Compare commits

...

23 Commits

Author SHA1 Message Date
Eli Reisman 3c42649204 fix ws for linter 2024-06-04 12:33:48 -07:00
Eli Reisman 8e6ea8d29b update packaging 2024-06-04 12:30:34 -07:00
Eli Reisman 1b3d2772d0 post-review: add PR comment full summary test case 2024-06-04 12:30:05 -07:00
Eli Reisman 220872c81a Update src/main.ts
Co-authored-by: Brandon Teng <bteng22@github.com>
2024-06-04 12:14:40 -07:00
Eli Reisman 087d0f81a5 repackage to update dist 2024-06-04 11:50:22 -07:00
Eli Reisman 4531204be7 whitespace 2024-06-04 11:50:21 -07:00
Eli Reisman df1ca890c5 appease linter 2024-06-04 11:50:21 -07:00
Eli Reisman 97c6dd59c3 run prettier to clear linter warnings 2024-06-04 11:50:21 -07:00
Eli Reisman 0bec1ca5b4 clean up list formatting for PR comment 2024-06-04 11:21:15 -07:00
Eli Reisman 5460632ba9 WIP: summary test 2024-06-04 11:21:15 -07:00
Eli Reisman f7aca4f481 refactor to dedup min summary generation 2024-06-04 11:21:14 -07:00
Eli Reisman 1988567896 re-apply set output for comment-content 2024-06-04 11:20:29 -07:00
Justin Hutchings 1e26117d02 Fix extra whitespace in list 2024-06-04 11:20:27 -07:00
Justin Hutchings b1e704b9d6 Fix bug where I replaced the comment in the wrong spot 2024-06-04 11:20:19 -07:00
Justin Hutchings 48fae2e703 Add min-comment to fix max-comment length issue 2024-06-04 11:20:10 -07:00
Jon Janego 8d625cd32e Merge pull request #777 from actions/jonjanego-issue-templates
Create issue templates
2024-06-04 11:41:12 -05:00
Jon Janego 3afc0d4eaa Merge pull request #778 from actions/jonjanego-contribution-updates
Updates to the contribution guidelines
2024-06-04 09:59:36 -05:00
Jon Janego bc8dee91fe Update CONTRIBUTING.md
being consistent about using forks, minor style updates
2024-06-04 09:58:59 -05:00
Jon Janego 0669e2939d Update CONTRIBUTING.md
Co-authored-by: Barry Gordon <896971+brrygrdn@users.noreply.github.com>
2024-06-04 09:45:14 -05:00
Jon Janego fd46ab736e Update CONTRIBUTING.md
fixing example code for consistency
2024-06-04 09:01:11 -05:00
Jon Janego 551e0b82bd Update CONTRIBUTING.md
fixing a sentence fragment
2024-06-04 08:59:20 -05:00
Jon Janego fbfa3f19c8 Update SECURITY.md
linking to the main bounty site instead of h1
2024-06-03 16:59:30 -05:00
Jon Janego 4c5eeccebb Update CONTRIBUTING.md
Adding some explanations about contribution standards and local development
2024-06-03 16:18:38 -05:00
10 changed files with 258 additions and 110 deletions
+56 -38
View File
@@ -4,41 +4,52 @@
[pr]: https://github.com/actions/dependency-review-action/compare
[code-of-conduct]: CODE_OF_CONDUCT.md
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Hi there! We're thrilled that you'd like to contribute to this project.
Contributions to this project are
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
to the public under the [project's open source license](LICENSE).
Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
Please note that this project is released with a [Contributor Code of
Conduct][code-of-conduct]. By participating in this project you agree
to abide by its terms.
Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
### How it works
## Bug reports and other issues
This Action makes an authenticated query to the Dependency Graph Diff
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
to find out the set of added and removed dependencies for each manifest.
If you've encountered a problem, please let us know by [submitting an issue](https://github.com/actions/dependency-review-action/issues/new)!
### Bootstrapping the project
## Enhancements and feature requests
```
git clone https://github.com/actions/dependency-review-action.git
cd dependency-review-action
npm install
```
If you've got an idea for a new feature, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
### Running the tests
If you'd like to make a contribution yourself, we ask that before significant effort is put into code changes, that we have agreement that the change aligns with our strategy for the action. Since this is a verified Action owned by GitHub we want to make sure that contributions are high quality, and that they maintain consistency with the rest of the action's behavior.
```
npm run test
```
1. Create an [issue discussing the idea](https://github.com/actions/dependency-review-action/issues/new), so that we can discuss it there.
2. If we agree to incorporate the idea into the action, please write-up a high level summary of the approach that you plan to take so we can review
_Note_: We don't have any useful tests yet, contributions are welcome!
