Compare commits

...

61 Commits

Author SHA1 Message Date
Federico Builes 605a14dcda adding dist 2023-02-16 14:41:52 +01:00
David Losert f69167c9be Build files for current version 2023-02-16 10:04:56 +00:00
David Losert 1c85e9db8d Adds option to write summary into a pr comment 2023-02-16 10:03:16 +00:00
Federico Builes 5c771993de doing npm audit fix 2023-02-13 07:07:59 +01:00
Federico Builes 3f5300728c Merge pull request #403 from actions/dependabot/npm_and_yarn/zod-3.20.6
Bump zod from 3.20.2 to 3.20.6
2023-02-13 07:06:20 +01:00
Federico Builes 221de4a420 add dist 2023-02-13 07:06:09 +01:00
Federico Builes 9aa2640fd4 Merge pull request #401 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.51.0
Bump @typescript-eslint/parser from 5.50.0 to 5.51.0
2023-02-13 07:04:32 +01:00
dependabot[bot] d5ff038b8b Bump @typescript-eslint/parser from 5.50.0 to 5.51.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.50.0 to 5.51.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.51.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 06:02:15 +00:00
Federico Builes 63d79cae5c Merge pull request #402 from actions/dependabot/npm_and_yarn/eslint-8.34.0
Bump eslint from 8.33.0 to 8.34.0
2023-02-13 07:00:32 +01:00
Federico Builes ee7fefc22c Merge pull request #399 from actions/dependabot/npm_and_yarn/prettier-2.8.4
Bump prettier from 2.8.3 to 2.8.4
2023-02-13 06:59:53 +01:00
dependabot[bot] fa8de14daa Bump eslint from 8.33.0 to 8.34.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.33.0 to 8.34.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.33.0...v8.34.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 05:55:49 +00:00
Federico Builes eb8231dc40 Merge pull request #400 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.51.0
Bump @typescript-eslint/eslint-plugin from 5.50.0 to 5.51.0
2023-02-13 06:55:02 +01:00
dependabot[bot] fff46df8ec Bump zod from 3.20.2 to 3.20.6
Bumps [zod](https://github.com/colinhacks/zod) from 3.20.2 to 3.20.6.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.20.2...v3.20.6)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 02:52:22 +00:00
dependabot[bot] 9613501c27 Bump @typescript-eslint/eslint-plugin from 5.50.0 to 5.51.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.50.0 to 5.51.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.51.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 02:50:50 +00:00
dependabot[bot] 08d6d26179 Bump prettier from 2.8.3 to 2.8.4
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.3 to 2.8.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.3...2.8.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 02:49:57 +00:00
Federico Builes 96d0e9ac03 Merge pull request #396 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.50.0
Bump @typescript-eslint/parser from 5.49.0 to 5.50.0
2023-02-06 06:34:53 +01:00
dependabot[bot] 189bf7bc26 Bump @typescript-eslint/parser from 5.49.0 to 5.50.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.49.0 to 5.50.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.50.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-06 05:32:26 +00:00
Federico Builes a2165983d1 Merge pull request #397 from actions/dependabot/npm_and_yarn/types/node-16.18.12
Bump @types/node from 16.18.11 to 16.18.12
2023-02-06 06:32:08 +01:00
Federico Builes 0a618d4025 Merge pull request #395 from actions/dependabot/npm_and_yarn/typescript-4.9.5
Bump typescript from 4.9.4 to 4.9.5
2023-02-06 06:31:45 +01:00
Federico Builes 71acb8773c Merge pull request #394 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.50.0
Bump @typescript-eslint/eslint-plugin from 5.48.2 to 5.50.0
2023-02-06 06:31:34 +01:00
dependabot[bot] 8ae3c6ccb4 Bump @types/node from 16.18.11 to 16.18.12
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.11 to 16.18.12.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-06 02:04:54 +00:00
dependabot[bot] 2ad07a3006 Bump typescript from 4.9.4 to 4.9.5
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.9.4 to 4.9.5.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.9.4...v4.9.5)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-06 02:03:23 +00:00
