Compare commits

..

93 Commits

Author SHA1 Message Date
Federico Builes b91ea51364 updating dist. 2023-10-09 13:34:29 +02:00
Federico Builes 76b050a607 Use octokit-rest for the PR comments client. 2023-10-09 13:34:14 +02:00
Federico Builes e6d6badddb Update jest. 2023-10-09 13:33:55 +02:00
Federico Builes f7363549ac use octokit plugins 2023-10-09 13:20:24 +02:00
Federico Builes f71a906c2e Update plugins. 2023-10-09 13:17:54 +02:00
Federico Builes 03ace23f96 Update Node JS version. 2023-10-09 12:36:16 +02:00
dependabot[bot] cd09f857a3 Bump octokit from 2.1.0 to 3.1.1
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.1.0 to 3.1.1.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 09:38:02 +00:00
Federico Builes 69a61b613b updating dist 2023-10-09 11:36:34 +02:00
Federico Builes 53eb1ebcf5 Merge branch 'update-request-errors' 2023-10-09 11:36:00 +02:00
Federico Builes 8dc52cdbed update tests 2023-10-09 11:23:53 +02:00
Federico Builes e8634671a4 Merge pull request #583 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.4.2
Bump eslint-plugin-jest from 27.2.3 to 27.4.2
2023-10-09 10:25:41 +02:00
Federico Builes 69ecf4db79 Merge pull request #582 from actions/dependabot/npm_and_yarn/eslint-8.51.0
Bump eslint from 8.48.0 to 8.51.0
2023-10-09 10:25:28 +02:00
dependabot[bot] 70835908ea Bump eslint-plugin-jest from 27.2.3 to 27.4.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.2.3 to 27.4.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.2.3...v27.4.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 01:37:39 +00:00
dependabot[bot] f704f55fa1 Bump eslint from 8.48.0 to 8.51.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.48.0 to 8.51.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.48.0...v8.51.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 01:37:24 +00:00
Federico Builes e51d18ae1e updating dist 2023-10-05 17:15:27 +02:00
Federico Builes 62f26a66d6 bumping zod 2023-10-05 17:14:25 +02:00
Federico Builes 2f836bbce6 Merge pull request #580 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.7.3
Bump @typescript-eslint/parser from 6.6.0 to 6.7.3
2023-10-01 21:21:28 -05:00
dependabot[bot] 75dbba1acf Bump @typescript-eslint/parser from 6.6.0 to 6.7.3
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.6.0 to 6.7.3.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.3/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 02:15:09 +00:00
Federico Builes 8325453339 Merge pull request #579 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.0
Bump @vercel/ncc from 0.36.1 to 0.38.0
2023-10-01 21:13:34 -05:00
dependabot[bot] 353956d50d Bump @vercel/ncc from 0.36.1 to 0.38.0
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.36.1 to 0.38.0.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.36.1...0.38.0)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 01:59:34 +00:00
Federico Builes 4e41165d4b Merge pull request #577 from jsoref/modernize-versions
Modernize versions
2023-09-27 13:46:13 -05:00
Josh Soref cf3393ef0a Drop references to v2 from README
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-27 12:53:32 -04:00
Josh Soref 8213a1db10 Use checkout@v4
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-27 12:53:32 -04:00
Federico Builes 64a6d1a0b8 Merge pull request #571 from actions/dependabot/npm_and_yarn/types/node-16.18.54
Bump @types/node from 16.18.48 to 16.18.54
2023-09-26 12:24:33 -05:00
Federico Builes 364de25b16 Merge pull request #573 from actions/dependabot/npm_and_yarn/prettier-3.0.3
Bump prettier from 3.0.2 to 3.0.3
2023-09-26 12:24:18 -05:00
dependabot[bot] ad34390f92 Bump @octokit/request-error from 2.1.0 to 5.0.1
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 2.1.0 to 5.0.1.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v2.1.0...v5.0.1)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:31:40 +00:00
dependabot[bot] 1f5e4f1cd9 Bump prettier from 3.0.2 to 3.0.3
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:30:59 +00:00
dependabot[bot] fcb0293419 Bump @types/node from 16.18.48 to 16.18.54
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.48 to 16.18.54.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:30:38 +00:00
Federico Builes 6c530dbedd Merge pull request #570 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.7.2
Bump @typescript-eslint/eslint-plugin from 6.4.0 to 6.7.2
2023-09-18 14:42:50 -05:00
dependabot[bot] e5c6ae035a Bump @typescript-eslint/eslint-plugin from 6.4.0 to 6.7.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.4.0 to 6.7.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 19:41:12 +00:00
Federico Builes 9c66f1b1b1 Merge pull request #569 from actions/dependabot/npm_and_yarn/esbuild-register-3.5.0
Bump esbuild-register from 3.4.2 to 3.5.0
2023-09-18 14:39:13 -05:00
dependabot[bot] 9add2f12fa Bump esbuild-register from 3.4.2 to 3.5.0
Bumps esbuild-register from 3.4.2 to 3.5.0.

