Compare commits

...

39 Commits

Author SHA1 Message Date
Kevin Dangoor 3c4e3dcb1a Merge pull request #1016 from actions/dra-release
4.8.2 release
2025-11-10 17:45:29 -05:00
Kevin Dangoor 02930b2072 Update CONTRIBUTING to reflect new guidelines
External contributors should not build the project and commit
the build output any more.
2025-11-10 17:35:58 -05:00
Kevin Dangoor 49ffd9f636 Update CONTRIBUTING to reflect the need to build
Builds aren't happening automatically (or required to happen
manually), so we need to update the release steps to include
building the project.
2025-11-10 14:45:40 -05:00
Kevin Dangoor 70cb25ec56 4.8.2 release 2025-11-10 14:44:24 -05:00
Kevin Dangoor ebabd31cea Merge pull request #1008 from danielhardej/danielhardej-patch-20251023
Fix PURL parsing to prevent mismatch for scoped packages
2025-11-07 18:20:38 -05:00
Dan Hardej 19f9360983 Update package-lock.json 2025-11-08 07:15:17 +08:00
Dan Hardej 5fd2f98b4f Bump @types/jest to version 29.5.14 2025-11-07 12:39:28 +08:00
Dan Hardej 28647f4804 Fix PURL parsing by removing encodeURI 2025-11-07 12:32:03 +08:00
Kevin Dangoor f620fd175c Merge pull request #1013 from actions/dangoor/token-fix
Remove bad token reference
2025-11-06 08:40:41 -08:00
Kevin Dangoor 9b42b7e9a9 Remove bad token reference 2025-11-05 20:29:51 -05:00
Kevin Dangoor 4004cfa3a2 Merge pull request #1012 from actions/dangoor/saner-workflows
Generate dist files on main branch
2025-11-05 17:23:09 -08:00
Kevin Dangoor 94004c3444 Remove dist directory change blocking
We don't really need to prevent changes to the dist directory
being committed. If someone does push a change to the dist directory,
they'd be able to test with that. Plus the files will be regenerated
on main, so that we know the final dist files are correct.

This also fixes up some paths in the ci-update-dist.yml workflow
which generates the dist files on main.
2025-11-05 18:04:42 -05:00
Kevin Dangoor 75e65b4d81 Generate dist files on main branch
This adapts an approach taken by the Gradle actions in order to
generate the dist files on the main branch rather than having
every contributor need to generate them. (In fact, people will no
longer be able to submit PRs with the dist files updated). This
change is important because the current approach means that
people encounter merge conflicts all the time and will need to
keep regenerating the dist files in order to land their change.
2025-11-05 17:30:02 -05:00
Kevin Dangoor 355d25e5a7 Merge pull request #921 from jsoref/spelling
Spelling
2025-11-04 18:48:20 -08:00
Josh Soref d456baec30 spelling: vulnerabilities
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Josh Soref 66054da10b spelling: vuln
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Josh Soref 247f07b0c8 spelling: summary
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Josh Soref 5975520ad2 spelling: statement
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:52 -05:00
Josh Soref b4849e7628 spelling: lodash
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:52 -05:00
Josh Soref 752c04656e spelling: github
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:52 -05:00
Josh Soref 4fa8b92807 Add alt text for screen to create a PAT
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:44 -05:00
Josh Soref 3660056ed3 Add alt text for screen showing Release Action
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:17:34 -05:00
Josh Soref 5f8348ab03 Add alt text for screen to create arelease
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:16:44 -05:00
Josh Soref 6b5a983daf link: full list of configuration options
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Josh Soref 8fd9b22286 link: the configuration
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Josh Soref c4b82d3047 Reword comment-summary-in-pr description
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Josh Soref 622445f2a8 Remove unused import
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 20:08:49 -05:00
Kevin Dangoor 3f464ea511 Merge pull request #1009 from danielhardej/patch-1
Update README to include `allow-dependencies-licenses` example
2025-11-04 14:35:46 -08:00
Lewis Jones 8e51299cdf Merge pull request #1007 from gitulisca/gitulisca/summary-size-limit
Make handleLargeSummary also update core.summary
2025-10-27 12:51:46 +00:00
Art Leo 7a990117b1 Add dist files 2025-10-27 17:41:42 +11:00
Dan Hardej 99ce29f02e Update README with allowed-dependencies-licenses example 2025-10-23 16:31:35 +08:00
gitulisca 140b44b7bf Remove trailing whitespace from blank line
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-22 19:12:18 +11:00
Art Leo 4603a62e00 Make handleLargeSummary also update core.summary 2025-10-22 17:52:52 +11:00
Eric Sorenson 07b91577a3 Merge pull request #920 from jsoref/issue-919 2025-10-17 14:30:12 -07:00
Josh Soref 3084754c49 Scope warning about private repositories 2025-10-15 14:16:01 -04:00
Eric Sorenson 40c09b7dc9 Merge pull request #1001 from actions/ahpook/v4.8.1-release 2025-10-10 14:06:00 -07:00
Eric Sorenson 45529485b5 Bump version for 4.8.1 release 2025-10-10 12:55:32 -07:00
Eric Sorenson e63da9a041 Merge pull request #1000 from actions/ahpook/deprecation-redux 2025-10-10 12:21:31 -07:00
Eric Sorenson 71365c76bc (bug) Fix spamming link test in deprecation warning (again)
We'd thought that the syntax in #974 would avoid auto-linking
but didn't check closely enough, and now the deprecation issue
it links to cannot be loaded due to having too many references.

