Skip to content

Commit

Permalink
Merge pull request #696 from actions/output-comment
Browse files Browse the repository at this point in the history
Expose dependency comment content
  • Loading branch information
febuiles authored Feb 19, 2024
2 parents fd07d42 + c94f57b commit cb180bf
Show file tree
Hide file tree
Showing 8 changed files with 89 additions and 32 deletions.
24 changes: 13 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,21 @@
# dependency-review-action

This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.

The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.

You can see the results on the job logs:

<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">

or on the job summary:

<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">

## Installation

**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**

1. Add a new YAML workflow to your `.github/workflows` folder:

Expand All @@ -38,11 +38,11 @@ jobs:
### GitHub Enterprise Server
This action is available in Enterprise Server starting with version 3.6. Make sure
Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
You can use the same workflow as above, replacing the `runs-on` value
Expand Down Expand Up @@ -71,7 +71,7 @@ Configure this action by either inlining these options in your workflow file, or
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
Expand All @@ -86,8 +86,6 @@ Configure this action by either inlining these options in your workflow file, or

\*not supported for use with GitHub Enterprise Server

†will be supported with GitHub Enterprise Server 3.8

+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.

### Inline Configuration
Expand Down Expand Up @@ -157,7 +155,11 @@ For more examples of how to use this action and its configuration options, see t

## Blocking pull requests

The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).

## Outputs

`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.

## Getting help

Expand Down
3 changes: 3 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@ inputs:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
required: false
default: false
outputs:
comment-content:
description: Prepared dependency report comment

runs:
using: 'node20'
Expand Down
24 changes: 15 additions & 9 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

33 changes: 33 additions & 0 deletions docs/examples.md
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,39 @@ jobs:
comment-summary-in-pr: always
```

## Getting the results of the action in a later step

Using the `comment-content` output you can get the results of the action in a workflow step.

```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
id: review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
- name: 'Report'
if: always() # make sure this step runs even if the previous failed
shell: bash
env:
comment: ${{ steps.review.outputs.comment-content }}
run: |
echo "$comment" # do something with the comment
```

## Exclude dependencies from the license check

Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
Expand Down
20 changes: 18 additions & 2 deletions src/comment-pr.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {ConfigurationOptions} from './schemas'

const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
Expand All @@ -12,15 +13,30 @@ const octo = new retryingOctokit(
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'

export async function commentPr(summary: typeof core.summary): Promise<void> {
export async function commentPr(
summary: typeof core.summary,
config: ConfigurationOptions
): Promise<void> {
const commentContent = summary.stringify()

core.setOutput('comment-content', commentContent)

if (
config.comment_summary_in_pr !== 'always' &&
config.comment_summary_in_pr === 'on-failure' &&
process.exitCode !== core.ExitCode.Failure
) {
return
}

if (!github.context.payload.pull_request) {
core.warning(
'Not in the context of a pull request. Skipping comment creation.'
)
return
}

const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`

try {
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
Expand Down
7 changes: 5 additions & 2 deletions src/git-refs.ts
Original file line number Diff line number Diff line change
Expand Up @@ -21,16 +21,19 @@ export function getRefs(
if (!base_ref && !head_ref) {
throw new Error(
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
'config options, or by running a `pull_request`/`pull_request_target` workflow.'
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
)
} else if (!base_ref) {
throw new Error(
'A base ref must be provided, either via the `base_ref` config option, ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
'`base-ref` workflow action option, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
)
} else if (!head_ref) {
throw new Error(
'A head ref must be provided, either via the `head_ref` config option, ' +
'`head-ref` workflow action option, or by running a ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
)
}
Expand Down
8 changes: 1 addition & 7 deletions src/main.ts
Original file line number Diff line number Diff line change
Expand Up @@ -144,13 +144,7 @@ async function run(): Promise<void> {

summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
}
await commentPr(core.summary, config)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
Expand Down

0 comments on commit cb180bf

Please sign in to comment.