---
updated-dependencies:
- dependency-name: esbuild-register
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-18 01:47:43 +00:00
Federico Builes 079b962af9 Merge pull request #564 from actions/dependabot/npm_and_yarn/zod-3.22.2
Bump zod from 3.21.4 to 3.22.2
2023-09-11 07:17:25 -05:00
Federico Builes e6b5e83d4e adding dist 2023-09-11 07:16:56 -05:00
Federico Builes 3c40a50e4b Merge pull request #565 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.6.0
Bump @typescript-eslint/parser from 6.2.1 to 6.6.0
2023-09-11 07:13:54 -05:00
Federico Builes 886d1fcf5f Merge pull request #563 from actions/dependabot/github_actions/actions/checkout-4
Bump actions/checkout from 3 to 4
2023-09-11 07:13:45 -05:00
dependabot[bot] 615671754c Bump @typescript-eslint/parser from 6.2.1 to 6.6.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.2.1 to 6.6.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.6.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:42:06 +00:00
dependabot[bot] cd1bb8895d Bump zod from 3.21.4 to 3.22.2
Bumps [zod](https://github.com/colinhacks/zod) from 3.21.4 to 3.22.2.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.21.4...v3.22.2)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:41:45 +00:00
dependabot[bot] 7095391667 Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-11 01:14:30 +00:00
Justin Holguín 6c5ccdad46 Merge pull request #562 from actions/juxtin/v3.0.9
Update version to 3.1.0
2023-09-07 14:46:08 -07:00
Federico Builes 51da82b3f5 updating package-lock.json 2023-09-07 16:44:36 -05:00
Justin Holguín ca13810d94 Update version to 3.1.0 2023-09-07 21:42:29 +00:00
Justin Holguín 8447b31d38 Merge pull request #561 from actions/juxtin/dr-snaps-readme
Add new Dr Snaps config options to readme
2023-09-07 14:19:42 -07:00
Justin Holguín 85df23de2c Update readme with new parameters 2023-09-07 21:17:45 +00:00
Justin Holguín 5da6fdbdf9 Clean up markdown formatting 2023-09-07 21:11:56 +00:00
Justin Holguín 92837b0ca8 Merge pull request #560 from actions/juxtin/improve-warnings
Improve display of snapshot warnings
2023-09-07 14:09:36 -07:00
Justin Holguín 35a52fd146 Minor tweaks to snapshot warnings 2023-09-07 18:00:57 +00:00
Justin Holguín bed9726f78 Make snapshot warning messages clearer and more actionable 2023-09-07 17:54:42 +00:00
Justin Holguín e4d20ce9ad Merge pull request #556 from actions/juxtin/dr-snaps-pre-launch
Dr Snaps launch PR
2023-09-07 10:18:47 -07:00
Justin Holguín bb0ca79fcd Update action.yml to show retry default 2023-09-07 17:08:20 +00:00
Justin Holguín 07f52ce621 Add example with retry-on-snapshot-warnings to docs 2023-09-07 17:07:50 +00:00
Justin Holguín c7e8727af4 Update action.yml
Co-authored-by: Federico Builes <febuiles@github.com>
2023-09-07 09:50:44 -07:00
Federico Builes 5e4b90e080 add dist 2023-09-07 09:06:46 -05:00
Federico Builes 7d0e0f61e8 Update src/dependency-graph.ts
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-09-07 07:08:21 -05:00
Justin Holguín ffaf251c92 update dist 2023-09-06 20:38:47 +00:00
