1957 Commits

Author SHA1 Message Date
Kevin Dangoor 289863a7c4 GitHub Actions can't push to our protected main
Our main branch is protected, which means that our Actions workflow
cannot push changes directly to main. This removes the non-functional
workflow.
2025-11-10 17:46:39 -05:00
Kevin Dangoor 3c4e3dcb1a Merge pull request #1016 from actions/dra-release
4.8.2 release
v4.8.2
2025-11-10 17:45:29 -05:00
Kevin Dangoor 02930b2072 Update CONTRIBUTING to reflect new guidelines
External contributors should not build the project and commit
the build output any more.
2025-11-10 17:35:58 -05:00
Kevin Dangoor 49ffd9f636 Update CONTRIBUTING to reflect the need to build
Builds aren't happening automatically (or required to happen
manually), so we need to update the release steps to include
building the project.
2025-11-10 14:45:40 -05:00
Kevin Dangoor 70cb25ec56 4.8.2 release 2025-11-10 14:44:24 -05:00
Kevin Dangoor ebabd31cea Merge pull request #1008 from danielhardej/danielhardej-patch-20251023
Fix PURL parsing to prevent mismatch for scoped packages
2025-11-07 18:20:38 -05:00
Dan Hardej 19f9360983 Update package-lock.json 2025-11-08 07:15:17 +08:00
Dan Hardej 5fd2f98b4f Bump @types/jest to version 29.5.14 2025-11-07 12:39:28 +08:00
Dan Hardej 28647f4804 Fix PURL parsing by removing encodeURI 2025-11-07 12:32:03 +08:00
Kevin Dangoor f620fd175c Merge pull request #1013 from actions/dangoor/token-fix
Remove bad token reference
2025-11-06 08:40:41 -08:00
Kevin Dangoor 9b42b7e9a9 Remove bad token reference 2025-11-05 20:29:51 -05:00
Kevin Dangoor 4004cfa3a2 Merge pull request #1012 from actions/dangoor/saner-workflows
Generate dist files on main branch
2025-11-05 17:23:09 -08:00
Kevin Dangoor 94004c3444 Remove dist directory change blocking
We don't really need to prevent changes to the dist directory
being committed. If someone does push a change to the dist directory,
they'd be able to test with that. Plus the files will be regenerated
on main, so that we know the final dist files are correct.

This also fixes up some paths in the ci-update-dist.yml workflow
which generates the dist files on main.
2025-11-05 18:04:42 -05:00
Kevin Dangoor 75e65b4d81 Generate dist files on main branch
This adapts an approach taken by the Gradle actions in order to
generate the dist files on the main branch rather than having
every contributor need to generate them. (In fact, people will no
longer be able to submit PRs with the dist files updated). This
change is important because the current approach means that
people encounter merge conflicts all the time and will need to
keep regenerating the dist files in order to land their change.
2025-11-05 17:30:02 -05:00
Kevin Dangoor 355d25e5a7 Merge pull request #921 from jsoref/spelling
Spelling
2025-11-04 18:48:20 -08:00
Josh Soref d456baec30 spelling: vulnerabilities
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Josh Soref 66054da10b spelling: vuln
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Josh Soref 247f07b0c8 spelling: summary
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Josh Soref 5975520ad2 spelling: statement
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:52 -05:00
Josh Soref b4849e7628 spelling: lodash
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:52 -05:00
Josh Soref 752c04656e spelling: github
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:52 -05:00
Josh Soref 4fa8b92807 Add alt text for screen to create a PAT
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:44 -05:00
Josh Soref 3660056ed3 Add alt text for screen showing Release Action
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:34 -05:00
Josh Soref 5f8348ab03 Add alt text for screen to create a release
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:16:44 -05:00
Josh Soref 6b5a983daf link: full list of configuration options
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Josh Soref 8fd9b22286 link: the configuration
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Josh Soref c4b82d3047 Reword comment-summary-in-pr description
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Josh Soref 622445f2a8 Remove unused import
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Kevin Dangoor 3f464ea511 Merge pull request #1009 from danielhardej/patch-1
Update README to include `allow-dependencies-licenses` example
2025-11-04 14:35:46 -08:00
Lewis Jones 8e51299cdf Merge pull request #1007 from gitulisca/gitulisca/summary-size-limit
Make handleLargeSummary also update core.summary
2025-10-27 12:51:46 +00:00
Art Leo 7a990117b1 Add dist files 2025-10-27 17:41:42 +11:00
Dan Hardej 99ce29f02e Update README with allowed-dependencies-licenses example 2025-10-23 16:31:35 +08:00
gitulisca 140b44b7bf Remove trailing whitespace from blank line
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-22 19:12:18 +11:00
Art Leo 4603a62e00 Make handleLargeSummary also update core.summary 2025-10-22 17:52:52 +11:00
Eric Sorenson 07b91577a3 Merge pull request #920 from jsoref/issue-919 2025-10-17 14:30:12 -07:00
Josh Soref 3084754c49 Scope warning about private repositories 2025-10-15 14:16:01 -04:00
dependabot[bot] 0f943b29ae Bump github/codeql-action from 3 to 4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-13 01:01:57 +00:00
Eric Sorenson 40c09b7dc9 Merge pull request #1001 from actions/ahpook/v4.8.1-release v4.8.1 2025-10-10 14:06:00 -07:00
Eric Sorenson 45529485b5 Bump version for 4.8.1 release 2025-10-10 12:55:32 -07:00
Eric Sorenson e63da9a041 Merge pull request #1000 from actions/ahpook/deprecation-redux 2025-10-10 12:21:31 -07:00
Eric Sorenson 71365c76bc (bug) Fix spamming link test in deprecation warning (again)
We'd thought that the syntax in #974 would avoid auto-linking
but didn't check closely enough, and now the deprecation issue
it links to cannot be loaded due to having too many references.

This updates the text to point to a new issue in a way that...
I hope... will not be auto-linked.
2025-10-10 09:37:13 -07:00
dependabot[bot] 2440f520c8 Bump actions/stale from 9.1.0 to 10.1.0
Bumps [actions/stale](https://github.com/actions/stale) from 9.1.0 to 10.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v9.1.0...v10.1.0)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-10-06 01:01:54 +00:00
Barry Gordon 56339e523c Merge pull request #988 from actions/brrygrdn/rc-4.8.0
Bump to 4.8.0
v4.8.0
2025-09-26 16:05:17 +01:00
Barry Gordon 1688b745f3 Bump to 4.8.0 2025-09-26 15:45:28 +01:00
Barry Gordon 31c9f175b9 Merge pull request #987 from actions/rc-4.7.4
Prepare release of v4.7.4
v4.7.4
2025-09-26 15:20:06 +01:00
Barry Gordon eacde7836e Update version 2025-09-26 14:42:22 +01:00
Barry Gordon 81510090e4 Merge pull request #986 from actions/brrygrdn/rc-4.7.4
Batch some contributions for release
2025-09-26 14:32:46 +01:00
Barry Gordon b472ec914b Add a quick regression test for the artefact summary 2025-09-26 13:34:03 +01:00
Matt Mencel e0cedc52dc feat: add large summary handling with artifact upload
When the dependency review summary exceeds GitHub's size limit (1024k), upload it as an artifact and provide a link in the comment. This ensures users can still access the full review details even when the summary is too large to display directly.
2025-09-26 12:55:14 +01:00
Jasper Kamerling e3fdf0f899 This ensures large allow or deny lists don't create huge comments 2025-09-26 12:49:38 +01:00