From 75be7f0c0cd9d1ca6346d8e757f75b9a07b9e58f Mon Sep 17 00:00:00 2001 From: laughedelic Date: Mon, 4 Mar 2024 18:52:57 +0100 Subject: [PATCH] clarify docs, add a usage example --- README.md | 8 ++++---- docs/examples.md | 19 ++++++++++++++----- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 94ea068..ae79ba0 100644 --- a/README.md +++ b/README.md @@ -160,10 +160,10 @@ The Dependency Review GitHub Action check will only block a pull request from be ## Outputs - `comment-content` is generated with the same content as would be present in a Dependency Review Action comment. -- `dependency-changes` holds all dependency changes in a JSON format. -- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format. -- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format. -- `denied-changes` holds information about denied dependency changes in a JSON format. +- `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration: + - `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format. + - `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format. + - `denied-changes` holds information about denied dependency changes in a JSON format. ## Getting help diff --git a/docs/examples.md b/docs/examples.md index c8f5199..ce1a1cf 100644 --- a/docs/examples.md +++ b/docs/examples.md @@ -166,7 +166,8 @@ jobs: ## Getting the results of the action in a later step -Using the `comment-content` output you can get the results of the action in a workflow step. +- Using the `comment-content` output you can get the results of the action in a workflow step. +- Using other outputs like `dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` you can get the results of the action in JSON format and use them in a programmatic way. ```yaml name: 'Dependency Review' @@ -190,12 +191,20 @@ jobs: deny-licenses: LGPL-2.0, BSD-2-Clause - name: 'Report' # make sure this step runs even if the previous failed - if: ${{ failure() && steps.review.conclusion == 'failure' }} + if: always() shell: bash env: - comment: ${{ steps.review.outputs.comment-content }} - run: | - echo "$comment" # do something with the comment + COMMENT: ${{ steps.review.outputs.comment-content }} + run: | # do something with the comment: + echo "$COMMENT" + - name: 'List vulnerable dependencies' + # make sure this step runs even if the previous failed + if: always() + shell: bash + env: + VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }} + run: | # do something with the JSON: + echo "$VULNERABLE_CHANGES" | jq '.[].package_url' ``` ## Exclude dependencies from the license check