Justin Holguín 726ffc8aa8 Merge remote-tracking branch 'origin/main' into juxtin/dr-snaps-pre-launch 2023-09-06 20:26:55 +00:00
Justin Holguín fcef41f1e0 Add docs link to snapshot warnings 2023-09-06 19:07:18 +00:00
Justin Holguín e81e6e582f Default retry-on-snapshot-warnings to false
Keeping this true by default means wasting actions minutes for
the vast majority of DR users
2023-09-06 18:04:16 +00:00
Federico Builes 511675e747 Merge pull request #558 from actions/dependabot/npm_and_yarn/types/node-16.18.48
Bump @types/node from 16.18.41 to 16.18.48
2023-09-05 16:15:52 -04:00
Federico Builes dcdbff2f84 Merge pull request #557 from actions/dependabot/npm_and_yarn/yaml-2.3.2
Bump yaml from 2.3.1 to 2.3.2
2023-09-05 11:55:49 -04:00
Federico Builes 29513b58ad updating dist 2023-09-05 08:28:43 -05:00
dependabot[bot] 347cb43687 Bump @types/node from 16.18.41 to 16.18.48
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.41 to 16.18.48.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 01:44:52 +00:00
dependabot[bot] dfe37bb356 Bump yaml from 2.3.1 to 2.3.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-04 01:44:44 +00:00
Justin Holguín ada103783f Merge remote-tracking branch 'origin/retry-on-snapshot-warnings' into juxtin/dr-snaps-pre-launch 2023-08-31 16:31:44 +00:00
Justin Holguín abc80cf6a0 Merge branch 'juxtin/snapshot-warnings' into juxtin/dr-snaps-pre-launch 2023-08-31 16:06:14 +00:00
Federico Builes 15e91a3980 Merge pull request #554 from actions/dependabot/npm_and_yarn/eslint-8.48.0
Bump eslint from 8.47.0 to 8.48.0
2023-08-28 08:52:43 -05:00
Federico Builes c7d2795410 Merge pull request #553 from actions/dependabot/npm_and_yarn/prettier-3.0.2
Bump prettier from 3.0.1 to 3.0.2
2023-08-28 08:52:32 -05:00
dependabot[bot] eb07c6d763 Bump eslint from 8.47.0 to 8.48.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.47.0 to 8.48.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.47.0...v8.48.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 01:52:04 +00:00
dependabot[bot] 4d8fe1e464 Bump prettier from 3.0.1 to 3.0.2
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.1...3.0.2)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-28 01:51:43 +00:00
Justin Holguín ee86529290 Show all non-empty snapshot warnings 2023-08-23 18:45:35 +00:00
Federico Builes c17dea4c51 Merge pull request #549 from actions/dependabot/npm_and_yarn/types/node-16.18.41
Bump @types/node from 16.18.39 to 16.18.41
2023-08-23 15:16:07 +02:00
Federico Builes 727ca667a3 Merge pull request #550 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.4.0
Bump @typescript-eslint/eslint-plugin from 6.3.0 to 6.4.0
2023-08-23 15:15:56 +02:00
Federico Builes 84cd472b61 Merge pull request #551 from oerd/update-inputs-documentation-and-links
Fix(docs): Correct action input name
2023-08-22 17:02:07 +02:00
Oerd Cukalla 366fffb717 Fix(docs): Correct article use. 2023-08-22 00:28:34 +02:00
Oerd Cukalla 62a1d2d370 Fix(docs): Correct action input name
Change input name used for passing the personal access token to
`external-repo-token`.
