However, it might be tricky to call that API as part of a workflow because
In order to see the security_and_analysis block for a repository you must have admin permissions for the repository or be an owner or security manager for the organization that owns the repository.
Dependency Review is recommended by the GitHub Advanced Security folks.
To use it, we would add
actions/dependency-review-action
to one of our CI workflows.But... I'm not seeing a great way to introduce it to this repo without breaking things for users without GHAS licenses.
In order to use features that require a GHAS license, I see there's now a way to see if GHAS is enabled on a repo, where part of the response looks like:
However, it might be tricky to call that API as part of a workflow because