Compare commits

...

55 Commits

Author SHA1 Message Date
Barry Gordon 31c9f175b9 Merge pull request #987 from actions/rc-4.7.4
Prepare release of v4.7.4
2025-09-26 15:20:06 +01:00
Barry Gordon eacde7836e Update version 2025-09-26 14:42:22 +01:00
Barry Gordon 81510090e4 Merge pull request #986 from actions/brrygrdn/rc-4.7.4
Batch some contributions for release
2025-09-26 14:32:46 +01:00
Barry Gordon b472ec914b Add a quick regression test for the artefact summary 2025-09-26 13:34:03 +01:00
Matt Mencel e0cedc52dc feat: add large summary handling with artifact upload
When the dependency review summary exceeds GitHub's size limit (1024k), upload it as an artifact and provide a link in the comment. This ensures users can still access the full review details even when the summary is too large to display directly.
2025-09-26 12:55:14 +01:00
Jasper Kamerling e3fdf0f899 This ensures large allow or deny lists don't create huge comments 2025-09-26 12:49:38 +01:00
Lewis Jones 6fad417932 Merge pull request #978 from actions/ljones140/make-ruby-code-scannable
Make Ruby Code Scannable
2025-08-29 10:39:17 +01:00
Lewis Jones e86e9692ad Update scripts/scan_pr_lib.rb
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-08-28 16:24:02 +01:00
Lewis Jones 85c8e53ab7 Scan ruby 2025-08-28 16:12:23 +01:00
Lewis Jones c6a7eb7252 Extract ruby code
So can be scanned by code scanning
2025-08-28 16:11:56 +01:00
Claire Song 595b5aeba7 Update package version (#975) 2025-08-26 13:00:34 -07:00
Claire Song fc5fd661aa Claire153/fix spamming mentioned issue (#974)
* Keep the issue number and remove the url to avoid linking every PR running the action to that issue
2025-08-26 12:46:02 -07:00
Ashely Tenesaca d38d1a4f40 Merge pull request #965 from actions/dependabot/npm_and_yarn/multi-c22e25d29b
Bump brace-expansion
2025-08-20 17:40:22 -04:00
Ashely Tenesaca 8d420b827c Merge branch 'main' into dependabot/npm_and_yarn/multi-c22e25d29b 2025-08-20 17:28:38 -04:00
Ashely Tenesaca bde01290d3 Merge pull request #966 from actions/ashelytc/add-permissions
Add explicit permissions to workflow files
2025-08-20 09:33:56 -04:00
Ashely Tenesaca ab524903e8 remove ruby 2025-08-19 17:11:41 -04:00
Ashely Tenesaca ef00a0afbb add permissions to workflows 2025-08-19 20:55:24 +00:00
dependabot[bot] 74c8179d39 Bump brace-expansion
Bumps  and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)

Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 2.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-18 22:33:26 +00:00
Claire Song bc41886e18 Cut 4.7.2 version release (#964)
* Cut 4.7.2 version release

* Bump dependency minor versions
2025-08-18 11:17:54 -07:00
Kevin Dangoor 1c73553e36 Merge pull request #960 from ahpook/ahpook/address-docs-dashes
Address discrepancy between docs and reality
2025-08-18 14:02:19 -04:00
dependabot[bot] fac3d41a58 Bump the minor-updates group across 1 directory with 5 updates (#956)
Bumps the minor-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |



Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.4.0...v29.4.1)

Updates `yaml` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.0...v2.8.1)

Updates `@types/node` from 20.19.7 to 20.19.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.5.1...v5.5.4)

Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-18 10:31:31 -07:00
Claire Song d8073c4b76 Merge pull request #958 from actions/claire153/deprecate-deny-lists
Deprecate deny lists
2025-08-18 12:33:17 -04:00
Claire Song 77184c6339 Fix tests 2025-08-18 15:10:48 +00:00
Eric Sorenson 5558c35bb3 Address discrepancy between docs and reality
The documentation used to say that you needed to transform keys
in external config files from using `-` to `_`, but in reality
the code transforms `-` to `_` regardless of where they occur.

