name: 'Fetch Metadata from Dependabot PRs'
description: 'Extract information from about the dependency being updated by a Dependabot-generated PR'
branding:
  icon: 'search'
  color: 'blue'
inputs:
  alert-lookup:
    type: boolean
    description: 'If true, then populate the `alert-state`, `ghsa-id` and `cvss` outputs'
  compat-lookup:
    type: boolean
    description: 'If true, then populate the `compatibility-score` output'
  github-token:
    description: 'The GITHUB_TOKEN secret'
    default: ${{ github.token }}
  skip-commit-verification:
    type: boolean
    description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as `true` in GHES environments'
    default: false
  skip-verification:
    type: boolean
    description: 'If true, the action will not validate the user or the commit verification status'
    default: false
outputs:
  dependency-names:
    description: 'A comma-separated list of all package names updated.'
  dependency-type:
    description: 'The type of dependency has determined this PR to be, e.g. "direct:production".'
  update-type:
    description: 'The highest semver change being made by this PR, e.g. "version-update:semver-major"'
  updated-dependencies-json:
    description: 'A JSON string containing the full information about each updated Dependency.'
  directory:
    description: 'The `directory` configuration that was used by dependabot for this updated Dependency.'
  package-ecosystem:
    description: 'The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.'
  target-branch:
    description: 'The `target-branch` configuration that was used by dependabot for this updated Dependency.'
  previous-version:
    description: 'The version that this PR updates the dependency from.'
  new-version:
    description: 'The version that this PR updates the dependency to.'
  alert-state:
    description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
  ghsa-id:
    description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
  cvss:
    description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
  compatibility-score:
    description: 'If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).'
  maintainer-changes:
    description: 'Whether or not the the body of this PR contains the phrase "Maintainer changes" which is an indicator of whether or not any maintainers have changed.'
  dependency-group:
    description: 'The dependency group that the PR is associated with (otherwise it is an empty string).'
runs:
  using: 'node20'
  main: 'dist/index.js'