## Stalebot
## Local Development
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
## Development lifecycle
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
### High level overview of the action
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
### Local Development
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
#### Bootstrapping the project
0. [Fork][fork] and clone the repository
1. Change to the working directory: `cd dependency-review-action`
2. Install the dependencies: `npm install`
3. Make sure the tests pass on your machine: `npm run test`
#### Manually testing for vulnerabilities
It is recommended to have atleast [Node 18](https://nodejs.org/en/) installed.
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
@@ -53,7 +64,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr <pr_url>
Like this:
```sh
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
$ GITHUB_TOKEN=<token> ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
```
[Configuration options](README.md#configuration-options) can be set by
@@ -64,16 +75,20 @@ passing an external YAML [configuration file](README.md#configuration-file) to t
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
```
## Submitting a pull request
#### Running unit tests
0. [Fork][fork] and clone the repository
1. Configure and install the dependencies: `npm install`
2. Make sure the tests pass on your machine: `npm run test`
3. Create a new branch: `git checkout -b my-branch-name`
4. Make your change, add tests, and make sure the tests still pass
5. Make sure to build and package before pushing: `npm run build && npm run package`
6. Push to your fork and [submit a pull request][pr]
7. Pat your self on the back and wait for your pull request to be reviewed and merged.
```
npm run test
```
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
### Submitting a pull request
1. Create a new branch: `git checkout -b my-branch-name`
2. Make your change, add tests, and make sure the tests still pass
3. Make sure to build and package before pushing: `npm run build && npm run package`
4. Push to your fork and [submit a pull request][pr]
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
@@ -82,9 +97,14 @@ Here are a few things you can do that will increase the likelihood of your pull
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Add examples of the usage to [examples.md](docs/examples.md)
- Link to a sample PR in a custom repository running your version of the Action.
- Please be responsive to any questions and feedback that you get from a maintainer of the repo!
## Cutting a new release
<details>
_Note: these instructions are for maintainers_
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
@@ -117,13 +137,11 @@ To do this just checkout `main`, force-create a new annotated tag, and push it:
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
```
</details>
## Stalebot
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
## Resources
- [Creating JavaScript GitHub actions](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
- [GitHub Help](https://help.github.com)
+1 -1
View File
@@ -1,3 +1,3 @@
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://hackerone.com/github)
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://bounty.github.com/)
Thanks for helping make GitHub Actions safe for everyone.
+2 -2
View File
@@ -1,4 +1,4 @@
fail_on_severity: critical
allow_licenses:
- "BSD"
- "GPL 2"
- 'BSD'
- 'GPL 2'
@@ -1 +1 @@
allow-licenses: "MIT, GPL-2.0-only"
allow-licenses: 'MIT, GPL-2.0-only'
+75 -1
View File
@@ -1,5 +1,5 @@
import {expect, jest, test} from '@jest/globals'
import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import * as summary from '../src/summary'
import * as core from '@actions/core'
import {createTestChange} from './fixtures/create-test-change'
@@ -109,6 +109,80 @@ test('prints headline as h1', () => {
expect(text).toContain('<h1>Dependency Review</h1>')
})
test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
let changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
]
let minSummary: string = summary.addSummaryToSummary(
changes,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
// side effect DR report into core.summary as happens in main.ts
summary.addScannedDependencies(changes)
const text = core.summary.stringify()
expect(text).toContain('<h1>Dependency Review</h1>')
expect(minSummary).toContain('# Dependency Review')
expect(text).toContain('❌ 3 vulnerable package(s)')
expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
expect(text).toContain('lodash')
expect(text).toContain('colors')
expect(text).toContain('@foo/bar')
expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
expect(minSummary).not.toContain('lodash')
expect(minSummary).not.toContain('colors')
expect(minSummary).not.toContain('@foo/bar')
expect(text.length).toBeGreaterThan(minSummary.length)
})
test('returns minimal summary formatted for posting as a PR comment', () => {
const OLD_ENV = process.env
let changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
]
process.env.GITHUB_SERVER_URL = 'https://github.com'
process.env.GITHUB_REPOSITORY = 'owner/repo'
process.env.GITHUB_RUN_ID = 'abc-123-xyz'
let minSummary: string = summary.addSummaryToSummary(
changes,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
process.env = OLD_ENV
// note: no Actions context values in unit test env
const expected = `
# Dependency Review
The following issues were found:
* ❌ 3 vulnerable package(s)
* ✅ 0 package(s) with incompatible licenses
* ✅ 0 package(s) with invalid SPDX license definitions
* ✅ 0 package(s) with unknown licenses.
