From 2542edc521953e84aa1d1c794bfb96e0b7993207 Mon Sep 17 00:00:00 2001
From: Boy Steven Benaya Aritonang
Date: Sun, 22 Mar 2026 03:16:00 +0700
Subject: [PATCH 1/2] Relax dependency review policy

---
 .github/dependency-review-config.yml | 20 ++------------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
index af4a487..0610f80 100644
--- a/.github/dependency-review-config.yml
+++ b/.github/dependency-review-config.yml
@@ -1,23 +1,7 @@
 # Keep the initial policy focused on risky dependency changes first.
-# This allowlist is intentionally based on the licenses already present in the
-# current dependency tree so normal updates do not become noisy immediately.
+# Avoid a strict license allowlist here because it tends to make normal
+# Dependabot updates noisy across ecosystems and workflow dependencies.
 fail-on-severity: high
 fail-on-scopes:
   - runtime
-  - unknown
 license-check: true
-allow-licenses:
-  - Apache-2.0
-  - Apache-2.0 AND LGPL-3.0-or-later
-  - Apache-2.0 OR BSD-2-Clause
-  - BSD-2-Clause
-  - BSD-3-Clause
-  - BlueOak-1.0.0
-  - CC-BY-4.0
-  - CC0-1.0
-  - ISC
-  - MIT
-  - MPL-2.0
-  - PSF-2.0
-  - Python-2.0
-  - 0BSD

From def97557442e26e394bfb6f5f0402c54c01d93c8 Mon Sep 17 00:00:00 2001
From: Boy Steven Benaya Aritonang
Date: Sun, 22 Mar 2026 03:20:43 +0700
Subject: [PATCH 2/2] Reduce dependency review permissions

---
 .github/workflows/dependency-review.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index f7233f6..b1c90b6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -5,7 +5,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   dependency-review:
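Review bot: With `allow-licenses` removed and no `deny-licenses` added, the surviving `license-check: true` no longer constrains anything, so the file now documents a check that the action cannot actually apply. If the allowlist was too noisy to maintain, the lower-maintenance form that still blocks the cases that matter is a short denylist, `deny-licenses:` followed by the SPDX identifiers the project cannot ship (the project's own list, not reproduced here); otherwise set `license-check: false` so the config matches its behavior. Dropping `unknown` from `fail-on-scopes` also means a dependency whose scope the action cannot classify now passes silently, which works against the first comment line's "risky dependency changes first" intent; consider keeping `- unknown` or stating the trade-off in the replacement comment, e.g. `# Unknown-scope results are not failed: they were mostly noise from workflow/action dependencies.`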
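Review bot: Removing `pull-requests: write` is the right least-privilege default only if the job's step does not ask the action to post its summary; `comment-summary-in-pr` set to anything other than `never` needs that permission and the run then fails at comment time with a permissions error rather than a policy result. The `steps` section is outside this hunk, so I cannot confirm which setting is in effect; please check the `with:` block, and if the summary is intentionally not posted, record the dependency next to the remaining grant, e.g. `contents: read  # no pull-requests scope: summary is not posted back to the PR`. A blank context line at the top of the hunk was recovered from the line counts, so the layout above should be confirmed against the original file.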