diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml index fa379b68..33b2734c 100644 --- a/.github/workflows/dependency-scan.yml +++ b/.github/workflows/dependency-scan.yml @@ -1,6 +1,7 @@ # Fails CI when OneWare Studio depends on a NuGet package with a known # vulnerability. Supports the EU Cyber Resilience Act (Regulation (EU) 2024/2847), -# Annex I Part I(1) and Part II. See compliance/cra/ for details. +# Annex I Part I(1) and Part II. Also exposed as a reusable workflow +# (workflow_call) so the release pipeline can use it as a required gate. name: Dependency Vulnerability Scan @@ -12,6 +13,7 @@ on: schedule: - cron: "17 6 * * 1" workflow_dispatch: + workflow_call: permissions: contents: read diff --git a/.github/workflows/publish-studio-all.yml b/.github/workflows/publish-studio-all.yml index 57796882..9ba7109d 100644 --- a/.github/workflows/publish-studio-all.yml +++ b/.github/workflows/publish-studio-all.yml @@ -5,8 +5,16 @@ on: workflow_dispatch: jobs: + # CRA Annex I Part I(1) release gate: block the release — and the platform + # publish pipelines that cascade from it — if any dependency has a known + # vulnerability. + scan: + name: Dependency vulnerability gate + uses: ./.github/workflows/dependency-scan.yml + release: name: Release + needs: scan runs-on: ubuntu-latest permissions: contents: write