[View full job summary](https://github.com/owner/repo/actions/runs/abc-123-xyz)
`.trim()
expect(minSummary).toEqual(expected)
})
test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
summary.addSummaryToSummary(
emptyChanges,
Generated Vendored
+38 -15
View File
@@ -46,20 +46,19 @@ var __asyncValues = (this && this.__asyncValues) || function (o) {
function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.commentPr = void 0;
exports.commentPr = exports.MAX_COMMENT_LENGTH = void 0;
const github = __importStar(__nccwpck_require__(5438));
const core = __importStar(__nccwpck_require__(2186));
const githubUtils = __importStar(__nccwpck_require__(3030));
const retry = __importStar(__nccwpck_require__(6298));
const request_error_1 = __nccwpck_require__(537);
exports.MAX_COMMENT_LENGTH = 65536;
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
const octo = new retryingOctokit(githubUtils.getOctokitOptions(core.getInput('repo-token', { required: true })));
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->';
function commentPr(summary, config) {
function commentPr(commentContent, config) {
return __awaiter(this, void 0, void 0, function* () {
const commentContent = summary.stringify();
core.setOutput('comment-content', commentContent);
if (!(config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure))) {
@@ -648,7 +647,7 @@ function run() {
core.debug(`Config Deny Packages: ${JSON.stringify(config)}`);
const deniedChanges = yield (0, deny_1.getDeniedChanges)(filteredChanges, config.deny_packages, config.deny_groups);
const scorecard = yield (0, scorecard_1.getScorecardLevels)(filteredChanges);
summary.addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config);
const minSummary = summary.addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config);
if (snapshot_warnings) {
summary.addSnapshotWarnings(config, snapshot_warnings);
}
@@ -675,7 +674,16 @@ function run() {
core.setOutput('dependency-changes', JSON.stringify(changes));
summary.addScannedDependencies(changes);
printScannedDependencies(changes);
yield (0, comment_pr_1.commentPr)(core.summary, config);
// include full summary in output; Actions will truncate if oversized
let rendered = core.summary.stringify();
core.setOutput('comment-content', rendered);
// if the summary is oversized, replace with minimal version
if (rendered.length >= comment_pr_1.MAX_COMMENT_LENGTH) {
core.debug('The comment was too big for the GitHub API. Falling back on a minimum comment');
rendered = minSummary;
}
// update the PR comment if needed with the right-sized summary
yield (0, comment_pr_1.commentPr)(rendered, config);
}
catch (error) {
if (error instanceof request_error_1.RequestError && error.status === 404) {
@@ -1313,10 +1321,15 @@ const icons = {
cross: '❌',
warning: '⚠️'
};
// generates the DR report summmary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config) {
const out = [];
const scorecardWarnings = countScorecardWarnings(scorecard, config);
const licenseIssues = countLicenseIssues(invalidLicenseChanges);
core.summary.addHeading('Dependency Review', 1);
out.push('# Dependency Review');
if (vulnerableChanges.length === 0 &&
licenseIssues === 0 &&
deniedChanges.length === 0 &&
@@ -1326,17 +1339,21 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
config.license_check ? 'license issues' : '',
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
];
let msg = '';
if (issueTypes.filter(Boolean).length === 0) {
core.summary.addRaw(`${icons.check} No issues found.`);
msg = `${icons.check} No issues found.`;
}
else {
core.summary.addRaw(`${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`);
msg = `${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`;
}
return;
core.summary.addRaw(msg);
out.push(msg);
return out.join('\n');
}
core.summary
.addRaw('The following issues were found:')
.addList([
const foundIssuesHeader = 'The following issues were found:';
core.summary.addRaw(foundIssuesHeader);
out.push(foundIssuesHeader);
const summaryList = [
...(config.vulnerability_check
? [
`${checkOrFailIcon(vulnerableChanges.length)} ${vulnerableChanges.length} vulnerable package(s)`
@@ -1351,7 +1368,7 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
: []),
...(deniedChanges.length > 0
? [
`${checkOrFailIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
`${checkOrWarnIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
]
: []),
...(config.show_openssf_scorecard && scorecardWarnings > 0
@@ -1359,8 +1376,14 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
]
: [])
])
.addRaw('See the Details below.');
];
core.summary.addList(summaryList);
for (const line of summaryList) {
out.push(`* ${line}`);
}
core.summary.addRaw('See the Details below.');
out.push(`\n[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`);
return out.join('\n');
}
exports.addSummaryToSummary = addSummaryToSummary;
function countScorecardWarnings(scorecard, config) {
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+3 -5
View File
@@ -5,6 +5,8 @@ import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {ConfigurationOptions} from './schemas'