See 4b4ec08f7b

Closes #909
2025-08-15 17:16:55 -07:00
Claire Song e85d57a50e Remove test code 2025-08-15 16:15:02 +00:00
Claire Song 3eb62794c5 Re-add test package. Only show warning in summary if option is used. Update copy. 2025-08-15 15:49:35 +00:00
Claire Song 7cf33ac2f2 Remove test deny list 2025-08-14 17:58:31 +00:00
Claire Song 493bee0560 Remove test package 2025-08-14 17:46:53 +00:00
Claire Song 659a1e1bd0 Update copy and styling 2025-08-14 17:44:34 +00:00
Claire Song 6e80be31cd Add one more line break 2025-08-14 16:39:53 +00:00
Claire Song 3fb5c613f0 Add one more line break 2025-08-14 16:32:20 +00:00
Claire Song 7d16ba5d7e Add one more line break 2025-08-14 15:43:03 +00:00
Claire Song a92a9da9c8 Add one more line break 2025-08-14 15:39:37 +00:00
Claire Song c1fa9df06b Build 2025-08-14 14:43:45 +00:00
Claire Song 6e2bbef080 Add deprecation warning, fix lint issues 2025-08-14 14:25:52 +00:00
Claire Song 9ca24b6906 Add new package 2025-08-13 21:22:20 +00:00
Claire Song 70e1d26338 Test deny list 2025-08-13 21:07:58 +00:00
Roman Iakovlev 89c7383074 Merge pull request #946 from actions/dependabot/npm_and_yarn/minor-updates-9b599382cb
Bump the minor-updates group across 1 directory with 10 updates
2025-07-22 16:15:34 +02:00
Roman Iakovlev 40f2ab01b7 Update dist 2025-07-22 14:06:49 +00:00
Roman Iakovlev 2bedf4a221 Update dist 2025-07-22 14:01:55 +00:00
dependabot[bot] 87052cdc7b Bump the minor-updates group across 1 directory with 10 updates
Bumps the minor-updates group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |



Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)

Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)

Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)

Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)

Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)

Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)

Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@actions/github"
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: got
  dependency-version: 14.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: ts-jest
  dependency-version: 29.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-22 13:56:08 +00:00
Roman Iakovlev 47d790678f Merge pull request #934 from actions/dependabot/npm_and_yarn/undici-5.29.0
Bump undici from 5.28.5 to 5.29.0
2025-07-21 19:12:52 +02:00
Roman Iakovlev 1e946feb37 Update dist 2025-07-21 13:53:37 +00:00
Kevin Dangoor 8a1ad91c0a Merge pull request #945 from KyFaSt/patch-1
Add Missing Languages to CodeQL Advanced Configuration
2025-07-11 13:47:35 -04:00
Kylie Stradley 8296deda21 Add Missing Languages to CodeQL Advanced Configuration 2025-07-10 09:22:28 -04:00
dependabot[bot] 733ef0ab01 Bump undici from 5.28.5 to 5.29.0
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-15 16:32:05 +00:00
Kevin Dangoor da24556b54 Merge pull request #933 from actions/dangoor/471-release
Bump version number for 4.7.1
2025-05-13 12:46:37 -04:00
Kevin Dangoor 9af0caf0e5 Bump version number for 4.7.1 2025-05-13 11:20:20 -04:00
Kevin Dangoor d8f2df20d5 Merge pull request #932 from actions/907-disallow-expression
Discard allow list entries that are not SPDX IDs
2025-05-13 10:28:49 -04:00
Kevin Dangoor 6e9307a3d4 Discard allow list entries that are not SPDX IDs
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
2025-05-12 18:58:58 -04:00
Kevin Dangoor 8805179dc9 Merge pull request #930 from actions/889-allow-no-license
Allowing dependencies works with no licenses
2025-05-08 17:38:03 -04:00
Kevin Dangoor 014300b08c Update build 2025-05-08 17:19:56 -04:00
Kevin Dangoor 34486f306e Check namespaces when excluding license checks
The `allow-dependencies-licenses` option was not checking the namespace
part of the PURL to make sure it matched.
2025-05-08 17:17:08 -04:00
Kevin Dangoor 9b155d6432 Update build 2025-05-08 16:37:11 -04:00
Kevin Dangoor f199659a6a Allowing dependencies works with no licenses
When using the `allow-dependencies-licenses` option, the packages listed
there should be allowed even if they have no license. This wasn't
working because the filtering for allowed dependencies was done
specifically on the list of packages that had licenses, leaving a
separate list (unfiltered) for packages with no licenses. With this
change, we filter out any changes for packages that have been allowed
_before_ we retrieve licenses.

