Comments (6)
@nedbat Hi, and thanks for the feedback. This feature was added so people could perform static runs with hardcoded values, so I have not seen it being used as part of pulls alone. What happens if you use the before and after values provided by the pull event?
from dependency-review-action.
Sorry, to be clear, the two lines I put in seem to work well. It compares master to the tip of the push, so it's checking what will happen when the branch is merged, unless I've misunderstood.
I guess I could also use ${{ github.event.base_ref }} and ${{ github.event.before }} to check what the push is actually changing.
In either case, a bit of doc in the readme about how to use the setting would remove some uncertainty.
@nedbat thanks, and apologies for the misunderstanding, I'm glad it was working! A rewrite of the README is in the works (it's too long atm), if you want to help out feel free to open a PR with an example for these options.
@febuiles Hi, I don't think I've got my settings right yet. On a pull request across forks, I got this result:
Run actions/dependency-review-action@v3
with:
base-ref: master
head-ref: xml_duplicate_fix
repo-token: ***
fail-on-severity: low
fail-on-scopes: runtime
Error: Bad Request
As above, I am using:
base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
head-ref: ${{ github.event.pull_request.head.ref || github.ref }}
I guess I need something to properly deal with forks?
This seems to have worked:
base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
@nedbat that's very interesting! The API for Dependency Review only supports changes against the default branch (usually master or main), which is why base has to be part of that branch.
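A complete workflow using the settings the thread converged on, added here as an illustration and not taken from the action's README or from any commenter: the default branch name (master), the v3 tag and the fail-on-* values come from the comments above; the trigger block, the job name and the permissions block are assumptions.

```yaml
name: Dependency review

# Assumption: run on both events so the fallbacks in the expressions below are exercised.
# On pull_request the base/head SHAs are used (works for forks, where the head branch
# name does not exist in the base repository); on push the defaults kick in and the
# action compares master with the pushed ref, which the maintainer notes must stay
# anchored on the default branch.
on: [push, pull_request]

permissions:
  contents: read   # assumption: read-only token is sufficient for the compare API

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v3
        with:
          # SHAs rather than branch names: a fork PR's head branch name is not
          # resolvable in this repository, which produced the "Bad Request" above.
          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
          # Values from the failing run in the thread; tighten or loosen as needed.
          fail-on-severity: low
          fail-on-scopes: runtime
```

If the default branch is main rather than master, change the 'master' fallback in base-ref accordingly.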