Commit
Bump actions/dependency-review-action from 2 to 3 (#26)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/dependency-review-action/releases">actions/dependency-review-action's releases</a>.</em></p>
<blockquote>
<h2>3.0.0</h2>
<h2>Breaking Changes</h2>
<p>By default the action now expects <a href="https://spdx.org/licenses/">SPDX-compliant licenses</a> everywhere. If you were previously using license names in the allow or deny lists, make sure they're valid!</p>
<h2>What's Changed</h2>
<h3>Support for external configuration files</h3>
<p>You can now specify a <a href="https://github.com/actions/dependency-review-action/#configuration-file">configuration file external to your repository</a>. This allows organizations to have a single configuration file for all their repos.</p>
<h3>Broader license support</h3>
<p>We've added support for a much broader set of project licenses by using GitHub's <a href="https://docs.github.com/en/rest/licenses">Licenses API</a>.</p>
<h3>SPDX Compliance</h3>
<p>All of our license-related code now expects <a href="https://spdx.org/licenses/">SPDX-compliant licenses or expressions</a>. This allows us to standardize on a license naming scheme that already supports <code>OR</code>/<code>AND</code> expressions.</p>
<h3>Disable individual checks</h3>
<p>You can now use the boolean options <code>license-check</code> and <code>vulnerability-check</code> to disable either one of the checks. More information in <a href="https://github.com/actions/dependency-review-action/#configuration-options">our configuration options</a>.</p>
<h2>Thanks</h2>
<p>Contributors for this release include:</p>
<ul>
<li><a href="https://github.com/cnagadya"><code>@cnagadya</code></a></li>
<li><a href="https://github.com/courtneycl"><code>@courtneycl</code></a></li>
<li><a href="https://github.com/ericcornelissen"><code>@ericcornelissen</code></a></li>
<li><a href="https://github.com/elireisman"><code>@elireisman</code></a></li>
<li><a href="https://github.com/hmaurer"><code>@hmaurer</code></a></li>
</ul>
<p>Thanks everyone! <strong>Full Changelog</strong>: <a href="https://github.com/actions/dependency-review-action/compare/v2...v3.0.0">https://github.com/actions/dependency-review-action/compare/v2...v3.0.0</a></p>
<h2>2.5.1</h2>
<p>Adding some quality-of-life improvements to the local development experience. You can now pass the <code>-c/--config-file</code> flag to the <code>scripts/scan_pr</code> script to use an external configuration file:</p>
<p>Example:</p>
<pre><code> scripts/scan_pr actions/dependency-review-action#294 </code></pre>
<h2>2.5.0</h2>
<p>Fall back on GitHub Licenses API data for missing Dependency Review API licenses. This should improve our license coverage.</p>
<h2>2.4.1</h2>
<p>This patch release fixes the bugs below:</p>
<ul>
<li>Display the dependency name instead of the manifest name in the detailed list of dependents.</li>
<li>Fix an issue where undefined GHSAs would filter out all changes.</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/dependency-review-action/commit/1360a344ccb0ab6e9475edef90ad2f46bf8003b1"><code>1360a34</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/494">#494</a> from actions/fix-purl-bug</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/123b58703a431f33d883f837885cb70dbe435f0a"><code>123b587</code></a> bumping to 3.0.6</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/cd559bc9841958743e66ca3f293831517e07c498"><code>cd559bc</code></a> adding dist</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/70f8094bec321ee8c671688feed6114597ad5f1e"><code>70f8094</code></a> adding a test for empty PURLs</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/0b306aef97af47ab3901b26ac49a0e69e8bca1d2"><code>0b306ae</code></a> Don't try to create PURLs from empty strings.</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/554aaf5c3df777861fd6b5604c62ad618043e3f0"><code>554aaf5</code></a> Merge pull request <a href="https://redirect.github.com/actions/dependency-review-action/issues/423">#423</a> from theztefan/allow-list-dependencies</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/c6e94c1336e6957ad122ae01074386f30ab7a984"><code>c6e94c1</code></a> External config files should use underscores, not dashes</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/88d6af3d4a2698ad9bd5d613b967efb661e131e0"><code>88d6af3</code></a> latest build</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/f1c8401a597c115c514acffa9d43926686824f27"><code>f1c8401</code></a> resolve merge conflicts</li>
<li><a href="https://github.com/actions/dependency-review-action/commit/ef8ebf0eefdefbca016e6a60915e57c073a84f94"><code>ef8ebf0</code></a> rebuild</li>
<li>Additional commits viewable in <a href="https://github.com/actions/dependency-review-action/compare/v2...v3">compare view</a></li>
</ul>
</details>
<br />
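As an added example (not part of this commit or of the action's release notes), a workflow that consumes the bumped v3 action: the v2-era allow list with human-readable license names that the SPDX breaking change now rejects, beside the SPDX form v3 expects, plus the two boolean toggles the notes describe. The input names `allow-licenses`, `fail-on-severity` and `config-file`, the `OWNER/REPO/path@ref` form of the external reference, and the underscore keys of the external file are taken from my reading of the action's documentation and of commit c6e94c1 listed above, not from this page; `example-org` is a constructed placeholder.

```yaml
# .github/workflows/dependency-review.yml  (added example, not from this commit)
name: Dependency Review
on: [pull_request]

permissions:
  contents: read          # least privilege: the action only reads the PR diff

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # v2-era configuration (kept for comparison, disabled). These names are
      # not SPDX identifiers, so after the bump to v3 the allow list no longer
      # matches any dependency's license and the license check fails.
      # - uses: actions/dependency-review-action@v2
      #   with:
      #     allow-licenses: Apache 2.0, MIT License, BSD

      # v3 configuration: SPDX identifiers only, both checks explicitly on.
      - uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: moderate
          allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC
          # Set either to false to run only the other check.
          license-check: true
          vulnerability-check: true

      # Alternative: one organization-wide policy file instead of inline
      # inputs (assumption: external reference form is OWNER/REPO/path@ref).
      # - uses: actions/dependency-review-action@v3
      #   with:
      #     config-file: example-org/.github/dependency-review-config.yml@main
      #
      # Contents of that file (constructed). Keys use underscores, as the
      # commit "External config files should use underscores, not dashes"
      # in the list above indicates:
      #   fail_on_severity: moderate
      #   allow_licenses:
      #     - MIT
      #     - Apache-2.0
      #     - BSD-3-Clause
```

Before merging the bump, run the workflow once against a pull request that touches a manifest so that a non-SPDX name in an existing allow or deny list surfaces as a failing check rather than silently changing which dependencies pass.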