Fixes #889
2025-05-08 16:31:46 -04:00
17 changed files with 107631 additions and 3194 deletions
+3
View File
@@ -16,6 +16,9 @@ on:
- '**.md'
workflow_dispatch:
permissions:
contents: read
jobs:
check-dist:
runs-on: ubuntu-latest
+3
View File
@@ -10,6 +10,9 @@ on:
paths-ignore:
- '**.md'
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
+2 -2
View File
@@ -20,7 +20,7 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript' ]
language: [ 'javascript-typescript', 'actions', 'ruby' ]
steps:
- name: Checkout repository
@@ -38,7 +38,7 @@ jobs:
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
paths-ignore:
- dist/index.js
- dist/sourcemap-register.js
+39 -33
View File
@@ -1,13 +1,23 @@
# dependency-review-action
- [Overview](#overview)
- [Installation](#installation)
- [Configuration](#configuration)
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
- [Outputs](#outputs)
- [Getting help](#getting-help)
- [Contributing](#contributing)
- [License](#license)
- [dependency-review-action](#dependency-review-action)
- [Overview](#overview)
- [Viewing the results](#viewing-the-results)
- [Installation](#installation)
- [Installation (standard)](#installation-standard)
- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server)
- [Configuration](#configuration)
- [Configuration options](#configuration-options)
- [Configuration methods](#configuration-methods)
- [Option 1: Using inline configuration](#option-1-using-inline-configuration)
- [Option 2: Using an external configuration file](#option-2-using-an-external-configuration-file)
- [`OTHER` in license strings](#other-in-license-strings)
- [Further information](#further-information)
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
- [Outputs](#outputs)
- [Getting help](#getting-help)
- [Contributing](#contributing)
- [License](#license)
## Overview
@@ -24,7 +34,6 @@ The action is available for:
When the action runs, you can see the results on:
- The **job logs** page.
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
1. Then under "Jobs", click **dependency review**.
@@ -102,25 +111,25 @@ There are various configuration options you can use to specify settings for the
All configuration options are optional.
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. With each execution, a new comment will overwrite the existing one. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | ⚠️ This option is deprecated for possible removal in the next major release. See [Deprecate the deny-licenses option #938](https://github.com/actions/dependency-review-action/issues/938) for more information. <br> Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. With each execution, a new comment will overwrite the existing one. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
> [!NOTE]
>
@@ -206,15 +215,12 @@ You can use an external configuration file to specify settings for this action.
3. Create the configuration file in the path you specified for `config-file`.
4. In the configuration file, specify your chosen settings.
```yaml
fail_on_severity: 'critical'
allow_licenses:
fail-on-severity: 'critical'
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
> [!NOTE]
> For external configuration files, the option names use underscores instead of dashes.
> Example: `fail_on_severity`
#### `OTHER` in license strings
+49
View File
@@ -100,6 +100,20 @@ const complexLicenseChange: Change = {
]
}
const unlicensedChange: Change = {
change_type: 'added',
manifest: '.github/workflows/ci.yml',
ecosystem: 'actions',
name: 'foo-org/actions-repo/.github/workflows/some-action.yml',
version: '1.1.1',
package_url:
'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml@1.1.1',
license: null,
source_repository_url: 'github.com/some-repo',
scope: 'development',
vulnerabilities: []
}
jest.mock('@actions/core')
const mockOctokit = {
@@ -276,6 +290,19 @@ test('it does filters out changes if they are not on the exclusions list', async
