From bb3e014e0a37523cc0c652ff294830d05956b480 Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Wed, 3 Aug 2022 11:22:48 +0200 Subject: [PATCH 1/5] Adding instructions for GHES 3.6. --- README.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a4e58d7..6295cbe 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,8 @@ The action is available for all public repositories, as well as private reposito ## Installation +**Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.** + 1. Add a new YAML workflow to your `.github/workflows` folder: ```yaml @@ -28,7 +30,32 @@ jobs: uses: actions/dependency-review-action@v2 ``` -Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos. +### GitHub Enterprise Server + +This action is available in GHES starting with version 3.6. Make sure +[GitHub Advanced +Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) +and [GitHub +Connect](https://docs.github.com/en/enterprise-server@3.1/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) +are enabled. + +You can use the same workflow as above, replacing the `runs-on` value +with the label of any of your runners (the default label +is `self-hosted`): + +```yaml + +# ... + +jobs: + dependency-review: + runs-on: self-hosted + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v2 +``` ## Configuration You can pass additional options to the Dependency Review From ea815ebddb8bfeb8bb98d360a31dad27149a4154 Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Wed, 3 Aug 2022 11:25:03 +0200 Subject: [PATCH 2/5] Add link for GHAS. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6295cbe..e399918 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ The action is available for all public repositories, as well as private reposito ## Installation -**Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.** +**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repos.** 1. Add a new YAML workflow to your `.github/workflows` folder: From e66fd91484be4a0061cad68f5887f7ed707332ef Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Wed, 3 Aug 2022 11:29:50 +0200 Subject: [PATCH 3/5] Point to the 3.6 docs for Connect. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e399918..1c828bb 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ This action is available in GHES starting with version 3.6. Make sure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub -Connect](https://docs.github.com/en/enterprise-server@3.1/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) +Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled. You can use the same workflow as above, replacing the `runs-on` value From e20b197c9333ecb67d3ed14ac3151b11d8f8569b Mon Sep 17 00:00:00 2001 From: Courtney Claessens Date: Wed, 3 Aug 2022 10:46:47 -0400 Subject: [PATCH 4/5] adding info on licenses not supported for GHES --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1c828bb..a534293 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ jobs: # Possible values: "critical", "high", "moderate", "low" # fail-on-severity: critical # - # You can only include one of these two options: `allow-licenses` and `deny-licenses` + # You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES. # # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses # allow-licenses: GPL-3.0, BSD-3-Clause, MIT @@ -109,7 +109,7 @@ This example will only fail on pull requests with `critical` and `high` vulnerab You can set the action to fail on pull requests based on the licenses of the dependencies they introduce. With `allow-licenses` you can define the list of licenses your repository will accept. Alternatively, you can use `deny-licenses` to only -forbid a subset of licenses. +forbid a subset of licenses. These options are not supported on GHES. You can use the [Licenses API](https://docs.github.com/en/rest/licenses) to see the full list of @@ -134,6 +134,7 @@ to filter. A couple of examples: **Important** +* Checking for licenses is not supported on GHES. * The action will only accept one of the two parameters; an error will be raised if you provide both. * By default both parameters are empty (no license checking is From be18317f9474acce0b8fdc43df30ac1c28b03abd Mon Sep 17 00:00:00 2001 From: Federico Builes Date: Wed, 3 Aug 2022 17:27:39 +0200 Subject: [PATCH 5/5] Update README.md Co-authored-by: Courtney Claessens --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a534293..3ba8bed 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ The action is available for all public repositories, as well as private reposito ## Installation -**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repos.** +**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.** 1. Add a new YAML workflow to your `.github/workflows` folder: