Update README to include allow-dependencies-licenses example#1009
Merged
dangoor merged 1 commit into actions:main on Nov 4, 2025
Conversation
Pull Request Overview
This PR updates the README to provide concrete examples for configuring the allowed-dependencies-licenses option in the dependency review action. The update specifically addresses confusion around PURL (Package URL) formatting for GitHub Actions and scoped NPM packages, which previously lacked clear documentation.
Key Changes:
- Added an example line demonstrating the allowed-dependencies-licenses configuration with proper PURL formatting for scoped NPM packages, regular NPM packages, and GitHub Actions
allowed-dependencies-licenses example
juxtin approved these changes Nov 3, 2025
I was recently working with a customer who needed help with setting up the DRA to use deny-licenses along with allow-dependencies-licenses. The problems that came up were mainly how to specify GitHub Actions, as there is virtually no guidance on how to specify the PURL for an Action. We went through a long list of wrong ways to do it, including (but not limited to):
- pkg:github/org/action@v6
- pkg:actions/org/action@^6.0.0
- pkg:github/my-github-action
before landing on the right way only after inferring it from the dependency graph API.
I also add an example for scoped NPM packages as a nod to #1008.
This is just an idea, and I'd totally appreciate it if there's a better place for this, so feedback/suggestions are welcome, but it's important that we have it somewhere.
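To make the failure mode in the description concrete, here is a small PURL matcher (an added example, not the dependency-review-action's own code). It parses allow-list entries and dependency-graph PURLs into type/namespace/name, matches on those fields only, and reports entries that match nothing: the three wrong spellings above all fail on the PURL type, while a scoped npm package matches whether its scope is written as @angular or %40angular. Assumptions: the dependency graph reports an Action under the githubactions PURL type (the page does not state the correct form), and the action's real matching rules, including how versions are treated, are not shown here.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str                 # "npm", or "githubactions" (assumed type for Actions)
    namespace: Optional[str]  # "@angular" for a scoped npm package, "org" for an Action
    name: str
    version: Optional[str]


def parse_purl(s: str) -> Purl:
    """Parse pkg:<type>/[<namespace>/]<name>[@<version>][?qualifiers][#subpath].

    Only an '@' after the last '/' separates the version, so an unencoded npm
    scope (pkg:npm/@angular/core) is not mistaken for a version; %40 is decoded.
    """
    s = s.strip()
    if not s.startswith("pkg:"):
        raise ValueError(f"not a PURL: {s!r}")
    body = s[4:].split("?", 1)[0].split("#", 1)[0]   # drop qualifiers / subpath
    head, _, last = body.rpartition("/")              # last segment = name[@version]
    name, _, version = last.partition("@")
    ptype, _, namespace = head.partition("/")
    if not ptype or not name:
        raise ValueError(f"malformed PURL: {s!r}")
    return Purl(ptype.lower(), unquote(namespace) or None, unquote(name), version or None)


def same_package(a: Purl, b: Purl) -> bool:
    """Compare type, namespace and name; this example ignores versions."""
    return (a.type, a.namespace, a.name) == (b.type, b.namespace, b.name)


def unmatched_entries(allow_list: Iterable[str], dependencies: Iterable[str]) -> List[str]:
    """Allow-list entries matching no reported dependency: the symptom of a mis-typed PURL."""
    deps = [parse_purl(d) for d in dependencies]
    return [e for e in allow_list if not any(same_package(parse_purl(e), d) for d in deps)]


# Constructed sample input; the githubactions type is an assumption of this example.
REPORTED = ["pkg:githubactions/org/action@v6", "pkg:npm/@angular/core@17.0.0", "pkg:npm/lodash@4.17.21"]
# The three wrong spellings from the PR description, plus scoped npm entries in both encodings.
ALLOW = ["pkg:github/org/action@v6", "pkg:actions/org/action@^6.0.0", "pkg:github/my-github-action",
         "pkg:npm/@angular/core", "pkg:npm/%40angular/core", "pkg:npm/lodash"]

if __name__ == "__main__":
    for entry in unmatched_entries(ALLOW, REPORTED):   # prints the three Action spellings
        print("no reported dependency matches allow-list entry:", entry)
```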