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
})
test('it does not fail if there is a license expression in the allow list', async () => {
const changes: Changes = [
{...npmChange, license: 'MIT AND Apache-2.0'},
{...rubyChange, license: 'BSD-3-Clause'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD-3-Clause', 'MIT AND Apache-2.0', 'MIT', 'Apache-2.0']
})
expect(forbidden.length).toEqual(0)
})
describe('GH License API fallback', () => {
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
const nullLicenseChange = {
@@ -313,4 +340,26 @@ describe('GH License API fallback', () => {
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(0)
})
test('it does not call licenses API if the package is excluded', async () => {
const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
licenseExclusions: [
'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml'
]
})
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(0)
})
test('it checks namespaces when doing exclusions', async () => {
const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
licenseExclusions: [
'pkg:githubactions/bar-org/actions-repo/.github/workflows/some-action.yml'
]
})
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(1)
})
})
+153
View File
@@ -0,0 +1,153 @@
import {
afterEach,
beforeEach,
describe,
expect,
jest,
test
} from '@jest/globals'
import * as fs from 'fs'
import * as core from '@actions/core'
import {DefaultArtifactClient} from '@actions/artifact'
import type {SpyInstance} from 'jest-mock'
import {handleLargeSummary} from '../src/main'
jest.mock('ansi-styles', () => ({
__esModule: true,
default: {
color: {
red: {open: '', close: ''},
yellow: {open: '', close: ''},
grey: {open: '', close: ''},
green: {open: '', close: ''}
},
bold: {open: '', close: ''}
}
}))
jest.mock('../src/dependency-graph', () => ({}))
jest.mock('@actions/core', () => {
const summary = {
addRaw: jest.fn().mockReturnThis(),
addHeading: jest.fn().mockReturnThis(),
addTable: jest.fn().mockReturnThis(),
addSeparator: jest.fn().mockReturnThis(),
addImage: jest.fn().mockReturnThis(),
addList: jest.fn().mockReturnThis(),
addBreak: jest.fn().mockReturnThis(),
addLink: jest.fn().mockReturnThis(),
addDetails: jest.fn().mockReturnThis(),
addSection: jest.fn().mockReturnThis(),
addCodeBlock: jest.fn().mockReturnThis(),
addFields: jest.fn().mockReturnThis(),
addEol: jest.fn().mockReturnThis(),
write: jest.fn(async () => undefined),
emptyBuffer: jest.fn(),
stringify: jest.fn(() => '')
}
return {
__esModule: true,
getInput: jest.fn((name: string) =>
name === 'repo-token' ? 'gh_test_token' : ''
),
setOutput: jest.fn(),
setFailed: jest.fn(),
warning: jest.fn(),
info: jest.fn(),
debug: jest.fn(),
startGroup: jest.fn(),
endGroup: jest.fn(),
group: jest.fn(async (_name: string, fn: () => Promise<unknown>) => fn()),
summary
}
})
jest.mock('@actions/artifact', () => ({
DefaultArtifactClient: jest.fn()
}))
const ORIGINAL_ENV = {...process.env}
type ArtifactClientInstance = {
uploadArtifact: jest.Mock
}
const DefaultArtifactClientMock = DefaultArtifactClient as unknown as jest.Mock
const createArtifactClient = (): ArtifactClientInstance => ({
uploadArtifact: jest.fn(async () => undefined)
})
describe('handleLargeSummary', () => {
let writeFileSpy: SpyInstance<typeof fs.promises.writeFile>
beforeEach(() => {
process.env = {...ORIGINAL_ENV}
writeFileSpy = jest
.spyOn(fs.promises, 'writeFile')
.mockImplementation(async () => undefined)
DefaultArtifactClientMock.mockClear()
DefaultArtifactClientMock.mockImplementation(() => createArtifactClient())
})
afterEach(() => {
writeFileSpy.mockRestore()
jest.clearAllMocks()
process.env = {...ORIGINAL_ENV}
})
test('returns original summary when under size threshold', async () => {
const summaryContent = 'short summary'
const result = await handleLargeSummary(summaryContent)
expect(result).toBe(summaryContent)
expect(writeFileSpy).not.toHaveBeenCalled()
expect(DefaultArtifactClientMock).not.toHaveBeenCalled()
})
test('uploads artifact and returns minimal summary when summary is too large', async () => {
process.env.GITHUB_SERVER_URL = 'https://github.com'
process.env.GITHUB_REPOSITORY = 'owner/repo'
process.env.GITHUB_RUN_ID = '12345'
const largeSummary = 'a'.repeat(1024 * 1024 + 1)
const result = await handleLargeSummary(largeSummary)
expect(writeFileSpy).toHaveBeenCalledTimes(1)
expect(writeFileSpy).toHaveBeenCalledWith('summary.md', largeSummary)
expect(DefaultArtifactClientMock).toHaveBeenCalledTimes(1)
const artifactInstance = DefaultArtifactClientMock.mock.results[0]
?.value as ArtifactClientInstance
expect(artifactInstance.uploadArtifact).toHaveBeenCalledWith(
'dependency-review-summary',
['summary.md'],
'.',
{retentionDays: 1}
)
expect(result).toContain('# Dependency Review Summary')
expect(result).toContain('dependency-review-summary')
expect(result).toContain('actions/runs/12345')
})
test('returns original summary and logs a warning when artifact handling fails', async () => {
const warningMock = core.warning as jest.Mock
warningMock.mockClear()
const largeSummary = 'b'.repeat(1024 * 1024 + 1)
DefaultArtifactClientMock.mockImplementation(() => ({
uploadArtifact: jest.fn(async () => {
throw new Error('upload failed')
})
}))
const result = await handleLargeSummary(largeSummary)
expect(result).toBe(largeSummary)
expect(warningMock).toHaveBeenCalledWith(
expect.stringContaining('Failed to handle large summary')
)
})
})
+58 -6
View File
@@ -1,5 +1,5 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import * as summary from '../src/summary'
import * as core from '@actions/core'
import {createTestChange} from './fixtures/create-test-change'
@@ -109,10 +109,38 @@ test('prints headline as h1', () => {
expect(text).toContain('<h1>Dependency Review</h1>')
})
test('does not add deprecation warning for deny-licenses option if not set', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
const text = core.summary.stringify()
expect(text).not.toContain('deny-licenses')
})
test('adds deprecation warning for deny-licenses option if set', () => {
const config = {...defaultConfig, deny_licenses: ['MIT']}
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
config
)
const text = core.summary.stringify()
expect(text).toContain('deny-licenses')
})
test('returns minimal summary formatted for posting as a PR comment', () => {
const OLD_ENV = process.env
let changes: Changes = [
const changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
@@ -122,7 +150,7 @@ test('returns minimal summary formatted for posting as a PR comment', () => {
process.env.GITHUB_REPOSITORY = 'owner/repo'
process.env.GITHUB_RUN_ID = 'abc-123-xyz'
let minSummary: string = summary.addSummaryToSummary(
const minSummary: string = summary.addSummaryToSummary(
changes,
emptyInvalidLicenseChanges,
emptyChanges,
@@ -436,7 +464,9 @@ test('addLicensesToSummary() - includes list of configured allowed licenses', ()
summary.addLicensesToSummary(licenseIssues, config)
const text = core.summary.stringify()
expect(text).toContain('<strong>Allowed Licenses</strong>: MIT, Apache-2.0')
expect(text).toContain(
'<details><summary><strong>Allowed Licenses</strong>:</summary> MIT, Apache-2.0</details>'
)
})
test('addLicensesToSummary() - includes configured denied license', () => {
@@ -448,11 +478,33 @@ test('addLicensesToSummary() - includes configured denied license', () => {
const config: ConfigurationOptions = {
...defaultConfig,
deny_licenses: ['MIT']
deny_licenses: ['MIT', 'Apache-2.0']
}
summary.addLicensesToSummary(licenseIssues, config)
const text = core.summary.stringify()
expect(text).toContain('<strong>Denied Licenses</strong>: MIT')
expect(text).toContain(
'<details><summary><strong>Denied Licenses</strong>:</summary> MIT, Apache-2.0</details>'
)
})
test('addLicensesToSummary() - includes allowed dependency licences', () => {
const licenseIssues = {
forbidden: [createTestChange()],
unresolved: [],
unlicensed: []
}
const config: ConfigurationOptions = {
...defaultConfig,
allow_dependencies_licenses: ['MIT', 'Apache-2.0']
}
summary.addLicensesToSummary(licenseIssues, config)
const text = core.summary.stringify()
expect(text).toContain(
'<details><summary><strong>Excluded from license check</strong>:</summary> MIT, Apache-2.0</details>'
)
})
Generated Vendored
+102587 -2396
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+2927 -5
View File
File diff suppressed because it is too large Load Diff
+1564 -620
View File
File diff suppressed because it is too large Load Diff
+12 -11
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "4.7.0",
"version": "4.7.4",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,20 +25,21 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@actions/artifact": "^2.3.2",
"@actions/core": "^1.11.1",
"@actions/github": "^6.0.1",
"@octokit/plugin-retry": "^6.1.0",
"@octokit/request-error": "^5.1.1",
"@octokit/types": "12.5.0",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.4.5",
"got": "^14.4.7",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^6.0.0",
"ts-jest": "^29.2.5",
"yaml": "^2.3.4",
"ts-jest": "^29.4.1",
"yaml": "^2.8.1",
"zod": "^3.24.1"
},
"devDependencies": {
@@ -52,14 +53,14 @@
"eslint": "^8.57.0",
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.1.3",
"eslint-plugin-prettier": "^5.5.4",
"js-yaml": "^4.1.0",
"nodemon": "^3.1.9",
"prettier": "3.2.5",
"typescript": "^5.4.5"
"nodemon": "^3.1.10",
"prettier": "3.6.2",
"typescript": "^5.9.2"
},
"overrides": {
"cross-spawn": ">=7.0.5",
"@octokit/request-error@5.0.1": "5.1.1"
}
}
}
+5 -84
View File
@@ -1,87 +1,8 @@
#!/usr/bin/env ruby
require 'json'
require 'tempfile'
require 'open3'
require 'bundler/inline'
require 'optparse'
gemfile do
source 'https://rubygems.org'
gem 'octokit'
end
# Load the scan_pr library
require_relative 'scan_pr_lib'
config_file = nil
github_token = ENV["GITHUB_TOKEN"]
if !github_token || github_token.empty?
puts "Please set the GITHUB_TOKEN environment variable"
exit -1
end
op = OptionParser.new do |opts|
usage = <<EOF
Run Dependency Review on a repository.
\e[1mUsage:\e[22m
scripts/scan_pr [options] <pr_url>
\e[1mExample:\e[22m
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
EOF
opts.banner = usage
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
config_file = cf
end
opts.on("-h", "--help", "Prints this help") do
puts opts
exit
end
end
op.parse!
# make sure we have a NWO somewhere in the parameters
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
if arg.nil?
puts op
exit -1
end
repo_nwo = arg[:repo_nwo]
pr_number = arg[:pr_number]
octo = Octokit::Client.new(access_token: github_token)
pr = octo.pull_request(repo_nwo, pr_number)
event_file = Tempfile.new
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close
action_inputs = {
"repo-token": github_token,
"config-file": config_file
}
dev_cmd_env = {
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path,
"GITHUB_STEP_SUMMARY" => "/dev/null"
}
# bash does not like variable names with dashes like the ones Actions
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
# manually setting them does the job.
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"
Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
while line = out.gets
puts line.gsub(github_token, "<REDACTED>")
end
end
# Create and run the scanner
scanner = ScanPr.new
scanner.run(ARGV)
+128
View File
@@ -0,0 +1,128 @@
require 'json'
require 'tempfile'
require 'open3'
require 'bundler/inline'
require 'optparse'
gemfile do
source 'https://rubygems.org'
gem 'octokit'
end
class ScanPr
def initialize
@config_file = nil
@github_token = ENV["GITHUB_TOKEN"]
validate_token
end
def run(args)
parse_options(args)
repo_nwo, pr_number = extract_repo_and_pr(args)
pr = fetch_pull_request(repo_nwo, pr_number)
event_file = create_event_file(pr)
execute_dependency_review(repo_nwo, event_file)
ensure
event_file&.unlink
end
private
def validate_token
if !@github_token || @github_token.empty?
puts "Please set the GITHUB_TOKEN environment variable"
exit -1
end
end
def parse_options(args)
op = OptionParser.new do |opts|
usage = <<EOF
Run Dependency Review on a repository.
\e[1mUsage:\e[22m
scripts/scan_pr [options] <pr_url>
\e[1mExample:\e[22m
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
EOF
opts.banner = usage
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
@config_file = cf
end
opts.on("-h", "--help", "Prints this help") do
puts opts
exit
end
end
op.parse!(args)
@option_parser = op
end
def extract_repo_and_pr(args)
# make sure we have a NWO somewhere in the parameters
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(args.join(" "))
if arg.nil?
puts @option_parser
exit -1
end
[arg[:repo_nwo], arg[:pr_number]]
end
def fetch_pull_request(repo_nwo, pr_number)
octo = Octokit::Client.new(access_token: @github_token)
octo.pull_request(repo_nwo, pr_number)
end
def create_event_file(pr)
event_file = Tempfile.new
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close
event_file
end
def execute_dependency_review(repo_nwo, event_file)
action_inputs = {
"repo-token": @github_token,
"config-file": @config_file
}
dev_cmd_env = {
"GITHUB_REPOSITORY" => repo_nwo,
"GITHUB_EVENT_NAME" => "pull_request",
"GITHUB_EVENT_PATH" => event_file.path,
"GITHUB_STEP_SUMMARY" => "/dev/null"
}
# Merge action inputs into environment, formatting keys as INPUT_...
action_inputs_env = action_inputs.each_with_object({}) do |(name, value), h|
h["INPUT_#{name.to_s.upcase}"] = value unless value.nil?
end
env = dev_cmd_env.merge(action_inputs_env)
dev_cmd = [
"./node_modules/.bin/nodemon",
"--exec",
"node",
"-r",
"esbuild-register",
"src/main.ts"
]
Open3.popen2e(env, *dev_cmd) do |stdin, out|
while line = out.gets
puts line.gsub(@github_token, "<REDACTED>")
end
end
end
end
+46 -31
View File
@@ -1,6 +1,6 @@
import {Change, Changes} from './schemas'
import {octokitClient} from './utils'
import {parsePURL} from './purl'
import {parsePURL, PackageURL} from './purl'
import * as spdx from './spdx'
/**
@@ -29,41 +29,24 @@ export async function getInvalidLicenseChanges(
licenseExclusions?: string[]
}
): Promise<InvalidLicenseChanges> {
const {allow, deny} = licenses
const deny = licenses.deny
let allow = licenses.allow
// Filter out elements of the allow list that include AND
// or OR because the list should be simple license IDs and
// not expressions.
allow = allow?.filter(license => {
return !license.includes(' AND ') && !license.includes(' OR ')
})
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return parsePURL(pkgUrl)
}
)
const groupedChanges = await groupChanges(changes)
const groupedChanges = await groupChanges(changes, licenseExclusions)
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
// It does by creating a new PackageURL object from the change and comparing it to the exclusions list
groupedChanges.licensed = groupedChanges.licensed.filter(change => {
if (change.package_url.length === 0) {
return true
}
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
licenseExclusions !== null &&
licenseExclusions !== undefined &&
licenseExclusions.findIndex(
exclusion =>
exclusion.type === changeAsPackageURL.type &&
exclusion.name === changeAsPackageURL.name
) !== -1
) {
return false
} else {
return true
}
})
const licensedChanges: Changes = groupedChanges.licensed
const invalidLicenseChanges: InvalidLicenseChanges = {
@@ -172,16 +155,48 @@ const truncatedDGLicense = (license: string): boolean =>
license.length === 255 && !spdx.isValid(license)
async function groupChanges(
changes: Changes
changes: Changes,
licenseExclusions: PackageURL[] | null = null
): Promise<Record<string, Changes>> {
const result: Record<string, Changes> = {
licensed: [],
unlicensed: []
}
let candidateChanges = changes
