Compare commits


76 Commits

Author SHA1 Message Date
Federico Builes 8dc52cdbed update tests 2023-10-09 11:23:53 +02:00
dependabot[bot] ad34390f92 Bump @octokit/request-error from 2.1.0 to 5.0.1
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 2.1.0 to 5.0.1.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v2.1.0...v5.0.1)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:31:40 +00:00
Federico Builes 6c530dbedd Merge pull request #570 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.7.2
Bump @typescript-eslint/eslint-plugin from 6.4.0 to 6.7.2
2023-09-18 14:42:50 -05:00
dependabot[bot] e5c6ae035a Bump @typescript-eslint/eslint-plugin from 6.4.0 to 6.7.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.4.0 to 6.7.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 19:41:12 +00:00
Federico Builes 9c66f1b1b1 Merge pull request #569 from actions/dependabot/npm_and_yarn/esbuild-register-3.5.0
Bump esbuild-register from 3.4.2 to 3.5.0
2023-09-18 14:39:13 -05:00
dependabot[bot] 9add2f12fa Bump esbuild-register from 3.4.2 to 3.5.0
Bumps esbuild-register from 3.4.2 to 3.5.0.

---
updated-dependencies:
- dependency-name: esbuild-register
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 01:47:43 +00:00
Federico Builes 079b962af9 Merge pull request #564 from actions/dependabot/npm_and_yarn/zod-3.22.2
Bump zod from 3.21.4 to 3.22.2
2023-09-11 07:17:25 -05:00
Federico Builes e6b5e83d4e adding dist 2023-09-11 07:16:56 -05:00
Federico Builes 3c40a50e4b Merge pull request #565 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.6.0
Bump @typescript-eslint/parser from 6.2.1 to 6.6.0
2023-09-11 07:13:54 -05:00
Federico Builes 886d1fcf5f Merge pull request #563 from actions/dependabot/github_actions/actions/checkout-4
Bump actions/checkout from 3 to 4
2023-09-11 07:13:45 -05:00
dependabot[bot] 615671754c Bump @typescript-eslint/parser from 6.2.1 to 6.6.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.2.1 to 6.6.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.6.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:42:06 +00:00
dependabot[bot] cd1bb8895d Bump zod from 3.21.4 to 3.22.2
Bumps [zod](https://github.com/colinhacks/zod) from 3.21.4 to 3.22.2.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.21.4...v3.22.2)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:41:45 +00:00
dependabot[bot] 7095391667 Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:14:30 +00:00
Justin Holguín 6c5ccdad46 Merge pull request #562 from actions/juxtin/v3.0.9
Update version to 3.1.0
2023-09-07 14:46:08 -07:00
Federico Builes 51da82b3f5 updating package-lock.json 2023-09-07 16:44:36 -05:00
Justin Holguín ca13810d94 Update version to 3.1.0 2023-09-07 21:42:29 +00:00
Justin Holguín 8447b31d38 Merge pull request #561 from actions/juxtin/dr-snaps-readme
Add new Dr Snaps config options to readme
2023-09-07 14:19:42 -07:00
Justin Holguín 85df23de2c Update readme with new parameters 2023-09-07 21:17:45 +00:00
Justin Holguín 5da6fdbdf9 Clean up markdown formatting 2023-09-07 21:11:56 +00:00
Justin Holguín 92837b0ca8 Merge pull request #560 from actions/juxtin/improve-warnings
Improve display of snapshot warnings
2023-09-07 14:09:36 -07:00
Justin Holguín 35a52fd146 Minor tweaks to snapshot warnings 2023-09-07 18:00:57 +00:00
Justin Holguín bed9726f78 Make snapshot warning messages clearer and more actionable 2023-09-07 17:54:42 +00:00
Justin Holguín e4d20ce9ad Merge pull request #556 from actions/juxtin/dr-snaps-pre-launch
Dr Snaps launch PR
2023-09-07 10:18:47 -07:00
Justin Holguín bb0ca79fcd Update action.yml to show retry default 2023-09-07 17:08:20 +00:00
Justin Holguín 07f52ce621 Add example with retry-on-snapshot-warnings to docs 2023-09-07 17:07:50 +00:00
Justin Holguín c7e8727af4 Update action.yml
Co-authored-by: Federico Builes <febuiles@github.com>
2023-09-07 09:50:44 -07:00
Federico Builes 5e4b90e080 add dist 2023-09-07 09:06:46 -05:00
Federico Builes 7d0e0f61e8 Update src/dependency-graph.ts
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-09-07 07:08:21 -05:00
Justin Holguín ffaf251c92 update dist 2023-09-06 20:38:47 +00:00
Justin Holguín 726ffc8aa8 Merge remote-tracking branch 'origin/main' into juxtin/dr-snaps-pre-launch 2023-09-06 20:26:55 +00:00
Justin Holguín fcef41f1e0 Add docs link to snapshot warnings 2023-09-06 19:07:18 +00:00
Justin Holguín e81e6e582f Default retry-on-snapshot-warnings to false
Keeping this true by default means wasting actions minutes for
the vast majority of DR users
2023-09-06 18:04:16 +00:00
Federico Builes 511675e747 Merge pull request #558 from actions/dependabot/npm_and_yarn/types/node-16.18.48
Bump @types/node from 16.18.41 to 16.18.48
2023-09-05 16:15:52 -04:00
Federico Builes dcdbff2f84 Merge pull request #557 from actions/dependabot/npm_and_yarn/yaml-2.3.2
Bump yaml from 2.3.1 to 2.3.2
2023-09-05 11:55:49 -04:00
Federico Builes 29513b58ad updating dist 2023-09-05 08:28:43 -05:00
dependabot[bot] 347cb43687 Bump @types/node from 16.18.41 to 16.18.48
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.41 to 16.18.48.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 01:44:52 +00:00
dependabot[bot] dfe37bb356 Bump yaml from 2.3.1 to 2.3.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 01:44:44 +00:00
Justin Holguín ada103783f Merge remote-tracking branch 'origin/retry-on-snapshot-warnings' into juxtin/dr-snaps-pre-launch 2023-08-31 16:31:44 +00:00
Justin Holguín abc80cf6a0 Merge branch 'juxtin/snapshot-warnings' into juxtin/dr-snaps-pre-launch 2023-08-31 16:06:14 +00:00
Federico Builes 15e91a3980 Merge pull request #554 from actions/dependabot/npm_and_yarn/eslint-8.48.0
Bump eslint from 8.47.0 to 8.48.0
2023-08-28 08:52:43 -05:00
Federico Builes c7d2795410 Merge pull request #553 from actions/dependabot/npm_and_yarn/prettier-3.0.2
Bump prettier from 3.0.1 to 3.0.2
2023-08-28 08:52:32 -05:00
dependabot[bot] eb07c6d763 Bump eslint from 8.47.0 to 8.48.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.47.0 to 8.48.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.47.0...v8.48.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 01:52:04 +00:00
dependabot[bot] 4d8fe1e464 Bump prettier from 3.0.1 to 3.0.2
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.1...3.0.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 01:51:43 +00:00
Justin Holguín ee86529290 Show all non-empty snapshot warnings 2023-08-23 18:45:35 +00:00
Federico Builes c17dea4c51 Merge pull request #549 from actions/dependabot/npm_and_yarn/types/node-16.18.41
Bump @types/node from 16.18.39 to 16.18.41
2023-08-23 15:16:07 +02:00
Federico Builes 727ca667a3 Merge pull request #550 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.4.0
Bump @typescript-eslint/eslint-plugin from 6.3.0 to 6.4.0
2023-08-23 15:15:56 +02:00
Federico Builes 84cd472b61 Merge pull request #551 from oerd/update-inputs-documentation-and-links
Fix(docs): Correct action input name
2023-08-22 17:02:07 +02:00
Oerd Cukalla 366fffb717 Fix(docs): Correct article use. 2023-08-22 00:28:34 +02:00
Oerd Cukalla 62a1d2d370 Fix(docs): Correct action input name
Change input name used for passing the personal access token to
`external-repo-token`.
2023-08-22 00:20:26 +02:00
dependabot[bot] 42c2f7100f Bump @typescript-eslint/eslint-plugin from 6.3.0 to 6.4.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.4.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-21 01:04:16 +00:00
dependabot[bot] 608049acca Bump @types/node from 16.18.39 to 16.18.41
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.39 to 16.18.41.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-21 01:03:36 +00:00
Federico Builes 32037a1d97 bumping to 3.0.8 2023-08-15 10:11:44 +02:00
Federico Builes f6fff72a32 Merge pull request #540 from sgmurphy/comment-on-failure
Add `on-failure` option to `comment-summary-in-pr` setting
2023-08-15 10:08:44 +02:00
Federico Builes 61ee12c097 Merge pull request #548 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.3.0
Bump @typescript-eslint/eslint-plugin from 6.2.0 to 6.3.0
2023-08-14 06:39:45 +02:00
Federico Builes 7d5babfc38 Merge pull request #547 from actions/dependabot/npm_and_yarn/eslint-8.47.0
Bump eslint from 8.46.0 to 8.47.0
2023-08-14 06:39:28 +02:00
dependabot[bot] ddb1b9361c Bump @typescript-eslint/eslint-plugin from 6.2.0 to 6.3.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.2.0 to 6.3.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.3.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-14 01:26:56 +00:00
dependabot[bot] 7c3177d3c2 Bump eslint from 8.46.0 to 8.47.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.46.0 to 8.47.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.46.0...v8.47.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-14 01:26:22 +00:00
Sean Murphy 31afeba06d Add unit tests 2023-08-09 21:10:48 -04:00
Sean Murphy 7ef37f3853 Merge branch 'main' into comment-on-failure 2023-08-09 17:31:16 -04:00
Sean Murphy 2e59943778 Parse boolean to enum 2023-08-09 15:57:03 -04:00
Sean Murphy 902e86c6f5 Add on-failure option to comment-summary-in-pr setting 2023-08-04 22:37:51 -04:00
Henri Maurer d3fa764646 fix 2023-06-14 10:38:45 +01:00
Henri Maurer 1856a6de19 fix 2023-06-14 10:26:22 +01:00
Henri Maurer 5573b58443 better logging 2023-06-14 10:24:40 +01:00
Henri Maurer c3c3c2e746 fix retry until 2023-06-14 10:12:19 +01:00
Henri Maurer f6f94a23a4 fix 2023-06-09 10:44:43 +01:00
Henri Maurer 50954e6a9a fix 2023-06-09 10:30:56 +01:00
Henri Maurer 66b6f67835 Add configs 2023-06-09 10:26:24 +01:00
Henri Maurer 1644401f8d rewrite retry logic 2023-06-08 18:11:13 +01:00
Henri Maurer 1a326fc7fa proceed even if warnings 2023-06-08 17:04:40 +01:00
Henri Maurer a82096e68a fix 2023-06-07 16:51:53 +01:00
Henri Maurer 90d3a94eb7 fix 2023-06-07 16:48:32 +01:00
Henri Maurer 9dde5949a8 retry every 10s 2023-06-07 16:39:16 +01:00
Henri Maurer cff142b535 includes_dependency_snapshots 2023-06-07 14:04:29 +01:00
Henri Maurer a4c5ac881a disable caching 2023-06-07 10:10:21 +01:00
Henri Maurer d35955ebf6 Prototype re-try on snapshot warnings 2023-06-06 16:44:27 +01:00
19 changed files with 536 additions and 241 deletions
+1 -1
@@ -21,7 +21,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Set Node.js 18.x
uses: actions/setup-node@v3
+2 -2
@@ -14,7 +14,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
@@ -27,7 +27,7 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
+1 -1
@@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@main
+1 -1
@@ -79,7 +79,7 @@ Here are a few things you can do that will increase the likelihood of your pull
- Write tests.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
## Cutting a new release
+17 -15
@@ -1,4 +1,4 @@
# dependency-review-action
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
@@ -66,20 +66,22 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|---------------|
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
\*not supported for use with GitHub Enterprise Server
+26
@@ -171,3 +171,29 @@ describe('licenses that are not valid SPDX licenses', () => {
)
})
})
test('it parses the comment-summary-in-pr input', async () => {
setInput('comment-summary-in-pr', 'true')
let config = await readConfig()
expect(config.comment_summary_in_pr).toBe('always')
clearInputs()
setInput('comment-summary-in-pr', 'false')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('never')
clearInputs()
setInput('comment-summary-in-pr', 'always')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('always')
clearInputs()
setInput('comment-summary-in-pr', 'never')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('never')
clearInputs()
setInput('comment-summary-in-pr', 'on-failure')
config = await readConfig()
expect(config.comment_summary_in_pr).toBe('on-failure')
})
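Review bot: The new test only exercises values the schema accepts, so a typo in the input (e.g. `sometimes`) or a case variant such as `True` is never shown to be rejected, and a later change that silently defaulted unknown values to `never` would pass unnoticed. Add a negative case at the end of this test, or as a sibling test, along the lines of `setInput('comment-summary-in-pr', 'sometimes')` followed by `await expect(readConfig()).rejects.toThrow()` — assuming readConfig surfaces the zod parse failure as a rejection, which this hunk does not show. The `true`/`false` mapping is also pinned only for lowercase strings; if the external-config path hands the schema a native YAML boolean, a separate case for that input would cover it too.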
+2 -1
@@ -24,6 +24,7 @@ test('it properly catches RequestError type', async () => {
headRef: 'refs/heads/master'
})
} catch (error) {
expect(error).toBeInstanceOf(RequestError)
const err = error as RequestError
expect(err.status).toBe(401)
}
})
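Review bot: Both assertions sit inside the `catch`, so if `compare()` resolves instead of rejecting the test passes without asserting anything; the `try` that wraps the call opens above this hunk. Add `expect.assertions(2)` as the first statement of the test, or follow the `await` with `throw new Error('expected compare() to reject')`, so a silent success fails the test rather than passing vacuously. The added `toBeInstanceOf(RequestError)` check is also sensitive to the `@octokit/request-error` 2.x→5.x bump in this compare: `instanceof` only holds if the test imports the same package instance the Octokit client throws from, so confirm the lockfile dedupes it to a single copy.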
+3 -1
@@ -26,7 +26,9 @@ const defaultConfig: ConfigurationOptions = {
deny_licenses: [],
deny_packages: [],
deny_groups: [],
comment_summary_in_pr: true
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
}
const changesWithEmptyManifests: Changes = [
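Review bot: `comment_summary_in_pr: true` is kept in the fixture even though the option is now a three-value string: the compiled main in this compare comments only when the value is `'always'` or `'on-failure'`, and the schema's transform rewrites `true` to `'always'` before any consumer sees it. A fixture holding the pre-normalisation boolean therefore describes a state `readConfig` never produces, and any summary test that later reads this field would exercise the `never` path by accident. Change it to `comment_summary_in_pr: 'always',` (or `'never'`, matching the schema default). If the `ConfigurationOptions` type still admits `boolean` here, that is presumably because the transform's return type keeps the pre-transform union — narrowing the schema output with an explicit enum type would turn this fixture into a compile error instead of a silent mismatch.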
+9 -1
@@ -45,7 +45,7 @@ inputs:
description: A boolean to determine if vulnerability checks should be performed
required: false
comment-summary-in-pr:
description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
@@ -53,6 +53,14 @@ inputs:
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
required: false
default: false
retry-on-snapshot-warnings-timeout:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
runs:
using: 'node16'
main: 'dist/index.js'
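Review bot: The new `retry-on-snapshot-warnings-timeout` description does not say what happens when the timeout lapses: the compiled main in this compare logs `Retry timeout exceeded. Proceeding...` and continues with whatever comparison the API returned, so a PR whose head snapshot never arrives can still receive a passing review on incomplete dependency data. Spell that out, e.g. `description: Number of seconds to keep retrying (every 10 seconds) while the Dependency Graph reports snapshot warnings; when the timeout lapses the action proceeds with the data it has rather than failing.` The `comment-summary-in-pr` description should also list the accepted values, `always`, `on-failure` and `never`, and note that `true`/`false` remain accepted as aliases, since the text now implies a non-boolean without naming the choices. `retry-on-snapshot-warnings` would benefit from one more clause explaining that the warnings come from dependency submission snapshots that have not yet been recorded for the head commit.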
Generated Vendored
+177 -56
@@ -564,17 +564,47 @@ const git_refs_1 = __nccwpck_require__(1086);
const utils_1 = __nccwpck_require__(918);
const comment_pr_1 = __nccwpck_require__(5842);
const deny_1 = __nccwpck_require__(2134);
function delay(ms) {
return __awaiter(this, void 0, void 0, function* () {
return new Promise(resolve => setTimeout(resolve, ms));
});
}
function getComparison(baseRef, headRef, retryOpts) {
return __awaiter(this, void 0, void 0, function* () {
const comparison = yield dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef,
headRef
});
if (comparison.snapshot_warnings.trim() !== '') {
core.info(comparison.snapshot_warnings);
if (retryOpts !== undefined) {
if (retryOpts.retryUntil < Date.now()) {
core.info(`Retry timeout exceeded. Proceeding...`);
return comparison;
}
else {
core.info(`Retrying in ${retryOpts.retryDelay} seconds...`);
yield delay(retryOpts.retryDelay * 1000);
return getComparison(baseRef, headRef, retryOpts);
}
}
}
return comparison;
});
}
function run() {
return __awaiter(this, void 0, void 0, function* () {
try {
const config = yield (0, config_1.readConfig)();
const refs = (0, git_refs_1.getRefs)(config, github.context);
const comparison = yield dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
});
const comparison = yield getComparison(refs.base, refs.head, config.retry_on_snapshot_warnings
? {
retryUntil: Date.now() + config.retry_on_snapshot_warnings_timeout * 1000,
retryDelay: 10
}
: undefined);
const changes = comparison.changes;
const snapshot_warnings = comparison.snapshot_warnings;
if (!changes) {
@@ -597,7 +627,7 @@ function run() {
const deniedChanges = yield (0, deny_1.getDeniedChanges)(filteredChanges, config.deny_packages, config.deny_groups);
summary.addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, config);
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings);
summary.addSnapshotWarnings(config, snapshot_warnings);
}
if (config.vulnerability_check) {
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity);
@@ -613,7 +643,9 @@ function run() {
}
summary.addScannedDependencies(changes);
printScannedDependencies(changes);
if (config.comment_summary_in_pr) {
if (config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)) {
yield (0, comment_pr_1.commentPr)(core.summary);
}
}
@@ -816,7 +848,23 @@ exports.ConfigurationOptionsSchema = z
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional(),
comment_summary_in_pr: z.boolean().default(false)
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
comment_summary_in_pr: z
.union([
z.preprocess(val => (val === 'true' ? true : val === 'false' ? false : val), z.boolean()),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
})
.transform(config => {
if (config.comment_summary_in_pr === true) {
config.comment_summary_in_pr = 'always';
}
else if (config.comment_summary_in_pr === false) {
config.comment_summary_in_pr = 'never';
}
return config;
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {
@@ -1044,18 +1092,26 @@ function addScannedDependencies(changes) {
}
}
exports.addScannedDependencies = addScannedDependencies;
function addSnapshotWarnings(warnings) {
// For now, we want to ignore warnings that just complain
// about missing snapshots on the head SHA. This is a product
// decision to avoid presenting warnings to users who simply
// don't use snapshots.
const ignore_regex = new RegExp(/No.*snapshot.*found.*head.*/, 'i');
if (ignore_regex.test(warnings)) {
return;
function snapshotWarningRecommendation(config, warnings) {
const no_pr_snaps = warnings.includes('No snapshots were found for the head SHA');
const retries_disabled = !config.retry_on_snapshot_warnings;
if (no_pr_snaps && retries_disabled) {
return 'Ensure that dependencies are being submitted on PR branches and consider enabling <em>retry-on-snapshot-warnings</em>.';
}
else if (no_pr_snaps) {
return 'Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue.';
}
else if (retries_disabled) {
return 'Consider enabling <em>retry-on-snapshot-warnings</em>.';
}
return 'Re-running this action after a short time may resolve the issue.';
}
function addSnapshotWarnings(config, warnings) {
core.summary.addHeading('Snapshot Warnings', 2);
core.summary.addQuote(`${icons.warning}: ${warnings}`);
core.summary.addRaw('Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.');
const recommendation = snapshotWarningRecommendation(config, warnings);
const docsLink = 'See <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together">the documentation</a> for more information and troubleshooting advice.';
core.summary.addRaw(`${recommendation} ${docsLink}`);
}
exports.addSnapshotWarnings = addSnapshotWarnings;
function countLicenseIssues(invalidLicenseChanges) {
@@ -44255,7 +44311,8 @@ class ParseStatus {
status.dirty();
if (value.status === "dirty")
status.dirty();
if (typeof value.value !== "undefined" || pair.alwaysSet) {
if (key.value !== "__proto__" &&
(typeof value.value !== "undefined" || pair.alwaysSet)) {
finalObject[key.value] = value.value;
}
}
@@ -44622,8 +44679,8 @@ exports["default"] = errorMap;
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.discriminatedUnion = exports.date = exports.boolean = exports.bigint = exports.array = exports.any = exports.coerce = exports.ZodFirstPartyTypeKind = exports.late = exports.ZodSchema = exports.Schema = exports.custom = exports.ZodPipeline = exports.ZodBranded = exports.BRAND = exports.ZodNaN = exports.ZodCatch = exports.ZodDefault = exports.ZodNullable = exports.ZodOptional = exports.ZodTransformer = exports.ZodEffects = exports.ZodPromise = exports.ZodNativeEnum = exports.ZodEnum = exports.ZodLiteral = exports.ZodLazy = exports.ZodFunction = exports.ZodSet = exports.ZodMap = exports.ZodRecord = exports.ZodTuple = exports.ZodIntersection = exports.ZodDiscriminatedUnion = exports.ZodUnion = exports.ZodObject = exports.ZodArray = exports.ZodVoid = exports.ZodNever = exports.ZodUnknown = exports.ZodAny = exports.ZodNull = exports.ZodUndefined = exports.ZodSymbol = exports.ZodDate = exports.ZodBoolean = exports.ZodBigInt = exports.ZodNumber = exports.ZodString = exports.ZodType = void 0;
exports.NEVER = exports["void"] = exports.unknown = exports.union = exports.undefined = exports.tuple = exports.transformer = exports.symbol = exports.string = exports.strictObject = exports.set = exports.record = exports.promise = exports.preprocess = exports.pipeline = exports.ostring = exports.optional = exports.onumber = exports.oboolean = exports.object = exports.number = exports.nullable = exports["null"] = exports.never = exports.nativeEnum = exports.nan = exports.map = exports.literal = exports.lazy = exports.intersection = exports["instanceof"] = exports["function"] = exports["enum"] = exports.effect = void 0;
exports.date = exports.boolean = exports.bigint = exports.array = exports.any = exports.coerce = exports.ZodFirstPartyTypeKind = exports.late = exports.ZodSchema = exports.Schema = exports.custom = exports.ZodReadonly = exports.ZodPipeline = exports.ZodBranded = exports.BRAND = exports.ZodNaN = exports.ZodCatch = exports.ZodDefault = exports.ZodNullable = exports.ZodOptional = exports.ZodTransformer = exports.ZodEffects = exports.ZodPromise = exports.ZodNativeEnum = exports.ZodEnum = exports.ZodLiteral = exports.ZodLazy = exports.ZodFunction = exports.ZodSet = exports.ZodMap = exports.ZodRecord = exports.ZodTuple = exports.ZodIntersection = exports.ZodDiscriminatedUnion = exports.ZodUnion = exports.ZodObject = exports.ZodArray = exports.ZodVoid = exports.ZodNever = exports.ZodUnknown = exports.ZodAny = exports.ZodNull = exports.ZodUndefined = exports.ZodSymbol = exports.ZodDate = exports.ZodBoolean = exports.ZodBigInt = exports.ZodNumber = exports.ZodString = exports.ZodType = void 0;
exports.NEVER = exports["void"] = exports.unknown = exports.union = exports.undefined = exports.tuple = exports.transformer = exports.symbol = exports.string = exports.strictObject = exports.set = exports.record = exports.promise = exports.preprocess = exports.pipeline = exports.ostring = exports.optional = exports.onumber = exports.oboolean = exports.object = exports.number = exports.nullable = exports["null"] = exports.never = exports.nativeEnum = exports.nan = exports.map = exports.literal = exports.lazy = exports.intersection = exports["instanceof"] = exports["function"] = exports["enum"] = exports.effect = exports.discriminatedUnion = void 0;
const errors_1 = __nccwpck_require__(9566);
const errorUtil_1 = __nccwpck_require__(2513);
const parseUtil_1 = __nccwpck_require__(888);
@@ -44713,6 +44770,7 @@ class ZodType {
this.catch = this.catch.bind(this);
this.describe = this.describe.bind(this);
this.pipe = this.pipe.bind(this);
this.readonly = this.readonly.bind(this);
this.isNullable = this.isNullable.bind(this);
this.isOptional = this.isOptional.bind(this);
}
@@ -44929,6 +44987,9 @@ class ZodType {
pipe(target) {
return ZodPipeline.create(this, target);
}
readonly() {
return ZodReadonly.create(this);
}
isOptional() {
return this.safeParse(undefined).success;
}
@@ -44942,8 +45003,8 @@ exports.ZodSchema = ZodType;
const cuidRegex = /^c[^\s-]{8,}$/i;
const cuid2Regex = /^[a-z][a-z0-9]*$/;
const ulidRegex = /[0-9A-HJKMNP-TV-Z]{26}/;
const uuidRegex = /^([a-f0-9]{8}-[a-f0-9]{4}-[1-5][a-f0-9]{3}-[a-f0-9]{4}-[a-f0-9]{12}|00000000-0000-0000-0000-000000000000)$/i;
const emailRegex = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\])|(\[IPv6:(([a-f0-9]{1,4}:){7}|::([a-f0-9]{1,4}:){0,6}|([a-f0-9]{1,4}:){1}:([a-f0-9]{1,4}:){0,5}|([a-f0-9]{1,4}:){2}:([a-f0-9]{1,4}:){0,4}|([a-f0-9]{1,4}:){3}:([a-f0-9]{1,4}:){0,3}|([a-f0-9]{1,4}:){4}:([a-f0-9]{1,4}:){0,2}|([a-f0-9]{1,4}:){5}:([a-f0-9]{1,4}:){0,1})([a-f0-9]{1,4}|(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2})))\])|([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])*(\.[A-Za-z]{2,})+))$/;
const uuidRegex = /^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/i;
const emailRegex = /^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;
const emojiRegex = /^(\p{Extended_Pictographic}|\p{Emoji_Component})+$/u;
const ipv4Regex = /^(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))$/;
const ipv6Regex = /^(([a-f0-9]{1,4}:){7}|::([a-f0-9]{1,4}:){0,6}|([a-f0-9]{1,4}:){1}:([a-f0-9]{1,4}:){0,5}|([a-f0-9]{1,4}:){2}:([a-f0-9]{1,4}:){0,4}|([a-f0-9]{1,4}:){3}:([a-f0-9]{1,4}:){0,3}|([a-f0-9]{1,4}:){4}:([a-f0-9]{1,4}:){0,2}|([a-f0-9]{1,4}:){5}:([a-f0-9]{1,4}:){0,1})([a-f0-9]{1,4}|(((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2}))\.){3}((25[0-5])|(2[0-4][0-9])|(1[0-9]{2})|([0-9]{1,2})))$/;
@@ -46919,6 +46980,12 @@ class ZodRecord extends ZodType {
}
exports.ZodRecord = ZodRecord;
class ZodMap extends ZodType {
get keySchema() {
return this._def.keyType;
}
get valueSchema() {
return this._def.valueType;
}
_parse(input) {
const { status, ctx } = this._processInputParams(input);
if (ctx.parsedType !== util_1.ZodParsedType.map) {
@@ -47117,16 +47184,17 @@ class ZodFunction extends ZodType {
const params = { errorMap: ctx.common.contextualErrorMap };
const fn = ctx.data;
if (this._def.returns instanceof ZodPromise) {
return (0, parseUtil_1.OK)(async (...args) => {
const me = this;
return (0, parseUtil_1.OK)(async function (...args) {
const error = new ZodError_1.ZodError([]);
const parsedArgs = await this._def.args
const parsedArgs = await me._def.args
.parseAsync(args, params)
.catch((e) => {
error.addIssue(makeArgsIssue(args, e));
throw error;
});
const result = await fn(...parsedArgs);
const parsedReturns = await this._def.returns._def.type
const result = await Reflect.apply(fn, this, parsedArgs);
const parsedReturns = await me._def.returns._def.type
.parseAsync(result, params)
.catch((e) => {
error.addIssue(makeReturnsIssue(result, e));
@@ -47136,13 +47204,14 @@ class ZodFunction extends ZodType {
});
}
else {
return (0, parseUtil_1.OK)((...args) => {
const parsedArgs = this._def.args.safeParse(args, params);
const me = this;
return (0, parseUtil_1.OK)(function (...args) {
const parsedArgs = me._def.args.safeParse(args, params);
if (!parsedArgs.success) {
throw new ZodError_1.ZodError([makeArgsIssue(args, parsedArgs.error)]);
}
const result = fn(...parsedArgs.data);
const parsedReturns = this._def.returns.safeParse(result, params);
const result = Reflect.apply(fn, this, parsedArgs.data);
const parsedReturns = me._def.returns.safeParse(result, params);
if (!parsedReturns.success) {
throw new ZodError_1.ZodError([makeReturnsIssue(result, parsedReturns.error)]);
}
@@ -47233,7 +47302,7 @@ ZodLiteral.create = (value, params) => {
};
function createZodEnum(values, params) {
return new ZodEnum({
values: values,
values,
typeName: ZodFirstPartyTypeKind.ZodEnum,
...processCreateParams(params),
});
@@ -47378,8 +47447,29 @@ class ZodEffects extends ZodType {
_parse(input) {
const { status, ctx } = this._processInputParams(input);
const effect = this._def.effect || null;
const checkCtx = {
addIssue: (arg) => {
(0, parseUtil_1.addIssueToContext)(ctx, arg);
if (arg.fatal) {
status.abort();
}
else {
status.dirty();
}
},
get path() {
return ctx.path;
},
};
checkCtx.addIssue = checkCtx.addIssue.bind(checkCtx);
if (effect.type === "preprocess") {
const processed = effect.transform(ctx.data);
const processed = effect.transform(ctx.data, checkCtx);
if (ctx.common.issues.length) {
return {
status: "dirty",
value: ctx.data,
};
}
if (ctx.common.async) {
return Promise.resolve(processed).then((processed) => {
return this._def.schema._parseAsync({
@@ -47397,21 +47487,6 @@ class ZodEffects extends ZodType {
});
}
}
const checkCtx = {
addIssue: (arg) => {
(0, parseUtil_1.addIssueToContext)(ctx, arg);
if (arg.fatal) {
status.abort();
}
else {
status.dirty();
}
},
get path() {
return ctx.path;
},
};
checkCtx.addIssue = checkCtx.addIssue.bind(checkCtx);
if (effect.type === "refinement") {
const executeRefinement = (acc) => {
const result = effect.refinement(acc, checkCtx);
@@ -47720,6 +47795,23 @@ class ZodPipeline extends ZodType {
}
}
exports.ZodPipeline = ZodPipeline;
class ZodReadonly extends ZodType {
_parse(input) {
const result = this._def.innerType._parse(input);
if ((0, parseUtil_1.isValid)(result)) {
result.value = Object.freeze(result.value);
}
return result;
}
}
exports.ZodReadonly = ZodReadonly;
ZodReadonly.create = (type, params) => {
return new ZodReadonly({
innerType: type,
typeName: ZodFirstPartyTypeKind.ZodReadonly,
...processCreateParams(params),
});
};
const custom = (check, params = {}, fatal) => {
if (check)
return ZodAny.create().superRefine((data, ctx) => {
@@ -47778,6 +47870,7 @@ var ZodFirstPartyTypeKind;
ZodFirstPartyTypeKind["ZodPromise"] = "ZodPromise";
ZodFirstPartyTypeKind["ZodBranded"] = "ZodBranded";
ZodFirstPartyTypeKind["ZodPipeline"] = "ZodPipeline";
ZodFirstPartyTypeKind["ZodReadonly"] = "ZodReadonly";
})(ZodFirstPartyTypeKind = exports.ZodFirstPartyTypeKind || (exports.ZodFirstPartyTypeKind = {}));
class Class {
constructor(..._) { }
@@ -47951,7 +48044,9 @@ function readInlineConfig() {
const vulnerability_check = getOptionalBoolean('vulnerability-check');
const base_ref = getOptionalInput('base-ref');
const head_ref = getOptionalInput('head-ref');
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr');
const comment_summary_in_pr = getOptionalInput('comment-summary-in-pr');
const retry_on_snapshot_warnings = getOptionalBoolean('retry-on-snapshot-warnings');
const retry_on_snapshot_warnings_timeout = getOptionalNumber('retry-on-snapshot-warnings-timeout');
validatePURL(allow_dependencies_licenses);
validateLicenses('allow-licenses', allow_licenses);
validateLicenses('deny-licenses', deny_licenses);
@@ -47968,10 +48063,17 @@ function readInlineConfig() {
vulnerability_check,
base_ref,
head_ref,
comment_summary_in_pr
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
};
return Object.fromEntries(Object.entries(keys).filter(([_, value]) => value !== undefined));
}
function getOptionalNumber(name) {
const value = core.getInput(name);
const parsed = z.string().regex(/^\d+$/).transform(Number).safeParse(value);
return parsed.success ? parsed.data : undefined;
}
function getOptionalBoolean(name) {
const value = core.getInput(name);
return value.length > 0 ? core.getBooleanInput(name) : undefined;
@@ -48255,7 +48357,23 @@ exports.ConfigurationOptionsSchema = z
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional(),
comment_summary_in_pr: z.boolean().default(false)
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
comment_summary_in_pr: z
.union([
z.preprocess(val => (val === 'true' ? true : val === 'false' ? false : val), z.boolean()),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
})
.transform(config => {
if (config.comment_summary_in_pr === true) {
config.comment_summary_in_pr = 'always';
}
else if (config.comment_summary_in_pr === false) {
config.comment_summary_in_pr = 'never';
}
return config;
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {
@@ -52541,6 +52659,8 @@ function debug(logLevel, ...messages) {
}
function warn(logLevel, warning) {
if (logLevel === 'debug' || logLevel === 'warn') {
// https://github.com/typescript-eslint/typescript-eslint/issues/7478
// eslint-disable-next-line @typescript-eslint/prefer-optional-chain
if (typeof process !== 'undefined' && process.emitWarning)
process.emitWarning(warning);
else
@@ -53322,7 +53442,7 @@ function stringifyKey(key, jsKey, ctx) {
return '';
if (typeof jsKey !== 'object')
return String(jsKey);
if (identity.isNode(key) && ctx && ctx.doc) {
if (identity.isNode(key) && ctx?.doc) {
const strCtx = stringify.createStringifyContext(ctx.doc, {});
strCtx.anchors = new Set();
for (const node of ctx.anchors.keys())
@@ -56701,8 +56821,9 @@ function createPairs(schema, iterable, ctx) {
key = keys[0];
value = it[key];
}
else
throw new TypeError(`Expected { key: value } tuple: ${it}`);
else {
throw new TypeError(`Expected tuple with one key, not ${keys.length} keys`);
}
}
else {
key = it;
@@ -57377,7 +57498,7 @@ function stringifyFlowCollection({ comment, items }, ctx, { flowChars, itemInden
if (iv.commentBefore)
reqNewline = true;
}
else if (item.value == null && ik && ik.comment) {
else if (item.value == null && ik?.comment) {
comment = ik.comment;
}
}
@@ -58003,7 +58124,7 @@ function blockString({ comment, type, value }, ctx, onComment, onChompKeep) {
function plainString(item, ctx, onComment, onChompKeep) {
const { type, value } = item;
const { actualString, implicitKey, indent, indentStep, inFlow } = ctx;
if ((implicitKey && /[\n[\]{},]/.test(value)) ||
if ((implicitKey && value.includes('\n')) ||
(inFlow && /[[\]{},]/.test(value))) {
return quotedString(value, ctx);
}
Generated Vendored
+1 -1
File diff suppressed because one or more lines are too long
+43 -7
@@ -83,7 +83,7 @@ jobs:
config-file: './.github/dependency-review-config.yml'
```
## Using a configuration file from a external repository
## Using a configuration file from an external repository
The following example will use a configuration file from an external public GitHub repository to configure the action.
@@ -110,7 +110,7 @@ jobs:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
## Using a configuration file from a external repository with a personal access token
## Using a configuration file from an external repository with a personal access token
The following example will use a configuration file from an external private GtiHub repository to configure the action.
@@ -135,7 +135,7 @@ jobs:
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
config-file-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
external-repo-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
```
## Getting the results of the action in the PR as a comment
@@ -161,7 +161,7 @@ jobs:
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
comment-summary-in-pr: always
```
## Exclude dependencies from the license check
@@ -189,7 +189,7 @@ jobs:
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
```
@@ -227,7 +227,7 @@ jobs:
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
comment-summary-in-pr: true
comment-summary-in-pr: always
license-check: false
```
@@ -257,4 +257,40 @@ jobs:
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
```
```
## Waiting for dependency submission jobs to complete
When possible, this action will [include dependencies submitted through the dependency submission API][DSAPI]. In this case,
it's important for the action not to complete until all of the relevant dependencies have been submitted for both the base
and head commits.
When this action runs before one or more of the dependency submission actions, there will be an unequal number of dependency
snapshots between the base and head commits. For example, there may be one snapshot available for the tip of `main` and none
for the PR branch. In that case, the API response will contain a "snapshot warning" explaining the discrepancy.
In this example, when the action encounters one of these warnings it will retry every 10 seconds after that for 60 seconds
or until there is no warning in the response.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 60
```
[DSAPI]: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together
+127 -121
@@ -1,44 +1,44 @@
{
"name": "dependency-review-action",
"version": "3.0.7",
"version": "3.1.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "dependency-review-action",
"version": "3.0.7",
"version": "3.1.0",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0",
"@octokit/request-error": "^5.0.1",
"ansi-styles": "^6.2.1",
"got": "^13.0.0",
"octokit": "^2.1.0",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.3.1",
"zod": "^3.21.4"
"yaml": "^2.3.2",
"zod": "^3.22.2"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.38",
"@types/node": "^16.18.48",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^6.2.0",
"@typescript-eslint/parser": "^6.2.1",
"@typescript-eslint/eslint-plugin": "^6.7.2",
"@typescript-eslint/parser": "^6.6.0",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.44.0",
"esbuild-register": "^3.5.0",
"eslint": "^8.48.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^3.0.1",
"prettier": "3.0.1",
"prettier": "3.0.2",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}
@@ -132,6 +132,16 @@
"universal-user-agent": "^6.0.0"
}
},
"node_modules/@actions/github/node_modules/@octokit/request-error": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz",
"integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==",
"dependencies": {
"@octokit/types": "^6.0.3",
"deprecation": "^2.0.0",
"once": "^1.4.0"
}
},
"node_modules/@actions/github/node_modules/@octokit/types": {
"version": "6.41.0",
"resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz",
@@ -1122,9 +1132,9 @@
}
},
"node_modules/@eslint/eslintrc": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.1.tgz",
"integrity": "sha512-9t7ZA7NGGK8ckelF0PQCfcxIUzs1Md5rrO6U/c+FIQNanea5UZC0wqKXH4vHBccmu4ZJgZ2idtPeW7+Q2npOEA==",
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.2.tgz",
"integrity": "sha512-+wvgpDsrB1YqAMdEUCcnTlpfVBH7Vqn6A/NT3D8WVXFIaKMlErPIZT3oCIAVCOtarRpMtelZLqJeU3t7WY6X6g==",
"dev": true,
"dependencies": {
"ajv": "^6.12.4",
@@ -1145,9 +1155,9 @@
}
},
"node_modules/@eslint/js": {
"version": "8.46.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.46.0.tgz",
"integrity": "sha512-a8TLtmPi8xzPkCbp/OGFUo5yhRkHM2Ko9kOWP4znJr0WAhWyThaw3PnwX4vOTWOAMsV2uRt32PPDcEz63esSaA==",
"version": "8.48.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.48.0.tgz",
"integrity": "sha512-ZSjtmelB7IJfWD2Fvb7+Z+ChTIKWq6kjda95fLcQKNS5aheVHn4IkfgRQE3sIIzTcSLwLcLZUD9UBt+V7+h+Pw==",
"dev": true,
"engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -2015,26 +2025,29 @@
}
},
"node_modules/@octokit/request-error": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz",
"integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==",
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.0.1.tgz",
"integrity": "sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==",
"dependencies": {
"@octokit/types": "^6.0.3",
"@octokit/types": "^12.0.0",
"deprecation": "^2.0.0",
"once": "^1.4.0"
},
"engines": {
"node": ">= 18"
}
},
"node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": {
"version": "12.11.0",
"resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz",
"integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ=="
"version": "19.0.0",
"resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.0.0.tgz",
"integrity": "sha512-PclQ6JGMTE9iUStpzMkwLCISFn/wDeRjkZFIKALpvJQNBGwDoYYi2fFvuHwssoQ1rXI5mfh6jgTgWuddeUzfWw=="
},
"node_modules/@octokit/request-error/node_modules/@octokit/types": {
"version": "6.41.0",
"resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz",
"integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==",
"version": "12.0.0",
"resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.0.0.tgz",
"integrity": "sha512-EzD434aHTFifGudYAygnFlS1Tl6KhbTynEWELQXIbTY8Msvb5nEqTZIm7sbPEt4mQYLZwu3zPKVdeIrw0g7ovg==",
"dependencies": {
"@octokit/openapi-types": "^12.11.0"
"@octokit/openapi-types": "^19.0.0"
}
},
"node_modules/@octokit/request/node_modules/@octokit/request-error": {
@@ -2292,9 +2305,9 @@
}
},
"node_modules/@types/node": {
"version": "16.18.39",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.39.tgz",
"integrity": "sha512-8q9ZexmdYYyc5/cfujaXb4YOucpQxAV4RMG0himLyDUOEr8Mr79VrqsFI+cQ2M2h89YIuy95lbxuYjxT4Hk4kQ=="
"version": "16.18.48",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.48.tgz",
"integrity": "sha512-mlaecDKQ7rIZrYD7iiKNdzFb6e/qD5I9U1rAhq+Fd+DWvYVs+G2kv74UFHmSOlg5+i/vF3XxuR522V4u8BqO+Q=="
},
"node_modules/@types/prettier": {
"version": "2.7.3",
@@ -2342,21 +2355,20 @@
"dev": true
},
"node_modules/@typescript-eslint/eslint-plugin": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.2.0.tgz",
"integrity": "sha512-rClGrMuyS/3j0ETa1Ui7s6GkLhfZGKZL3ZrChLeAiACBE/tRc1wq8SNZESUuluxhLj9FkUefRs2l6bCIArWBiQ==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.7.2.tgz",
"integrity": "sha512-ooaHxlmSgZTM6CHYAFRlifqh1OAr3PAQEwi7lhYhaegbnXrnh7CDcHmc3+ihhbQC7H0i4JF0psI5ehzkF6Yl6Q==",
"dev": true,
"dependencies": {
"@eslint-community/regexpp": "^4.5.1",
"@typescript-eslint/scope-manager": "6.2.0",
"@typescript-eslint/type-utils": "6.2.0",
"@typescript-eslint/utils": "6.2.0",
"@typescript-eslint/visitor-keys": "6.2.0",
"@typescript-eslint/scope-manager": "6.7.2",
"@typescript-eslint/type-utils": "6.7.2",
"@typescript-eslint/utils": "6.7.2",
"@typescript-eslint/visitor-keys": "6.7.2",
"debug": "^4.3.4",
"graphemer": "^1.4.0",
"ignore": "^5.2.4",
"natural-compare": "^1.4.0",
"natural-compare-lite": "^1.4.0",
"semver": "^7.5.4",
"ts-api-utils": "^1.0.1"
},
@@ -2378,15 +2390,15 @@
}
},
"node_modules/@typescript-eslint/parser": {
"version": "6.2.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.2.1.tgz",
"integrity": "sha512-Ld+uL1kYFU8e6btqBFpsHkwQ35rw30IWpdQxgOqOh4NfxSDH6uCkah1ks8R/RgQqI5hHPXMaLy9fbFseIe+dIg==",
"version": "6.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.6.0.tgz",
"integrity": "sha512-setq5aJgUwtzGrhW177/i+DMLqBaJbdwGj2CPIVFFLE0NCliy5ujIdLHd2D1ysmlmsjdL2GWW+hR85neEfc12w==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "6.2.1",
"@typescript-eslint/types": "6.2.1",
"@typescript-eslint/typescript-estree": "6.2.1",
"@typescript-eslint/visitor-keys": "6.2.1",
"@typescript-eslint/scope-manager": "6.6.0",
"@typescript-eslint/types": "6.6.0",
"@typescript-eslint/typescript-estree": "6.6.0",
"@typescript-eslint/visitor-keys": "6.6.0",
"debug": "^4.3.4"
},
"engines": {
@@ -2406,13 +2418,13 @@
}
},
"node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
"version": "6.2.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.2.1.tgz",
"integrity": "sha512-UCqBF9WFqv64xNsIEPfBtenbfodPXsJ3nPAr55mGPkQIkiQvgoWNo+astj9ZUfJfVKiYgAZDMnM6dIpsxUMp3Q==",
"version": "6.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.6.0.tgz",
"integrity": "sha512-pT08u5W/GT4KjPUmEtc2kSYvrH8x89cVzkA0Sy2aaOUIw6YxOIjA8ilwLr/1fLjOedX1QAuBpG9XggWqIIfERw==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.2.1",
"@typescript-eslint/visitor-keys": "6.2.1"
"@typescript-eslint/types": "6.6.0",
"@typescript-eslint/visitor-keys": "6.6.0"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
@@ -2423,9 +2435,9 @@
}
},
"node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
"version": "6.2.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.2.1.tgz",
"integrity": "sha512-528bGcoelrpw+sETlyM91k51Arl2ajbNT9L4JwoXE2dvRe1yd8Q64E4OL7vHYw31mlnVsf+BeeLyAZUEQtqahQ==",
"version": "6.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.6.0.tgz",
"integrity": "sha512-CB6QpJQ6BAHlJXdwUmiaXDBmTqIE2bzGTDLADgvqtHWuhfNP3rAOK7kAgRMAET5rDRr9Utt+qAzRBdu3AhR3sg==",
"dev": true,
"engines": {
"node": "^16.0.0 || >=18.0.0"
@@ -2436,13 +2448,13 @@
}
},
"node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
"version": "6.2.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.2.1.tgz",
"integrity": "sha512-G+UJeQx9AKBHRQBpmvr8T/3K5bJa485eu+4tQBxFq0KoT22+jJyzo1B50JDT9QdC1DEmWQfdKsa8ybiNWYsi0Q==",
"version": "6.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.6.0.tgz",
"integrity": "sha512-hMcTQ6Al8MP2E6JKBAaSxSVw5bDhdmbCEhGW/V8QXkb9oNsFkA4SBuOMYVPxD3jbtQ4R/vSODBsr76R6fP3tbA==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.2.1",
"@typescript-eslint/visitor-keys": "6.2.1",
"@typescript-eslint/types": "6.6.0",
"@typescript-eslint/visitor-keys": "6.6.0",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
@@ -2463,12 +2475,12 @@
}
},
"node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
"version": "6.2.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.2.1.tgz",
"integrity": "sha512-iTN6w3k2JEZ7cyVdZJTVJx2Lv7t6zFA8DCrJEHD2mwfc16AEvvBWVhbFh34XyG2NORCd0viIgQY1+u7kPI0WpA==",
"version": "6.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.6.0.tgz",
"integrity": "sha512-L61uJT26cMOfFQ+lMZKoJNbAEckLe539VhTxiGHrWl5XSKQgA0RTBZJW2HFPy5T0ZvPVSD93QsrTKDkfNwJGyQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.2.1",
"@typescript-eslint/types": "6.6.0",
"eslint-visitor-keys": "^3.4.1"
},
"engines": {
@@ -2480,13 +2492,13 @@
}
},
"node_modules/@typescript-eslint/scope-manager": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.2.0.tgz",
"integrity": "sha512-1ZMNVgm5nnHURU8ZSJ3snsHzpFeNK84rdZjluEVBGNu7jDymfqceB3kdIZ6A4xCfEFFhRIB6rF8q/JIqJd2R0Q==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.2.tgz",
"integrity": "sha512-bgi6plgyZjEqapr7u2mhxGR6E8WCzKNUFWNh6fkpVe9+yzRZeYtDTbsIBzKbcxI+r1qVWt6VIoMSNZ4r2A+6Yw==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.2.0",
"@typescript-eslint/visitor-keys": "6.2.0"
"@typescript-eslint/types": "6.7.2",
"@typescript-eslint/visitor-keys": "6.7.2"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
@@ -2497,13 +2509,13 @@
}
},
"node_modules/@typescript-eslint/type-utils": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.2.0.tgz",
"integrity": "sha512-DnGZuNU2JN3AYwddYIqrVkYW0uUQdv0AY+kz2M25euVNlujcN2u+rJgfJsBFlUEzBB6OQkUqSZPyuTLf2bP5mw==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.7.2.tgz",
"integrity": "sha512-36F4fOYIROYRl0qj95dYKx6kybddLtsbmPIYNK0OBeXv2j9L5nZ17j9jmfy+bIDHKQgn2EZX+cofsqi8NPATBQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/typescript-estree": "6.2.0",
"@typescript-eslint/utils": "6.2.0",
"@typescript-eslint/typescript-estree": "6.7.2",
"@typescript-eslint/utils": "6.7.2",
"debug": "^4.3.4",
"ts-api-utils": "^1.0.1"
},
@@ -2524,9 +2536,9 @@
}
},
"node_modules/@typescript-eslint/types": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.2.0.tgz",
"integrity": "sha512-1nRRaDlp/XYJQLvkQJG5F3uBTno5SHPT7XVcJ5n1/k2WfNI28nJsvLakxwZRNY5spuatEKO7d5nZWsQpkqXwBA==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.2.tgz",
"integrity": "sha512-flJYwMYgnUNDAN9/GAI3l8+wTmvTYdv64fcH8aoJK76Y+1FCZ08RtI5zDerM/FYT5DMkAc+19E4aLmd5KqdFyg==",
"dev": true,
"engines": {
"node": "^16.0.0 || >=18.0.0"
@@ -2537,13 +2549,13 @@
}
},
"node_modules/@typescript-eslint/typescript-estree": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.2.0.tgz",
"integrity": "sha512-Mts6+3HQMSM+LZCglsc2yMIny37IhUgp1Qe8yJUYVyO6rHP7/vN0vajKu3JvHCBIy8TSiKddJ/Zwu80jhnGj1w==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.2.tgz",
"integrity": "sha512-kiJKVMLkoSciGyFU0TOY0fRxnp9qq1AzVOHNeN1+B9erKFCJ4Z8WdjAkKQPP+b1pWStGFqezMLltxO+308dJTQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.2.0",
"@typescript-eslint/visitor-keys": "6.2.0",
"@typescript-eslint/types": "6.7.2",
"@typescript-eslint/visitor-keys": "6.7.2",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
@@ -2564,17 +2576,17 @@
}
},
"node_modules/@typescript-eslint/utils": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.2.0.tgz",
"integrity": "sha512-RCFrC1lXiX1qEZN8LmLrxYRhOkElEsPKTVSNout8DMzf8PeWoQG7Rxz2SadpJa3VSh5oYKGwt7j7X/VRg+Y3OQ==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.7.2.tgz",
"integrity": "sha512-ZCcBJug/TS6fXRTsoTkgnsvyWSiXwMNiPzBUani7hDidBdj1779qwM1FIAmpH4lvlOZNF3EScsxxuGifjpLSWQ==",
"dev": true,
"dependencies": {
"@eslint-community/eslint-utils": "^4.4.0",
"@types/json-schema": "^7.0.12",
"@types/semver": "^7.5.0",
"@typescript-eslint/scope-manager": "6.2.0",
"@typescript-eslint/types": "6.2.0",
"@typescript-eslint/typescript-estree": "6.2.0",
"@typescript-eslint/scope-manager": "6.7.2",
"@typescript-eslint/types": "6.7.2",
"@typescript-eslint/typescript-estree": "6.7.2",
"semver": "^7.5.4"
},
"engines": {
@@ -2589,12 +2601,12 @@
}
},
"node_modules/@typescript-eslint/visitor-keys": {
"version": "6.2.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.2.0.tgz",
"integrity": "sha512-QbaYUQVKKo9bgCzpjz45llCfwakyoxHetIy8CAvYCtd16Zu1KrpzNHofwF8kGkpPOxZB2o6kz+0nqH8ZkIzuoQ==",
"version": "6.7.2",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.2.tgz",
"integrity": "sha512-uVw9VIMFBUTz8rIeaUT3fFe8xIUx8r4ywAdlQv1ifH+6acn/XF8Y6rwJ7XNmkNMDrTW+7+vxFFPIF40nJCVsMQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.2.0",
"@typescript-eslint/types": "6.7.2",
"eslint-visitor-keys": "^3.4.1"
},
"engines": {
@@ -4043,9 +4055,9 @@
}
},
"node_modules/esbuild-register": {
"version": "3.4.2",
"resolved": "https://registry.npmjs.org/esbuild-register/-/esbuild-register-3.4.2.tgz",
"integrity": "sha512-kG/XyTDyz6+YDuyfB9ZoSIOOmgyFCH+xPRtsCa8W85HLRV5Csp+o3jWVbOSHgSLfyLc5DmP+KFDNwty4mEjC+Q==",
"version": "3.5.0",
"resolved": "https://registry.npmjs.org/esbuild-register/-/esbuild-register-3.5.0.tgz",
"integrity": "sha512-+4G/XmakeBAsvJuDugJvtyF1x+XJT4FMocynNpxrvEBViirpfUn2PgNpCHedfWhF4WokNsO/OvMKrmJOIJsI5A==",
"dev": true,
"dependencies": {
"debug": "^4.3.4"
@@ -4097,15 +4109,15 @@
}
},
"node_modules/eslint": {
"version": "8.46.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.46.0.tgz",
"integrity": "sha512-cIO74PvbW0qU8e0mIvk5IV3ToWdCq5FYG6gWPHHkx6gNdjlbAYvtfHmlCMXxjcoVaIdwy/IAt3+mDkZkfvb2Dg==",
"version": "8.48.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.48.0.tgz",
"integrity": "sha512-sb6DLeIuRXxeM1YljSe1KEx9/YYeZFQWcV8Rq9HfigmdDEugjLEVEa1ozDjL6YDjBpQHPJxJzze+alxi4T3OLg==",
"dev": true,
"dependencies": {
"@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.6.1",
"@eslint/eslintrc": "^2.1.1",
"@eslint/js": "^8.46.0",
"@eslint/eslintrc": "^2.1.2",
"@eslint/js": "8.48.0",
"@humanwhocodes/config-array": "^0.11.10",
"@humanwhocodes/module-importer": "^1.0.1",
"@nodelib/fs.walk": "^1.2.8",
@@ -4116,7 +4128,7 @@
"doctrine": "^3.0.0",
"escape-string-regexp": "^4.0.0",
"eslint-scope": "^7.2.2",
"eslint-visitor-keys": "^3.4.2",
"eslint-visitor-keys": "^3.4.3",
"espree": "^9.6.1",
"esquery": "^1.4.2",
"esutils": "^2.0.2",
@@ -4615,9 +4627,9 @@
}
},
"node_modules/eslint-visitor-keys": {
"version": "3.4.2",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.2.tgz",
"integrity": "sha512-8drBzUEyZ2llkpCA67iYrgEssKDUu68V8ChqqOfFupIaG/LCVPUT+CoGJpT77zJprs4T/W7p07LP7zAIMuweVw==",
"version": "3.4.3",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.3.tgz",
"integrity": "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag==",
"dev": true,
"engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -5079,9 +5091,9 @@
}
},
"node_modules/globals": {
"version": "13.20.0",
"resolved": "https://registry.npmjs.org/globals/-/globals-13.20.0.tgz",
"integrity": "sha512-Qg5QtVkCy/kv3FUSlu4ukeZDVf9ee0iXLAUYX13gbR17bnejFTzr4iS9bY7kwCf1NztRNm1t91fjOiyx4CSwPQ==",
"version": "13.21.0",
"resolved": "https://registry.npmjs.org/globals/-/globals-13.21.0.tgz",
"integrity": "sha512-ybyme3s4yy/t/3s35bewwXKOf7cvzfreG2lH0lZl0JB7I4GxRP2ghxOK/Nb9EkRXdbBXZLfq/p/0W2JUONB/Gg==",
"dev": true,
"dependencies": {
"type-fest": "^0.20.2"
@@ -6924,12 +6936,6 @@
"integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==",
"dev": true
},
"node_modules/natural-compare-lite": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/natural-compare-lite/-/natural-compare-lite-1.4.0.tgz",
"integrity": "sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==",
"dev": true
},
"node_modules/node-fetch": {
"version": "2.6.12",
"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.12.tgz",
@@ -7560,9 +7566,9 @@
}
},
"node_modules/prettier": {
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.0.1.tgz",
"integrity": "sha512-fcOWSnnpCrovBsmFZIGIy9UqK2FaI7Hqax+DIO0A9UxeVoY4iweyaFjS5TavZN97Hfehph0nhsZnjlVKzEQSrQ==",
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.0.2.tgz",
"integrity": "sha512-o2YR9qtniXvwEZlOKbveKfDQVyqxbEIWn48Z8m3ZJjBjcCmUy3xZGIv+7AkaeuaTr6yPXJjwv07ZWlsWbEy1rQ==",
"dev": true,
"bin": {
"prettier": "bin/prettier.cjs"
@@ -9054,9 +9060,9 @@
"dev": true
},
"node_modules/yaml": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.3.1.tgz",
"integrity": "sha512-2eHWfjaoXgTBC2jNM1LRef62VQa0umtvRiDSk6HSzW7RvS5YtkabJrwYLLEKWBc8a5U2PTSCs+dJjUTJdlHsWQ==",
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/yaml/-/yaml-2.3.2.tgz",
"integrity": "sha512-N/lyzTPaJasoDmfV7YTrYCI0G/3ivm/9wdG0aHuheKowWQwGTsK0Eoiw6utmzAnI6pkJa0DUVygvp3spqqEKXg==",
"engines": {
"node": ">= 14"
}
@@ -9101,9 +9107,9 @@
}
},
"node_modules/zod": {
"version": "3.21.4",
"resolved": "https://registry.npmjs.org/zod/-/zod-3.21.4.tgz",
"integrity": "sha512-m46AKbrzKVzOzs/DZgVnG5H55N1sv1M8qZU3A8RIKbs3mrACDNeIOeilDymVb2HdmP8uwshOCF4uJ8uM9rCqJw==",
"version": "3.22.2",
"resolved": "https://registry.npmjs.org/zod/-/zod-3.22.2.tgz",
"integrity": "sha512-wvWkphh5WQsJbVk1tbx1l1Ly4yg+XecD+Mq280uBGt9wa5BKSWf4Mhp6GmrkPixhMxmabYY7RbzlwVP32pbGCg==",
"funding": {
"url": "https://github.com/sponsors/colinhacks"
}
+10 -10
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.7",
"version": "3.1.0",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -28,33 +28,33 @@
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0",
"@octokit/request-error": "^5.0.1",
"ansi-styles": "^6.2.1",
"got": "^13.0.0",
"octokit": "^2.1.0",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.3.1",
"zod": "^3.21.4"
"yaml": "^2.3.2",
"zod": "^3.22.2"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.38",
"@types/node": "^16.18.48",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^6.2.0",
"@typescript-eslint/parser": "^6.2.1",
"@typescript-eslint/eslint-plugin": "^6.7.2",
"@typescript-eslint/parser": "^6.6.0",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.44.0",
"esbuild-register": "^3.5.0",
"eslint": "^8.48.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^3.0.1",
"prettier": "3.0.1",
"prettier": "3.0.2",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}
+3 -1
@@ -30,7 +30,9 @@ const defaultConfig: ConfigurationOptions = {
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
],
comment_summary_in_pr: true
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
}
const tmpDir = path.resolve(__dirname, '../tmp')
+16 -2
@@ -40,7 +40,13 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const vulnerability_check = getOptionalBoolean('vulnerability-check')
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr')
const comment_summary_in_pr = getOptionalInput('comment-summary-in-pr')
const retry_on_snapshot_warnings = getOptionalBoolean(
'retry-on-snapshot-warnings'
)
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
@@ -59,7 +65,9 @@ function readInlineConfig(): ConfigurationOptionsPartial {
vulnerability_check,
base_ref,
head_ref,
comment_summary_in_pr
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
}
return Object.fromEntries(
@@ -67,6 +75,12 @@ function readInlineConfig(): ConfigurationOptionsPartial {
)
}
function getOptionalNumber(name: string): number | undefined {
const value = core.getInput(name)
const parsed = z.string().regex(/^\d+$/).transform(Number).safeParse(value)
return parsed.success ? parsed.data : undefined
}
function getOptionalBoolean(name: string): boolean | undefined {
const value = core.getInput(name)
return value.length > 0 ? core.getBooleanInput(name) : undefined
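Review bot: `getOptionalNumber` silently maps any input that is not a plain non-negative integer to `undefined`, so a malformed `retry-on-snapshot-warnings-timeout` (a negative value, a decimal, or `60s`) falls through to the schema default with no signal to the workflow author. Since `core.getInput` yields `''` for an unset input (the same convention `getOptionalBoolean` relies on in the context lines below), the unset and malformed cases can be told apart: add `if (value.length > 0 && !parsed.success) core.warning('Ignoring non-numeric value for ' + name + ': ' + value)` before the return. A one-line TSDoc on the function would also make the accepted format explicit, e.g. `/** Reads an action input as a non-negative integer; returns undefined when unset or not an integer. */`. The `getOptionalBoolean` body continues past the end of this hunk.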
+54 -8
@@ -18,18 +18,60 @@ import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
import {getDeniedChanges} from './deny'
async function delay(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
}
async function getComparison(
baseRef: string,
headRef: string,
retryOpts?: {
retryUntil: number
retryDelay: number
}
): ReturnType<typeof dependencyGraph.compare> {
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef,
headRef
})
if (comparison.snapshot_warnings.trim() !== '') {
core.info(comparison.snapshot_warnings)
if (retryOpts !== undefined) {
if (retryOpts.retryUntil < Date.now()) {
core.info(`Retry timeout exceeded. Proceeding...`)
return comparison
} else {
core.info(`Retrying in ${retryOpts.retryDelay} seconds...`)
await delay(retryOpts.retryDelay * 1000)
return getComparison(baseRef, headRef, retryOpts)
}
}
}
return comparison
}
async function run(): Promise<void> {
try {
const config = await readConfig()
const refs = getRefs(config, github.context)
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
})
const comparison = await getComparison(
refs.base,
refs.head,
config.retry_on_snapshot_warnings
? {
retryUntil:
Date.now() + config.retry_on_snapshot_warnings_timeout * 1000,
retryDelay: 10
}
: undefined
)
const changes = comparison.changes
const snapshot_warnings = comparison.snapshot_warnings
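Review bot: The two fields of `retryOpts` in `getComparison` are in different units — `retryUntil` is an absolute `Date.now()` timestamp in milliseconds while `retryDelay` is in seconds (it is multiplied by 1000 before `delay` and logged as seconds) — and nothing in the signature says so; the caller in `run` has to get both conversions right by reading the body. Give the options a named type with the units documented on each field: `/** Absolute deadline as a Date.now() epoch value, in milliseconds. */ retryUntil: number` and `/** Pause between attempts, in seconds. */ retryDelay: number`. A TSDoc line on `getComparison` should also state that once the deadline passes the last comparison is returned as-is, warnings included, and that the warnings are re-logged on every attempt. The self-recursive `return getComparison(baseRef, headRef, retryOpts)` would read more plainly as a `while` loop, but that is a style preference; each retry awaits the previous one, so behaviour is the same either way.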
@@ -81,7 +123,7 @@ async function run(): Promise<void> {
)
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings)
summary.addSnapshotWarnings(config, snapshot_warnings)
}
if (config.vulnerability_check) {
@@ -99,7 +141,11 @@ async function run(): Promise<void> {
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (config.comment_summary_in_pr) {
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
}
} catch (error) {
+19 -1
@@ -49,7 +49,25 @@ export const ConfigurationOptionsSchema = z
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional(),
comment_summary_in_pr: z.boolean().default(false)
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
comment_summary_in_pr: z
.union([
z.preprocess(
val => (val === 'true' ? true : val === 'false' ? false : val),
z.boolean()
),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
})
.transform(config => {
if (config.comment_summary_in_pr === true) {
config.comment_summary_in_pr = 'always'
} else if (config.comment_summary_in_pr === false) {
config.comment_summary_in_pr = 'never'
}
return config
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {
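Review bot: The `.transform` step reassigns `config.comment_summary_in_pr` in place and returns the same object, so the schema's inferred output type still carries `boolean` in that field's union even though only `'always' | 'never' | 'on-failure'` can actually reach later code; if `ConfigurationOptions` is derived from this schema with `z.infer`, every consumer must keep handling the boolean case that the transform has already eliminated. Returning a fresh object with the normalised field narrows the output type to the three modes and makes the mutation unnecessary. The `.superRefine` callback that begins at the end of this hunk continues outside it.

```typescript
  .transform(config => {
    // Fold the legacy boolean form into the three string modes so the
    // inferred output type no longer admits true/false.
    const comment_summary_in_pr: 'always' | 'never' | 'on-failure' =
      config.comment_summary_in_pr === true
        ? 'always'
        : config.comment_summary_in_pr === false
          ? 'never'
          : config.comment_summary_in_pr
    return {...config, comment_summary_in_pr}
  })
  // … unchanged: .superRefine(...) …
```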
+24 -11
@@ -231,21 +231,34 @@ export function addScannedDependencies(changes: Changes): void {
}
}
export function addSnapshotWarnings(warnings: string): void {
// For now, we want to ignore warnings that just complain
// about missing snapshots on the head SHA. This is a product
// decision to avoid presenting warnings to users who simply
// don't use snapshots.
const ignore_regex = new RegExp(/No.*snapshot.*found.*head.*/, 'i')
if (ignore_regex.test(warnings)) {
return
function snapshotWarningRecommendation(
config: ConfigurationOptions,
warnings: string
): string {
const no_pr_snaps = warnings.includes(
'No snapshots were found for the head SHA'
)
const retries_disabled = !config.retry_on_snapshot_warnings
if (no_pr_snaps && retries_disabled) {
return 'Ensure that dependencies are being submitted on PR branches and consider enabling <em>retry-on-snapshot-warnings</em>.'
} else if (no_pr_snaps) {
return 'Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue.'
} else if (retries_disabled) {
return 'Consider enabling <em>retry-on-snapshot-warnings</em>.'
}
return 'Re-running this action after a short time may resolve the issue.'
}
export function addSnapshotWarnings(
config: ConfigurationOptions,
warnings: string
): void {
core.summary.addHeading('Snapshot Warnings', 2)
core.summary.addQuote(`${icons.warning}: ${warnings}`)
core.summary.addRaw(
'Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.'
)
const recommendation = snapshotWarningRecommendation(config, warnings)
const docsLink =
'See <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together">the documentation</a> for more information and troubleshooting advice.'
core.summary.addRaw(`${recommendation} ${docsLink}`)
}
function countLicenseIssues(
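Review bot: `snapshotWarningRecommendation` has no doc comment, and the explanatory comment that the removed implementation carried (why head-SHA snapshot warnings are treated specially) is gone with it, so a reader now has to infer the intent from the `warnings.includes('No snapshots were found for the head SHA')` check alone. That check is also tighter than the case-insensitive regex it replaces — it depends on the exact wording of an upstream API message — which is worth recording so that a future wording change is recognised as the cause when users start receiving only the generic fallback text. Suggest a TSDoc block on the function saying that it picks the remediation hint from the warning text, that the head-SHA phrase is matched literally against the dependency-graph comparison API's message, and that the last `return` is the fallback for any other warning. In `addSnapshotWarnings`, `docsLink` never varies per call, so hoisting it to a module-level `const` would keep the function body focused on what changes. The `countLicenseIssues` signature at the end of this hunk continues outside it.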