Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 0d682fba34 | |||
| 84848ebd37 | |||
| 9c4df3f574 | |||
| 96b82f03c4 | |||
| a340a7a878 | |||
| 908dc1151c |
@@ -0,0 +1,57 @@
|
||||
# `dist/index.js` is a special file in Actions.
|
||||
# When you reference an action with `uses:` in a workflow,
|
||||
# `index.js` is the code that will run.
|
||||
# For our project, we generate this file through a build process from other source files.
|
||||
# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
|
||||
name: Check dist/
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
pull_request:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
check-dist:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
- name: Rebuild the dist/ directory
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
- name: Compare the expected and actual dist/ directories
|
||||
run: |
|
||||
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
|
||||
echo "Detected uncommitted changes after build. See status below:"
|
||||
git diff
|
||||
exit 1
|
||||
fi
|
||||
id: diff
|
||||
|
||||
# If index.js was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
@@ -18,7 +18,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v6
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
@@ -31,7 +31,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v6
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
|
||||
@@ -28,7 +28,7 @@ jobs:
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v4
|
||||
uses: github/codeql-action/init@v3
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
@@ -38,11 +38,11 @@ jobs:
|
||||
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
config: |
|
||||
paths-ignore:
|
||||
paths-ignore:
|
||||
- dist/index.js
|
||||
- dist/sourcemap-register.js
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v4
|
||||
uses: github/codeql-action/analyze@v3
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@v10.1.0
|
||||
- uses: actions/stale@v9.1.0
|
||||
name: Clean up stale PRs and Issues
|
||||
with:
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
|
||||
+31
-28
@@ -25,11 +25,11 @@ If you'd like to make a contribution yourself, we ask that before significant ef
|
||||
|
||||
## Stalebot
|
||||
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
## Development lifecycle
|
||||
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
|
||||
### High level overview of the action
|
||||
|
||||
@@ -50,9 +50,10 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
|
||||
|
||||
#### Manually testing for vulnerabilities
|
||||
|
||||
We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
We have a script to scan a given PR for vulnerabilities, this will
|
||||
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
|
||||
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
|
||||
The syntax of the script is:
|
||||
|
||||
@@ -86,9 +87,8 @@ _Note_: We don't have a very comprehensive test suite, so any contributions to t
|
||||
|
||||
1. Create a new branch: `git checkout -b my-branch-name`
|
||||
2. Make your change, add tests, and make sure the tests still pass
|
||||
3. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)
|
||||
3. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
4. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
|
||||
|
||||
@@ -105,38 +105,41 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
|
||||
_Note: these instructions are for maintainers_
|
||||
|
||||
- Create a local branch based on the `main` of the upstream repo.
|
||||
- Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
- Update the dist files by running `npm run build` and `npm run package`
|
||||
- Go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
|
||||
- Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
1. Make sure that the `Publish this Action to the GitHub Marketplace`
|
||||
checkbox is enabled
|
||||
|
||||
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
|
||||
- Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
- Use a version number for the release title (e.g. "1.2.3").
|
||||
3. Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
4. Use a version number for the release title (e.g. "1.2.3").
|
||||
|
||||
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
|
||||
- Add your release notes. If this is a major version make sure to include details about any breaking changes in the new version.
|
||||
- Click "Publish Release".
|
||||
5. Add your release notes. If this is a major version make sure to
|
||||
include a small description of the biggest changes in the new version.
|
||||
6. Click "Publish Release".
|
||||
|
||||
You now have a tag and release using the semver version you used above. The last remaining thing to do is to update the major version branch to match the current release. This allows users to adopt a major version number (e.g. `v4`) in their workflows while automatically getting all the minor/patch updates.
|
||||
You now have a tag and release using the semver version you used
|
||||
above. The last remaining thing to do is to move the dynamic version
|
||||
identifier to match the current SHA. This allows users to adopt a
|
||||
major version number (e.g. `v1`) in their workflows while
|
||||
automatically getting all the
|
||||
minor/patch updates.
|
||||
|
||||
As of v4.8.3, we use a **branch** (not a force-pushed tag) for the major version pointer. This is important because force-pushing tags breaks GitHub's auto-generated release changelog links (see [#1035](https://github.com/actions/dependency-review-action/issues/1035)) and violates git's (unenforced) expectation that tags are immutable.
|
||||
|
||||
To update the major version branch:
|
||||
To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
|
||||
```
|
||||
git checkout main
|
||||
git pull origin main
|
||||
git branch -f v4 HEAD
|
||||
git push origin v4
|
||||
git tag -fa v4 -m "Updating v4 to 4.0.1"
|
||||
git push origin v4 --force
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
## Resources
|
||||
|
||||
- [Creating JavaScript GitHub actions](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)
|
||||
|
||||
@@ -169,7 +169,6 @@ You can pass configuration options to the dependency review action using your wo
|
||||
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
allow-dependencies-licenses: "pkg:npm/@myorg/mypackage, pkg:npm/packagename, pkg:githubactions/owner/repo@2.0.0"
|
||||
```
|
||||
|
||||
#### Option 2: Using an external configuration file
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeEach(() => {
|
||||
|
||||
@@ -1,164 +0,0 @@
|
||||
import {
|
||||
afterEach,
|
||||
beforeEach,
|
||||
describe,
|
||||
expect,
|
||||
jest,
|
||||
test
|
||||
} from '@jest/globals'
|
||||
import * as fs from 'fs'
|
||||
import * as core from '@actions/core'
|
||||
import {DefaultArtifactClient} from '@actions/artifact'
|
||||
import type {SpyInstance} from 'jest-mock'
|
||||
import {handleLargeSummary} from '../src/main'
|
||||
|
||||
jest.mock('ansi-styles', () => ({
|
||||
__esModule: true,
|
||||
default: {
|
||||
color: {
|
||||
red: {open: '', close: ''},
|
||||
yellow: {open: '', close: ''},
|
||||
grey: {open: '', close: ''},
|
||||
green: {open: '', close: ''}
|
||||
},
|
||||
bold: {open: '', close: ''}
|
||||
}
|
||||
}))
|
||||
jest.mock('../src/dependency-graph', () => ({}))
|
||||
jest.mock('@actions/core', () => {
|
||||
const summary = {
|
||||
addRaw: jest.fn().mockReturnThis(),
|
||||
addHeading: jest.fn().mockReturnThis(),
|
||||
addTable: jest.fn().mockReturnThis(),
|
||||
addSeparator: jest.fn().mockReturnThis(),
|
||||
addImage: jest.fn().mockReturnThis(),
|
||||
addList: jest.fn().mockReturnThis(),
|
||||
addBreak: jest.fn().mockReturnThis(),
|
||||
addLink: jest.fn().mockReturnThis(),
|
||||
addDetails: jest.fn().mockReturnThis(),
|
||||
addSection: jest.fn().mockReturnThis(),
|
||||
addCodeBlock: jest.fn().mockReturnThis(),
|
||||
addFields: jest.fn().mockReturnThis(),
|
||||
addEol: jest.fn().mockReturnThis(),
|
||||
write: jest.fn(async () => undefined),
|
||||
emptyBuffer: jest.fn(),
|
||||
stringify: jest.fn(() => '')
|
||||
}
|
||||
return {
|
||||
__esModule: true,
|
||||
getInput: jest.fn((name: string) =>
|
||||
name === 'repo-token' ? 'gh_test_token' : ''
|
||||
),
|
||||
setOutput: jest.fn(),
|
||||
setFailed: jest.fn(),
|
||||
warning: jest.fn(),
|
||||
info: jest.fn(),
|
||||
debug: jest.fn(),
|
||||
startGroup: jest.fn(),
|
||||
endGroup: jest.fn(),
|
||||
group: jest.fn(async (_name: string, fn: () => Promise<unknown>) => fn()),
|
||||
summary
|
||||
}
|
||||
})
|
||||
jest.mock('@actions/artifact', () => ({
|
||||
DefaultArtifactClient: jest.fn()
|
||||
}))
|
||||
|
||||
const ORIGINAL_ENV = {...process.env}
|
||||
|
||||
type ArtifactClientInstance = {
|
||||
uploadArtifact: jest.Mock
|
||||
}
|
||||
|
||||
const DefaultArtifactClientMock = DefaultArtifactClient as unknown as jest.Mock
|
||||
|
||||
const createArtifactClient = (): ArtifactClientInstance => ({
|
||||
uploadArtifact: jest.fn(async () => undefined)
|
||||
})
|
||||
|
||||
describe('handleLargeSummary', () => {
|
||||
let writeFileSpy: SpyInstance<typeof fs.promises.writeFile>
|
||||
|
||||
beforeEach(() => {
|
||||
process.env = {...ORIGINAL_ENV}
|
||||
writeFileSpy = jest
|
||||
.spyOn(fs.promises, 'writeFile')
|
||||
.mockImplementation(async () => undefined)
|
||||
DefaultArtifactClientMock.mockClear()
|
||||
DefaultArtifactClientMock.mockImplementation(() => createArtifactClient())
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
writeFileSpy.mockRestore()
|
||||
jest.clearAllMocks()
|
||||
process.env = {...ORIGINAL_ENV}
|
||||
})
|
||||
|
||||
test('returns original summary when under size threshold', async () => {
|
||||
const summaryContent = 'short summary'
|
||||
|
||||
const result = await handleLargeSummary(summaryContent)
|
||||
|
||||
expect(result).toBe(summaryContent)
|
||||
expect(writeFileSpy).not.toHaveBeenCalled()
|
||||
expect(DefaultArtifactClientMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
test('uploads artifact and returns minimal summary when summary is too large', async () => {
|
||||
process.env.GITHUB_SERVER_URL = 'https://github.com'
|
||||
process.env.GITHUB_REPOSITORY = 'owner/repo'
|
||||
process.env.GITHUB_RUN_ID = '12345'
|
||||
|
||||
const largeSummary = 'a'.repeat(1024 * 1024 + 1)
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
expect(writeFileSpy).toHaveBeenCalledTimes(1)
|
||||
expect(writeFileSpy).toHaveBeenCalledWith('summary.md', largeSummary)
|
||||
expect(DefaultArtifactClientMock).toHaveBeenCalledTimes(1)
|
||||
|
||||
const artifactInstance = DefaultArtifactClientMock.mock.results[0]
|
||||
?.value as ArtifactClientInstance
|
||||
|
||||
expect(artifactInstance.uploadArtifact).toHaveBeenCalledWith(
|
||||
'dependency-review-summary',
|
||||
['summary.md'],
|
||||
'.',
|
||||
{retentionDays: 1}
|
||||
)
|
||||
|
||||
expect(result).toContain('# Dependency Review Summary')
|
||||
expect(result).toContain('dependency-review-summary')
|
||||
expect(result).toContain('actions/runs/12345')
|
||||
})
|
||||
|
||||
test('returns truncated summary and replaces buffer when artifact upload fails', async () => {
|
||||
const warningMock = core.warning as jest.Mock
|
||||
const emptyBufferMock = core.summary.emptyBuffer as jest.Mock
|
||||
const addRawMock = core.summary.addRaw as jest.Mock
|
||||
warningMock.mockClear()
|
||||
emptyBufferMock.mockClear()
|
||||
addRawMock.mockClear()
|
||||
const largeSummary = 'b'.repeat(1024 * 1024 + 1)
|
||||
|
||||
DefaultArtifactClientMock.mockImplementation(() => ({
|
||||
uploadArtifact: jest.fn(async () => {
|
||||
throw new Error('upload failed')
|
||||
})
|
||||
}))
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
// Should NOT return the original oversized content
|
||||
expect(result).not.toBe(largeSummary)
|
||||
// Should return a truncated summary
|
||||
expect(result).toContain('Dependency Review Summary')
|
||||
expect(result).toContain('too large to display')
|
||||
// Should replace the core.summary buffer to prevent write() from failing
|
||||
expect(emptyBufferMock).toHaveBeenCalled()
|
||||
expect(addRawMock).toHaveBeenCalledWith(result)
|
||||
expect(warningMock).toHaveBeenCalledWith(
|
||||
expect.stringContaining('Failed to upload large summary as artifact')
|
||||
)
|
||||
})
|
||||
})
|
||||
@@ -315,7 +315,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilities found', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
|
||||
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
@@ -385,7 +385,7 @@ test('addChangeVulnerabilitiesToSummary() - prints severity statement if above l
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statement if it is set to "low"', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
@@ -464,9 +464,7 @@ test('addLicensesToSummary() - includes list of configured allowed licenses', ()
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Allowed Licenses</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
expect(text).toContain('<strong>Allowed Licenses</strong>: MIT, Apache-2.0')
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
@@ -478,33 +476,11 @@ test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
deny_licenses: ['MIT', 'Apache-2.0']
|
||||
deny_licenses: ['MIT']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Denied Licenses</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes allowed dependency licences', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