2023-08-22 00:20:26 +02:00
dependabot[bot] 42c2f7100f Bump @typescript-eslint/eslint-plugin from 6.3.0 to 6.4.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.4.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-21 01:04:16 +00:00
dependabot[bot] 608049acca Bump @types/node from 16.18.39 to 16.18.41
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.39 to 16.18.41.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-21 01:03:36 +00:00
Federico Builes 32037a1d97 bumping to 3.0.8 2023-08-15 10:11:44 +02:00
Henri Maurer d3fa764646 fix 2023-06-14 10:38:45 +01:00
Henri Maurer 1856a6de19 fix 2023-06-14 10:26:22 +01:00
Henri Maurer 5573b58443 better logging 2023-06-14 10:24:40 +01:00
Henri Maurer c3c3c2e746 fix retry until 2023-06-14 10:12:19 +01:00
Henri Maurer f6f94a23a4 fix 2023-06-09 10:44:43 +01:00
Henri Maurer 50954e6a9a fix 2023-06-09 10:30:56 +01:00
Henri Maurer 66b6f67835 Add configs 2023-06-09 10:26:24 +01:00
Henri Maurer 1644401f8d rewrite retry logic 2023-06-08 18:11:13 +01:00
Henri Maurer 1a326fc7fa proceed even if warnings 2023-06-08 17:04:40 +01:00
Henri Maurer a82096e68a fix 2023-06-07 16:51:53 +01:00
Henri Maurer 90d3a94eb7 fix 2023-06-07 16:48:32 +01:00
Henri Maurer 9dde5949a8 retry every 10s 2023-06-07 16:39:16 +01:00
Henri Maurer cff142b535 includes_dependency_snapshots 2023-06-07 14:04:29 +01:00
Henri Maurer a4c5ac881a disable caching 2023-06-07 10:10:21 +01:00
Henri Maurer d35955ebf6 Prototype re-try on snapshot warnings 2023-06-06 16:44:27 +01:00
21 changed files with 11242 additions and 25356 deletions
+1 -1
View File
@@ -21,7 +21,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Set Node.js 18.x
uses: actions/setup-node@v3
+2 -2
View File
@@ -14,7 +14,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
@@ -27,7 +27,7 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
+1 -1
View File
@@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@main
+1 -1
View File
@@ -79,7 +79,7 @@ Here are a few things you can do that will increase the likelihood of your pull
- Write tests.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
## Cutting a new release
+21 -19
View File
@@ -1,4 +1,4 @@
# dependency-review-action
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
@@ -57,7 +57,7 @@ jobs:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
@@ -66,20 +66,22 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
\*not supported for use with GitHub Enterprise Server
@@ -101,7 +103,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
@@ -126,7 +128,7 @@ Start by specifying that you will be using an external configuration file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v3
with:
config-file: './.github/dependency-review-config.yml'
```
+2 -1
View File
@@ -24,6 +24,7 @@ test('it properly catches RequestError type', async () => {
headRef: 'refs/heads/master'
})
} catch (error) {
expect(error).toBeInstanceOf(RequestError)
const err = error as RequestError
expect(err.status).toBe(401)
}
})
+3 -1
View File
@@ -26,7 +26,9 @@ const defaultConfig: ConfigurationOptions = {
deny_licenses: [],
deny_packages: [],
deny_groups: [],
comment_summary_in_pr: true
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
}
const changesWithEmptyManifests: Changes = [
+9 -1
View File
@@ -53,6 +53,14 @@ inputs:
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
required: false
default: false
retry-on-snapshot-warnings-timeout:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
runs:
using: 'node16'
using: 'node20'
main: 'dist/index.js'
Generated Vendored
+9513 -23164
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+281 -26
View File
@@ -322,6 +322,17 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-graphql
MIT
MIT License Copyright (c) 2019 Octokit contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-rest
MIT
MIT License Copyright (c) 2019 Octokit contributors
@@ -333,6 +344,17 @@ The above copyright notice and this permission notice (including the next paragr
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-request-log
MIT
MIT License Copyright (c) 2020 Octokit contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-rest-endpoint-methods
MIT
MIT License Copyright (c) 2019 Octokit contributors
@@ -444,6 +466,32 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
@octokit/rest
MIT
The MIT License
Copyright (c) 2012 Cloud9 IDE, Inc. (Mike de Boer)
Copyright (c) 2017-2018 Octokit contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
@octokit/webhooks
MIT
Copyright (c) 2017 Gregor Martynus
@@ -1046,30 +1094,6 @@ Apache License
limitations under the License.