dependabot[bot] 5d0265a143 Bump @typescript-eslint/eslint-plugin from 5.48.2 to 5.50.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.48.2 to 5.50.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.50.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-06 02:02:45 +00:00
Federico Builes 9aeec9038b Merge pull request #388 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-4.1.1
Bump @octokit/plugin-retry from 4.0.4 to 4.1.1
2023-01-30 08:36:50 +01:00
Federico Builes 579f2338ab update dist 2023-01-30 08:34:58 +01:00
dependabot[bot] 2cf5e60887 Bump @octokit/plugin-retry from 4.0.4 to 4.1.1
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 4.0.4 to 4.1.1.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v4.0.4...v4.1.1)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 07:30:33 +00:00
Federico Builes 4e761fd545 Merge pull request #387 from actions/dependabot/npm_and_yarn/octokit-2.0.14
Bump octokit from 2.0.13 to 2.0.14
2023-01-30 08:29:58 +01:00
Federico Builes 51951998f5 really gotta make a script out of this 2023-01-30 08:29:48 +01:00
Federico Builes b87919684c Merge pull request #389 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.49.0
Bump @typescript-eslint/parser from 5.48.2 to 5.49.0
2023-01-30 08:28:46 +01:00
dependabot[bot] 5cc528819d Bump @typescript-eslint/parser from 5.48.2 to 5.49.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.48.2 to 5.49.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.49.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 05:59:00 +00:00
Federico Builes e8bb60680f Merge pull request #390 from actions/dependabot/npm_and_yarn/eslint-8.33.0
Bump eslint from 8.32.0 to 8.33.0
2023-01-30 06:58:27 +01:00
Federico Builes 916da45422 Merge pull request #391 from actions/dependabot/npm_and_yarn/vercel/ncc-0.36.1
Bump @vercel/ncc from 0.36.0 to 0.36.1
2023-01-30 06:58:12 +01:00
dependabot[bot] 00c58871a0 Bump @vercel/ncc from 0.36.0 to 0.36.1
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.36.0 to 0.36.1.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.36.0...0.36.1)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 01:49:32 +00:00
dependabot[bot] 5232f0766f Bump eslint from 8.32.0 to 8.33.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.32.0 to 8.33.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.32.0...v8.33.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 01:49:16 +00:00
dependabot[bot] 649dad513a Bump octokit from 2.0.13 to 2.0.14
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.13 to 2.0.14.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.13...v2.0.14)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-30 01:47:40 +00:00
Federico Builes 1a5397226b Merge pull request #384 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.48.2
Bump @typescript-eslint/eslint-plugin from 5.48.1 to 5.48.2
2023-01-23 06:20:32 +01:00
Federico Builes 83db3fd780 Merge pull request #383 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-4.0.4
Bump @octokit/plugin-retry from 4.0.3 to 4.0.4
2023-01-23 06:20:13 +01:00
Federico Builes 2bdc2cf95f Merge branch 'main' into dependabot/npm_and_yarn/octokit/plugin-retry-4.0.4 2023-01-23 06:19:03 +01:00
dependabot[bot] cebddc8ad2 Bump @typescript-eslint/eslint-plugin from 5.48.1 to 5.48.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.48.1 to 5.48.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.48.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-23 05:18:48 +00:00
Federico Builes caa6381bae add dist 2023-01-23 06:17:33 +01:00
Federico Builes 31520dc391 Merge pull request #382 from actions/dependabot/npm_and_yarn/octokit-2.0.13
Bump octokit from 2.0.11 to 2.0.13
2023-01-23 06:16:38 +01:00
Federico Builes 4f412af8fc adding dist 2023-01-23 06:16:21 +01:00
Federico Builes 5703934fec Merge pull request #381 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.48.2
Bump @typescript-eslint/parser from 5.48.1 to 5.48.2
2023-01-23 06:15:00 +01:00
dependabot[bot] e78e4ce152 Bump @octokit/plugin-retry from 4.0.3 to 4.0.4