// If a package is excluded from license checking, we don't bother trying to
// fetch the license for it and we leave it off of the `licensed` and
// `unlicensed` lists.
if (licenseExclusions !== null && licenseExclusions !== undefined) {
candidateChanges = candidateChanges.filter(change => {
if (change.package_url.length === 0) {
return true
}
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
licenseExclusions.findIndex(
exclusion =>
exclusion.type === changeAsPackageURL.type &&
exclusion.namespace === changeAsPackageURL.namespace &&
exclusion.name === changeAsPackageURL.name
) !== -1
) {
return false
} else {
return true
}
})
}
const ghChanges = []
for (const change of changes) {
for (const change of candidateChanges) {
if (change.change_type === 'removed') {
continue
}
+40
View File
@@ -24,6 +24,8 @@ import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
import {getDeniedChanges} from './deny'
import * as artifact from '@actions/artifact'
import * as fs from 'fs'
async function delay(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
@@ -61,6 +63,41 @@ async function getComparison(
return comparison
}
export async function handleLargeSummary(
summaryContent: string
): Promise<string> {
const MAX_SUMMARY_SIZE = 1024 * 1024 // 1024k in bytes
if (Buffer.byteLength(summaryContent, 'utf8') <= MAX_SUMMARY_SIZE) {
return summaryContent
}
const artifactClient = new artifact.DefaultArtifactClient()
const artifactName = 'dependency-review-summary'
const files = ['summary.md']
try {
// Write the summary to a file
await fs.promises.writeFile('summary.md', summaryContent)
// Upload the artifact
await artifactClient.uploadArtifact(artifactName, files, '.', {
retentionDays: 1
})
// Return a minimal summary with a link to the artifact
return `# Dependency Review Summary
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
} catch (error) {
core.warning(
`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`
)
return summaryContent
}
}
async function run(): Promise<void> {
try {
const config = await readConfig()
@@ -179,6 +216,9 @@ async function run(): Promise<void> {
let rendered = core.summary.stringify()
core.setOutput('comment-content', rendered)
// Handle large summaries by uploading as artifact
rendered = await handleLargeSummary(rendered)
// if the summary is oversized, replace with minimal version
if (rendered.length >= MAX_COMMENT_LENGTH) {
core.debug(
+14 -5
View File
@@ -22,6 +22,10 @@ export function addSummaryToSummary(
scorecard: Scorecard,
config: ConfigurationOptions
): string {
if (config.deny_licenses && config.deny_licenses.length > 0) {
addDenyListsDeprecationWarningToSummary()
}
const out: string[] = []
const scorecardWarnings = countScorecardWarnings(scorecard, config)
@@ -106,6 +110,13 @@ export function addSummaryToSummary(
return out.join('\n')
}
function addDenyListsDeprecationWarningToSummary(): void {
core.summary.addRaw(
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
true
)
}
function countScorecardWarnings(
scorecard: Scorecard,
config: ConfigurationOptions
@@ -195,19 +206,17 @@ export function addLicensesToSummary(
if (config.allow_licenses && config.allow_licenses.length > 0) {
core.summary.addQuote(
`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`
`<details><summary><strong>Allowed Licenses</strong>:</summary> ${config.allow_licenses.join(', ')}</details>`
)
}
if (config.deny_licenses && config.deny_licenses.length > 0) {
core.summary.addQuote(
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
`<details><summary><strong>Denied Licenses</strong>:</summary> ${config.deny_licenses.join(', ')}</details>`
)
}
if (config.allow_dependencies_licenses) {
core.summary.addQuote(
`<strong>Excluded from license check</strong>: ${config.allow_dependencies_licenses.join(
', '
)}`
`<details><summary><strong>Excluded from license check</strong>:</summary> ${config.allow_dependencies_licenses.join(', ')}</details>`
)
}