From 4159208e9f3f00d229144f66f5b8f74e4c8b08ca Mon Sep 17 00:00:00 2001
From: Simon Templer
Date: Tue, 10 Oct 2023 14:28:26 +0200
Subject: [PATCH] ci: add PR workflow for checking dependencies
---
 .github/workflows/check.yml | 25 +++++++++++++++++++++++++
 build.gradle | 3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 .github/workflows/check.yml
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 0000000..5df705a
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,25 @@
+name: Check
+
+on:
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ check:
+ uses: wetransform/gha-workflows/.github/workflows/gradle-library.yml@master
+ with:
+ gradle-tasks: ''
+ java-version: 17
+ notify-failure: false
+ # skip-build: true
+ expect-tests: false
+ submodules: 'recursive'
+
+ # work around issue with new Zip validation
+ java-options: '-Djdk.util.zip.disableZip64ExtraFieldValidation=true'
+
+ # rename lockfile so trivy picks it up
+ pre-build-command: mv gradle/dependency-locks/platform.lockfile gradle/dependency-locks/platform-gradle.lockfile
+ secrets: inherit
+
diff --git a/build.gradle b/build.gradle
index d51c154..bb98678 100644
--- a/build.gradle
+++ b/build.gradle
@@ -212,6 +212,9 @@ configurations {
 details.useTarget "com.hierynomus:sshj:${details.requested.version}"
 }
 }
+
+ // activate dependency locking for generating a lockfile for security scanning
+ resolutionStrategy.activateDependencyLocking()
 }
 }
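Review bot: The `check` job calls the reusable workflow at a mutable ref (`gradle-library.yml@master`) and also sets `secrets: inherit`, so whatever is on that branch at run time receives every secret the caller can see on same-repository pull requests. Pin the reference to a full commit SHA, `uses: wetransform/gha-workflows/.github/workflows/gradle-library.yml@<full-commit-sha>`, and replace `secrets: inherit` with an explicit `secrets:` map of only the values the check needs. The job also declares no `permissions:`, so the token scope falls back to the repository default; `permissions:` with `contents: read` would make it explicit, assuming the called workflow needs nothing more (its contents are not visible here). The `disableZip64ExtraFieldValidation` workaround comment could also name the issue it tracks, so the flag is removed once it is no longer needed.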
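Review bot: The added `resolutionStrategy.activateDependencyLocking()` call only switches locking on; nothing in this hunk makes a missing or stale lock state fail the build, so the lockfile handed to the scanner can drift from what Gradle actually resolves. In the default lock mode a configuration without lock state resolves unlocked; if the lockfile is meant to be authoritative, consider `dependencyLocking { lockMode = LockMode.STRICT }` at project level. The comment could also say how the file is regenerated, e.g. `// regenerate with: ./gradlew dependencies --write-locks`. The enclosing `configurations` block starts and ends outside the hunk, so which configurations this applies to cannot be confirmed from here.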