This updates the text to point to a new issue in a way that...
I hope... will not be auto-linked.
2025-10-10 09:37:13 -07:00
15 changed files with 138 additions and 105 deletions
-57
View File
@@ -1,57 +0,0 @@
# `dist/index.js` is a special file in Actions.
# When you reference an action with `uses:` in a workflow,
# `index.js` is the code that will run.
# For our project, we generate this file through a build process from other source files.
# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
name: Check dist/
on:
push:
branches:
- main
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
workflow_dispatch:
permissions:
contents: read
jobs:
check-dist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set Node.js 20.x
uses: actions/setup-node@v4
with:
node-version: 20.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Rebuild the dist/ directory
run: |
npm run build
npm run package
- name: Compare the expected and actual dist/ directories
run: |
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes after build. See status below:"
git diff
exit 1
fi
id: diff
# If index.js was different than expected, upload the expected version as an artifact
- uses: actions/upload-artifact@v4
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
path: dist/
+51
View File
@@ -0,0 +1,51 @@
name: CI-update-dist
on:
workflow_dispatch:
push:
branches:
- 'main'
paths-ignore:
- 'dist/**'
permissions:
contents: read
jobs:
update-dist:
# Only run for the original DRA repository; otherwise when users create pull requests from their `main` branch
# it would erroneously update `dist` on their branch (and the pull request)
if: github.repository == 'actions/dependency-review-action'
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Node.js
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 20
cache: npm
- name: Install npm dependencies
run: |
npm clean-install
- name: Build distribution
run: |
npm run build
npm run package
# Commit and push changes; has no effect if the files did not change
# Important: The push event will not trigger any other workflows, see
# https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
- name: Commit & push changes
uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
with:
commit_author: 'github-actions[bot] <github-actions[bot]@users.noreply.github.com>'
commit_user_name: 'github-actions[bot]'
commit_user_email: 'github-actions[bot]@users.noreply.github.com'
commit_message: '[bot] Update dist directory [skip ci]'
file_pattern: 'dist/'
+10 -8
View File
@@ -25,11 +25,11 @@ If you'd like to make a contribution yourself, we ask that before significant ef
## Stalebot
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
## Development lifecycle
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
### High level overview of the action
@@ -53,7 +53,7 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
The syntax of the script is:
@@ -87,8 +87,9 @@ _Note_: We don't have a very comprehensive test suite, so any contributions to t
1. Create a new branch: `git checkout -b my-branch-name`
2. Make your change, add tests, and make sure the tests still pass
3. Make sure to build and package before pushing: `npm run build && npm run package`
4. Push to your fork and [submit a pull request][pr]
3. Push to your fork and [submit a pull request][pr]
(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
@@ -106,19 +107,20 @@ Here are a few things you can do that will increase the likelihood of your pull
_Note: these instructions are for maintainers_
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
1. Update the dist files by running `npm run build` and `npm run package`
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
1. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
@@ -137,8 +139,8 @@ To do this just checkout `main`, force-create a new annotated tag, and push it:
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
```
</details>
</details>
## Resources
+1
View File
@@ -169,6 +169,7 @@ You can pass configuration options to the dependency review action using your wo
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
allow-dependencies-licenses: "pkg:npm/@myorg/mypackage, pkg:npm/packagename, pkg:githubactions/owner/repo@2.0.0"
```
#### Option 2: Using an external configuration file
-1
View File
@@ -1,7 +1,6 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'
beforeEach(() => {
+2 -2
View File
@@ -315,7 +315,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
expect(text).toContain('✅ 0 package(s) with unknown licenses')
})
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilities found', () => {
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