export const MAX_COMMENT_LENGTH = 65536
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
@@ -14,13 +16,9 @@ const octo = new retryingOctokit(
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(
summary: typeof core.summary,
commentContent: string,
config: ConfigurationOptions
): Promise<void> {
const commentContent = summary.stringify()
core.setOutput('comment-content', commentContent)
if (
!(
config.comment_summary_in_pr === 'always' ||
+17 -3
View File
@@ -22,7 +22,7 @@ import * as summary from './summary'
import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
import {getDeniedChanges} from './deny'
async function delay(ms: number): Promise<void> {
@@ -127,7 +127,7 @@ async function run(): Promise<void> {
const scorecard = await getScorecardLevels(filteredChanges)
summary.addSummaryToSummary(
const minSummary = summary.addSummaryToSummary(
vulnerableChanges,
invalidLicenseChanges,
deniedChanges,
@@ -166,7 +166,21 @@ async function run(): Promise<void> {
core.setOutput('dependency-changes', JSON.stringify(changes))
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
await commentPr(core.summary, config)
// include full summary in output; Actions will truncate if oversized
let rendered = core.summary.stringify()
core.setOutput('comment-content', rendered)
// if the summary is oversized, replace with minimal version
if (rendered.length >= MAX_COMMENT_LENGTH) {
core.debug(
'The comment was too big for the GitHub API. Falling back on a minimum comment'
)
rendered = minSummary
}
// update the PR comment if needed with the right-sized summary
await commentPr(rendered, config)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
+64 -43
View File
@@ -10,17 +10,23 @@ const icons = {
warning: '⚠️'
}
// generates the DR report summmary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
export function addSummaryToSummary(
vulnerableChanges: Changes,
invalidLicenseChanges: InvalidLicenseChanges,
deniedChanges: Changes,
scorecard: Scorecard,
config: ConfigurationOptions
): void {
): string {
const out: string[] = []
const scorecardWarnings = countScorecardWarnings(scorecard, config)
const licenseIssues = countLicenseIssues(invalidLicenseChanges)
core.summary.addHeading('Dependency Review', 1)
out.push('# Dependency Review')
if (
vulnerableChanges.length === 0 &&
@@ -33,54 +39,69 @@ export function addSummaryToSummary(
config.license_check ? 'license issues' : '',
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
]
let msg = ''
if (issueTypes.filter(Boolean).length === 0) {
core.summary.addRaw(`${icons.check} No issues found.`)
msg = `${icons.check} No issues found.`
} else {
core.summary.addRaw(
`${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
)
msg = `${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
}
return
core.summary.addRaw(msg)
out.push(msg)
return out.join('\n')
}
core.summary
.addRaw('The following issues were found:')
.addList([
...(config.vulnerability_check
? [
`${checkOrFailIcon(vulnerableChanges.length)} ${
vulnerableChanges.length
} vulnerable package(s)`
]
: []),
...(config.license_check
? [
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
invalidLicenseChanges.forbidden.length
} package(s) with incompatible licenses`,
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
invalidLicenseChanges.unresolved.length
} package(s) with invalid SPDX license definitions`,
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
invalidLicenseChanges.unlicensed.length
} package(s) with unknown licenses.`
]
: []),
...(deniedChanges.length > 0
? [
`${checkOrFailIcon(deniedChanges.length)} ${
deniedChanges.length
} package(s) denied.`
]
: []),
...(config.show_openssf_scorecard && scorecardWarnings > 0
? [
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
]
: [])
])
.addRaw('See the Details below.')
const foundIssuesHeader = 'The following issues were found:'
core.summary.addRaw(foundIssuesHeader)
out.push(foundIssuesHeader)
const summaryList: string[] = [
...(config.vulnerability_check
? [
`${checkOrFailIcon(vulnerableChanges.length)} ${
vulnerableChanges.length
} vulnerable package(s)`
]
: []),
...(config.license_check
? [
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
invalidLicenseChanges.forbidden.length
} package(s) with incompatible licenses`,
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
invalidLicenseChanges.unresolved.length
} package(s) with invalid SPDX license definitions`,
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
invalidLicenseChanges.unlicensed.length
} package(s) with unknown licenses.`
]
: []),
...(deniedChanges.length > 0
? [
`${checkOrWarnIcon(deniedChanges.length)} ${
deniedChanges.length
} package(s) denied.`
]
: []),
...(config.show_openssf_scorecard && scorecardWarnings > 0
? [
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
]
: [])
]
core.summary.addList(summaryList)
for (const line of summaryList) {
out.push(`* ${line}`)
}
core.summary.addRaw('See the Details below.')
out.push(
`\n[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
)
return out.join('\n')
}
function countScorecardWarnings(