Expose dependency comment content

This commit is contained in:
Josh Soref
2024-02-18 21:15:15 -05:00
parent 0ca1f606a4
commit 64f81cd2da
7 changed files with 68 additions and 17 deletions
+4
View File
@@ -157,6 +157,10 @@ For more examples of how to use this action and its configuration options, see t
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
## Outputs
`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
## Getting help
If you have bug reports, questions or suggestions please [create a new issue](https://github.com/actions/dependency-review-action/issues/new/choose).
+3
View File
@@ -65,6 +65,9 @@ inputs:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
required: false
default: false
outputs:
comment-content:
description: Prepared dependency report comment
runs:
using: 'node20'
Generated Vendored
+10 -7
View File
@@ -56,13 +56,20 @@ const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
const octo = new retryingOctokit(githubUtils.getOctokitOptions(core.getInput('repo-token', { required: true })));
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->';
function commentPr(summary) {
function commentPr(summary, config) {
return __awaiter(this, void 0, void 0, function* () {
const commentContent = summary.stringify();
core.setOutput('comment-content', commentContent);
if (config.comment_summary_in_pr !== 'always' &&
config.comment_summary_in_pr === 'on-failure' &&
process.exitCode !== core.ExitCode.Failure) {
return;
}
if (!github.context.payload.pull_request) {
core.warning('Not in the context of a pull request. Skipping comment creation.');
return;
}
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`;
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`;
try {
const existingCommentId = yield findCommentByMarker(COMMENT_MARKER);
if (existingCommentId) {
@@ -646,11 +653,7 @@ function run() {
}
summary.addScannedDependencies(changes);
printScannedDependencies(changes);
if (config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)) {
yield (0, comment_pr_1.commentPr)(core.summary);
}
yield (0, comment_pr_1.commentPr)(core.summary, config);
}
catch (error) {
if (error instanceof request_error_1.RequestError && error.status === 404) {
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+31
View File
@@ -164,6 +164,37 @@ jobs:
comment-summary-in-pr: always
```
## Getting the results of the action in a later step
Using the `comment-content` output you can get the results of the action in a workflow step.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
id: review
uses: actions/dependency-review-action@main
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
- name: 'Report'
shell: bash
env:
comment: ${{ steps.review.outputs.comment-content }}
run: |
echo "$comment"
```
## Exclude dependencies from the license check
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
+18 -2
View File
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {ConfigurationOptions} from './schemas'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
@@ -12,7 +13,22 @@ const octo = new retryingOctokit(
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(summary: typeof core.summary): Promise<void> {
export async function commentPr(
summary: typeof core.summary,
config: ConfigurationOptions
): Promise<void> {
const commentContent = summary.stringify()
core.setOutput('comment-content', commentContent)
if (
config.comment_summary_in_pr !== 'always' &&
config.comment_summary_in_pr === 'on-failure' &&
process.exitCode !== core.ExitCode.Failure
) {
return
}
if (!github.context.payload.pull_request) {
core.warning(
'Not in the context of a pull request. Skipping comment creation.'
@@ -20,7 +36,7 @@ export async function commentPr(summary: typeof core.summary): Promise<void> {
return
}
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
try {
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
+1 -7
View File
@@ -144,13 +144,7 @@ async function run(): Promise<void> {
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
}
await commentPr(core.summary, config)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(