dependabot/fetch-metadata
2
0
Fork 0
mirror of https://github.com/dependabot/fetch-metadata.git synced 2026-03-12 18:07:12 -04:00
Code Issues Packages Projects Releases Wiki Activity

disabling by default

Browse Source
This commit is contained in:
Michael Waddell
2022-02-21 19:36:02 -06:00
parent dd76591256
commit ba0ddd7fd8
4 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -26,6 +26,7 @@ jobs:
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
alert-lookup: true
compat-lookup: true
```
Supported inputs are:
@@ -33,7 +34,10 @@ Supported inputs are:
- `github-token` (REQUIRED string)
- The `GITHUB_TOKEN` secret
- `alert-lookup` (boolean)
- If `true`, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs.
- If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs.
- Defaults to `false`
- `compat-lookup` (boolean)
- If `true`, then populate the `compatibility-score` output.
- Defaults to `false`
Subsequent actions will have access to the following outputs:
@@ -56,14 +60,14 @@ Subsequent actions will have access to the following outputs:
- The version that this PR updates the dependency from.
- `steps.dependabot-metadata.outputs.new-version`
- The version that this PR updates the dependency to.
- `steps.dependabot-metadata.outputs.compatibility-score`
- The compatibility score of this update (if known, 0 otherwise)
- `steps.dependabot-metadata.outputs.alert-state`
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
- `steps.dependabot-metadata.outputs.ghsa-id`
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
- `steps.dependabot-metadata.outputs.cvss`
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).
- `steps.dependabot-metadata.outputs.compatibility-score`
- If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).
**Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains
**only** Dependabot-created commits.

9
action.yml
View File

@@ -6,7 +6,10 @@ branding:
inputs:
alert-lookup:
type: boolean
description: 'If true, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs'
description: 'If true, then populate the `alert-state`, `ghsa-id` and `cvss` outputs'
compat-lookup:
type: boolean
description: 'If true, then populate the `compatibility-score` output'
github-token:
description: 'The GITHUB_TOKEN secret'
required: true
@@ -29,14 +32,14 @@ outputs:
description: 'The version that this PR updates the dependency from.'
new-version:
description: 'The version that this PR updates the dependency to.'
compatibility-score:
description: 'The compatibility score of this update (if known, 0 otherwise)'
alert-state:
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
ghsa-id:
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
cvss:
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
compatibility-score:
description: 'If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).'
runs:
using: 'node12'
main: 'dist/index.js'

3
dist/index.js generated vendored
View File

@@ -9302,10 +9302,11 @@ function run() {
if (core.getInput('alert-lookup')) {
alertLookup = (name, version, directory) => verifiedCommits.getAlert(name, version, directory, githubClient, github.context);
}
const scoreLookup = core.getInput('compat-lookup') ? verifiedCommits.getCompatibility : undefined;
if (commitMessage) {
// Parse metadata
core.info('Parsing Dependabot metadata');
const updatedDependencies = yield updateMetadata.parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup, verifiedCommits.getCompatibility);
const updatedDependencies = yield updateMetadata.parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup, scoreLookup);
if (updatedDependencies.length > 0) {
output.set(updatedDependencies);
}

3
src/main.ts
View File

@@ -28,12 +28,13 @@ export async function run (): Promise<void> {
if (core.getInput('alert-lookup')) {
alertLookup = (name, version, directory) => verifiedCommits.getAlert(name, version, directory, githubClient, github.context)
}
const scoreLookup = core.getInput('compat-lookup') ? verifiedCommits.getCompatibility : undefined
if (commitMessage) {
// Parse metadata
core.info('Parsing Dependabot metadata')
const updatedDependencies = await updateMetadata.parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup, verifiedCommits.getCompatibility)
const updatedDependencies = await updateMetadata.parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup, scoreLookup)
if (updatedDependencies.length > 0) {
output.set(updatedDependencies)