From b7090288e58745fc7dad89bd87c558209805b26f Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Sep 2025 16:00:17 +0000
Subject: [PATCH 1/4] feat: [SEC-7263] Add dependency-scan GitHub Actions workflow

Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes.
Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 30 +++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/dependency-scan.yml

diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
new file mode 100644
index 0000000..2f15b38
--- /dev/null
+++ b/.github/workflows/dependency-scan.yml
@@ -0,0 +1,30 @@
+name: Dependency Scan
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ generate-nodejs-sbom:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Generate SBOM
+ uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
+ with:
+ types: 'nodejs'
+
+ evaluate-policy:
+ runs-on: ubuntu-latest
+ needs:
+ - generate-nodejs-sbom
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Evaluate SBOM Policy
+ uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
+ with:
+ artifacts-pattern: bom-*

From bc04fb7c19a5f7f77bae302c633b448f74c079f1 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Sep 2025 16:10:33 +0000
Subject: [PATCH 2/4] fix: use pinned SHA for actions/checkout instead of version tag

Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332 instead of actions/checkout@v4 version tag.
Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
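Review bot: Both `generate-sbom` and `evaluate-policy` steps pull third-party composite actions at the mutable ref `@main`, so whatever is pushed to that branch of launchdarkly/gh-actions runs with this repository's checkout and GITHUB_TOKEN on every pull request and push to main. The workflow also declares no `permissions:` block, which means the jobs inherit the repository's default token scope rather than the minimum they need. I would add a top-level `permissions:` with `contents: read` (widening only if the SBOM or policy action is shown to need more) and pin each `uses:` to a full commit SHA with the resolved tag in a trailing comment, e.g. `uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@<sha> # <tag>`. If both repositories are in the same organization with branch protection the exposure is smaller, but pinning is still the bar the rest of this series applies to `actions/checkout`.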
diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index 2f15b38..3e24cd1 100644
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -10,7 +10,7 @@ jobs:
 generate-nodejs-sbom:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

 - name: Generate SBOM
 uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
@@ -22,7 +22,7 @@ jobs:
 needs:
 - generate-nodejs-sbom
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

 - name: Evaluate SBOM Policy
 uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main

From 68b090c0b04822657b4bf580394c99ca9ae089db Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Sep 2025 16:14:12 +0000
Subject: [PATCH 3/4] fix: use correct pinned SHA for actions/checkout@v4

Address GitHub comment from kinyoklion requesting correct SHA. Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of 692973e3d937129bcbf40652eb9f2f61becf3332.
Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index 3e24cd1..76cec2c 100644
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -10,7 +10,7 @@ jobs:
 generate-nodejs-sbom:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4

 - name: Generate SBOM
 uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
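Review bot: The trailing comment on the pinned `actions/checkout` line names only the floating major tag, `# v4`, so a reader cannot tell which release the 40-character SHA is supposed to correspond to, and tools such as Dependabot or Renovate that keep SHA pins current key off the exact tag in that comment. The fact that the very next commit in this series replaces the SHA as "incorrect" is the kind of mistake an exact-tag comment makes visible at review time. I would resolve the SHA with `git ls-remote --tags https://github.com/actions/checkout | grep <sha>` and write the result as `- uses: actions/checkout@<sha> # v4.x.y`, using the same form on the matching line in the `evaluate-policy` job. I have not verified which release either SHA in this series maps to, so the tag itself needs confirming before it is written down.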
@@ -22,7 +22,7 @@ jobs:
 needs:
 - generate-nodejs-sbom
 steps:
- - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4

 - name: Evaluate SBOM Policy
 uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main

From aa8211217db6c61577cc9f2634997ae62e00b4f9 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 15 Oct 2025 18:36:29 +0000
Subject: [PATCH 4/4] chore: standardize to use reusable workflow from gh-actions

Co-Authored-By: Patrick Kaeding
---
 .github/workflows/dependency-scan.yml | 26 +++++--------------------
 1 file changed, 5 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index 76cec2c..4de7940 100644
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -7,24 +7,8 @@ on:
 - main

 jobs:
- generate-nodejs-sbom:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
-
- - name: Generate SBOM
- uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
- with:
- types: 'nodejs'
-
- evaluate-policy:
- runs-on: ubuntu-latest
- needs:
- - generate-nodejs-sbom
- steps:
- - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
-
- - name: Evaluate SBOM Policy
- uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
- with:
- artifacts-pattern: bom-*
+ dependency-scan:
+ uses: launchdarkly/gh-actions/.github/workflows/dependency-scan.yml@main
+ with:
+ types: 'nodejs'
+ secrets: inherit
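Review bot: The new `dependency-scan` job combines `secrets: inherit` with a reusable workflow referenced at the mutable ref `@main`, so every secret available to this repository is handed to whatever currently sits on that branch of launchdarkly/gh-actions, and anyone able to push there can change what runs against those secrets and this repository's token without any change here. This undoes the SHA-pinning discipline the earlier commits in the series applied to `actions/checkout`, and it is worth more scrutiny here than on a composite action because the reusable workflow controls the whole job. I would pin the caller to a full commit SHA with the resolved tag in a comment, `uses: launchdarkly/gh-actions/.github/workflows/dependency-scan.yml@<sha> # vX.Y.Z`, and replace `secrets: inherit` with an explicit `secrets:` mapping of only the names the called workflow declares as inputs, dropping the key entirely if it needs none. The caller also still has no top-level `permissions:` block, so the reusable workflow receives the repository's default token scope; `permissions: contents: read` at the top of the file is a safe floor, widened only for scopes the called workflow is documented to require. I cannot see the called workflow, so which secrets and permissions it actually needs has to be checked against its `on.workflow_call` definition.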