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 4.0.3 to 4.0.4.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v4.0.3...v4.0.4)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-23 02:23:06 +00:00
dependabot[bot] a4da452f33 Bump octokit from 2.0.11 to 2.0.13
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.11 to 2.0.13.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.11...v2.0.13)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-23 02:22:40 +00:00
dependabot[bot] d92ca08767 Bump @typescript-eslint/parser from 5.48.1 to 5.48.2
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.48.1 to 5.48.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.48.2/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-23 02:22:13 +00:00
Federico Builes 0b30e242cd Merge pull request #379 from actions/dependabot/npm_and_yarn/eslint-8.32.0
Bump eslint from 8.31.0 to 8.32.0
2023-01-16 09:19:54 +01:00
Federico Builes f668822520 Merge pull request #378 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.48.1
Bump @typescript-eslint/parser from 5.48.0 to 5.48.1
2023-01-16 09:19:40 +01:00
Federico Builes 898008ba83 Merge pull request #377 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.48.1
Bump @typescript-eslint/eslint-plugin from 5.47.1 to 5.48.1
2023-01-16 09:19:28 +01:00
Federico Builes 4105edb24b Merge pull request #376 from actions/dependabot/npm_and_yarn/prettier-2.8.3
Bump prettier from 2.8.2 to 2.8.3
2023-01-16 09:19:12 +01:00
dependabot[bot] 2f20ab0305 Bump eslint from 8.31.0 to 8.32.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.31.0 to 8.32.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.31.0...v8.32.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 02:05:01 +00:00
dependabot[bot] fa94fed3e7 Bump @typescript-eslint/parser from 5.48.0 to 5.48.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.48.0 to 5.48.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.48.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 02:04:23 +00:00
dependabot[bot] 65e82f802d Bump @typescript-eslint/eslint-plugin from 5.47.1 to 5.48.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.47.1 to 5.48.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.48.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 02:03:33 +00:00
dependabot[bot] 06d9a244cc Bump prettier from 2.8.2 to 2.8.3
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.2 to 2.8.3.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.2...2.8.3)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-16 02:02:24 +00:00
Federico Builes c090f4e553 release for 3.0.3 2023-01-09 08:21:47 +01:00
Federico Builes 42ee3c8f53 Merge pull request #370 from felickz/fix-request-error-handling
Fix Dependency Review API response error handling
2023-01-09 08:18:23 +01:00
Federico Builes 6855e6ed4e Merge branch 'main' of gh into fix-request-error-handling 2023-01-09 08:16:48 +01:00
Chad Bentz 60e20b95c9 npm run build && npm run package 2023-01-05 17:41:37 +00:00
Chad Bentz e6aba92fb0 Enhance failure message to include GHAS note 2023-01-05 17:26:46 +00:00
Chad Bentz 4b2cf01947 integration test to ensure RequestError catch 2023-01-05 17:22:27 +00:00
Chad Bentz 33b11b63b3 downgrade octokit/request-error to ^2.1.0
- supported by actions/core ^1.10.0
2023-01-04 20:55:58 +00:00
12 changed files with 1284 additions and 653 deletions
+18 -18
View File
@@ -66,25 +66,25 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|---------------|
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. |`runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| Option | Usage | Possible values | Default value |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
*not supported for use with GitHub Enterprise Server
†will be supported with GitHub Enterprise Server 3.8
†will be supported with GitHub Enterprise Server 3.8
### Inline Configuration
You can pass options to the Dependency Review GitHub Action using your workflow file.
You can pass options to the Dependency Review GitHub Action using your workflow file.
#### Example
@@ -112,10 +112,10 @@ jobs:
You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.