allow_dependencies_licenses: ['MIT', 'Apache-2.0']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Excluded from license check</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
expect(text).toContain('<strong>Denied Licenses</strong>: MIT')
|
||||
})
|
||||
|
||||
+1
-1
@@ -53,7 +53,7 @@ inputs:
|
||||
description: A boolean to determine if vulnerability checks should be performed
|
||||
required: false
|
||||
comment-summary-in-pr:
|
||||
description: "Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow `pull-requests: write` permissions"
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
|
||||
+1330
-98272
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
-2827
File diff suppressed because it is too large
Load Diff
+4
-4
@@ -4,7 +4,7 @@
|
||||
|
||||
A very basic example of how to use the action. This will run the action with the default configuration.
|
||||
|
||||
See the [full list of configuration options](../README.md#configuration-options).
|
||||
The full list of configuration options can be found [here](../README.md#configuration-options).
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -112,7 +112,7 @@ jobs:
|
||||
|
||||
## Using a configuration file from an external repository with a personal access token
|
||||
|
||||
The following example will use a configuration file from an external private GitHub repository to configure the action.
|
||||
The following example will use a configuration file from an external private GtiHub repository to configure the action.
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
@@ -233,7 +233,7 @@ jobs:
|
||||
fail-on-severity: critical
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
comment-summary-in-pr: always
|
||||
allow-dependencies-licenses: 'pkg:npm/lodash, pkg:pypi/requests'
|
||||
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
|
||||
```
|
||||
|
||||
If we were to use configuration file, the configuration would look like this:
|
||||
@@ -244,7 +244,7 @@ allow-licenses:
|
||||
- 'LGPL-2.0'
|
||||
- 'BSD-2-Clause'
|
||||
allow-dependencies-licenses:
|
||||
- 'pkg:npm/lodash'
|
||||
- 'pkg:npm/loadash'
|
||||
- 'pkg:pypi/requests'
|
||||
```
|
||||
|
||||
|
||||
Generated
+77
-1322
File diff suppressed because it is too large
Load Diff
+4
-5
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.8.3",
|
||||
"version": "4.7.3",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -25,7 +25,6 @@
|
||||
"author": "GitHub",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/artifact": "^5.0.1",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/github": "^6.0.1",
|
||||
"@octokit/plugin-retry": "^6.1.0",
|
||||
@@ -36,14 +35,14 @@
|
||||
"got": "^14.4.7",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"spdx-expression-parse": "^4.0.0",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^6.0.0",
|
||||
"ts-jest": "^29.4.1",
|
||||
"yaml": "^2.8.1",
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
@@ -54,7 +53,7 @@
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^28.8.3",
|
||||
"eslint-plugin-prettier": "^5.5.4",
|
||||
"js-yaml": "^4.1.1",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.10",
|
||||
"prettier": "3.6.2",
|
||||
"typescript": "^5.9.2"
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
# Load the scan_pr library
|
||||
require_relative 'scan_pr_lib'
|
||||
|
||||
# Create and run the scanner
|
||||
scanner = ScanPr.new
|
||||
scanner.run(ARGV)
|
||||
Executable
+87
@@ -0,0 +1,87 @@
|
||||
#!/usr/bin/env ruby
|
||||
require 'json'
|
||||
require 'tempfile'
|
||||
require 'open3'
|
||||
require 'bundler/inline'
|
||||
require 'optparse'
|
||||
|
||||
gemfile do
|
||||
source 'https://rubygems.org'
|
||||
gem 'octokit'
|
||||
end
|
||||
|
||||
config_file = nil
|
||||
github_token = ENV["GITHUB_TOKEN"]
|
||||
|
||||
if !github_token || github_token.empty?
