github/workflows/dependency-review.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/dependency-review.yaml

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 00000000..c5c17df6
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,23 @@
+name: Review dependencies
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+
+jobs:
+  dependency-review:
+    permissions:
+      contents: write # Required for submitting dependencies
+      pull-requests: write # Required for dependency review comments
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Perform dependency review
+        uses: actions/dependency-review-action@v4
+        if: github.event_name == 'pull_request'
+        with:
+          comment-summary-in-pr: always
+          fail-on-severity: moderate