From b7654930d00064abb2e6ed78a279556511cd1456 Mon Sep 17 00:00:00 2001
From: Venkata Ramyasri Kota <34170013+kvramyasri7@users.noreply.github.com>
Date: Tue, 21 Nov 2023 10:41:12 -0800
Subject: [PATCH] (chore): add dependency-review action in workflow #PR1 (#12585)
* (chore): add dependency-review action in workflow #PR1
---
 .../workflows/callable-dependency-review.yml | 19 +++++++++++++++++++
 .github/workflows/pr.yml | 4 ++++
 2 files changed, 23 insertions(+)
 create mode 100644 .github/workflows/callable-dependency-review.yml
diff --git a/.github/workflows/callable-dependency-review.yml b/.github/workflows/callable-dependency-review.yml
new file mode 100644
index 00000000000..67808edbb63
--- /dev/null
+++ b/.github/workflows/callable-dependency-review.yml
@@ -0,0 +1,19 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: Test Github Actions
+on: workflow_call
+jobs:
+ dependency_review:
+ name: Dependency Review
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@e2a5a1afd5d7305b13671410c52a31819ab9fad9 # v4.0.0 https://github.com/actions/checkout/commit/e2a5a1afd5d7305b13671410c52a31819ab9fad9
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3 https://github.com/actions/dependency-review-action/commit/7bbfa034e752445ea40215fff1c3bf9597993d3f
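Review bot: The new `dependency_review` job declares no `permissions:` block, so the reusable workflow runs with whatever token scope the caller grants (the repository default unless pr.yml restricts it); dependency-review-action only needs `contents: read` (plus `pull-requests: write` if PR comment summaries are enabled), so adding `permissions:` with `contents: read` at the job level would pin it to least privilege, and the same applies to the calling job in pr.yml, whose own `permissions:` bounds what the called workflow can receive. Separately, `name: Test Github Actions` looks copied from another workflow and misdescribes this one; `name: Dependency Review` would match the job name. The action only evaluates `pull_request` events, so it relies on the caller being PR-triggered, which pr.yml presumably is but is worth confirming. Pinning both actions to full commit SHAs with the version in a trailing comment is the right supply-chain practice and should be kept when these are bumped.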
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 88f3a1c453b..63b64478467 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -36,6 +36,9 @@ jobs:
 tsc-compliance-test:
 needs: prebuild
 uses: ./.github/workflows/callable-test-tsc-compliance.yml
+ dependency-review:
+ needs: prebuild
+ uses: ./.github/workflows/callable-dependency-review.yml
 all-unit-tests-pass:
 name: Unit and Bundle tests have passed
 needs:
@@ -44,6 +47,7 @@ jobs:
 - license-test
 - github-actions-test
 - tsc-compliance-test
+ - dependency-review
 runs-on: ubuntu-latest
 if: success() # only run when all checks have passed
 # store success output flag for ci job
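Review bot: The new `dependency-review` job is gated on `needs: prebuild`, but the called workflow only checks out the repository and runs the review action and does not consume anything prebuild produces, so dropping the `needs:` line would start it immediately and surface vulnerable-dependency findings earlier in the run. As written, a prebuild failure skips the review along with everything downstream, so the dependency signal is never reported on a run that already failed for unrelated reasons; that may be acceptable, but it is a choice worth a comment such as `# no build dependency; sequenced after prebuild only to keep the job graph uniform` if intentional. The `all-unit-tests-pass` job definition continues past the end of the second hunk.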