Compare commits
41 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3c4e3dcb1a | |||
| 02930b2072 | |||
| 49ffd9f636 | |||
| 70cb25ec56 | |||
| ebabd31cea | |||
| 19f9360983 | |||
| 5fd2f98b4f | |||
| 28647f4804 | |||
| f620fd175c | |||
| 9b42b7e9a9 | |||
| 4004cfa3a2 | |||
| 94004c3444 | |||
| 75e65b4d81 | |||
| 355d25e5a7 | |||
| d456baec30 | |||
| 66054da10b | |||
| 247f07b0c8 | |||
| 5975520ad2 | |||
| b4849e7628 | |||
| 752c04656e | |||
| 4fa8b92807 | |||
| 3660056ed3 | |||
| 5f8348ab03 | |||
| 6b5a983daf | |||
| 8fd9b22286 | |||
| c4b82d3047 | |||
| 622445f2a8 | |||
| 3f464ea511 | |||
| 8e51299cdf | |||
| 7a990117b1 | |||
| 99ce29f02e | |||
| 140b44b7bf | |||
| 4603a62e00 | |||
| 07b91577a3 | |||
| 3084754c49 | |||
| 40c09b7dc9 | |||
| 45529485b5 | |||
| e63da9a041 | |||
| 71365c76bc | |||
| 56339e523c | |||
| 1688b745f3 |
@@ -1,57 +0,0 @@
|
||||
# `dist/index.js` is a special file in Actions.
|
||||
# When you reference an action with `uses:` in a workflow,
|
||||
# `index.js` is the code that will run.
|
||||
# For our project, we generate this file through a build process from other source files.
|
||||
# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
|
||||
name: Check dist/
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
pull_request:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
check-dist:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
- name: Rebuild the dist/ directory
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
- name: Compare the expected and actual dist/ directories
|
||||
run: |
|
||||
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
|
||||
echo "Detected uncommitted changes after build. See status below:"
|
||||
git diff
|
||||
exit 1
|
||||
fi
|
||||
id: diff
|
||||
|
||||
# If index.js was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
@@ -0,0 +1,51 @@
|
||||
name: CI-update-dist
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- 'main'
|
||||
paths-ignore:
|
||||
- 'dist/**'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-dist:
|
||||
# Only run for the original DRA repository; otherwise when users create pull requests from their `main` branch
|
||||
# it would erroneously update `dist` on their branch (and the pull request)
|
||||
if: github.repository == 'actions/dependency-review-action'
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
|
||||
- name: Set up Node.js
|
||||
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
|
||||
- name: Install npm dependencies
|
||||
run: |
|
||||
npm clean-install
|
||||
|
||||
- name: Build distribution
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
# Commit and push changes; has no effect if the files did not change
|
||||
# Important: The push event will not trigger any other workflows, see
|
||||
# https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
|
||||
- name: Commit & push changes
|
||||
uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
|
||||
with:
|
||||
commit_author: 'github-actions[bot] <github-actions[bot]@users.noreply.github.com>'
|
||||
commit_user_name: 'github-actions[bot]'
|
||||
commit_user_email: 'github-actions[bot]@users.noreply.github.com'
|
||||
commit_message: '[bot] Update dist directory [skip ci]'
|
||||
file_pattern: 'dist/'
|
||||
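Review bot: The `update-dist` job pairs `contents: write` with `npm clean-install` followed by `npm run build` / `npm run package`, so every dependency's lifecycle script and the whole build toolchain run under a token that can push to `main`; if the build does not rely on install scripts, `run: npm clean-install --ignore-scripts` keeps that surface to the build itself. Two pushes to `main` in quick succession also start two runs that each try to commit `dist/`, and the second push can fail as non-fast-forward, which a job-level `concurrency: update-dist` would serialise. With `check-dist` removed in this change, a pull request that touches `src/` is no longer compared against a stale `dist/` before merge; that verification now happens only on `main`.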
+10
-8
@@ -25,11 +25,11 @@ If you'd like to make a contribution yourself, we ask that before significant ef
|
||||
|
||||
## Stalebot
|
||||
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
## Development lifecycle
|
||||
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
|
||||
### High level overview of the action
|
||||
|
||||
@@ -53,7 +53,7 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
|
||||
We have a script to scan a given PR for vulnerabilities, this will
|
||||
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
|
||||
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
|
||||
The syntax of the script is:
|
||||
|
||||
@@ -87,8 +87,9 @@ _Note_: We don't have a very comprehensive test suite, so any contributions to t
|
||||
|
||||
1. Create a new branch: `git checkout -b my-branch-name`
|
||||
2. Make your change, add tests, and make sure the tests still pass
|
||||
3. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
4. Push to your fork and [submit a pull request][pr]
|
||||
3. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)
|
||||
|
||||
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
|
||||
|
||||
@@ -106,19 +107,20 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
_Note: these instructions are for maintainers_
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Update the dist files by running `npm run build` and `npm run package`
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
1. Make sure that the `Publish this Action to the GitHub Marketplace`
|
||||
checkbox is enabled
|
||||
|
||||
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
|
||||
3. Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
4. Use a version number for the release title (e.g. "1.2.3").
|
||||
|
||||
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
|
||||
5. Add your release notes. If this is a major version make sure to
|
||||
include a small description of the biggest changes in the new version.
|
||||
@@ -137,8 +139,8 @@ To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
git tag -fa v4 -m "Updating v4 to 4.0.1"
|
||||
git push origin v4 --force
|
||||
```
|
||||
</details>
|
||||
|
||||
</details>
|
||||
|
||||
## Resources
|
||||
|
||||
|
||||
@@ -169,6 +169,7 @@ You can pass configuration options to the dependency review action using your wo
|
||||
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
allow-dependencies-licenses: "pkg:npm/@myorg/mypackage, pkg:npm/packagename, pkg:githubactions/owner/repo@2.0.0"
|
||||
```
|
||||
|
||||
#### Option 2: Using an external configuration file
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeEach(() => {
|
||||
|
||||
@@ -315,7 +315,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilities found', () => {
|
||||
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
@@ -385,7 +385,7 @@ test('addChangeVulnerabilitiesToSummary() - prints severity statement if above l
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statement if it is set to "low"', () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
+1
-1
@@ -53,7 +53,7 @@ inputs:
|
||||
description: A boolean to determine if vulnerability checks should be performed
|
||||
required: false
|
||||
comment-summary-in-pr:
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
description: "Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow `pull-requests: write` permissions"
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
|
||||
+24
-10
@@ -548,7 +548,7 @@ function groupChanges(changes_1) {
|
||||
if (change.package_url.length === 0) {
|
||||
return true;
|
||||
}
|
||||
const changeAsPackageURL = (0, purl_1.parsePURL)(encodeURI(change.package_url));
|
||||
const changeAsPackageURL = (0, purl_1.parsePURL)(change.package_url);
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
@@ -717,12 +717,16 @@ function handleLargeSummary(summaryContent) {
|
||||
yield artifactClient.uploadArtifact(artifactName, files, '.', {
|
||||
retentionDays: 1
|
||||
});
|
||||
// Return a minimal summary with a link to the artifact
|
||||
return `# Dependency Review Summary
|
||||
// Return a shorter summary with a link to the artifact
|
||||
const shortSummary = `# Dependency Review Summary
|
||||
|
||||
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
|
||||
|
||||
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`;
|
||||
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
|
||||
core.summary.emptyBuffer();
|
||||
core.summary.addRaw(shortSummary);
|
||||
return shortSummary;
|
||||
}
|
||||
catch (error) {
|
||||
core.warning(`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`);
|
||||
@@ -814,7 +818,17 @@ function run() {
|
||||
core.setFailed(`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`);
|
||||
}
|
||||
else if (error instanceof request_error_1.RequestError && error.status === 403) {
|
||||
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
|
||||
let repoIsPrivate = false;
|
||||
if ('repository' in github.context.payload) {
|
||||
const repo = github.context.payload.repository;
|
||||
repoIsPrivate = repo.private;
|
||||
}
|
||||
if (repoIsPrivate) {
|
||||
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
|
||||
}
|
||||
else {
|
||||
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (error instanceof Error) {
|
||||
@@ -833,11 +847,11 @@ function run() {
|
||||
function printVulnerabilitiesBlock(addedChanges, minSeverity, warnOnly) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
return core.group('Vulnerabilities', () => __awaiter(this, void 0, void 0, function* () {
|
||||
let vulFound = false;
|
||||
let vulnFound = false;
|
||||
for (const change of addedChanges) {
|
||||
vulFound || (vulFound = printChangeVulnerabilities(change));
|
||||
vulnFound || (vulnFound = printChangeVulnerabilities(change));
|
||||
}
|
||||
if (vulFound) {
|
||||
if (vulnFound) {
|
||||
const msg = 'Dependency review detected vulnerable packages.';
|
||||
if (warnOnly) {
|
||||
core.warning(msg);
|
||||
@@ -849,7 +863,7 @@ function printVulnerabilitiesBlock(addedChanges, minSeverity, warnOnly) {
|
||||
else {
|
||||
core.info(`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`);
|
||||
}
|
||||
return vulFound;
|
||||
return vulnFound;
|
||||
}));
|
||||
});
|
||||
}
|
||||
@@ -1630,7 +1644,7 @@ const icons = {
|
||||
warning: '⚠️'
|
||||
};
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576;
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// generates the DR report summary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config) {
|
||||
@@ -1698,7 +1712,7 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
|
||||
return out.join('\n');
|
||||
}
|
||||
function addDenyListsDeprecationWarningToSummary() {
|
||||
core.summary.addRaw(`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`, true);
|
||||
core.summary.addRaw(`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`, true);
|
||||
}
|
||||
function countScorecardWarnings(scorecard, config) {
|
||||
return scorecard.dependencies.reduce((total, dependency) => {
|
||||
|
||||
+1
-1
+4
-4
@@ -4,7 +4,7 @@
|
||||
|
||||
A very basic example of how to use the action. This will run the action with the default configuration.
|
||||
|
||||
The full list of configuration options can be found [here](../README.md#configuration-options).
|
||||
See the [full list of configuration options](../README.md#configuration-options).
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -112,7 +112,7 @@ jobs:
|
||||
|
||||
## Using a configuration file from an external repository with a personal access token
|
||||
|
||||
The following example will use a configuration file from an external private GtiHub repository to configure the action.
|
||||
The following example will use a configuration file from an external private GitHub repository to configure the action.
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
@@ -233,7 +233,7 @@ jobs:
|
||||
fail-on-severity: critical
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
comment-summary-in-pr: always
|
||||
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
|
||||
allow-dependencies-licenses: 'pkg:npm/lodash, pkg:pypi/requests'
|
||||
```
|
||||
|
||||
If we were to use configuration file, the configuration would look like this:
|
||||
@@ -244,7 +244,7 @@ allow-licenses:
|
||||
- 'LGPL-2.0'
|
||||
- 'BSD-2-Clause'
|
||||
allow-dependencies-licenses:
|
||||
- 'pkg:npm/loadash'
|
||||
- 'pkg:npm/lodash'
|
||||
- 'pkg:pypi/requests'
|
||||
```
|
||||
|
||||
|
||||
+7
-6
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.7.4",
|
||||
"version": "4.8.2",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.7.4",
|
||||
"version": "4.8.2",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/artifact": "^2.3.2",
|
||||
@@ -27,7 +27,7 @@
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
@@ -2282,10 +2282,11 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@types/jest": {
|
||||
"version": "29.5.12",
|
||||
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.12.tgz",
|
||||
"integrity": "sha512-eDC8bTvT/QhYdxJAulQikueigY5AsdBRH2yDKW3yveW7svY3+DzN84/2NUgkw10RTiJbWqZrTtoGVdYlvFJdLw==",
|
||||
"version": "29.5.14",
|
||||
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.14.tgz",
|
||||
"integrity": "sha512-ZN+4sdnLUbo8EVvVc2ao0GFW6oVrQRPn4K2lglySj7APvSrgzxHiNNK99us4WDMi57xxA2yggblIAMNhXOotLQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"expect": "^29.0.0",
|
||||
"pretty-format": "^29.0.0"
|
||||
|
||||
+3
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.7.4",
|
||||
"version": "4.8.2",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -43,7 +43,7 @@
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
@@ -63,4 +63,4 @@
|
||||
"cross-spawn": ">=7.0.5",
|
||||
"@octokit/request-error@5.0.1": "5.1.1"
|
||||
}
|
||||
}
|
||||
}
|
||||
+1
-1
@@ -174,7 +174,7 @@ async function groupChanges(
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
const changeAsPackageURL = parsePURL(change.package_url)
|
||||
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
|
||||
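Review bot: `parsePURL` now receives `change.package_url` unencoded, so whether an exclusion-list entry matches depends entirely on `parsePURL` normalising both spellings of a scoped name (`pkg:npm/@myorg/mypackage` as in the README example versus a `%40`-encoded one) the same way; `parsePURL` is not in the hunk, so I cannot confirm that it does. A test that feeds one change in each spelling against a single `allow-dependencies-licenses` entry would pin the behaviour this change relies on. `groupChanges` starts before the hunk.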
+31
-9
@@ -27,6 +27,8 @@ import {getDeniedChanges} from './deny'
|
||||
import * as artifact from '@actions/artifact'
|
||||
import * as fs from 'fs'
|
||||
|
||||
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
|
||||
|
||||
async function delay(ms: number): Promise<void> {
|
||||
return new Promise(resolve => setTimeout(resolve, ms))
|
||||
}
|
||||
@@ -84,12 +86,17 @@ export async function handleLargeSummary(
|
||||
retentionDays: 1
|
||||
})
|
||||
|
||||
// Return a minimal summary with a link to the artifact
|
||||
return `# Dependency Review Summary
|
||||
// Return a shorter summary with a link to the artifact
|
||||
const shortSummary = `# Dependency Review Summary
|
||||
|
||||
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
|
||||
|
||||
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
|
||||
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(shortSummary)
|
||||
return shortSummary
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
@@ -98,6 +105,10 @@ The full dependency review summary is too large to display here. Please download
|
||||
}
|
||||
}
|
||||
|
||||
interface RepoWithPrivate extends PayloadRepository {
|
||||
private: boolean
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const config = await readConfig()
|
||||
@@ -235,9 +246,20 @@ async function run(): Promise<void> {
|
||||
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
let repoIsPrivate = false
|
||||
if ('repository' in github.context.payload) {
|
||||
const repo = github.context.payload.repository as RepoWithPrivate
|
||||
repoIsPrivate = repo.private
|
||||
}
|
||||
if (repoIsPrivate) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
}
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
core.setFailed(error.message)
|
||||
@@ -256,13 +278,13 @@ async function printVulnerabilitiesBlock(
|
||||
warnOnly: boolean
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulFound = false
|
||||
let vulnFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulFound ||= printChangeVulnerabilities(change)
|
||||
vulnFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulFound) {
|
||||
if (vulnFound) {
|
||||
const msg = 'Dependency review detected vulnerable packages.'
|
||||
if (warnOnly) {
|
||||
core.warning(msg)
|
||||
@@ -275,7 +297,7 @@ async function printVulnerabilitiesBlock(
|
||||
)
|
||||
}
|
||||
|
||||
return vulFound
|
||||
return vulnFound
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
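Review bot: In the 403 branch, `github.context.payload.repository as RepoWithPrivate` asserts a shape the runtime payload is never checked for, and `repoIsPrivate = repo.private` copies whatever is there, so a payload without that field leaves `repoIsPrivate` as `undefined` and the following `if` silently takes the public-repository message. A narrowing check needs neither the assertion nor the extra interface and should type-check through `PayloadRepository`'s index signature: `const repoIsPrivate = github.context.payload.repository?.private === true`. The accompanying `import type {PayloadRepository} from '@actions/github/lib/interfaces.d'` names the declaration file with its `.d` suffix, whereas the module path the package exposes is `@actions/github/lib/interfaces`; with the one-liner the import is no longer needed at all. The body of `run` continues outside the hunk.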
+2
-2
@@ -12,7 +12,7 @@ const icons = {
|
||||
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576
|
||||
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// generates the DR report summary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
export function addSummaryToSummary(
|
||||
@@ -112,7 +112,7 @@ export function addSummaryToSummary(
|
||||
|
||||
function addDenyListsDeprecationWarningToSummary(): void {
|
||||
core.summary.addRaw(
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`,
|
||||
true
|
||||
)
|
||||
}
|
||||
|
||||
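Review bot: The deprecation notice in `addDenyListsDeprecationWarningToSummary` now ends in `see issue 997.`, a bare number that a reader of the summary posted as a PR comment in another repository cannot follow, whereas the old text was repository-qualified; `For more information, see actions/dependency-review-action/issues/997.` keeps the new issue number and the context. The same string is compiled into `dist/index.js` in this change, so both copies need to agree after editing.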