name: Dependency Review

on:
  pull_request:
  merge_group:

jobs:
  dependency-review:
    uses: gravitational/shared-workflows/.github/workflows/dependency-review.yaml@main
    permissions:
      contents: read
      pull-requests: write
    with:
      base-ref: ${{ github.event.pull_request.base.sha || 'branch/v15' }}
      # 'GHSA-6xf3-5hp7-xqqg' is a false positive. That's an old Teleport Vuln,
      # but because of the replace, the dependency cannot find the correct
      # Teleport version.
      allow-ghsas: 'GHSA-xwh9-gc39-5298,GHSA-6xf3-5hp7-xqqg'
      allow-dependencies-licenses: >-
        pkg:cargo/curve25519-dalek-derive,
        pkg:cargo/ring,
        pkg:cargo/sspi,
        pkg:cargo/tokio-boring,
        pkg:cargo/asn1-rs,
        pkg:cargo/asn1-rs-derive,
        pkg:cargo/asn1-rs-impl,
        pkg:cargo/der-parser