const text = core.summary.stringify()
expect(text).toEqual('')
@@ -385,7 +385,7 @@ test('addChangeVulnerabilitiesToSummary() - prints severity statement if above l
)
})
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
test('addChangeVulnerabilitiesToSummary() - does not print severity statement if it is set to "low"', () => {
const changes = [createTestChange()]
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
+1 -1
View File
@@ -53,7 +53,7 @@ inputs:
description: A boolean to determine if vulnerability checks should be performed
required: false
comment-summary-in-pr:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
description: "Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow `pull-requests: write` permissions"
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
Generated Vendored
+24 -10
View File
@@ -548,7 +548,7 @@ function groupChanges(changes_1) {
if (change.package_url.length === 0) {
return true;
}
const changeAsPackageURL = (0, purl_1.parsePURL)(encodeURI(change.package_url));
const changeAsPackageURL = (0, purl_1.parsePURL)(change.package_url);
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
@@ -717,12 +717,16 @@ function handleLargeSummary(summaryContent) {
yield artifactClient.uploadArtifact(artifactName, files, '.', {
retentionDays: 1
});
// Return a minimal summary with a link to the artifact
return `# Dependency Review Summary
// Return a shorter summary with a link to the artifact
const shortSummary = `# Dependency Review Summary
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`;
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
core.summary.emptyBuffer();
core.summary.addRaw(shortSummary);
return shortSummary;
}
catch (error) {
core.warning(`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`);
@@ -814,7 +818,17 @@ function run() {
core.setFailed(`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`);
}
else if (error instanceof request_error_1.RequestError && error.status === 403) {
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
let repoIsPrivate = false;
if ('repository' in github.context.payload) {
const repo = github.context.payload.repository;
repoIsPrivate = repo.private;
}
if (repoIsPrivate) {
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
}
else {
core.setFailed(`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`);
}
}
else {
if (error instanceof Error) {
@@ -833,11 +847,11 @@ function run() {
function printVulnerabilitiesBlock(addedChanges, minSeverity, warnOnly) {
return __awaiter(this, void 0, void 0, function* () {
return core.group('Vulnerabilities', () => __awaiter(this, void 0, void 0, function* () {
let vulFound = false;
let vulnFound = false;
for (const change of addedChanges) {
vulFound || (vulFound = printChangeVulnerabilities(change));
vulnFound || (vulnFound = printChangeVulnerabilities(change));
}
if (vulFound) {
if (vulnFound) {
const msg = 'Dependency review detected vulnerable packages.';
if (warnOnly) {
core.warning(msg);
@@ -849,7 +863,7 @@ function printVulnerabilitiesBlock(addedChanges, minSeverity, warnOnly) {
else {
core.info(`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`);
}
return vulFound;
return vulnFound;
}));
});
}
@@ -1630,7 +1644,7 @@ const icons = {
warning: '⚠️'
};
const MAX_SCANNED_FILES_BYTES = 1048576;
// generates the DR report summmary and caches it to the Action's core.summary.
// generates the DR report summary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config) {
@@ -1698,7 +1712,7 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
return out.join('\n');
}
function addDenyListsDeprecationWarningToSummary() {
core.summary.addRaw(`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`, true);
core.summary.addRaw(`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`, true);
}
function countScorecardWarnings(scorecard, config) {
return scorecard.dependencies.reduce((total, dependency) => {
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+4 -4
View File
@@ -4,7 +4,7 @@
A very basic example of how to use the action. This will run the action with the default configuration.
The full list of configuration options can be found [here](../README.md#configuration-options).
See the [full list of configuration options](../README.md#configuration-options).
```yaml
name: 'Dependency Review'
@@ -112,7 +112,7 @@ jobs:
## Using a configuration file from an external repository with a personal access token
The following example will use a configuration file from an external private GtiHub repository to configure the action.
The following example will use a configuration file from an external private GitHub repository to configure the action.