| Option | Usage | Possible values |
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
| Option | Usage | Possible values |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
#### Example
@@ -128,7 +128,7 @@ Start by specifying that you will be using an external configuration file:
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified:
And then create the file in the path you just specified:
```yaml
fail-on-severity: 'critical'
+2 -1
View File
@@ -22,7 +22,8 @@ function clearInputs() {
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF'
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
]
allowedOptions.forEach(option => {
+29
View File
@@ -0,0 +1,29 @@
import {RequestError} from '@octokit/request-error'
import * as dependencyGraph from '../src/dependency-graph'
import * as core from '@actions/core'
// mock call to core.getInput('repo-token'.. to avoid environment setup - Input required and not supplied: repo-token
jest.mock('@actions/core', () => ({
getInput: (input: string) => {
if (input === 'repo-token') {
return 'gh_testtoken'
}
}
}))
test('it properly catches RequestError type', async () => {
const token = core.getInput('repo-token', {required: true})
expect(token).toBe('gh_testtoken')
//Integration test to make an API request using current dependencies and ensure response can parse into RequestError
try {
await dependencyGraph.compare({
owner: 'actions',
repo: 'dependency-review-action',
baseRef: 'refs/heads/master',
headRef: 'refs/heads/master'
})
} catch (error) {
expect(error).toBeInstanceOf(RequestError)
}
})
+3
View File
@@ -41,6 +41,9 @@ inputs:
vulnerability-check:
description: A boolean to determine if vulnerability checks should be performed
required: false
comment-summary-in-pr:
description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+652 -271
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+472 -348
View File
File diff suppressed because it is too large Load Diff
+13 -11
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.2",
"version": "3.0.3",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -27,34 +27,36 @@
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^4.0.3",
"@octokit/request-error": "^3.0.2",
"@octokit/plugin-retry": "^4.1.1",
"@octokit/request-error": "^2.1.0",
"ansi-styles": "^6.2.1",
"got": "^12.5.3",
"nodemon": "^2.0.20",
"octokit": "^2.0.11",
"octokit": "^2.0.14",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.2.1",
"zod": "^3.20.2"
"zod": "^3.20.6"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.11",
"@typescript-eslint/eslint-plugin": "^5.45.0",
"@types/node": "^16.18.12",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.0",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@vercel/ncc": "^0.36.0",
"@typescript-eslint/eslint-plugin": "^5.51.0",
"@typescript-eslint/parser": "^5.51.0",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.31.0",
"eslint": "^8.34.0",
"eslint-plugin-github": "^4.6.0",
"eslint-plugin-jest": "^27.2.1",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.20",
"prettier": "2.8.2",
"prettier": "2.8.4",
"ts-jest": "^27.1.4",
"typescript": "^4.9.4"
"typescript": "^4.9.5"
}
}
+84
View File
@@ -0,0 +1,84 @@
import * as github from '@actions/github'
import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
)
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(summary: typeof core.summary): Promise<void> {
if (!github.context.payload.pull_request) {
core.warning(
'Not in the context of a pull request. Skipping comment creation.'
)
return
}
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
try {
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
if (existingCommentId) {
await octo.rest.issues.updateComment({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
comment_id: existingCommentId,
body: commentBody
})
} else {
await octo.rest.issues.createComment({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
issue_number: github.context.payload.pull_request.number,
body: commentBody
})
}
} catch (error) {
if (error instanceof RequestError && error.status === 403) {
core.warning(
`Unable to write summary to pull-request. Make sure you are giving this workflow the permission 'pull-requests: write'.`
)
} else {
if (error instanceof Error) {
core.warning(
`Unable to comment summary to pull-request, received error: ${error.message}`
)
} else {
core.warning(
'Unable to comment summary to pull-request: Unexpected fatal error'
)
}
}
}
}
async function findCommentByMarker(
commentBodyIncludes: string
): Promise<number | undefined> {
const commentsIterator = octo.paginate.iterator(
octo.rest.issues.listComments,
{
owner: github.context.repo.owner,
repo: github.context.repo.repo,
// We are already checking if we are in the context of a pull request in the caller
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
issue_number: github.context.payload.pull_request!.number
}
)
for await (const {data: comments} of commentsIterator) {
const existingComment = comments.find(comment =>
comment.body?.includes(commentBodyIncludes)
)
if (existingComment) return existingComment.id
}
return undefined
}
+3 -1
View File
@@ -34,6 +34,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const vulnerability_check = getOptionalBoolean('vulnerability-check')
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr')
validateLicenses('allow-licenses', allow_licenses)
validateLicenses('deny-licenses', deny_licenses)
@@ -47,7 +48,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
license_check,
vulnerability_check,
base_ref,
head_ref
head_ref,
comment_summary_in_pr
}
return Object.fromEntries(
+5 -1
View File
@@ -15,6 +15,7 @@ import * as summary from './summary'
import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
async function run(): Promise<void> {
try {
@@ -69,6 +70,9 @@ async function run(): Promise<void> {
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (config.comment_summary_in_pr) {
await commentPr(core.summary)
}
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -76,7 +80,7 @@ async function run(): Promise<void> {
)
} else if (error instanceof RequestError && error.status === 403) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
} else {
if (error instanceof Error) {
+2 -1
View File
@@ -45,7 +45,8 @@ export const ConfigurationOptionsSchema = z
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional()
head_ref: z.string().optional(),
comment_summary_in_pr: z.boolean().default(false)
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {