Compare commits

...

156 Commits

Author SHA1 Message Date
Federico Builes 8dc52cdbed update tests 2023-10-09 11:23:53 +02:00
dependabot[bot] ad34390f92 Bump @octokit/request-error from 2.1.0 to 5.0.1
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 2.1.0 to 5.0.1.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v2.1.0...v5.0.1)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:31:40 +00:00
Federico Builes 6c530dbedd Merge pull request #570 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.7.2
Bump @typescript-eslint/eslint-plugin from 6.4.0 to 6.7.2
2023-09-18 14:42:50 -05:00
dependabot[bot] e5c6ae035a Bump @typescript-eslint/eslint-plugin from 6.4.0 to 6.7.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.4.0 to 6.7.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 19:41:12 +00:00
Federico Builes 9c66f1b1b1 Merge pull request #569 from actions/dependabot/npm_and_yarn/esbuild-register-3.5.0
Bump esbuild-register from 3.4.2 to 3.5.0
2023-09-18 14:39:13 -05:00
dependabot[bot] 9add2f12fa Bump esbuild-register from 3.4.2 to 3.5.0
Bumps esbuild-register from 3.4.2 to 3.5.0.

---
updated-dependencies:
- dependency-name: esbuild-register
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 01:47:43 +00:00
Federico Builes 079b962af9 Merge pull request #564 from actions/dependabot/npm_and_yarn/zod-3.22.2
Bump zod from 3.21.4 to 3.22.2
2023-09-11 07:17:25 -05:00
Federico Builes e6b5e83d4e adding dist 2023-09-11 07:16:56 -05:00
Federico Builes 3c40a50e4b Merge pull request #565 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.6.0
Bump @typescript-eslint/parser from 6.2.1 to 6.6.0
2023-09-11 07:13:54 -05:00
Federico Builes 886d1fcf5f Merge pull request #563 from actions/dependabot/github_actions/actions/checkout-4
Bump actions/checkout from 3 to 4
2023-09-11 07:13:45 -05:00
dependabot[bot] 615671754c Bump @typescript-eslint/parser from 6.2.1 to 6.6.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.2.1 to 6.6.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.6.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:42:06 +00:00
dependabot[bot] cd1bb8895d Bump zod from 3.21.4 to 3.22.2
Bumps [zod](https://github.com/colinhacks/zod) from 3.21.4 to 3.22.2.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.21.4...v3.22.2)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:41:45 +00:00
dependabot[bot] 7095391667 Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:14:30 +00:00
Justin Holguín 6c5ccdad46 Merge pull request #562 from actions/juxtin/v3.0.9
Update version to 3.1.0
2023-09-07 14:46:08 -07:00
Federico Builes 51da82b3f5 updating package-lock.json 2023-09-07 16:44:36 -05:00
Justin Holguín ca13810d94 Update version to 3.1.0 2023-09-07 21:42:29 +00:00
Justin Holguín 8447b31d38 Merge pull request #561 from actions/juxtin/dr-snaps-readme
Add new Dr Snaps config options to readme
2023-09-07 14:19:42 -07:00
Justin Holguín 85df23de2c Update readme with new parameters 2023-09-07 21:17:45 +00:00
Justin Holguín 5da6fdbdf9 Clean up markdown formatting 2023-09-07 21:11:56 +00:00
Justin Holguín 92837b0ca8 Merge pull request #560 from actions/juxtin/improve-warnings
Improve display of snapshot warnings
2023-09-07 14:09:36 -07:00
Justin Holguín 35a52fd146 Minor tweaks to snapshot warnings 2023-09-07 18:00:57 +00:00
Justin Holguín bed9726f78 Make snapshot warning messages clearer and more actionable 2023-09-07 17:54:42 +00:00
Justin Holguín e4d20ce9ad Merge pull request #556 from actions/juxtin/dr-snaps-pre-launch
Dr Snaps launch PR
2023-09-07 10:18:47 -07:00
Justin Holguín bb0ca79fcd Update action.yml to show retry default 2023-09-07 17:08:20 +00:00
Justin Holguín 07f52ce621 Add example with retry-on-snapshot-warnings to docs 2023-09-07 17:07:50 +00:00
Justin Holguín c7e8727af4 Update action.yml
Co-authored-by: Federico Builes <febuiles@github.com>
2023-09-07 09:50:44 -07:00
Federico Builes 5e4b90e080 add dist 2023-09-07 09:06:46 -05:00
Federico Builes 7d0e0f61e8 Update src/dependency-graph.ts
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-09-07 07:08:21 -05:00
Justin Holguín ffaf251c92 update dist 2023-09-06 20:38:47 +00:00
Justin Holguín 726ffc8aa8 Merge remote-tracking branch 'origin/main' into juxtin/dr-snaps-pre-launch 2023-09-06 20:26:55 +00:00
Justin Holguín fcef41f1e0 Add docs link to snapshot warnings 2023-09-06 19:07:18 +00:00
Justin Holguín e81e6e582f Default retry-on-snapshot-warnings to false
Keeping this true by default means wasting actions minutes for
the vast majority of DR users
2023-09-06 18:04:16 +00:00
Federico Builes 511675e747 Merge pull request #558 from actions/dependabot/npm_and_yarn/types/node-16.18.48
Bump @types/node from 16.18.41 to 16.18.48
2023-09-05 16:15:52 -04:00
Federico Builes dcdbff2f84 Merge pull request #557 from actions/dependabot/npm_and_yarn/yaml-2.3.2
Bump yaml from 2.3.1 to 2.3.2
2023-09-05 11:55:49 -04:00
Federico Builes 29513b58ad updating dist 2023-09-05 08:28:43 -05:00
dependabot[bot] 347cb43687 Bump @types/node from 16.18.41 to 16.18.48
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.41 to 16.18.48.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 01:44:52 +00:00
dependabot[bot] dfe37bb356 Bump yaml from 2.3.1 to 2.3.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 01:44:44 +00:00
Justin Holguín ada103783f Merge remote-tracking branch 'origin/retry-on-snapshot-warnings' into juxtin/dr-snaps-pre-launch 2023-08-31 16:31:44 +00:00
Justin Holguín abc80cf6a0 Merge branch 'juxtin/snapshot-warnings' into juxtin/dr-snaps-pre-launch 2023-08-31 16:06:14 +00:00
Federico Builes 15e91a3980 Merge pull request #554 from actions/dependabot/npm_and_yarn/eslint-8.48.0
Bump eslint from 8.47.0 to 8.48.0
2023-08-28 08:52:43 -05:00
Federico Builes c7d2795410 Merge pull request #553 from actions/dependabot/npm_and_yarn/prettier-3.0.2
Bump prettier from 3.0.1 to 3.0.2
2023-08-28 08:52:32 -05:00
dependabot[bot] eb07c6d763 Bump eslint from 8.47.0 to 8.48.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.47.0 to 8.48.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.47.0...v8.48.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 01:52:04 +00:00
dependabot[bot] 4d8fe1e464 Bump prettier from 3.0.1 to 3.0.2
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.1...3.0.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 01:51:43 +00:00
Justin Holguín ee86529290 Show all non-empty snapshot warnings 2023-08-23 18:45:35 +00:00
Federico Builes c17dea4c51 Merge pull request #549 from actions/dependabot/npm_and_yarn/types/node-16.18.41
Bump @types/node from 16.18.39 to 16.18.41
2023-08-23 15:16:07 +02:00
Federico Builes 727ca667a3 Merge pull request #550 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.4.0
Bump @typescript-eslint/eslint-plugin from 6.3.0 to 6.4.0
2023-08-23 15:15:56 +02:00
Federico Builes 84cd472b61 Merge pull request #551 from oerd/update-inputs-documentation-and-links
Fix(docs): Correct action input name
2023-08-22 17:02:07 +02:00
Oerd Cukalla 366fffb717 Fix(docs): Correct article use. 2023-08-22 00:28:34 +02:00
Oerd Cukalla 62a1d2d370 Fix(docs): Correct action input name
Change input name used for passing the personal access token to
`external-repo-token`.
2023-08-22 00:20:26 +02:00
dependabot[bot] 42c2f7100f Bump @typescript-eslint/eslint-plugin from 6.3.0 to 6.4.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.4.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-21 01:04:16 +00:00
dependabot[bot] 608049acca Bump @types/node from 16.18.39 to 16.18.41
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.39 to 16.18.41.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-21 01:03:36 +00:00
Federico Builes 32037a1d97 bumping to 3.0.8 2023-08-15 10:11:44 +02:00
Federico Builes f6fff72a32 Merge pull request #540 from sgmurphy/comment-on-failure
Add `on-failure` option to `comment-summary-in-pr` setting
2023-08-15 10:08:44 +02:00
Federico Builes 61ee12c097 Merge pull request #548 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.3.0
Bump @typescript-eslint/eslint-plugin from 6.2.0 to 6.3.0
2023-08-14 06:39:45 +02:00
Federico Builes 7d5babfc38 Merge pull request #547 from actions/dependabot/npm_and_yarn/eslint-8.47.0
Bump eslint from 8.46.0 to 8.47.0
2023-08-14 06:39:28 +02:00
dependabot[bot] ddb1b9361c Bump @typescript-eslint/eslint-plugin from 6.2.0 to 6.3.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.3.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-14 01:26:56 +00:00
dependabot[bot] 7c3177d3c2 Bump eslint from 8.46.0 to 8.47.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.46.0 to 8.47.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.46.0...v8.47.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-14 01:26:22 +00:00
Sean Murphy 31afeba06d Add unit tests 2023-08-09 21:10:48 -04:00
Sean Murphy 7ef37f3853 Merge branch 'main' into comment-on-failure 2023-08-09 17:31:16 -04:00
Sean Murphy 2e59943778 Parse boolean to enum 2023-08-09 15:57:03 -04:00
Federico Builes 7d90b4f05f bumping to 3.0.7 2023-08-09 15:27:02 +02:00
Federico Builes 02aa4b66a7 Merge pull request #544 from adrienpessu/main
Add an option to deny packages or groups of packages
2023-08-09 15:25:21 +02:00
Federico Builes fe2a482baf Apply suggestions from code review 2023-08-09 15:24:26 +02:00
Adrien Pessu ce14e1f894 improve example 2023-08-08 17:21:30 +02:00
Adrien Pessu eacc0328b1 improve example 2023-08-08 17:10:23 +02:00
Adrien Pessu 98aae180cb debug 2023-08-08 16:56:01 +02:00
Adrien Pessu c280c303e6 debug 2023-08-08 16:51:40 +02:00
Adrien Pessu 1db9156f85 change from name of the package to the package url to avoid conflict between 2 dependencies with the same name but for different ecosystems 2023-08-08 16:34:23 +02:00
Adrien Pessu c462e2e50e add example 2023-08-08 10:12:55 +02:00
Adrien Pessu 0796abb9cf add changes on js.map file 2023-08-07 17:17:27 +02:00
Adrien Pessu eab07548a7 Merge remote-tracking branch 'upstream/main' 2023-08-07 14:25:57 +02:00
Adrien Pessu 00f1f5b642 add tests and docs 2023-08-07 14:07:46 +02:00
Adrien Pessu 6862f6f65f add groups 2023-08-07 14:07:26 +02:00
Adrien Pessu 2f38ecd3fd add deny_list as paramter 2023-08-07 14:07:26 +02:00
Adrien Pessu 309d082d5f initial commit 2023-08-07 14:07:26 +02:00
Federico Builes 0e6dece6c7 update more dependencies 2023-08-07 14:07:26 +02:00
dependabot[bot] 942409c937 Bump @typescript-eslint/eslint-plugin from 5.60.1 to 6.2.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.60.1 to 6.2.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.2.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 14:07:26 +02:00
Federico Builes 6af66592ad dependbot updates 2023-08-07 14:07:26 +02:00
dependabot[bot] d5a7e34e39 Bump prettier from 2.8.8 to 3.0.0
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.8 to 3.0.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.8...3.0.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 14:07:25 +02:00
Federico Builes 328a08ea42 Merge pull request #541 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.2.1
Bump @typescript-eslint/parser from 6.2.0 to 6.2.1
2023-08-07 10:20:46 +02:00
Federico Builes 3f88e84ced Merge pull request #542 from actions/dependabot/npm_and_yarn/prettier-3.0.1
Bump prettier from 3.0.0 to 3.0.1
2023-08-07 10:07:55 +02:00
dependabot[bot] 4463280ae5 Bump prettier from 3.0.0 to 3.0.1
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.0...3.0.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 01:49:54 +00:00
dependabot[bot] ae11b24682 Bump @typescript-eslint/parser from 6.2.0 to 6.2.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.2.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-07 01:49:41 +00:00
Sean Murphy 902e86c6f5 Add on-failure option to comment-summary-in-pr setting 2023-08-04 22:37:51 -04:00
Federico Builes 1e70f06e66 Merge pull request #537 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.2.0
Bump @typescript-eslint/eslint-plugin from 5.60.1 to 6.2.0
2023-07-31 18:03:04 +02:00
Federico Builes 0ea885e7c5 update more dependencies 2023-07-31 18:01:31 +02:00
dependabot[bot] 498c8717d3 Bump @typescript-eslint/eslint-plugin from 5.60.1 to 6.2.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.60.1 to 6.2.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.2.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-31 06:42:19 +00:00
Federico Builes fc8a06c798 Merge pull request #526 from actions/dependabot/npm_and_yarn/prettier-3.0.0
Bump prettier from 2.8.8 to 3.0.0
2023-07-31 08:40:45 +02:00
Federico Builes 8c593e9822 dependbot updates 2023-07-31 08:39:38 +02:00
Federico Builes 98d4fd7247 Merge pull request #534 from rajbos/main
Make GHES support / setup more clear
2023-07-19 16:27:05 +02:00
Federico Builes 0a68c5dfa6 Update README.md 2023-07-19 16:26:44 +02:00
Federico Builes f015f96b55 Update README.md 2023-07-19 16:26:39 +02:00
Rob Bos 3290c85b0f Make GHES support more clear 2023-07-19 13:05:42 +02:00
dependabot[bot] 6b0d5029d1 Bump prettier from 2.8.8 to 3.0.0
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.8 to 3.0.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.8...3.0.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-10 01:39:16 +00:00
cnagadya 090b9fe2a1 Merge pull request #524 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.60.1
Bump @typescript-eslint/eslint-plugin from 5.60.0 to 5.60.1
2023-07-03 10:32:12 +02:00
dependabot[bot] c5e57016d8 Bump @typescript-eslint/eslint-plugin from 5.60.0 to 5.60.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.60.0 to 5.60.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 08:18:28 +00:00
cnagadya 8cf6fcb693 Merge pull request #523 from actions/dependabot/npm_and_yarn/eslint-8.44.0
Bump eslint from 8.43.0 to 8.44.0
2023-07-03 10:17:48 +02:00
cnagadya 9bf5053b8a Merge pull request #522 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.60.1
Bump @typescript-eslint/parser from 5.60.0 to 5.60.1
2023-07-03 10:17:36 +02:00
cnagadya a213934318 Merge pull request #521 from actions/dependabot/npm_and_yarn/types/node-16.18.38
Bump @types/node from 16.18.36 to 16.18.38
2023-07-03 10:17:27 +02:00
dependabot[bot] e301b1bd30 Bump eslint from 8.43.0 to 8.44.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.43.0 to 8.44.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.43.0...v8.44.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 01:29:06 +00:00
dependabot[bot] c730d72f23 Bump @typescript-eslint/parser from 5.60.0 to 5.60.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.60.0 to 5.60.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 01:28:46 +00:00
dependabot[bot] a65c766d12 Bump @types/node from 16.18.36 to 16.18.38
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.36 to 16.18.38.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-07-03 01:28:23 +00:00
Federico Builes 7599c4bc8e Merge pull request #519 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-5.0.4
Bump @octokit/plugin-retry from 5.0.2 to 5.0.4
2023-06-26 15:38:01 +02:00
Federico Builes 0f4e96f7e8 adding build files 2023-06-26 15:36:01 +02:00
dependabot[bot] a234018432 Bump @octokit/plugin-retry from 5.0.2 to 5.0.4
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 5.0.2 to 5.0.4.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v5.0.2...v5.0.4)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 13:29:15 +00:00
Federico Builes 328eb79003 Merge pull request #518 from actions/dependabot/npm_and_yarn/octokit-2.1.0
Bump octokit from 2.0.19 to 2.1.0
2023-06-26 15:28:32 +02:00
Federico Builes 5bb28e508e npm i 2023-06-26 15:26:17 +02:00
Federico Builes 11a4a75728 Merge pull request #516 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.60.0
Bump @typescript-eslint/eslint-plugin from 5.59.11 to 5.60.0
2023-06-26 07:10:03 +02:00
dependabot[bot] c5ac6e1eba Bump @typescript-eslint/eslint-plugin from 5.59.11 to 5.60.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.11 to 5.60.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 05:08:33 +00:00
Federico Builes a3753ba2c6 Merge pull request #520 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.2.2
Bump eslint-plugin-jest from 27.2.1 to 27.2.2
2023-06-26 07:03:16 +02:00
Federico Builes ec3136c4ba Merge pull request #517 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.60.0
Bump @typescript-eslint/parser from 5.59.11 to 5.60.0
2023-06-26 07:03:01 +02:00
dependabot[bot] 38b79e2fbe Bump eslint-plugin-jest from 27.2.1 to 27.2.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.2.1 to 27.2.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.2.1...v27.2.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 01:30:13 +00:00
dependabot[bot] 01a70a14e2 Bump octokit from 2.0.19 to 2.1.0
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.19 to 2.1.0.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.19...v2.1.0)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 01:29:16 +00:00
dependabot[bot] d32ada785e Bump @typescript-eslint/parser from 5.59.11 to 5.60.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.11 to 5.60.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.60.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-26 01:28:47 +00:00
Federico Builes c61b0a3941 Merge pull request #510 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.11
Bump @typescript-eslint/eslint-plugin from 5.59.9 to 5.59.11
2023-06-19 07:54:57 +02:00
Federico Builes 38c1dbdffa Merge branch 'main' into dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.11 2023-06-19 07:00:21 +02:00
Federico Builes 84fe280943 Merge pull request #512 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.11
Bump @typescript-eslint/parser from 5.59.9 to 5.59.11
2023-06-19 06:58:36 +02:00
Federico Builes cf65a75df3 Merge pull request #511 from actions/dependabot/npm_and_yarn/eslint-8.43.0
Bump eslint from 8.41.0 to 8.43.0
2023-06-19 06:58:17 +02:00
dependabot[bot] 3d532eeb2e Bump @typescript-eslint/eslint-plugin from 5.59.9 to 5.59.11
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.9 to 5.59.11.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.11/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 04:52:17 +00:00
dependabot[bot] 2a14180549 Bump @typescript-eslint/parser from 5.59.9 to 5.59.11
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.9 to 5.59.11.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.11/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 04:52:17 +00:00
dependabot[bot] 3958f9d2c8 Bump eslint from 8.41.0 to 8.43.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.41.0 to 8.43.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.41.0...v8.43.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 04:52:12 +00:00
Federico Builes d561324ef9 Merge pull request #509 from actions/dependabot/npm_and_yarn/types/node-16.18.36
Bump @types/node from 16.18.35 to 16.18.36
2023-06-19 06:51:36 +02:00
dependabot[bot] 5c03808159 Bump @types/node from 16.18.35 to 16.18.36
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.35 to 16.18.36.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-19 01:58:19 +00:00
Henri Maurer d3fa764646 fix 2023-06-14 10:38:45 +01:00
Henri Maurer 1856a6de19 fix 2023-06-14 10:26:22 +01:00
Henri Maurer 5573b58443 better logging 2023-06-14 10:24:40 +01:00
Henri Maurer c3c3c2e746 fix retry until 2023-06-14 10:12:19 +01:00
Federico Builes 9617594ce4 Merge pull request #506 from actions/dependabot/npm_and_yarn/octokit-2.0.19
update octokit, regenerate dist
2023-06-12 07:29:57 +02:00
Federico Builes c10600ad00 update octokit, regenerate dist 2023-06-12 07:28:23 +02:00
Federico Builes 86477f1ea0 Merge pull request #504 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.9
Bump @typescript-eslint/eslint-plugin from 5.59.8 to 5.59.9
2023-06-12 07:19:03 +02:00
Federico Builes b6ef88155e Merge pull request #505 from actions/dependabot/npm_and_yarn/types/node-16.18.35
Bump @types/node from 16.18.34 to 16.18.35
2023-06-12 07:18:49 +02:00
Federico Builes 1c01b75438 Merge pull request #503 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-5.0.2
Bump @octokit/plugin-retry from 5.0.0 to 5.0.2
2023-06-12 07:18:36 +02:00
dependabot[bot] 1590d3f795 Bump @typescript-eslint/eslint-plugin from 5.59.8 to 5.59.9
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.8 to 5.59.9.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.9/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 05:17:03 +00:00
Federico Builes 90de8e47b4 adding dist 2023-06-12 07:16:52 +02:00
Federico Builes 6d3699baca Merge pull request #502 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.9
Bump @typescript-eslint/parser from 5.59.8 to 5.59.9
2023-06-12 07:15:59 +02:00
dependabot[bot] 87e767d41f Bump @types/node from 16.18.34 to 16.18.35
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.34 to 16.18.35.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 01:59:53 +00:00
dependabot[bot] 554d5fa52b Bump @octokit/plugin-retry from 5.0.0 to 5.0.2
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 5.0.0 to 5.0.2.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v5.0.0...v5.0.2)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 01:59:03 +00:00
dependabot[bot] 983fa12c36 Bump @typescript-eslint/parser from 5.59.8 to 5.59.9
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.8 to 5.59.9.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.9/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-12 01:58:41 +00:00
Henri Maurer f6f94a23a4 fix 2023-06-09 10:44:43 +01:00
Henri Maurer 50954e6a9a fix 2023-06-09 10:30:56 +01:00
Henri Maurer 66b6f67835 Add configs 2023-06-09 10:26:24 +01:00
Henri Maurer 1644401f8d rewrite retry logic 2023-06-08 18:11:13 +01:00
Henri Maurer 1a326fc7fa proceed even if warnings 2023-06-08 17:04:40 +01:00
Henri Maurer a82096e68a fix 2023-06-07 16:51:53 +01:00
Henri Maurer 90d3a94eb7 fix 2023-06-07 16:48:32 +01:00
Henri Maurer 9dde5949a8 retry every 10s 2023-06-07 16:39:16 +01:00
Henri Maurer cff142b535 includes_dependency_snapshots 2023-06-07 14:04:29 +01:00
Henri Maurer a4c5ac881a disable caching 2023-06-07 10:10:21 +01:00
Henri Maurer d35955ebf6 Prototype re-try on snapshot warnings 2023-06-06 16:44:27 +01:00
Federico Builes 0342e75832 Merge pull request #500 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-5.0.0
Bump @octokit/plugin-retry from 4.1.3 to 5.0.0
2023-06-05 07:14:34 +02:00
Federico Builes 3daf1c6551 Updating dist 2023-06-05 07:13:53 +02:00
Federico Builes 16cbdf9d97 Merge pull request #498 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.8.0
Bump eslint-plugin-github from 4.7.0 to 4.8.0
2023-06-05 07:09:55 +02:00
Federico Builes 59a0ce5dc2 Merge pull request #497 from actions/dependabot/npm_and_yarn/got-13.0.0
Bump got from 12.6.0 to 13.0.0
2023-06-05 07:08:54 +02:00
dependabot[bot] 6cc98d3032 Bump @octokit/plugin-retry from 4.1.3 to 5.0.0
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 4.1.3 to 5.0.0.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v4.1.3...v5.0.0)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-05 01:59:54 +00:00
dependabot[bot] 617fd3907e Bump eslint-plugin-github from 4.7.0 to 4.8.0
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.7.0 to 4.8.0.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.7.0...v4.8.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-05 01:59:21 +00:00
dependabot[bot] 537fc8f28d Bump got from 12.6.0 to 13.0.0
Bumps [got](https://github.com/sindresorhus/got) from 12.6.0 to 13.0.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.6.0...v13.0.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-06-05 01:58:58 +00:00
22 changed files with 6706 additions and 3535 deletions
+1 -1
View File
@@ -21,7 +21,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Set Node.js 18.x
uses: actions/setup-node@v3
+2 -2
View File
@@ -14,7 +14,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
@@ -27,7 +27,7 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
+1 -1
View File
@@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@main
+1 -1
View File
@@ -79,7 +79,7 @@ Here are a few things you can do that will increase the likelihood of your pull
- Write tests.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
## Cutting a new release
+18 -14
View File
@@ -43,7 +43,7 @@ This action is available in Enterprise Server starting with version 3.6. Make su
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled.
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
@@ -66,18 +66,22 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
\*not supported for use with GitHub Enterprise Server
@@ -144,7 +148,7 @@ For more examples of how to use this action and its configuration options, see t
### Considerations
- Checking for licenses is not supported on Enterprise Server.
- Checking for licenses is not supported on Enterprise Server as the API does not return license information.
- The action will only accept one of the two `license` parameters; an error will be raised if you provide both.
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
+26
View File
@@ -171,3 +171,29 @@ describe('licenses that are not valid SPDX licenses', () => {
)
})
})
test('it parses the comment-summary-in-pr input', async () => {
setInput('comment-summary-in-pr', 'true')
let config = await readConfig()
expect(config.comment_summary_in_pr).toBe('always')
clearInputs()
setInput('comment-summary-in-pr', 'false')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('never')
clearInputs()
setInput('comment-summary-in-pr', 'always')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('always')
clearInputs()
setInput('comment-summary-in-pr', 'never')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('never')
clearInputs()
setInput('comment-summary-in-pr', 'on-failure')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('on-failure')
})
+166
View File
@@ -0,0 +1,166 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
let getDeniedChanges: Function
const npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const pipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const mvnChange: Change = {
change_type: 'added',
manifest: 'pom.xml',
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
scope: 'unknown',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
jest.mock('@actions/core')
const mockOctokit = {
rest: {
licenses: {
getForRepo: jest
.fn()
.mockReturnValue({data: {license: {spdx_id: 'AGPL'}}})
}
}
}
jest.mock('octokit', () => {
return {
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
Octokit: class {
constructor() {
return mockOctokit
}
}
}
})
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getDeniedChanges} = require('../src/deny'))
})
test('it adds packages in the deny packages list', async () => {
const changes: Changes = [npmChange, rubyChange]
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
[]
)
expect(deniedChanges[0]).toBe(rubyChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages in the deny group list', async () => {
const changes: Changes = [mvnChange, rubyChange]
const deniedChanges = await getDeniedChanges(
changes,
[],
['pkg:maven/org.apache.logging.log4j']
)
expect(deniedChanges[0]).toBe(mvnChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages outside of the deny lists', async () => {
const changes: Changes = [npmChange, pipChange]
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
['pkg:maven:org.apache.logging.log4j']
)
expect(deniedChanges.length).toEqual(0)
})
+2 -1
View File
@@ -24,6 +24,7 @@ test('it properly catches RequestError type', async () => {
headRef: 'refs/heads/master'
})
} catch (error) {
expect(error).toBeInstanceOf(RequestError)
const err = error as RequestError
expect(err.status).toBe(401)
}
})
+34 -5
View File
@@ -24,7 +24,11 @@ const defaultConfig: ConfigurationOptions = {
allow_ghsas: [],
allow_licenses: [],
deny_licenses: [],
comment_summary_in_pr: true
deny_packages: [],
deny_groups: [],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
}
const changesWithEmptyManifests: Changes = [
@@ -70,6 +74,7 @@ test('prints headline as h1', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
@@ -81,6 +86,7 @@ test('only includes "No vulnerabilities or license issues found"-message if both
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
@@ -90,7 +96,12 @@ test('only includes "No vulnerabilities or license issues found"-message if both
test('only includes "No vulnerabilities found"-message if "license_check" is set to false and nothing was found', () => {
const config = {...defaultConfig, license_check: false}
summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, config)
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
config
)
const text = core.summary.stringify()
expect(text).toContain('✅ No vulnerabilities found.')
@@ -98,7 +109,12 @@ test('only includes "No vulnerabilities found"-message if "license_check" is set
test('only includes "No license issues found"-message if "vulnerability_check" is set to false and nothing was found', () => {
const config = {...defaultConfig, vulnerability_check: false}
summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, config)
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
config
)
const text = core.summary.stringify()
expect(text).toContain('✅ No license issues found.')
@@ -108,6 +124,7 @@ test('groups dependencies with empty manifest paths together', () => {
summary.addSummaryToSummary(
changesWithEmptyManifests,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
@@ -124,6 +141,7 @@ test('does not include status section if nothing was found', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
@@ -142,7 +160,12 @@ test('includes count and status icons for all findings', () => {
unlicensed: [createTestChange(), createTestChange(), createTestChange()]
}
summary.addSummaryToSummary(vulnerabilities, licenseIssues, defaultConfig)
summary.addSummaryToSummary(
vulnerabilities,
licenseIssues,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
expect(text).toContain('❌ 2 vulnerable package(s)')
@@ -159,6 +182,7 @@ test('uses checkmarks for license issues if only vulnerabilities were found', ()
summary.addSummaryToSummary(
vulnerabilities,
emptyInvalidLicenseChanges,
emptyChanges,
defaultConfig
)
@@ -178,7 +202,12 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
unlicensed: []
}
summary.addSummaryToSummary(emptyChanges, licenseIssues, defaultConfig)
summary.addSummaryToSummary(
emptyChanges,
licenseIssues,
emptyChanges,
defaultConfig
)
const text = core.summary.stringify()
expect(text).toContain('✅ 0 vulnerable package(s)')
+15 -1
View File
@@ -45,8 +45,22 @@ inputs:
description: A boolean to determine if vulnerability checks should be performed
required: false
comment-summary-in-pr:
description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
required: false
default: false
retry-on-snapshot-warnings-timeout:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+4090 -2211
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+70 -6
View File
@@ -83,7 +83,7 @@ jobs:
config-file: './.github/dependency-review-config.yml'
```
## Using a configuration file from a external repository
## Using a configuration file from an external repository
The following example will use a configuration file from an external public GitHub repository to configure the action.
@@ -110,7 +110,7 @@ jobs:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
## Using a configuration file from a external repository with a personal access token
## Using a configuration file from an external repository with a personal access token
The following example will use a configuration file from an external private GtiHub repository to configure the action.
@@ -135,7 +135,7 @@ jobs:
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
config-file-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
external-repo-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
```
## Getting the results of the action in the PR as a comment
@@ -161,7 +161,7 @@ jobs:
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
comment-summary-in-pr: always
```
## Exclude dependencies from the license check
@@ -189,7 +189,7 @@ jobs:
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
```
@@ -227,6 +227,70 @@ jobs:
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
comment-summary-in-pr: true
comment-summary-in-pr: always
license-check: false
```
## Exclude dependencies from their name or groups
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
```
## Waiting for dependency submission jobs to complete
When possible, this action will [include dependencies submitted through the dependency submission API][DSAPI]. In this case,
it's important for the action not to complete until all of the relevant dependencies have been submitted for both the base
and head commits.
When this action runs before one or more of the dependency submission actions, there will be an unequal number of dependency
snapshots between the base and head commits. For example, there may be one snapshot available for the tip of `main` and none
for the PR branch. In that case, the API response will contain a "snapshot warning" explaining the discrepancy.
In this example, when the action encounters one of these warnings it will retry every 10 seconds after that for 60 seconds
or until there is no warning in the response.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 60
```
[DSAPI]: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together
+2024 -1240
View File
File diff suppressed because it is too large Load Diff
+17 -19
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.6",
"version": "3.1.0",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -27,36 +27,34 @@
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^4.1.1",
"@octokit/request-error": "^2.1.0",
"@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^5.0.1",
"ansi-styles": "^6.2.1",
"got": "^12.6.0",
"nodemon": "^2.0.22",
"octokit": "^2.0.16",
"got": "^13.0.0",
"octokit": "^2.1.0",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.3.1",
"zod": "^3.21.4"
"yaml": "^2.3.2",
"zod": "^3.22.2"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.34",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.0",
"@types/node": "^16.18.48",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^5.59.8",
"@typescript-eslint/parser": "^5.59.8",
"@typescript-eslint/eslint-plugin": "^6.7.2",
"@typescript-eslint/parser": "^6.6.0",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.41.0",
"eslint-plugin-github": "^4.7.0",
"eslint-plugin-jest": "^27.2.1",
"esbuild-register": "^3.5.0",
"eslint": "^8.48.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.22",
"prettier": "2.8.8",
"nodemon": "^3.0.1",
"prettier": "3.0.2",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}
+10 -4
View File
@@ -6,7 +6,7 @@
* npx ts-node scripts/create_summary.ts
*/
import {Changes, ConfigurationOptions} from '../src/schemas'
import {Change, Changes, ConfigurationOptions} from '../src/schemas'
import {createTestChange} from '../__tests__/fixtures/create-test-change'
import {InvalidLicenseChanges} from '../src/licenses'
import * as fs from 'fs'
@@ -22,13 +22,17 @@ const defaultConfig: ConfigurationOptions = {
allow_ghsas: [],
allow_licenses: ['MIT'],
deny_licenses: [],
deny_packages: [],
deny_groups: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
],
comment_summary_in_pr: true
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
}
const tmpDir = path.resolve(__dirname, '../tmp')
@@ -44,6 +48,7 @@ const createNonIssueSummary = async (): Promise<void> => {
await createSummary(
[],
{forbidden: [], unresolved: [], unlicensed: []},
[],
defaultConfig,
'non-issue-summary.md'
)
@@ -85,16 +90,17 @@ const createFullSummary = async (): Promise<void> => {
]
}
await createSummary(changes, licenses, defaultConfig, 'full-summary.md')
await createSummary(changes, licenses, [], defaultConfig, 'full-summary.md')
}
async function createSummary(
vulnerabilities: Changes,
licenseIssues: InvalidLicenseChanges,
denied: Change[],
config: ConfigurationOptions,
fileName: string
): Promise<void> {
summary.addSummaryToSummary(vulnerabilities, licenseIssues, config)
summary.addSummaryToSummary(vulnerabilities, licenseIssues, denied, config)
summary.addChangeVulnerabilitiesToSummary(
vulnerabilities,
config.fail_on_severity
+2 -2
View File
@@ -74,8 +74,8 @@ async function findCommentByMarker(
)
for await (const {data: comments} of commentsIterator) {
const existingComment = comments.find(comment =>
comment.body?.includes(commentBodyIncludes)
const existingComment = comments.find(
comment => comment.body?.includes(commentBodyIncludes)
)
if (existingComment) return existingComment.id
}
+23 -3
View File
@@ -33,12 +33,20 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const allow_dependencies_licenses = parseList(
getOptionalInput('allow-dependencies-licenses')
)
const deny_packages = parseList(getOptionalInput('deny-packages'))
const deny_groups = parseList(getOptionalInput('deny-groups'))
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const license_check = getOptionalBoolean('license-check')
const vulnerability_check = getOptionalBoolean('vulnerability-check')
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr')
const comment_summary_in_pr = getOptionalInput('comment-summary-in-pr')
const retry_on_snapshot_warnings = getOptionalBoolean(
'retry-on-snapshot-warnings'
)
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
@@ -49,13 +57,17 @@ function readInlineConfig(): ConfigurationOptionsPartial {
fail_on_scopes,
allow_licenses,
deny_licenses,
deny_packages,
deny_groups,
allow_dependencies_licenses,
allow_ghsas,
license_check,
vulnerability_check,
base_ref,
head_ref,
comment_summary_in_pr
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
}
return Object.fromEntries(
@@ -63,6 +75,12 @@ function readInlineConfig(): ConfigurationOptionsPartial {
)
}
function getOptionalNumber(name: string): number | undefined {
const value = core.getInput(name)
const parsed = z.string().regex(/^\d+$/).transform(Number).safeParse(value)
return parsed.success ? parsed.data : undefined
}
function getOptionalBoolean(name: string): boolean | undefined {
const value = core.getInput(name)
return value.length > 0 ? core.getBooleanInput(name) : undefined
@@ -137,7 +155,9 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
'deny-licenses',
'fail-on-scopes',
'allow-ghsas',
'allow-dependencies-licenses'
'allow-dependencies-licenses',
'deny-packages',
'deny-groups'
]
for (const key of Object.keys(data)) {
+42
View File
@@ -0,0 +1,42 @@
import {Change} from './schemas'
import * as core from '@actions/core'
export async function getDeniedChanges(
changes: Change[],
deniedPackages: string[],
deniedGroups: string[]
): Promise<Change[]> {
const changesDenied: Change[] = []
let failed = false
for (const change of changes) {
change.name = change.name.toLowerCase()
const packageUrl = change.package_url.toLowerCase().split('@')[0]
if (deniedPackages) {
for (const denied of deniedPackages) {
if (packageUrl === denied.split('@')[0].toLowerCase()) {
changesDenied.push(change)
failed = true
}
}
}
if (deniedGroups) {
for (const denied of deniedGroups) {
if (packageUrl.startsWith(denied.toLowerCase())) {
changesDenied.push(change)
failed = true
}
}
}
}
if (failed) {
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
}
return changesDenied
}
+86 -9
View File
@@ -3,7 +3,7 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity, Changes} from './schemas'
import {Change, Severity, Changes, ConfigurationOptions} from './schemas'
import {readConfig} from '../src/config'
import {
filterChangesBySeverity,
@@ -16,6 +16,43 @@ import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
import {getDeniedChanges} from './deny'
async function delay(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
}
async function getComparison(
baseRef: string,
headRef: string,
retryOpts?: {
retryUntil: number
retryDelay: number
}
): ReturnType<typeof dependencyGraph.compare> {
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef,
headRef
})
if (comparison.snapshot_warnings.trim() !== '') {
core.info(comparison.snapshot_warnings)
if (retryOpts !== undefined) {
if (retryOpts.retryUntil < Date.now()) {
core.info(`Retry timeout exceeded. Proceeding...`)
return comparison
} else {
core.info(`Retrying in ${retryOpts.retryDelay} seconds...`)
await delay(retryOpts.retryDelay * 1000)
return getComparison(baseRef, headRef, retryOpts)
}
}
}
return comparison
}
async function run(): Promise<void> {
try {
@@ -23,12 +60,18 @@ async function run(): Promise<void> {
const refs = getRefs(config, github.context)
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
})
const comparison = await getComparison(
refs.base,
refs.head,
config.retry_on_snapshot_warnings
? {
retryUntil:
Date.now() + config.retry_on_snapshot_warnings_timeout * 1000,
retryDelay: 10
}
: undefined
)
const changes = comparison.changes
const snapshot_warnings = comparison.snapshot_warnings
@@ -63,14 +106,24 @@ async function run(): Promise<void> {
}
)
core.debug(`Filtered Changes: ${JSON.stringify(filteredChanges)}`)
core.debug(`Config Deny Packages: ${JSON.stringify(config)}`)
const deniedChanges = await getDeniedChanges(
filteredChanges,
config.deny_packages,
config.deny_groups
)
summary.addSummaryToSummary(
vulnerableChanges,
invalidLicenseChanges,
deniedChanges,
config
)
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings)
summary.addSnapshotWarnings(config, snapshot_warnings)
}
if (config.vulnerability_check) {
@@ -81,10 +134,18 @@ async function run(): Promise<void> {
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
}
if (config.deny_packages || config.deny_groups) {
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
}
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (config.comment_summary_in_pr) {
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
}
} catch (error) {
@@ -239,4 +300,20 @@ function printScannedDependencies(changes: Changes): void {
})
}
function printDeniedDependencies(
changes: Change[],
config: ConfigurationOptions
): void {
core.group('Denied', async () => {
for (const denied of config.deny_packages) {
core.info(`Config: ${denied}`)
}
for (const change of changes) {
core.info(`Change: ${change.name}@${change.version} is denied`)
core.info(`Change: ${change.package_url} is denied`)
}
})
}
run()
+21 -1
View File
@@ -42,12 +42,32 @@ export const ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
deny_packages: z.array(z.string()).default([]),
deny_groups: z.array(z.string()).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional(),
comment_summary_in_pr: z.boolean().default(false)
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
comment_summary_in_pr: z
.union([
z.preprocess(
val => (val === 'true' ? true : val === 'false' ? false : val),
z.boolean()
),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
})
.transform(config => {
if (config.comment_summary_in_pr === true) {
config.comment_summary_in_pr = 'always'
} else if (config.comment_summary_in_pr === false) {
config.comment_summary_in_pr = 'never'
}
return config
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {
+54 -13
View File
@@ -1,5 +1,5 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Changes} from './schemas'
import {ConfigurationOptions, Changes, Change} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
@@ -13,13 +13,15 @@ const icons = {
export function addSummaryToSummary(
vulnerableChanges: Changes,
invalidLicenseChanges: InvalidLicenseChanges,
deniedChanges: Changes,
config: ConfigurationOptions
): void {
core.summary.addHeading('Dependency Review', 1)
if (
vulnerableChanges.length === 0 &&
countLicenseIssues(invalidLicenseChanges) === 0
countLicenseIssues(invalidLicenseChanges) === 0 &&
deniedChanges.length === 0
) {
if (!config.license_check) {
core.summary.addRaw(`${icons.check} No vulnerabilities found.`)
@@ -56,6 +58,13 @@ export function addSummaryToSummary(
invalidLicenseChanges.unlicensed.length
} package(s) with unknown licenses.`
]
: []),
...(deniedChanges.length > 0
? [
`${checkOrWarnIcon(deniedChanges.length)} ${
deniedChanges.length
} package(s) denied.`
]
: [])
])
.addRaw('See the Details below.')
@@ -222,21 +231,34 @@ export function addScannedDependencies(changes: Changes): void {
}
}
export function addSnapshotWarnings(warnings: string): void {
// For now, we want to ignore warnings that just complain
// about missing snapshots on the head SHA. This is a product
// decision to avoid presenting warnings to users who simply
// don't use snapshots.
const ignore_regex = new RegExp(/No.*snapshot.*found.*head.*/, 'i')
if (ignore_regex.test(warnings)) {
return
function snapshotWarningRecommendation(
config: ConfigurationOptions,
warnings: string
): string {
const no_pr_snaps = warnings.includes(
'No snapshots were found for the head SHA'
)
const retries_disabled = !config.retry_on_snapshot_warnings
if (no_pr_snaps && retries_disabled) {
return 'Ensure that dependencies are being submitted on PR branches and consider enabling <em>retry-on-snapshot-warnings</em>.'
} else if (no_pr_snaps) {
return 'Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue.'
} else if (retries_disabled) {
return 'Consider enabling <em>retry-on-snapshot-warnings</em>.'
}
return 'Re-running this action after a short time may resolve the issue.'
}
export function addSnapshotWarnings(
config: ConfigurationOptions,
warnings: string
): void {
core.summary.addHeading('Snapshot Warnings', 2)
core.summary.addQuote(`${icons.warning}: ${warnings}`)
core.summary.addRaw(
'Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.'
)
const recommendation = snapshotWarningRecommendation(config, warnings)
const docsLink =
'See <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together">the documentation</a> for more information and troubleshooting advice.'
core.summary.addRaw(`${recommendation} ${docsLink}`)
}
function countLicenseIssues(
@@ -248,6 +270,25 @@ function countLicenseIssues(
)
}
export function addDeniedToSummary(deniedChanges: Change[]): void {
if (deniedChanges.length === 0) {
return
}
core.summary.addHeading('Denied dependencies', 2)
for (const change of deniedChanges) {
core.summary.addHeading(`<em>Denied dependencies</em>`, 4)
core.summary.addTable([
['Package', 'Version', 'License'],
[
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
]
])
}
}
function checkOrFailIcon(count: number): string {
return count === 0 ? icons.check : icons.cross
}