Compare commits


25 Commits

Ahmed ElMallah 3b139cfc5f Merge pull request #851 from actions/ahmed3lmallah/prepare-for-4.5.0-release
Prepare for 4.5.0 release
2024-11-20 13:49:04 -08:00
Ahmed ElMallah d6807b6643 updating generated code 2024-11-20 21:42:05 +00:00
Ahmed ElMallah c89b41fdc6 addressing lint issues 2024-11-20 21:41:54 +00:00
Ahmed ElMallah eee97d8b03 incrementing project version 2024-11-20 21:41:43 +00:00
Ahmed ElMallah 9d101822a3 Merge pull request #827 from ebickle/fix/comment-warn-only
fix: add summary comment on failure when warn-only: true
2024-11-20 13:28:17 -08:00
Ahmed ElMallah 9192be9c72 Merge pull request #850 from actions/ahmed3lmallah/adressing-CVE-2024-21538
Overriding the cross-spawn dependency to use a safe version
2024-11-19 14:42:32 -08:00
Ahmed ElMallah 2fc8e23b12 Using cross-spawn safe version 2024-11-19 22:26:34 +00:00
Eric Bickle fb86db2043 fix: resolve race conditions in async core.group calls 2024-11-19 14:17:06 -08:00
Eric Bickle 0a198ab3ed fix: replace integer failureCount with boolean 2024-11-19 13:15:15 -08:00
Eric Bickle fc499fc13a Merge branch 'main' into fix/comment-warn-only 2024-11-19 12:51:47 -08:00
Ahmed ElMallah b02ea3a88b Merge pull request #849 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.3
Bump @vercel/ncc from 0.38.1 to 0.38.3
2024-11-18 15:14:46 -08:00
Ahmed ElMallah 612e96e757 updating dist code 2024-11-18 22:36:35 +00:00
Ahmed ElMallah 0adc9b8215 Merge pull request #847 from actions/dependabot/npm_and_yarn/nodemon-3.1.7
Bump nodemon from 3.1.0 to 3.1.7
2024-11-18 13:05:25 -08:00
dependabot[bot] 591cbf9044 Bump @vercel/ncc from 0.38.1 to 0.38.3
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.1...0.38.3)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 01:28:26 +00:00
dependabot[bot] c0a5e20c51 Bump nodemon from 3.1.0 to 3.1.7
Bumps [nodemon](https://github.com/remy/nodemon) from 3.1.0 to 3.1.7.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.0...v3.1.7)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-04 01:59:13 +00:00
Eli Reisman c82883d789 Merge pull request #844 from actions/dependabot/npm_and_yarn/got-14.4.3
Bump got from 14.4.2 to 14.4.3
2024-10-28 16:23:56 -07:00
Ahmed ElMallah 4081bf99e2 Merge pull request #846 from actions/merge-group-bug-fix
Fix for merge_group event bug
2024-10-28 11:42:18 -07:00
ahmed3lmallah 03e585eea7 fixing minor typo 2024-10-27 23:34:29 -07:00
ahmed3lmallah 08b4117924 updating dist code 2024-10-27 23:30:45 -07:00
ahmed3lmallah 9c3441f7ee updating dist code 2024-10-27 23:12:50 -07:00
ahmed3lmallah 304a544dca updating tests 2024-10-27 23:11:58 -07:00
ahmed3lmallah e99353b1e1 fixing merge_group schema bug 2024-10-27 22:56:44 -07:00
dependabot[bot] d8ae44e2a0 Bump got from 14.4.2 to 14.4.3
Bumps [got](https://github.com/sindresorhus/got) from 14.4.2 to 14.4.3.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.2...v14.4.3)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-28 01:10:40 +00:00
Ahmed ElMallah a6993e2c61 Merge pull request #840 from actions/dependabot-updates
Bump eslint-plugin-jest and ts-jest
2024-10-21 15:29:33 -07:00
Eric Bickle ac1d2d7d35 fix: add summary comment on failure when warn-only: true 2024-09-06 12:24:42 -07:00
11 changed files with 1709 additions and 1624 deletions
+33 -6
@@ -124,11 +124,7 @@ test('it raises an error when no refs are provided and the event is not a pull r
).toThrow()
})
const pullRequestLikeEvents = [
'pull_request',
'pull_request_target',
'merge_group'
]
const pullRequestLikeEvents = ['pull_request', 'pull_request_target']
test.each(pullRequestLikeEvents)(
'it uses the given refs even when the event is %s',
@@ -152,7 +148,7 @@ test.each(pullRequestLikeEvents)(
)
test.each(pullRequestLikeEvents)(
'it uses the event refs when the event is %s and the no refs are input',
'it uses the event refs when the event is %s and no refs are provided in config',
async eventName => {
const refs = getRefs(await readConfig(), {
payload: {
@@ -169,6 +165,37 @@ test.each(pullRequestLikeEvents)(
}
)
test('it uses the given refs even when the event is merge_group', async () => {
setInput('base-ref', 'a-custom-base-ref')
setInput('head-ref', 'a-custom-head-ref')
const refs = getRefs(await readConfig(), {
payload: {
merge_group: {
base_sha: 'pr-base-ref',
head_sha: 'pr-head-ref'
}
},
eventName: 'merge_group'
})
expect(refs.base).toEqual('a-custom-base-ref')
expect(refs.head).toEqual('a-custom-head-ref')
})
test('it uses the event refs when the event is merge_group and no refs are provided in config', async () => {
const refs = getRefs(await readConfig(), {
payload: {
merge_group: {
base_sha: 'pr-base-ref',
head_sha: 'pr-head-ref'
}
},
eventName: 'merge_group'
})
expect(refs.base).toEqual('pr-base-ref')
expect(refs.head).toEqual('pr-head-ref')
})
test('it defaults to runtime scope', async () => {
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
Generated Vendored
+1568 -1545
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
File diff suppressed because one or more lines are too long
+25 -25
@@ -1,12 +1,12 @@
{
"name": "dependency-review-action",
"version": "4.3.5",
"version": "4.5.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "dependency-review-action",
"version": "4.3.5",
"version": "4.5.0",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.1",
@@ -15,7 +15,7 @@
"@octokit/request-error": "^5.0.1",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.4.2",
"got": "^14.4.3",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
@@ -31,14 +31,14 @@
"@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.0",
"@vercel/ncc": "^0.38.3",
"esbuild-register": "^3.5.0",
"eslint": "^8.57.0",
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.1.3",
"js-yaml": "^4.1.0",
"nodemon": "^3.1.0",
"nodemon": "^3.1.7",
"prettier": "3.2.5",
"typescript": "^5.4.5"
}
@@ -1956,9 +1956,9 @@
"integrity": "sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA=="
},
"node_modules/@sindresorhus/is": {
"version": "7.0.0",
"resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-7.0.0.tgz",
"integrity": "sha512-WDTlVTyvFivSOuyvMeedzg2hdoBLZ3f1uNVuEida2Rl9BrfjrIRjWA/VZIrMRLvSwJYCAlCRA3usDt1THytxWQ==",
"version": "7.0.1",
"resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-7.0.1.tgz",
"integrity": "sha512-QWLl2P+rsCJeofkDNIT3WFmb6NrRud1SUYW8dIhXK/46XFV8Q/g7Bsvib0Askb0reRLe+WYPeeE+l5cH7SlkuQ==",
"engines": {
"node": ">=18"
},
@@ -2369,9 +2369,9 @@
"dev": true
},
"node_modules/@vercel/ncc": {
"version": "0.38.1",
"resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz",
"integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==",
"version": "0.38.3",
"resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.3.tgz",
"integrity": "sha512-rnK6hJBS6mwc+Bkab+PGPs9OiS0i/3kdTO+CkI8V0/VrW3vmz7O2Pxjw/owOlmo6PKEIxRSeZKv/kuL9itnpYA==",
"dev": true,
"bin": {
"ncc": "dist/ncc/cli.js"
@@ -3187,9 +3187,9 @@
}
},
"node_modules/cross-spawn": {
"version": "7.0.3",
"resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
"integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
"version": "7.0.6",
"resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
"integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
"dependencies": {
"path-key": "^3.1.0",
"shebang-command": "^2.0.0",
@@ -4722,11 +4722,11 @@
}
},
"node_modules/got": {
"version": "14.4.2",
"resolved": "https://registry.npmjs.org/got/-/got-14.4.2.tgz",
"integrity": "sha512-+Te/qEZ6hr7i+f0FNgXx/6WQteSM/QqueGvxeYQQFm0GDfoxLVJ/oiwUKYMTeioColWUTdewZ06hmrBjw6F7tw==",
"version": "14.4.3",
"resolved": "https://registry.npmjs.org/got/-/got-14.4.3.tgz",
"integrity": "sha512-iTC0Z87yxSijWTh/IpvGpwOhIQK7+GgWkYrMRoN/hB9qeRj9RPuLGODwevs0p5idUf7nrxCVa5IlOmK3b8z+KA==",
"dependencies": {
"@sindresorhus/is": "^7.0.0",
"@sindresorhus/is": "^7.0.1",
"@szmarczak/http-timer": "^5.0.1",
"cacheable-lookup": "^7.0.0",
"cacheable-request": "^12.0.1",
@@ -4736,7 +4736,7 @@
"lowercase-keys": "^3.0.0",
"p-cancelable": "^4.0.1",
"responselike": "^3.0.0",
"type-fest": "^4.19.0"
"type-fest": "^4.26.1"
},
"engines": {
"node": ">=20"
@@ -4746,9 +4746,9 @@
}
},
"node_modules/got/node_modules/type-fest": {
"version": "4.20.0",
"resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.20.0.tgz",
"integrity": "sha512-MBh+PHUHHisjXf4tlx0CFWoMdjx8zCMLJHOjnV1prABYZFHqtFOyauCIK2/7w4oIfwkF8iNhLtnJEfVY2vn3iw==",
"version": "4.26.1",
"resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.26.1.tgz",
"integrity": "sha512-yOGpmOAL7CkKe/91I5O3gPICmJNLJ1G4zFYVAsRHg7M64biSnPtRj0WNQt++bRkjYOqjWXrhnUw1utzmVErAdg==",
"engines": {
"node": ">=16"
},
@@ -6349,9 +6349,9 @@
"integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ=="
},
"node_modules/nodemon": {
"version": "3.1.0",
"resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.0.tgz",
"integrity": "sha512-xqlktYlDMCepBJd43ZQhjWwMw2obW/JRvkrLxq5RCNcuDDX1DbcPT+qT1IlIIdf+DhnWs90JpTMe+Y5KxOchvA==",
"version": "3.1.7",
"resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.7.tgz",
"integrity": "sha512-hLj7fuMow6f0lbB0cD14Lz2xNjwsyruH251Pk4t/yIitCFJbmY1myuLlHm/q06aST4jg6EgAh74PIBBrRqpVAQ==",
"dev": true,
"dependencies": {
"chokidar": "^3.5.2",
+7 -4
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "4.3.5",
"version": "4.5.0",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -31,7 +31,7 @@
"@octokit/request-error": "^5.0.1",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.4.2",
"got": "^14.4.3",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
@@ -47,15 +47,18 @@
"@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.0",
"@vercel/ncc": "^0.38.3",
"esbuild-register": "^3.5.0",
"eslint": "^8.57.0",
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.1.3",
"js-yaml": "^4.1.0",
"nodemon": "^3.1.0",
"nodemon": "^3.1.7",
"prettier": "3.2.5",
"typescript": "^5.4.5"
},
"overrides": {
"cross-spawn": ">=7.0.5"
}
}
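Review bot: The new `overrides` entry `"cross-spawn": ">=7.0.5"` forces the transitive cross-spawn version only for this project's own install tree (the lockfile section in this compare resolves it to 7.0.6), and it keeps applying after the packages that pull cross-spawn in have moved to a fixed version on their own, which is the point at which it should be removed. Since package.json cannot carry a comment, record the reason for the override (the CVE-2024-21538 reference in the PR title) in the changelog or release notes so a later maintainer knows when it is safe to drop. The override also only reaches users through the bundled dist output, so it presumably needs the dist rebuild that the "updating dist code" commit in this compare provides whenever it changes.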
+3 -3
@@ -17,13 +17,13 @@ const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(
commentContent: string,
config: ConfigurationOptions
config: ConfigurationOptions,
issueFound: boolean
): Promise<void> {
if (
!(
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
(config.comment_summary_in_pr === 'on-failure' && issueFound)
)
) {
return
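Review bot: `issueFound` replaces the check on `process.exitCode`, so whether an `on-failure` comment is posted now depends on how callers compute the flag rather than on the run actually having failed; judging from the main.ts hunks in this compare, the flag is also set for unresolved licenses, which that block reports with `core.warning`, so `on-failure` may now comment on runs that did not fail (whether that branch also calls setFailed is outside the visible lines). Document the contract on the new parameter so callers and later edits keep it consistent, e.g. a TSDoc line `@param issueFound - true when any vulnerability, license problem or denied package was reported; drives the 'on-failure' comment mode`. A bare boolean as the third positional argument is also easy to pass in the wrong order; an options object would make the call site self-describing. commentPr's body continues past the hunk.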
-9
@@ -9,7 +9,6 @@ export async function getDeniedChanges(
): Promise<Change[]> {
const changesDenied: Change[] = []
let hasDeniedPackage = false
for (const change of changes) {
for (const denied of deniedPackages) {
if (
@@ -17,7 +16,6 @@ export async function getDeniedChanges(
change.name === denied.name
) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
@@ -30,17 +28,10 @@ export async function getDeniedChanges(
}
if (namespace && namespace === denied.namespace) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
}
if (hasDeniedPackage) {
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
}
return changesDenied
}
+22 -10
@@ -1,22 +1,34 @@
import {PullRequestSchema, ConfigurationOptions} from './schemas'
import {
PullRequestSchema,
ConfigurationOptions,
MergeGroupSchema
} from './schemas'
export function getRefs(
config: ConfigurationOptions,
context: {payload: {pull_request?: unknown}; eventName: string}
context: {
payload: {pull_request?: unknown; merge_group?: unknown}
eventName: string
}
): {base: string; head: string} {
let base_ref = config.base_ref
let head_ref = config.head_ref
// If possible, source default base & head refs from the GitHub event.
// The base/head ref from the config take priority, if provided.
if (
context.eventName === 'pull_request' ||
context.eventName === 'pull_request_target' ||
context.eventName === 'merge_group'
) {
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
base_ref = base_ref || pull_request.base.sha
head_ref = head_ref || pull_request.head.sha
if (!base_ref && !head_ref) {
if (
context.eventName === 'pull_request' ||
context.eventName === 'pull_request_target'
) {
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
base_ref = base_ref || pull_request.base.sha
head_ref = head_ref || pull_request.head.sha
} else if (context.eventName === 'merge_group') {
const merge_group = MergeGroupSchema.parse(context.payload.merge_group)
base_ref = base_ref || merge_group.base_sha
head_ref = head_ref || merge_group.head_sha
}
}
if (!base_ref && !head_ref) {
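Review bot: The new outer guard `if (!base_ref && !head_ref)` only consults the event payload when neither ref is configured, so a config that sets just one of base_ref/head_ref no longer gets the other filled in from the pull_request or merge_group payload, which the removed code did; inside the guard both refs are known to be unset, so the inner `base_ref || …` and `head_ref || …` fallbacks are dead. If the partially configured case should still be completed from the event, the outer check should be `if (!base_ref || !head_ref)`; if it is instead meant to be an error, note that the check on the hunk's last line is also `&&` and would let a single missing ref through to whatever follows it. Either way the chosen behaviour deserves a line in the comment above the guard, since the tests in this compare only cover the both-set and neither-set cases. getRefs's body continues past the hunk.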
+44 -20
@@ -141,10 +141,16 @@ async function run(): Promise<void> {
summary.addSnapshotWarnings(config, snapshot_warnings)
}
let issueFound = false
if (config.vulnerability_check) {
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
issueFound ||= await printVulnerabilitiesBlock(
vulnerableChanges,
minSeverity,
warnOnly
)
}
if (config.license_check) {
core.setOutput(
@@ -152,12 +158,12 @@ async function run(): Promise<void> {
JSON.stringify(invalidLicenseChanges)
)
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges, warnOnly)
issueFound ||= await printLicensesBlock(invalidLicenseChanges, warnOnly)
}
if (config.deny_packages || config.deny_groups) {
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
issueFound ||= await printDeniedDependencies(deniedChanges, config)
}
if (config.show_openssf_scorecard) {
summary.addScorecardToSummary(scorecard, config)
@@ -182,7 +188,7 @@ async function run(): Promise<void> {
}
// update the PR comment if needed with the right-sized summary
await commentPr(rendered, config)
await commentPr(rendered, config, issueFound)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -204,18 +210,16 @@ async function run(): Promise<void> {
}
}
function printVulnerabilitiesBlock(
async function printVulnerabilitiesBlock(
addedChanges: Changes,
minSeverity: Severity,
warnOnly: boolean
): void {
let vulFound = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
vulFound = true
): Promise<boolean> {
return core.group('Vulnerabilities', async () => {
let vulFound = false
for (const change of addedChanges) {
vulFound ||= printChangeVulnerabilities(change)
}
if (vulFound) {
@@ -230,10 +234,12 @@ function printVulnerabilitiesBlock(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
return vulFound
})
}
function printChangeVulnerabilities(change: Change): void {
function printChangeVulnerabilities(change: Change): boolean {
for (const vuln of change.vulnerabilities) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${
@@ -244,14 +250,18 @@ function printChangeVulnerabilities(change: Change): void {
)
core.info(`${vuln.advisory_url}`)
}
return change.vulnerabilities.length > 0
}
function printLicensesBlock(
async function printLicensesBlock(
invalidLicenseChanges: Record<string, Changes>,
warnOnly: boolean
): void {
core.group('Licenses', async () => {
): Promise<boolean> {
return core.group('Licenses', async () => {
let issueFound = false
if (invalidLicenseChanges.forbidden.length > 0) {
issueFound = true
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
const msg = 'Dependency review detected incompatible licenses.'
@@ -262,6 +272,7 @@ function printLicensesBlock(
}
}
if (invalidLicenseChanges.unresolved.length > 0) {
issueFound = true
core.warning(
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
)
@@ -271,6 +282,8 @@ function printLicensesBlock(
)
}
printNullLicenses(invalidLicenseChanges.unlicensed)
return issueFound
})
}
@@ -370,11 +383,13 @@ function printScannedDependencies(changes: Changes): void {
})
}
function printDeniedDependencies(
async function printDeniedDependencies(
changes: Changes,
config: ConfigurationOptions
): void {
core.group('Denied', async () => {
): Promise<boolean> {
return core.group('Denied', async () => {
let issueFound = false
for (const denied of config.deny_packages) {
core.info(`Config: ${denied}`)
}
@@ -383,6 +398,15 @@ function printDeniedDependencies(
core.info(`Change: ${change.name}@${change.version} is denied`)
core.info(`Change: ${change.package_url} is denied`)
}
if (changes.length > 0) {
issueFound = true
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
}
return issueFound
})
}
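Review bot: The `||=` assignments in run() (`issueFound ||= await printVulnerabilitiesBlock(...)`, `issueFound ||= await printLicensesBlock(...)`, `issueFound ||= await printDeniedDependencies(...)`) short-circuit: once issueFound is true the right-hand side is never evaluated, so after a vulnerability is found the license and denied blocks are not printed, their core.info/core.warning output is skipped, and the `core.setFailed` for denied packages inside printDeniedDependencies never runs. The same applies to `vulFound ||= printChangeVulnerabilities(change)` in printVulnerabilitiesBlock, which stops printing vulnerabilities after the first vulnerable change. Put the call on the left so it always executes, e.g. `issueFound = (await printLicensesBlock(invalidLicenseChanges, warnOnly)) || issueFound` and `vulFound = printChangeVulnerabilities(change) || vulFound`, and the same shape at the other two call sites. Separately, printDeniedDependencies calls `core.setFailed` regardless of `warnOnly` while the vulnerability and license blocks receive that flag; this mirrors the code removed from getDeniedChanges, but since this PR is about warn-only it seems worth either passing warnOnly through or documenting that denied packages always fail. run()'s body starts and ends outside these hunks.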
+5
@@ -91,6 +91,11 @@ export const PullRequestSchema = z.object({
head: z.object({sha: z.string()})
})
export const MergeGroupSchema = z.object({
base_sha: z.string(),
head_sha: z.string()
})
export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: SeveritySchema,