Merge pull request #696 from actions/output-comment · actions/dependency-review-action@cb180bf · GitHub

Commit cb180bf

Author: Federico Builes
Merge pull request #696 from actions/output-comment
Expose dependency comment content
2 parents fd07d42 + c94f57b commit cb180bf

8 files changed

+89
-32
lines changed

README.md

Lines changed: 13 additions & 11 deletions
@@ -1,21 +1,21 @@
11
# dependency-review-action
22

33
This action scans your pull requests for dependency changes, and will
4-
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
4+
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.
55

66
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
77

88
You can see the results on the job logs:
99

10-
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
10+
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
1111

1212
or on the job summary:
1313

14-
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
14+
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
1515

1616
## Installation
1717

18-
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
18+
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
1919

2020
1. Add a new YAML workflow to your `.github/workflows` folder:
2121

@@ -38,11 +38,11 @@ jobs:
3838
3939
### GitHub Enterprise Server
4040
41-
This action is available in Enterprise Server starting with version 3.6. Make sure
41+
Make sure
4242
[GitHub Advanced
43-
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
43+
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
4444
and [GitHub
45-
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
45+
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
4646
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
4747
4848
You can use the same workflow as above, replacing the `runs-on` value
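Review bot: dropping the sentence "This action is available in Enterprise Server starting with version 3.6." removes the only statement of the minimum supported GHES release, while the two doc links in the same hunk are bumped from `enterprise-server@3.6` to `enterprise-server@3.8`. Keep an explicit floor in the prose (for example "This action is available in Enterprise Server starting with version 3.8." if 3.8 is now the supported minimum, or the existing 3.6 text otherwise) so administrators can tell from the README whether their server qualifies.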
@@ -71,7 +71,7 @@ Configure this action by either inlining these options in your workflow file, or
7171
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
7272
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
7373
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
74-
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
74+
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
7575
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
7676
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
7777
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
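Review bot: the removed and added `fail-on-scopes` rows render identically in this hunk, so the change is either whitespace or an invisible character (the footnote marker removed in the next hunk, for instance). Confirm the edit is intentional and, if it only strips trailing whitespace or a stray marker, say so in the commit message so the row change does not look accidental.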
@@ -86,8 +86,6 @@ Configure this action by either inlining these options in your workflow file, or
8686

8787
\*not supported for use with GitHub Enterprise Server
8888

89-
†will be supported with GitHub Enterprise Server 3.8
90-
9189
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
9290

9391
### Inline Configuration
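Review bot: the "†will be supported with GitHub Enterprise Server 3.8" footnote is deleted, but no row in the options table in this diff shows a † marker being removed alongside it; check that no remaining row still carries a † that now points at nothing. Also note that with the footnote gone the README no longer records which options need GHES 3.8, which ties in with the earlier hunk dropping the minimum-version sentence.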
@@ -157,7 +155,11 @@ For more examples of how to use this action and its configuration options, see t
157155

158156
## Blocking pull requests
159157

160-
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
158+
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
159+
160+
## Outputs
161+
162+
`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
161163

162164
## Getting help
163165

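Review bot: the new `## Outputs` section should state when `comment-content` is populated. In this PR `core.setOutput('comment-content', ...)` runs before the `comment-summary-in-pr` check in `commentPr`, so the output is available in every mode, including when no PR comment is posted; say so explicitly, mention that the value is the same Markdown the summary produces, and point readers to the "Getting the results of the action in a later step" example in docs/examples.md, which shows the output being passed through `env:` rather than interpolated into a shell script.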
action.yml

Lines changed: 3 additions & 0 deletions
@@ -65,6 +65,9 @@ inputs:
6565
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
6666
required: false
6767
default: false
68+
outputs:
69+
comment-content:
70+
description: Prepared dependency report comment
6871

6972
runs:
7073
using: 'node20'
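Review bot: the description "Prepared dependency report comment" is terse for an output that callers will script against; state that it is Markdown (the stringified job summary) and that it is set regardless of the `comment-summary-in-pr` setting, matching the behaviour introduced in src/comment-pr.ts. A one-line example of reading it via `steps.<id>.outputs.comment-content` in the description would also help, since action.yml is what the Marketplace page renders.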

dist/index.js

Lines changed: 15 additions & 9 deletions
Generated file; diff not rendered.

dist/index.js.map

Lines changed: 1 addition & 1 deletion
Generated file; diff not rendered.

docs/examples.md

Lines changed: 33 additions & 0 deletions
@@ -164,6 +164,39 @@ jobs:
164164
comment-summary-in-pr: always
165165
```
166166

167+
## Getting the results of the action in a later step
168+
169+
Using the `comment-content` output you can get the results of the action in a workflow step.
170+
171+
```yaml
172+
name: 'Dependency Review'
173+
on: [pull_request]
174+
175+
permissions:
176+
contents: read
177+
pull-requests: write
178+
179+
jobs:
180+
dependency-review:
181+
runs-on: ubuntu-latest
182+
steps:
183+
- name: 'Checkout Repository'
184+
uses: actions/checkout@v4
185+
- name: 'Dependency Review'
186+
id: review
187+
uses: actions/dependency-review-action@v4
188+
with:
189+
fail-on-severity: critical
190+
deny-licenses: LGPL-2.0, BSD-2-Clause
191+
- name: 'Report'
192+
if: always() # make sure this step runs even if the previous failed
193+
shell: bash
194+
env:
195+
comment: ${{ steps.review.outputs.comment-content }}
196+
run: |
197+
echo "$comment" # do something with the comment
198+
```
199+
167200
## Exclude dependencies from the license check
168201

169202
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
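Review bot: good that the `Report` step reads the output through `env: comment: ${{ steps.review.outputs.comment-content }}` and then `echo "$comment"`, rather than interpolating `${{ ... }}` directly into `run:`; the comment text is built from dependency names, versions and licenses taken from the pull request's manifests, so inlining it into the script would let a PR author inject shell into the workflow. Add a YAML comment saying that is why `env:` is used, so readers do not "simplify" it away. Separately, `if: always()` also fires when the job is cancelled; `if: ${{ !cancelled() }}` matches the stated intent ("runs even if the previous failed") more precisely.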

src/comment-pr.ts

Lines changed: 18 additions & 2 deletions
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
33
import * as githubUtils from '@actions/github/lib/utils'
44
import * as retry from '@octokit/plugin-retry'
55
import {RequestError} from '@octokit/request-error'
6+
import {ConfigurationOptions} from './schemas'
67

78
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
89
const octo = new retryingOctokit(
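Review bot: `ConfigurationOptions` is only used as a type annotation in this file, so `import type {ConfigurationOptions} from './schemas'` would make that explicit and keep the runtime module graph unchanged; it also avoids the bundled dist/index.js pulling in `./schemas` at load time if the compiler does not elide the import.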
@@ -12,15 +13,30 @@ const octo = new retryingOctokit(
1213
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
1314
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
1415

15-
export async function commentPr(summary: typeof core.summary): Promise<void> {
16+
export async function commentPr(
17+
summary: typeof core.summary,
18+
config: ConfigurationOptions
19+
): Promise<void> {
20+
const commentContent = summary.stringify()
21+
22+
core.setOutput('comment-content', commentContent)
23+
24+
if (
25+
config.comment_summary_in_pr !== 'always' &&
26+
config.comment_summary_in_pr === 'on-failure' &&
27+
process.exitCode !== core.ExitCode.Failure
28+
) {
29+
return
30+
}
31+
1632
if (!github.context.payload.pull_request) {
1733
core.warning(
1834
'Not in the context of a pull request. Skipping comment creation.'
1935
)
2036
return
2137
}
2238

23-
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
39+
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
2440

2541
try {
2642
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
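Review bot: the new early-return guard does not reproduce the condition it replaces from src/main.ts. The old code commented only when `comment_summary_in_pr === 'always'` or when it was `'on-failure'` and the run had failed; the new guard returns early only for the `'on-failure'`-without-failure case, so any other value (notably `'never'`) now falls through and posts a comment. The first clause `config.comment_summary_in_pr !== 'always' &&` is also redundant, since a value equal to `'on-failure'` can never equal `'always'`. Suggested replacement for lines 24-30:
`const shouldComment = config.comment_summary_in_pr === 'always' || (config.comment_summary_in_pr === 'on-failure' && process.exitCode === core.ExitCode.Failure)`
`if (!shouldComment) { return }`
placed after `core.setOutput` so the output is still always set.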

src/git-refs.ts

Lines changed: 5 additions & 2 deletions
@@ -21,16 +21,19 @@ export function getRefs(
2121
if (!base_ref && !head_ref) {
2222
throw new Error(
2323
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
24-
'config options, or by running a `pull_request`/`pull_request_target` workflow.'
24+
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
25+
'`pull_request`/`pull_request_target` workflow.'
2526
)
2627
} else if (!base_ref) {
2728
throw new Error(
2829
'A base ref must be provided, either via the `base_ref` config option, ' +
29-
'or by running a `pull_request`/`pull_request_target` workflow.'
30+
'`base-ref` workflow action option, or by running a ' +
31+
'`pull_request`/`pull_request_target` workflow.'
3032
)
3133
} else if (!head_ref) {
3234
throw new Error(
3335
'A head ref must be provided, either via the `head_ref` config option, ' +
36+
'`head-ref` workflow action option, or by running a ' +
3437
'or by running a `pull_request`/`pull_request_target` workflow.'
3538
)
3639
}
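Review bot: the `!head_ref` branch adds the new fragment `'\`head-ref\` workflow action option, or by running a ' +` but keeps the old line `'or by running a \`pull_request\`/\`pull_request_target\` workflow.'` instead of replacing it, so the message reads "... or by running a or by running a `pull_request`/`pull_request_target` workflow." The other two branches replace the old line; this one should too, ending with `'\`pull_request\`/\`pull_request_target\` workflow.'` as on line 31.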

src/main.ts

Lines changed: 1 addition & 7 deletions
@@ -144,13 +144,7 @@ async function run(): Promise<void> {
144144

145145
summary.addScannedDependencies(changes)
146146
printScannedDependencies(changes)
147-
if (
148-
config.comment_summary_in_pr === 'always' ||
149-
(config.comment_summary_in_pr === 'on-failure' &&
150-
process.exitCode === core.ExitCode.Failure)
151-
) {
152-
await commentPr(core.summary)
153-
}
147+
await commentPr(core.summary, config)
154148
} catch (error) {
155149
if (error instanceof RequestError && error.status === 404) {
156150
core.setFailed(
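Review bot: `commentPr` is now called unconditionally so that the output is set in every mode, which is the right place for the decision to live, but it means `commentPr` is solely responsible for honouring `comment_summary_in_pr`; the guard it gained in src/comment-pr.ts only skips the `'on-failure'` case, so a value of `'never'` reaches the comment-posting code from here. Worth a test in this PR that asserts no comment is created for `'never'` and that `comment-content` is still set.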
