Make new "get-alerts" functionality off by default
15
README.md
15
README.md
@@ -25,8 +25,17 @@ jobs:
|
||||
uses: dependabot/fetch-metadata@v1.1.1
|
||||
with:
|
||||
github-token: "${{ secrets.GITHUB_TOKEN }}"
|
||||
alert-lookup: true
|
||||
```
|
||||
|
||||
Supported inputs are:
|
||||
|
||||
- `github-token` (REQUIRED string)
|
||||
- The `GITHUB_TOKEN` secret
|
||||
- `alert-lookup` (boolean)
|
||||
- If `true`, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs.
|
||||
- Defaults to `false`
|
||||
|
||||
Subsequent actions will have access to the following outputs:
|
||||
|
||||
- `steps.dependabot-metadata.outputs.dependency-names`
|
||||
@@ -48,11 +57,11 @@ Subsequent actions will have access to the following outputs:
|
||||
- `steps.dependabot-metadata.outputs.new-version`
|
||||
- The version that this PR updates the dependency to.
|
||||
- `steps.dependabot-metadata.outputs.alert-state`
|
||||
- If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
|
||||
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
|
||||
- `steps.dependabot-metadata.outputs.ghsa-id`
|
||||
- If this PR is associated with a security alert, this contains the GHSA-ID of that alert.
|
||||
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
|
||||
- `steps.dependabot-metadata.outputs.cvss`
|
||||
- If this PR is associated with a security alert, this contains the CVSS value of that alert (otherwise it contains 0).
|
||||
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).
|
||||
|
||||
**Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains
|
||||
**only** Dependabot-created commits.
|
||||
|
||||
@@ -4,6 +4,9 @@ branding:
|
||||
icon: 'search'
|
||||
color: 'blue'
|
||||
inputs:
|
||||
alert-lookup:
|
||||
type: boolean
|
||||
description: 'If true, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs'
|
||||
github-token:
|
||||
description: 'The GITHUB_TOKEN secret'
|
||||
required: true
|
||||
@@ -27,11 +30,11 @@ outputs:
|
||||
new-version:
|
||||
description: 'The version that this PR updates the dependency to.'
|
||||
alert-state:
|
||||
description: 'If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
|
||||
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
|
||||
ghsa-id:
|
||||
description: 'If this PR is associated with a security alert, this contains the GHSA-ID of that alert.'
|
||||
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
|
||||
cvss:
|
||||
description: 'If this PR is associated with a security alert, this contains the CVSS value of that alert (otherwise it contains 0).'
|
||||
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
|
||||
runs:
|
||||
using: 'node12'
|
||||
main: 'dist/index.js'
|
||||
|
||||
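Review bot: `type: boolean` under the new `alert-lookup` input (hunk `@@ -4,6 +4,9 @@`) is not a key GitHub honours for action-level `inputs` as far as I can tell — `type` belongs to `workflow_dispatch` inputs — so the value still reaches the code as a plain string from `core.getInput`, where `false` is as truthy as `true`. I would replace that line with an explicit default, `default: 'false'`, so the metadata matches the "Defaults to `false`" statement in the README and consumers see the expected spelling. The description also carries a stray word ("then call populate"); "If true, populate the `alert-state`, `ghsa-id` and `cvss` outputs" reads cleanly.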
8
dist/index.js
generated
vendored
8
dist/index.js
generated
vendored
@@ -13457,6 +13457,7 @@ function parse(commitMessage, branchName, mainBranch, lookup) {
|
||||
return update_metadata_awaiter(this, void 0, void 0, function* () {
|
||||
const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>\d[^ ]*) to (?<to>\d[^ ]*)\.$/m);
|
||||
const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m);
|
||||
const lookupFn = lookup !== null && lookup !== void 0 ? lookup : (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }));
|
||||
if ((yamlFragment === null || yamlFragment === void 0 ? void 0 : yamlFragment.groups) && branchName.startsWith('dependabot')) {
|
||||
const data = yaml.parse(yamlFragment.groups.dependencies);
|
||||
// Since we are on the `dependabot` branch (9 letters), the 10th letter in the branch name is the delimiter
|
||||
@@ -13467,7 +13468,7 @@ function parse(commitMessage, branchName, mainBranch, lookup) {
|
||||
if (data['updated-dependencies']) {
|
||||
return yield Promise.all(data['updated-dependencies'].map((dependency, index) => update_metadata_awaiter(this, void 0, void 0, function* () {
|
||||
const dirname = `/${chunks.slice(2, -1 * (1 + (dependency['dependency-name'].match(/\//g) || []).length)).join(delim) || ''}`;
|
||||
return Object.assign({ dependencyName: dependency['dependency-name'], dependencyType: dependency['dependency-type'], updateType: dependency['update-type'], directory: dirname, packageEcosystem: chunks[1], targetBranch: mainBranch, prevVersion: index === 0 ? prev : '', newVersion: index === 0 ? next : '' }, yield lookup(dependency['dependency-name'], index === 0 ? prev : '', dirname));
|
||||
return Object.assign({ dependencyName: dependency['dependency-name'], dependencyType: dependency['dependency-type'], updateType: dependency['update-type'], directory: dirname, packageEcosystem: chunks[1], targetBranch: mainBranch, prevVersion: index === 0 ? prev : '', newVersion: index === 0 ? next : '' }, yield lookupFn(dependency['dependency-name'], index === 0 ? prev : '', dirname));
|
||||
})));
|
||||
}
|
||||
}
|
||||
@@ -13591,7 +13592,10 @@ function run() {
|
||||
// Validate the job
|
||||
const commitMessage = yield getMessage(githubClient, github.context);
|
||||
const branchNames = getBranchNames(github.context);
|
||||
const alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, github.context);
|
||||
let alertLookup;
|
||||
if (core.getInput('alert-lookup')) {
|
||||
alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, github.context);
|
||||
}
|
||||
if (commitMessage) {
|
||||
// Parse metadata
|
||||
core.info('Parsing Dependabot metadata');
|
||||
|
||||
@@ -129,8 +129,7 @@ test('it only returns information within the first fragment if there are multipl
|
||||
'\n' +
|
||||
'Signed-off-by: dependabot[bot] <support@github.com>'
|
||||
|
||||
const getAlert = async () => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
|
||||
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', getAlert)
|
||||
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', undefined)
|
||||
|
||||
expect(updatedDependencies).toHaveLength(1)
|
||||
|
||||
|
||||
@@ -21,9 +21,10 @@ export interface alertLookup {
|
||||
(dependencyName: string, dependencyVersion: string, directory: string): Promise<dependencyAlert>;
|
||||
}
|
||||
|
||||
export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup: alertLookup): Promise<Array<updatedDependency>> {
|
||||
export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup?: alertLookup): Promise<Array<updatedDependency>> {
|
||||
const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>\d[^ ]*) to (?<to>\d[^ ]*)\.$/m)
|
||||
const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)
|
||||
const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
|
||||
|
||||
if (yamlFragment?.groups && branchName.startsWith('dependabot')) {
|
||||
const data = YAML.parse(yamlFragment.groups.dependencies)
|
||||
@@ -46,7 +47,7 @@ export async function parse (commitMessage: string, branchName: string, mainBran
|
||||
targetBranch: mainBranch,
|
||||
prevVersion: index === 0 ? prev : '',
|
||||
newVersion: index === 0 ? next : '',
|
||||
...await lookup(dependency['dependency-name'], index === 0 ? prev : '', dirname)
|
||||
...await lookupFn(dependency['dependency-name'], index === 0 ? prev : '', dirname)
|
||||
}
|
||||
}))
|
||||
}
|
||||
|
||||
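Review bot: The fallback `lookupFn` fills `alertState: ''`, `ghsaId: ''` and `cvss: 0`, which are presumably the same values the real lookup reports when no alert exists, so a caller of `parse` cannot distinguish "lookup disabled" from "no alert found" — that matters for workflows that gate on `cvss`. This deserves a TSDoc comment on `parse` rather than a code change; something like `@param lookup - optional alert resolver; when omitted the alert fields are set to '' / 0, the same values as "no alert"`. The body of `parse`, including the `map` callback that the second hunk (`@@ -46,7 +47,7 @@`) sits inside, extends outside both hunks.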
@@ -51,9 +51,9 @@ async function check (args: any): Promise<void> {
|
||||
if (commitMessage) {
|
||||
console.log('This appears to be a valid Dependabot Pull Request.')
|
||||
const branchNames = getBranchNames(newContext)
|
||||
const alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, actionContext)
|
||||
const lookupFn = (name, version, directory) => getAlert(name, version, directory, githubClient, actionContext)
|
||||
|
||||
const updatedDependencies = await parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup)
|
||||
const updatedDependencies = await parse(commitMessage, branchNames.headName, branchNames.baseName, lookupFn)
|
||||
|
||||
if (updatedDependencies.length > 0) {
|
||||
console.log('Updated dependencies:')
|
||||
|
||||
@@ -78,7 +78,7 @@ test('it sets the updated dependency as an output for subsequent actions', async
|
||||
'Signed-off-by: dependabot[bot] <support@github.com>'
|
||||
const mockAlert = { alertState: 'FIXED', ghsaId: 'GSHA', cvss: 3.4 }
|
||||
|
||||
jest.spyOn(core, 'getInput').mockReturnValue('mock-token')
|
||||
jest.spyOn(core, 'getInput').mockImplementation(jest.fn((name) => { return name == 'github-token' ? 'mock-token' : '' }))
|
||||
jest.spyOn(util, 'getBranchNames').mockReturnValue({ headName: 'dependabot|nuget|feature1', baseName: 'main' })
|
||||
jest.spyOn(dependabotCommits, 'getMessage').mockImplementation(jest.fn(
|
||||
() => Promise.resolve(mockCommitMessage)
|
||||
@@ -106,9 +106,9 @@ test('it sets the updated dependency as an output for subsequent actions', async
|
||||
targetBranch: 'main',
|
||||
prevVersion: '4.0.1',
|
||||
newVersion: '4.2.2',
|
||||
alertState: 'FIXED',
|
||||
ghsaId: 'GSHA',
|
||||
cvss: 3.4
|
||||
alertState: '',
|
||||
ghsaId: '',
|
||||
cvss: 0
|
||||
}
|
||||
]
|
||||
)
|
||||
@@ -121,9 +121,9 @@ test('it sets the updated dependency as an output for subsequent actions', async
|
||||
expect(core.setOutput).toBeCalledWith('target-branch', 'main')
|
||||
expect(core.setOutput).toBeCalledWith('previous-version', '4.0.1')
|
||||
expect(core.setOutput).toBeCalledWith('new-version', '4.2.2')
|
||||
expect(core.setOutput).toBeCalledWith('alert-state', 'FIXED')
|
||||
expect(core.setOutput).toBeCalledWith('ghsa-id', 'GSHA')
|
||||
expect(core.setOutput).toBeCalledWith('cvss', 3.4)
|
||||
expect(core.setOutput).toBeCalledWith('alert-state', '')
|
||||
expect(core.setOutput).toBeCalledWith('ghsa-id', '')
|
||||
expect(core.setOutput).toBeCalledWith('cvss', 0)
|
||||
})
|
||||
|
||||
test('if there are multiple dependencies, it summarizes them', async () => {
|
||||
|
||||
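Review bot: With the `getInput` mock now returning `''` for `alert-lookup`, the changed expectations in hunks `@@ -106,9` and `@@ -121,9` only cover the disabled path, and nothing visible in this section exercises `run` with the input set, so a regression in the new `if (core.getInput('alert-lookup'))` branch would go unnoticed; `mockAlert` is still defined but, from what the hunk shows, no longer reaches any assertion. A second test whose mock returns `'true'` for that name and asserts `alert-state` is `'FIXED'` would restore the coverage this commit removes. Minor style point: the mock uses loose equality, `name === 'github-token'` is the idiomatic form. The test body starts outside the first hunk.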
@@ -24,7 +24,10 @@ export async function run (): Promise<void> {
|
||||
// Validate the job
|
||||
const commitMessage = await verifiedCommits.getMessage(githubClient, github.context)
|
||||
const branchNames = util.getBranchNames(github.context)
|
||||
const alertLookup = (name, version, directory) => verifiedCommits.getAlert(name, version, directory, githubClient, github.context)
|
||||
let alertLookup: updateMetadata.alertLookup | undefined
|
||||
if (core.getInput('alert-lookup')) {
|
||||
alertLookup = (name, version, directory) => verifiedCommits.getAlert(name, version, directory, githubClient, github.context)
|
||||
}
|
||||
|
||||
if (commitMessage) {
|
||||
// Parse metadata
|
||||
|
||||
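Review bot: `if (core.getInput('alert-lookup'))` treats any non-empty string as enabled, so a workflow that writes `alert-lookup: false` — the default the README documents — still turns the lookup on, because `getInput` returns the literal text `'false'`. Compare against the string explicitly, `if (core.getInput('alert-lookup') === 'true') {`, or use `core.getBooleanInput('alert-lookup')` if the `@actions/core` version in use provides it. The compiled copy in dist/index.js repeats the same check and should be regenerated after the fix. `run` starts and ends outside this hunk.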