
Enable a build check for bad dependencies and licenses. #32


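# Submits the Gradle dependency graph to GitHub on pushes to main, release tags
# and a twice-monthly schedule; on pull requests it additionally runs
# Dependency Review against the submitted graph so that newly introduced
# dependencies with known advisories or disallowed licences fail the check.
name: Dependencies
on:
  push:
    branches: [ main ]
    tags: [ "v*.*.*" ]
  schedule:
    # 05:39 UTC on the 1st and 15th of every month
    - cron: "39 5 1,15 * *"
  pull_request:
    branches: [ main ]
# Least privilege by default; each job widens only the scopes it needs.
permissions: read-all
jobs:
  submit-dependencies:
    permissions:
      contents: write # required to submit dependencies report
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      # Validate the checked-in Gradle wrapper jar before anything executes it.
      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # v1.1.0
      - name: Set up JDK
        uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0
        with:
          java-version: '17'
          distribution: 'adopt'
      - name: Setup Gradle
        uses: gradle/gradle-build-action@ef76a971e2fa3f867b617efd72f2fbd72cf6f8bc # v2.8.0
        with:
          # The graph produced by the Gradle invocation below is submitted to
          # the Dependency Submission API when the job finishes.
          dependency-graph: generate-and-submit
          gradle-home-cache-cleanup: true
      - name: Generate dependency report
        env:
          # Only runtime dependencies are reported; the buildSrc and test-*
          # projects are excluded by the negative lookahead.
          DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: runtimeClasspath
          DEPENDENCY_GRAPH_INCLUDE_PROJECTS: "^:(?!(buildSrc|test-)).*"
        run: ./gradlew allDeps --configuration runtimeClasspath
  check-dependencies:
    if: github.event_name == 'pull_request'
    # The review compares the submitted graphs of base and head, so the
    # submission above must have completed first.
    needs: submit-dependencies
    permissions:
      # A job-level permissions block replaces the workflow default entirely:
      # any scope not listed here is set to none, so contents: read has to be
      # restated or checkout and the review API call run without it.
      contents: read
      pull-requests: write # required for comment-summary-in-pr
    runs-on: ubuntu-latest
    steps:
      # Same pinned checkout revision as submit-dependencies.
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Dependency Review
        # TODO: pin to a commit SHA like every other action in this file; a
        # floating major tag can be moved to new code without review here.
        uses: actions/dependency-review-action@v3
        with:
          comment-summary-in-pr: true
          # Think carefully about the implications of adding dependencies with new licence types.
          # Licence ids: https://spdx.org/licenses/
          # License risks: https://brainhub.eu/library/open-source-licenses-to-avoid
          allow-licenses: MIT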