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
@@ -233,7 +233,7 @@ jobs:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
allow-dependencies-licenses: 'pkg:npm/lodash, pkg:pypi/requests'
```
If we were to use configuration file, the configuration would look like this:
@@ -244,7 +244,7 @@ allow-licenses:
- 'LGPL-2.0'
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:npm/lodash'
- 'pkg:pypi/requests'
```
+7 -6
View File
@@ -1,12 +1,12 @@
{
"name": "dependency-review-action",
"version": "4.8.0",
"version": "4.8.2",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "dependency-review-action",
"version": "4.8.0",
"version": "4.8.2",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^2.3.2",
@@ -27,7 +27,7 @@
"zod": "^3.24.1"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/jest": "^29.5.14",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@typescript-eslint/eslint-plugin": "^6.21.0",
@@ -2282,10 +2282,11 @@
}
},
"node_modules/@types/jest": {
"version": "29.5.12",
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.12.tgz",
"integrity": "sha512-eDC8bTvT/QhYdxJAulQikueigY5AsdBRH2yDKW3yveW7svY3+DzN84/2NUgkw10RTiJbWqZrTtoGVdYlvFJdLw==",
"version": "29.5.14",
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.14.tgz",
"integrity": "sha512-ZN+4sdnLUbo8EVvVc2ao0GFW6oVrQRPn4K2lglySj7APvSrgzxHiNNK99us4WDMi57xxA2yggblIAMNhXOotLQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"expect": "^29.0.0",
"pretty-format": "^29.0.0"
+3 -3
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "4.8.0",
"version": "4.8.2",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -43,7 +43,7 @@
"zod": "^3.24.1"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/jest": "^29.5.14",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@typescript-eslint/eslint-plugin": "^6.21.0",
@@ -63,4 +63,4 @@
"cross-spawn": ">=7.0.5",
"@octokit/request-error@5.0.1": "5.1.1"
}
}
}
+1 -1
View File
@@ -174,7 +174,7 @@ async function groupChanges(
return true
}
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
const changeAsPackageURL = parsePURL(change.package_url)
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
+31 -9
View File
@@ -27,6 +27,8 @@ import {getDeniedChanges} from './deny'
import * as artifact from '@actions/artifact'
import * as fs from 'fs'
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
async function delay(ms: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, ms))
}
@@ -84,12 +86,17 @@ export async function handleLargeSummary(
retentionDays: 1
})
// Return a minimal summary with a link to the artifact
return `# Dependency Review Summary
// Return a shorter summary with a link to the artifact
const shortSummary = `# Dependency Review Summary
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
core.summary.emptyBuffer()
core.summary.addRaw(shortSummary)
return shortSummary
} catch (error) {
core.warning(
`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`
@@ -98,6 +105,10 @@ The full dependency review summary is too large to display here. Please download
}
}
interface RepoWithPrivate extends PayloadRepository {
private: boolean
}
async function run(): Promise<void> {
try {
const config = await readConfig()
@@ -235,9 +246,20 @@ async function run(): Promise<void> {
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
)
} else if (error instanceof RequestError && error.status === 403) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
let repoIsPrivate = false
if ('repository' in github.context.payload) {
const repo = github.context.payload.repository as RepoWithPrivate
repoIsPrivate = repo.private
}
if (repoIsPrivate) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
} else {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
}
} else {
if (error instanceof Error) {
core.setFailed(error.message)
@@ -256,13 +278,13 @@ async function printVulnerabilitiesBlock(
warnOnly: boolean
): Promise<boolean> {
return core.group('Vulnerabilities', async () => {
let vulFound = false
let vulnFound = false
for (const change of addedChanges) {
vulFound ||= printChangeVulnerabilities(change)
vulnFound ||= printChangeVulnerabilities(change)
}
if (vulFound) {
if (vulnFound) {
const msg = 'Dependency review detected vulnerable packages.'
if (warnOnly) {
core.warning(msg)
@@ -275,7 +297,7 @@ async function printVulnerabilitiesBlock(
)
}
return vulFound
return vulnFound
})
}
+2 -2
View File
@@ -12,7 +12,7 @@ const icons = {
const MAX_SCANNED_FILES_BYTES = 1048576
// generates the DR report summmary and caches it to the Action's core.summary.
// generates the DR report summary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
export function addSummaryToSummary(
@@ -112,7 +112,7 @@ export function addSummaryToSummary(
function addDenyListsDeprecationWarningToSummary(): void {
core.summary.addRaw(
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`,
true
)
}