|
||||
puts "Please set the GITHUB_TOKEN environment variable"
|
||||
exit -1
|
||||
end
|
||||
|
||||
op = OptionParser.new do |opts|
|
||||
usage = <<EOF
|
||||
Run Dependency Review on a repository.
|
||||
|
||||
\e[1mUsage:\e[22m
|
||||
scripts/scan_pr [options] <pr_url>
|
||||
|
||||
\e[1mExample:\e[22m
|
||||
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
|
||||
|
||||
EOF
|
||||
|
||||
opts.banner = usage
|
||||
|
||||
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
|
||||
config_file = cf
|
||||
end
|
||||
|
||||
opts.on("-h", "--help", "Prints this help") do
|
||||
puts opts
|
||||
exit
|
||||
end
|
||||
end
|
||||
|
||||
op.parse!
|
||||
|
||||
# make sure we have a NWO somewhere in the parameters
|
||||
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
|
||||
|
||||
if arg.nil?
|
||||
puts op
|
||||
exit -1
|
||||
end
|
||||
|
||||
repo_nwo = arg[:repo_nwo]
|
||||
pr_number = arg[:pr_number]
|
||||
|
||||
octo = Octokit::Client.new(access_token: github_token)
|
||||
pr = octo.pull_request(repo_nwo, pr_number)
|
||||
|
||||
event_file = Tempfile.new
|
||||
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
|
||||
event_file.close
|
||||
|
||||
action_inputs = {
|
||||
"repo-token": github_token,
|
||||
"config-file": config_file
|
||||
}
|
||||
|
||||
dev_cmd_env = {
|
||||
"GITHUB_REPOSITORY" => repo_nwo,
|
||||
"GITHUB_EVENT_NAME" => "pull_request",
|
||||
"GITHUB_EVENT_PATH" => event_file.path,
|
||||
"GITHUB_STEP_SUMMARY" => "/dev/null"
|
||||
}
|
||||
|
||||
# bash does not like variable names with dashes like the ones Actions
|
||||
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
|
||||
# manually setting them does the job.
|
||||
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
|
||||
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"
|
||||
|
||||
Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
|
||||
while line = out.gets
|
||||
puts line.gsub(github_token, "<REDACTED>")
|
||||
end
|
||||
end
|
||||
@@ -1,128 +0,0 @@
|
||||
require 'json'
|
||||
require 'tempfile'
|
||||
require 'open3'
|
||||
require 'bundler/inline'
|
||||
require 'optparse'
|
||||
|
||||
gemfile do
|
||||
source 'https://rubygems.org'
|
||||
gem 'octokit'
|
||||
end
|
||||
|
||||
class ScanPr
|
||||
def initialize
|
||||
@config_file = nil
|
||||
@github_token = ENV["GITHUB_TOKEN"]
|
||||
|
||||
validate_token
|
||||
end
|
||||
|
||||
def run(args)
|
||||
parse_options(args)
|
||||
repo_nwo, pr_number = extract_repo_and_pr(args)
|
||||
|
||||
pr = fetch_pull_request(repo_nwo, pr_number)
|
||||
event_file = create_event_file(pr)
|
||||
|
||||
execute_dependency_review(repo_nwo, event_file)
|
||||
ensure
|
||||
event_file&.unlink
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def validate_token
|
||||
if !@github_token || @github_token.empty?
|
||||
puts "Please set the GITHUB_TOKEN environment variable"
|
||||
exit -1
|
||||
end
|
||||
end
|
||||
|
||||
def parse_options(args)
|
||||
op = OptionParser.new do |opts|
|
||||
usage = <<EOF
|
||||
Run Dependency Review on a repository.
|
||||
|
||||
\e[1mUsage:\e[22m
|
||||
scripts/scan_pr [options] <pr_url>
|
||||
|
||||
\e[1mExample:\e[22m
|
||||
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
|
||||
|
||||
EOF
|
||||
|
||||
opts.banner = usage
|
||||
|
||||
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
|
||||
@config_file = cf
|
||||
end
|
||||
|
||||
opts.on("-h", "--help", "Prints this help") do
|
||||
puts opts
|
||||
exit
|
||||
end
|
||||
end
|
||||
|
||||
op.parse!(args)
|
||||
@option_parser = op
|
||||
end
|
||||
|
||||
def extract_repo_and_pr(args)
|
||||
# make sure we have a NWO somewhere in the parameters
|
||||
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(args.join(" "))
|
||||
|
||||
if arg.nil?