fromentries
MIT
The MIT License (MIT)
Copyright (c) Feross Aboukhadijeh
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
indent-string
MIT
MIT License
@@ -1175,9 +1199,240 @@ FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TOR
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash
lodash.includes
MIT
Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isboolean
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.isinteger
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isnumber
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.isplainobject
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isstring
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.once
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
+49 -13
View File
@@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
@@ -39,7 +39,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
@@ -76,14 +76,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: './.github/dependency-review-config.yml'
```
## Using a configuration file from a external repository
## Using a configuration file from an external repository
The following example will use a configuration file from an external public GitHub repository to configure the action.
@@ -103,14 +103,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
## Using a configuration file from a external repository with a personal access token
## Using a configuration file from an external repository with a personal access token
The following example will use a configuration file from an external private GtiHub repository to configure the action.
@@ -130,12 +130,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
config-file-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
external-repo-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
```
## Getting the results of the action in the PR as a comment
@@ -155,7 +155,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
@@ -183,7 +183,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
@@ -222,7 +222,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
@@ -251,10 +251,46 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
```
```
## Waiting for dependency submission jobs to complete
When possible, this action will [include dependencies submitted through the dependency submission API][DSAPI]. In this case,
it's important for the action not to complete until all of the relevant dependencies have been submitted for both the base
and head commits.
When this action runs before one or more of the dependency submission actions, there will be an unequal number of dependency
snapshots between the base and head commits. For example, there may be one snapshot available for the tip of `main` and none
for the PR branch. In that case, the API response will contain a "snapshot warning" explaining the discrepancy.
In this example, when the action encounters one of these warnings it will retry every 10 seconds after that for 60 seconds
or until there is no warning in the response.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 60
```
[DSAPI]: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together
+1239 -2084
View File
File diff suppressed because it is too large Load Diff
+18 -17
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.7",
"version": "3.1.0",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -27,35 +27,36 @@
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@octokit/rest": "^20.0.2",
"@types/jest": "^29.5.5",
"ansi-styles": "^6.2.1",
"got": "^13.0.0",
"octokit": "^2.1.0",
"jest": "^29.7.0",
"octokit": "^3.1.1",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.3.1",
"zod": "^3.21.4"
"ts-jest": "^29.1.1",
"yaml": "^2.3.2",
"zod": "^3.22.3"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.38",
"@types/node": "^16.18.54",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^6.3.0",
"@typescript-eslint/parser": "^6.2.1",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.47.0",
"@typescript-eslint/eslint-plugin": "^6.7.2",
"@typescript-eslint/parser": "^6.7.3",
"@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0",
"eslint": "^8.51.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-jest": "^27.4.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^3.0.1",
"prettier": "3.0.1",
"ts-jest": "^27.1.4",
"prettier": "3.0.3",
"typescript": "^4.9.5"
}
}
+3 -1
View File
@@ -30,7 +30,9 @@ const defaultConfig: ConfigurationOptions = {
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
],
comment_summary_in_pr: 'never'
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
}
const tmpDir = path.resolve(__dirname, '../tmp')
+3 -2
View File
@@ -1,10 +1,11 @@
import * as github from '@actions/github'
import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {retry} from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {Octokit} from '@octokit/rest'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const retryingOctokit = Octokit.plugin(retry)
const octo = new retryingOctokit(
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
)
+15 -1
View File
