Expose dependency comment content #696
Changes from all commits
a569f6f
f1706f5
0034949
da507e6
47a0fcb
2876926
ad040f4
7911825
60c44a0
f9daaa3
81bba5e
d416fb5
0ca1f60
64f81cd
a87338a
26174d8
124fafe
c94f57b
@@ -1,21 +1,21 @@ | ||
# dependency-review-action | ||
|
||
This action scans your pull requests for dependency changes, and will | ||
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch. | ||
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch. | ||
|
||
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed. | ||
|
||
You can see the results on the job logs: | ||
|
||
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png"> | ||
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png"> | ||
|
||
or on the job summary: | ||
|
||
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png"> | ||
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f"> | ||
Added a new image, thanks for the feedback!
||
|
||
## Installation | ||
|
||
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.** | ||
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.** | ||
|
||
1. Add a new YAML workflow to your `.github/workflows` folder: | ||
|
||
|
@@ -38,11 +38,11 @@ jobs: | |
|
||
### GitHub Enterprise Server | ||
|
||
This action is available in Enterprise Server starting with version 3.6. Make sure | ||
Make sure | ||
[GitHub Advanced | ||
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) | ||
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) | ||
and [GitHub | ||
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) | ||
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) | ||
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server. | ||
|
||
You can use the same workflow as above, replacing the `runs-on` value | ||
|
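Review bot: dropping the sentence "This action is available in Enterprise Server starting with version 3.6." leaves the GitHub Enterprise Server section without any statement of the minimum server version, while the two documentation links are bumped from `enterprise-server@3.6` to `enterprise-server@3.8`. Suggest keeping a one-line minimum-version statement (for example "available starting with version 3.8", if that is what the link change is meant to convey) so administrators can tell whether their instance is supported before following the links.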
@@ -71,7 +71,7 @@ Configure this action by either inlining these options in your workflow file, or | |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` | | ||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none | | ||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none | | ||
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` | | ||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` | | ||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none | | ||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` | | ||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` | | ||
|
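Review bot: removing the `†` from `fail-on-scopes` changes its documented GitHub Enterprise Server support status, while `allow-licenses` and `deny-licenses` keep the `\*` (not supported on GHES) marker. That is fine if `fail-on-scopes` is now supported on the GHES versions this README targets, but the README should still say which version, since the `†` footnote that carried that information is removed in the next hunk and nothing in the row replaces it.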
@@ -86,8 +86,6 @@ Configure this action by either inlining these options in your workflow file, or | |
|
||
\*not supported for use with GitHub Enterprise Server | ||
|
||
†will be supported with GitHub Enterprise Server 3.8 | ||
|
||
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail. | ||
|
||
### Inline Configuration | ||
|
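Review bot: the `+` footnote marker on the unchanged context line `+when `warn-only` is set to `true`, ...` reads as an added diff line in any patch view; a marker that cannot be confused with diff syntax (for example `‡`, matching the existing `\*` and `†` style) would avoid that. The removal of the `†will be supported with GitHub Enterprise Server 3.8` footnote is consistent with dropping the `†` from `fail-on-scopes` in the options table.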
@@ -157,7 +155,11 @@ For more examples of how to use this action and its configuration options, see t | |
|
||
## Blocking pull requests | ||
|
||
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging). | ||
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging). | ||
|
||
## Outputs | ||
|
||
`comment-content` is generated with the same content as would be present in a Dependency Review Action comment. | ||
|
||
## Getting help | ||
|
||
|
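Review bot: the new `## Outputs` section states what `comment-content` contains but not how to consume it; the output is only reachable when the action step has an `id:` and a later step reads `steps.<id>.outputs.comment-content`, and a reader also wants to know what the output holds when the action finds no vulnerabilities or license violations. Suggest a short pointer to the "Getting the results of the action in a later step" example in the examples document referenced just above this hunk, plus a sentence covering the no-findings case.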
@@ -164,6 +164,39 @@ jobs: | |
comment-summary-in-pr: always | ||
``` | ||
|
||
## Getting the results of the action in a later step | ||
|
||
Using the `comment-content` output you can get the results of the action in a workflow step. | ||
|
||
```yaml | ||
name: 'Dependency Review' | ||
on: [pull_request] | ||
|
||
permissions: | ||
contents: read | ||
pull-requests: write | ||
This is necessary to get the nice comment output on the PRs.
Oh, my goal was to not have a comment. Can we instead include the setting to suppress the normal comment logic? Maybe the workflow author only wants to use a job summary
Sure, we can remove this permission if that's the case, happy to approve a PR.
||
|
||
jobs: | ||
dependency-review: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: 'Checkout Repository' | ||
uses: actions/checkout@v4 | ||
- name: 'Dependency Review' | ||
id: review | ||
uses: actions/dependency-review-action@v4 | ||
with: | ||
fail-on-severity: critical | ||
deny-licenses: LGPL-2.0, BSD-2-Clause | ||
- name: 'Report' | ||
if: always() # make sure this step runs even if the previous failed | ||
Had to add this to make sure this step was run regardless of the exit status of the previous one. When DR Action was run on a pull request and it failed it would stop execution (sample run here). I have validated this workflow here: future-funk/bookish-eureka#4. See the details for the
@jsoref Gonna run with this example for the release, if you know of a better way to get around the Action failures please let me know and I'll be happy to update the docs.
I think we want:
Fwiw, for my check-spelling action, because the github workflow/action api surface and docs are so frustrating/painful, I have an input:
From the description:
If the goal is for the job to fail and to generally yield output, then you want:
Thanks for the pointer. There is a
Fixed in 587ff57.
||
shell: bash | ||
env: | ||
comment: ${{ steps.review.outputs.comment-content }} | ||
run: | | ||
echo "$comment" # do something with the comment | ||
``` | ||
|
||
## Exclude dependencies from the license check | ||
|
||
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format. | ||
|
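Review bot: `permissions: pull-requests: write` is broader than this example needs; nothing in the workflow sets `comment-summary-in-pr` or otherwise writes to the pull request, and reading `steps.review.outputs.comment-content` in a later step needs no extra permission, so `contents: read` alone would follow least privilege (the thread above already agrees the permission can be dropped). Second, `if: always()` on the Report step also runs it when the job was cancelled; `if: ${{ !cancelled() }}` still runs after a failed review step without that side effect. Passing the output through `env: comment:` and expanding `"$comment"` in `run:`, rather than interpolating `${{ steps.review.outputs.comment-content }}` directly into the shell script, is the right pattern for content derived from dependency metadata and should stay. Lastly, `LGPL-2.0` in `deny-licenses` is a deprecated SPDX identifier; `LGPL-2.0-only` (or `LGPL-2.0-or-later`) is the current form.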
Changed this to point directly to the DR API.