|
||||
puts @option_parser
|
||||
exit -1
|
||||
end
|
||||
|
||||
[arg[:repo_nwo], arg[:pr_number]]
|
||||
end
|
||||
|
||||
def fetch_pull_request(repo_nwo, pr_number)
|
||||
octo = Octokit::Client.new(access_token: @github_token)
|
||||
octo.pull_request(repo_nwo, pr_number)
|
||||
end
|
||||
|
||||
def create_event_file(pr)
|
||||
event_file = Tempfile.new
|
||||
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
|
||||
event_file.close
|
||||
event_file
|
||||
end
|
||||
|
||||
def execute_dependency_review(repo_nwo, event_file)
|
||||
action_inputs = {
|
||||
"repo-token": @github_token,
|
||||
"config-file": @config_file
|
||||
}
|
||||
|
||||
dev_cmd_env = {
|
||||
"GITHUB_REPOSITORY" => repo_nwo,
|
||||
"GITHUB_EVENT_NAME" => "pull_request",
|
||||
"GITHUB_EVENT_PATH" => event_file.path,
|
||||
"GITHUB_STEP_SUMMARY" => "/dev/null"
|
||||
}
|
||||
|
||||
# Merge action inputs into environment, formatting keys as INPUT_...
|
||||
action_inputs_env = action_inputs.each_with_object({}) do |(name, value), h|
|
||||
h["INPUT_#{name.to_s.upcase}"] = value unless value.nil?
|
||||
end
|
||||
env = dev_cmd_env.merge(action_inputs_env)
|
||||
|
||||
dev_cmd = [
|
||||
"./node_modules/.bin/nodemon",
|
||||
"--exec",
|
||||
"node",
|
||||
"-r",
|
||||
"esbuild-register",
|
||||
"src/main.ts"
|
||||
]
|
||||
|
||||
Open3.popen2e(env, *dev_cmd) do |stdin, out|
|
||||
while line = out.gets
|
||||
puts line.gsub(@github_token, "<REDACTED>")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
+1
-1
@@ -174,7 +174,7 @@ async function groupChanges(
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = parsePURL(change.package_url)
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
|
||||
+8
-88
@@ -24,10 +24,6 @@ import {getRefs} from './git-refs'
|
||||
import {groupDependenciesByManifest} from './utils'
|
||||
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
|
||||
import {getDeniedChanges} from './deny'
|
||||
import {DefaultArtifactClient} from '@actions/artifact'
|
||||
import * as fs from 'fs'
|
||||
|
||||
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
|
||||
|
||||
async function delay(ms: number): Promise<void> {
|
||||
return new Promise(resolve => setTimeout(resolve, ms))
|
||||
@@ -65,62 +61,6 @@ async function getComparison(
|
||||
return comparison
|
||||
}
|
||||
|
||||
export async function handleLargeSummary(
|
||||
summaryContent: string
|
||||
): Promise<string> {
|
||||
const MAX_SUMMARY_SIZE = 1024 * 1024 // 1024k in bytes
|
||||
if (Buffer.byteLength(summaryContent, 'utf8') <= MAX_SUMMARY_SIZE) {
|
||||
return summaryContent
|
||||
}
|
||||
|
||||
const summarySize = Math.round(
|
||||
Buffer.byteLength(summaryContent, 'utf8') / 1024
|
||||
)
|
||||
const truncatedSummary = `# Dependency Review Summary
|
||||
|
||||
The full dependency review summary was too large to display here (${summarySize}KB, limit is 1024KB).`
|
||||
|
||||
const artifactClient = new DefaultArtifactClient()
|
||||
const artifactName = 'dependency-review-summary'
|
||||
const files = ['summary.md']
|
||||
|
||||
try {
|
||||
// Write the summary to a file
|
||||
await fs.promises.writeFile('summary.md', summaryContent)
|
||||
|
||||
// Upload the artifact
|
||||
await artifactClient.uploadArtifact(artifactName, files, '.', {
|
||||
retentionDays: 1
|
||||
})
|
||||
|
||||
// Return a shorter summary with a link to the artifact
|
||||
const shortSummary = `${truncatedSummary}
|
||||
|
||||
Please download the artifact named "${artifactName}" to view the complete report.