@@ -41,6 +41,12 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
const comment_summary_in_pr = getOptionalInput('comment-summary-in-pr')
const retry_on_snapshot_warnings = getOptionalBoolean(
'retry-on-snapshot-warnings'
)
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
@@ -59,7 +65,9 @@ function readInlineConfig(): ConfigurationOptionsPartial {
vulnerability_check,
base_ref,
head_ref,
comment_summary_in_pr
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
}
return Object.fromEntries(
@@ -67,6 +75,12 @@ function readInlineConfig(): ConfigurationOptionsPartial {
)
}
function getOptionalNumber(name: string): number | undefined {
const value = core.getInput(name)
const parsed = z.string().regex(/^\d+$/).transform(Number).safeParse(value)
return parsed.success ? parsed.data : undefined
}
function getOptionalBoolean(name: string): boolean | undefined {
const value = core.getInput(name)
return value.length > 0 ? core.getBooleanInput(name) : undefined
+5 -2
View File
@@ -1,13 +1,16 @@
import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {Octokit} from '@octokit/core'
import {retry} from '@octokit/plugin-retry'
import {paginateRest} from '@octokit/plugin-paginate-rest'
import {
ChangesSchema,
ComparisonResponse,
ComparisonResponseSchema
} from './schemas'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const retryingOctokit = Octokit.plugin(retry, paginateRest)
const SnapshotWarningsHeader = 'x-github-dependency-graph-snapshot-warnings'
const octo = new retryingOctokit(
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
+49 -7
View File
@@ -18,18 +18,60 @@ import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
import {getDeniedChanges} from './deny'
async function delay(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
}
async function getComparison(
baseRef: string,
headRef: string,
retryOpts?: {
retryUntil: number
retryDelay: number
}
): ReturnType<typeof dependencyGraph.compare> {
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef,
headRef
})
if (comparison.snapshot_warnings.trim() !== '') {
core.info(comparison.snapshot_warnings)
if (retryOpts !== undefined) {
if (retryOpts.retryUntil < Date.now()) {
core.info(`Retry timeout exceeded. Proceeding...`)
return comparison
} else {
core.info(`Retrying in ${retryOpts.retryDelay} seconds...`)
await delay(retryOpts.retryDelay * 1000)
return getComparison(baseRef, headRef, retryOpts)
}
}
}
return comparison
}
async function run(): Promise<void> {
try {
const config = await readConfig()
const refs = getRefs(config, github.context)
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
})
const comparison = await getComparison(
refs.base,
refs.head,
config.retry_on_snapshot_warnings
? {
retryUntil:
Date.now() + config.retry_on_snapshot_warnings_timeout * 1000,
retryDelay: 10
}
: undefined
)
const changes = comparison.changes
const snapshot_warnings = comparison.snapshot_warnings
@@ -81,7 +123,7 @@ async function run(): Promise<void> {
)
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings)
summary.addSnapshotWarnings(config, snapshot_warnings)
}
if (config.vulnerability_check) {
+2
View File
@@ -49,6 +49,8 @@ export const ConfigurationOptionsSchema = z
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional(),
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
comment_summary_in_pr: z
.union([
z.preprocess(
+24 -11
View File
@@ -231,21 +231,34 @@ export function addScannedDependencies(changes: Changes): void {
}
}
export function addSnapshotWarnings(warnings: string): void {
// For now, we want to ignore warnings that just complain
// about missing snapshots on the head SHA. This is a product
// decision to avoid presenting warnings to users who simply
// don't use snapshots.
const ignore_regex = new RegExp(/No.*snapshot.*found.*head.*/, 'i')
if (ignore_regex.test(warnings)) {
return
function snapshotWarningRecommendation(
config: ConfigurationOptions,
warnings: string
): string {
const no_pr_snaps = warnings.includes(
'No snapshots were found for the head SHA'
)
const retries_disabled = !config.retry_on_snapshot_warnings
if (no_pr_snaps && retries_disabled) {
return 'Ensure that dependencies are being submitted on PR branches and consider enabling <em>retry-on-snapshot-warnings</em>.'
} else if (no_pr_snaps) {
return 'Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue.'
} else if (retries_disabled) {
return 'Consider enabling <em>retry-on-snapshot-warnings</em>.'
}
return 'Re-running this action after a short time may resolve the issue.'
}
export function addSnapshotWarnings(
config: ConfigurationOptions,
warnings: string
): void {
core.summary.addHeading('Snapshot Warnings', 2)
core.summary.addQuote(`${icons.warning}: ${warnings}`)
core.summary.addRaw(
'Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.'
)
const recommendation = snapshotWarningRecommendation(config, warnings)
const docsLink =
'See <a href="https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together">the documentation</a> for more information and troubleshooting advice.'
core.summary.addRaw(`${recommendation} ${docsLink}`)
}
function countLicenseIssues(