|
||||
|
||||
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
|
||||
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(shortSummary)
|
||||
return shortSummary
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to upload large summary as artifact: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
// Even though artifact upload failed, we must still replace the buffer
|
||||
// with a truncated summary to prevent core.summary.write() from failing
|
||||
// with the oversized content (see issue #867)
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(truncatedSummary)
|
||||
return truncatedSummary
|
||||
}
|
||||
}
|
||||
|
||||
interface RepoWithPrivate extends PayloadRepository {
|
||||
private: boolean
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const config = await readConfig()
|
||||
@@ -239,9 +179,6 @@ async function run(): Promise<void> {
|
||||
let rendered = core.summary.stringify()
|
||||
core.setOutput('comment-content', rendered)
|
||||
|
||||
// Handle large summaries by uploading as artifact
|
||||
rendered = await handleLargeSummary(rendered)
|
||||
|
||||
// if the summary is oversized, replace with minimal version
|
||||
if (rendered.length >= MAX_COMMENT_LENGTH) {
|
||||
core.debug(
|
||||
@@ -258,20 +195,9 @@ async function run(): Promise<void> {
|
||||
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
let repoIsPrivate = false
|
||||
if ('repository' in github.context.payload) {
|
||||
const repo = github.context.payload.repository as RepoWithPrivate
|
||||
repoIsPrivate = repo.private
|
||||
}
|
||||
if (repoIsPrivate) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
}
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
core.setFailed(error.message)
|
||||
@@ -280,13 +206,7 @@ async function run(): Promise<void> {
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
try {
|
||||
await core.summary.write()
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to write job summary: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
}
|
||||
await core.summary.write()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -296,13 +216,13 @@ async function printVulnerabilitiesBlock(
|
||||
warnOnly: boolean
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulnFound = false
|
||||
let vulFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulnFound ||= printChangeVulnerabilities(change)
|
||||
vulFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulnFound) {
|
||||
if (vulFound) {
|
||||
const msg = 'Dependency review detected vulnerable packages.'
|
||||
if (warnOnly) {
|
||||
core.warning(msg)
|
||||
@@ -315,7 +235,7 @@ async function printVulnerabilitiesBlock(
|
||||
)
|
||||
}
|
||||
|
||||
return vulnFound
|
||||
return vulFound
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
+7
-5
@@ -12,7 +12,7 @@ const icons = {
|
||||
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576
|
||||
|
||||
// generates the DR report summary and caches it to the Action's core.summary.
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
export function addSummaryToSummary(
|
||||
@@ -112,7 +112,7 @@ export function addSummaryToSummary(
|
||||
|
||||
function addDenyListsDeprecationWarningToSummary(): void {
|
||||
core.summary.addRaw(
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`,
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
|
||||
true
|
||||
)
|
||||
}
|
||||
@@ -206,17 +206,19 @@ export function addLicensesToSummary(
|
||||
|
||||
if (config.allow_licenses && config.allow_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
`<details><summary><strong>Allowed Licenses</strong>:</summary> ${config.allow_licenses.join(', ')}</details>`
|
||||
`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`
|
||||
)
|
||||
}
|
||||
if (config.deny_licenses && config.deny_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
`<details><summary><strong>Denied Licenses</strong>:</summary> ${config.deny_licenses.join(', ')}</details>`
|
||||
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
|
||||
)
|
||||
}
|
||||
if (config.allow_dependencies_licenses) {
|
||||
core.summary.addQuote(
|
||||
`<details><summary><strong>Excluded from license check</strong>:</summary> ${config.allow_dependencies_licenses.join(', ')}</details>`
|
||||
`<strong>Excluded from license check</strong>: ${config.allow_dependencies_licenses.join(
|
||||
', '
|
||||
)}`
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user