From 4c0a483c95750b188c99bc57987d5132448d0722 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 23 May 2024 10:22:01 +0200 Subject: [PATCH 01/12] Update README.md --- README.md | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 9ae9f91ca..37a36dd46 100644 --- a/README.md +++ b/README.md 
@@ -1,17 +1,32 @@ # dependency-review-action -This action scans your pull requests for dependency changes, and will -raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch. +- [Overview](#overview) +- [Installation](#installation) +- [Configuration](#configuration) -The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed. +- [Outputs](#outputs) +- [Getting help](#getting-help) +- [Contributing](#contributing) +- [License](#license) -You can see the results on the job logs: +## Overview -GitHub workflow run log showing Dependency Review job output +The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced. +The action is supported by an [API endpoint](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28) that diffs the dependencies between any two revisions on your default branch. -or on the job summary: +When the action runs, you can see the results on: -GitHub job summary showing Dependency Review output +- The **job logs**, found .... + + GitHub workflow run log showing Dependency Review job output + +- The **job summary**, found .... + + GitHub job summary showing Dependency Review output + +The action is available for: +- Public repositories +- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license. ## Installation From 258a2295c66bd9f3e899287ebb7d4f71f95a6c26 Mon Sep 17 00:00:00 2001 
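Review bot: the new table-of-contents entry `- [Configuration](#configuration)` points at a heading that does not exist in this revision; the section is still `## Configuration options` (anchor `#configuration-options`), so either rename the heading in the same commit or link to `#configuration-options` so the TOC does not ship with a dead link. The two bullets `- The **job logs**, found ....` and `- The **job summary**, found ....` are unfinished placeholders and should be completed (or left out of this commit) before merge.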
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 23 May 2024 09:37:47 +0000 Subject: [PATCH 02/12] installation section --- README.md | 96 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 51 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 37a36dd46..ec33ffda4 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,10 @@ The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28) that diffs the dependencies between any two revisions on your default branch. +The action is available for: +- Public repositories +- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license. + When the action runs, you can see the results on: - The **job logs**, found .... 
@@ -24,58 +28,60 @@ When the action runs, you can see the results on: GitHub job summary showing Dependency Review output -The action is available for: -- Public repositories -- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license. ## Installation -**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.** - -1. Add a new YAML workflow to your `.github/workflows` folder: +- [Installation (standard)](#installation) +- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server) -```yaml -name: 'Dependency Review' -on: [pull_request] +#### Installation (standard) -permissions: - contents: read +You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license. -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: 'Checkout Repository' - uses: actions/checkout@v4 - - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 -``` - -### GitHub Enterprise Server - -Make sure -[GitHub Advanced -Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) -and [GitHub -Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) -are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server. 
- -You can use the same workflow as above, replacing the `runs-on` value -with the label of any of your runners (the default label -is `self-hosted`): - -```yaml -# ... +1. Add a new YAML workflow to your `.github/workflows` folder: -jobs: - dependency-review: - runs-on: self-hosted - steps: - - name: 'Checkout Repository' - uses: actions/checkout@v4 - - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 -``` + ```yaml + name: 'Dependency Review' + on: [pull_request] + + permissions: + contents: read + + jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4 + ``` + +#### Installation (GitHub Enterprise Server) + +You can install the action on repositories on GitHub Enterprise Server. + +1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@3.12/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@3.12/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise. +2. Ensure you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server. +3. Add a new YAML workflow to your `.github/workflows` folder: + + ``` yaml + name: 'Dependency Review' + on: [pull_request] + + permissions: + contents: read + + jobs: + dependency-review: + runs-on: self-hosted + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4 + ``` +5. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.) ## Configuration options 
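Review bot: in the Installation hunk, the sub-list entry `- [Installation (standard)](#installation)` resolves to the `## Installation` heading itself, not to the `#### Installation (standard)` subsection (GitHub derives that anchor as `#installation-standard`), so the link should be `(#installation-standard)`. The GHES steps are numbered `1.`, `2.`, `3.`, `5.` with no step 4; renumber or merge step 5 into step 3, since the `runs-on: self-hosted` line it refers to is in that block. Two smaller consistency points: the subsections use `####` directly under a `##` heading, skipping `###`, which flattens the rendered outline, and the GHES fence is written ```` ``` yaml ```` with a space while the standard block uses ```` ```yaml ````.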
From 9eb0dccbc965d5e9835d7e87c4b254dac2c4e8e0 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 23 May 2024 10:03:57 +0000 Subject: [PATCH 03/12] editing configuration and remaining sections --- README.md | 150 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 91 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index ec33ffda4..6a840b5df 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ - [Overview](#overview) - [Installation](#installation) - [Configuration](#configuration) - +- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged) - [Outputs](#outputs) - [Getting help](#getting-help) - [Contributing](#contributing) @@ -83,9 +83,16 @@ You can install the action on repositories on GitHub Enterprise Server. ``` 5. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.) -## Configuration options +## Configuration + +- [Configuration options](#configuration-options) +- [Configuration methods](#configuration-methods) + +### Configuration options -Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional. +There are various configuration options you can use to customize the dependency review action. + +All configuration options are optional. | Option | Usage | Possible values | Default value | | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- | 
@@ -107,81 +114,106 @@ Configure this action by either inlining these options in your workflow file, or | `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` | | `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 | -\*not supported for use with GitHub Enterprise Server - -+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail. +> [!NOTE] +> - \* Not supported for use with GitHub Enterprise Server. (Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information.) +> - \+ When `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail. +> - The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both. +> - We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**. -### Inline Configuration +### Configuration methods -You can pass options to the Dependency Review GitHub Action using your workflow file. +To specify settings for the dependency review action, you can choose from two options: +- [Option 1: Inline the configuration options]() in your workflow file. +- [Option 2: Reference an external configuration file]() in your workflow file. 
-#### Example +#### Option 1: Using inline configuration -```yaml -name: 'Dependency Review' -on: [pull_request] -permissions: - contents: read -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: 'Checkout Repository' - uses: actions/checkout@v4 - - name: Dependency Review - uses: actions/dependency-review-action@v4 - with: - fail-on-severity: moderate +You can pass configuration options to the dependency review action using your workflow file. - # Use comma-separated names to pass list arguments: - deny-licenses: LGPL-2.0, BSD-2-Clause -``` +1. In the same YAML workflow file you created during installation, use the `with:` key to specify your chosen settings: + ```yaml + name: 'Dependency Review' + on: [pull_request] + permissions: + contents: read + jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4 + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + fail-on-severity: moderate -### Configuration File + # Use comma-separated names to pass list arguments: + deny-licenses: LGPL-2.0, BSD-2-Clause + ``` -You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification. +#### Option 2: Using an external configuration file -| Option | Usage | Possible values | -| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -| `config-file` | A path to a file in the current repository or an external repository. 
Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml`
**External repo**: `github/octorepo/dependency-review-config.yml@main` | -| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. | +You can use an external configuration file to specify settings for this action. The file can be a local file or a file in an external repository. -#### Example +1. In the same YAML workflow file you created during installation, use `config-file` to specify that you are using an external configuration file. -Start by specifying that you will be using an external configuration file: + ```yaml + name: 'Dependency Review' + on: [pull_request] + permissions: + contents: read + jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4 + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + config-file: './.github/dependency-review-config.yml' + ``` + | Option | Usage | Possible values | + |--------------------- | ----------- | ----------------------------- | + | `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml`
**External repo**: `github/octorepo/dependency-review-config.yml@main` | +2. Optionally, if the file resides in a private external repository, and for all GitHub Enterprise Server repositories, use `external-repo-token` to specify a token for fetching the file. -```yaml -- name: Dependency Review - uses: actions/dependency-review-action@v4 - with: - config-file: './.github/dependency-review-config.yml' -``` + ```yaml + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + config-file: 'github/octorepo/dependency-review-config.yml@main' + external-repo-token: 'ghp_123456789abcde' + ``` -And then create the file in the path you just specified. Please note -that the **option names in external files use underscores instead of dashes**: + | Option | Usage | Possible values | + |--------------------- | ----------- | ----------------------------- | + | `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. | +3. Create the configuration file in the path you specified for `config-file`. +4. In the configuration file, specify your chosen settings. + ```yaml + fail_on_severity: 'critical' + allow_licenses: + - 'GPL-3.0' + - 'BSD-3-Clause' + - 'MIT' + ``` +> [!NOTE] +> For external configuration files, the option names use underscores instead of dashes. +> Example: `fail_on_severity` -```yaml -fail_on_severity: 'critical' -allow_licenses: - - 'GPL-3.0' - - 'BSD-3-Clause' - - 'MIT' -``` +#### Further example configurations For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page. 
-### Considerations - -- Checking for licenses is not supported on Enterprise Server as the API does not return license information. -- The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both. -- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**. - -## Blocking pull requests +## Using dependency review action to block a pull request from being merged -The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging). +You can configure your repository to block a pull request from being merged if the pull request fails the dependency review action check. To do this, the repository owner must configure branch protection settings that require the check to pass before merging. For more information, see "[Require status checks before merging](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)" in GitHub Docs documentation. ## Outputs +[Insert overview line here - what does output refer to? What / how it is used?] + - `comment-content` is generated with the same content as would be present in a Dependency Review Action comment. - `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration: - `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format. 
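Review bot: the `external-repo-token` example in step 2 hard-codes a token literal, `external-repo-token: 'ghp_123456789abcde'`; even as a placeholder it shows readers a credential committed into a workflow file, which is the pattern the `read`-only token requirement exists to avoid. Suggest referencing a repository secret instead, for example `external-repo-token: ${{ secrets.DEPENDENCY_REVIEW_TOKEN }}` (secret name illustrative), and saying in the table that the token should be stored as a secret and scoped to read access on the repository hosting the config file. The two method links `[Option 1: Inline the configuration options]()` and `[Option 2: Reference an external configuration file]()` have empty targets; point them at `#option-1-using-inline-configuration` and `#option-2-using-an-external-configuration-file`, which are the anchors GitHub generates for the new headings. The Outputs section also still carries the `[Insert overview line here ...]` placeholder.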
@@ -191,7 +223,7 @@ The Dependency Review GitHub Action check will only block a pull request from be > [!NOTE] > Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions). -> [!IMPORTANT] +> [!NOTE] > If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example: > > ```yaml From f38966fbec3981afd884ececf78ff29add418611 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 23 May 2024 10:26:42 +0000 Subject: [PATCH 04/12] updating overview --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6a840b5df..7fe9743d6 100644 --- a/README.md +++ b/README.md @@ -18,17 +18,19 @@ The action is available for: - Public repositories - Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license. -When the action runs, you can see the results on: +### Viewing the results -- The **job logs**, found .... +When the action runs, you can see the results on: - GitHub workflow run log showing Dependency Review job output +- The **job logs** page. + - Go to the **Actions** tab for the repository and select the relevant workflow run. Then under "Jobs", click **dependency review**. -- The **job summary**, found .... + GitHub workflow run log showing Dependency Review job output +- The **job summary** page. + - Go to the **Actions** tab for the repository and select the relevant workflow run. Click **Summary**, then scroll to "dependency-review summary". GitHub job summary showing Dependency Review output - ## Installation - [Installation (standard)](#installation) 
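Review bot: changing the Outputs callout from `> [!IMPORTANT]` to `> [!NOTE]` lowers the visibility of a caveat that is about correctness and safety rather than a tip: interpolating `${{ steps.review.outputs.vulnerable-changes }}` straight into a `run:` script places content derived from the pull request's dependency changes into the shell script body, which is why the text tells readers to pass it through an environment variable such as `VULNERABLE_CHANGES` first. Keep `[!IMPORTANT]` for this paragraph, or, if the two callouts are being merged, merge them under the stronger level.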
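Review bot: in the "Viewing the results" hunk, `Then under "Jobs", click **dependency review**` does not match the job id the installation examples define, `dependency-review`, which is the label the Actions UI shows for that job; use the same spelling so readers can find it. Each `- The **job logs** page.` / `- The **job summary** page.` item is followed by a single `- Go to ...` sub-bullet that actually contains two sequential actions; a numbered sub-list reads better for a sequence, with the image line kept indented under the item it illustrates.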
From d3670a3e49034f02ae435439550fdff5ab21e757 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 23 May 2024 10:38:06 +0000 Subject: [PATCH 05/12] updating GHES links --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7fe9743d6..4df28ce72 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ You can install the action on any public repository, or any organization-owned p You can install the action on repositories on GitHub Enterprise Server. -1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@3.12/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@3.12/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise. +1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@latest/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise. 2. Ensure you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server. 3. Add a new YAML workflow to your `.github/workflows` folder: From d5b8317942fd4a455922f760d1f8fa21dbefdb37 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Fri, 24 May 2024 07:35:18 +0000 Subject: [PATCH 06/12] edits --- README.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) 
diff --git a/README.md b/README.md index 4df28ce72..6344d71d4 100644 --- a/README.md +++ b/README.md @@ -23,13 +23,16 @@ The action is available for: When the action runs, you can see the results on: - The **job logs** page. - - Go to the **Actions** tab for the repository and select the relevant workflow run. Then under "Jobs", click **dependency review**. + 1. Go to the **Actions** tab for the repository and select the relevant workflow run. + 1. Then under "Jobs", click **dependency review**. - GitHub workflow run log showing Dependency Review job output + GitHub workflow run log showing Dependency Review job output - The **job summary** page. - - Go to the **Actions** tab for the repository and select the relevant workflow run. Click **Summary**, then scroll to "dependency-review summary". - GitHub job summary showing Dependency Review output + 1. Go to the **Actions** tab for the repository and select the relevant workflow run. + 1. Click **Summary**, then scroll to "dependency-review summary". + + GitHub job summary showing Dependency Review output ## Installation @@ -92,7 +95,7 @@ You can install the action on repositories on GitHub Enterprise Server. ### Configuration options -There are various configuration options you can use to customize the dependency review action. +There are various configuration options you can use to specify settings for the dependency review action. All configuration options are optional. 
@@ -204,9 +207,10 @@ You can use an external configuration file to specify settings for this action. > For external configuration files, the option names use underscores instead of dashes. > Example: `fail_on_severity` -#### Further example configurations +#### Further information -For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page. +- For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page. +- For general information about dependency review on GitHub, see "[About dependency review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" in the GitHub Docs documentation. ## Using dependency review action to block a pull request from being merged @@ -214,7 +218,7 @@ You can configure your repository to block a pull request from being merged if t ## Outputs -[Insert overview line here - what does output refer to? What / how it is used?] +[TODO: Insert overview line here - what does output refer to? What / how it is used?] - `comment-content` is generated with the same content as would be present in a Dependency Review Action comment. - `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration: From 9770b8da2c5c21d60475918f7011aba0f91fea34 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 27 May 2024 09:13:46 +0200 Subject: [PATCH 07/12] Update README.md Co-authored-by: Jon Janego --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6344d71d4..ae7b78e5f 100644 --- a/README.md +++ b/README.md 
@@ -218,7 +218,7 @@ You can configure your repository to block a pull request from being merged if t ## Outputs -[TODO: Insert overview line here - what does output refer to? What / how it is used?] +Dependency review action can create [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs), so that data from its execution can be used by other jobs in a workflow. - `comment-content` is generated with the same content as would be present in a Dependency Review Action comment. - `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration: From 2d3c93c0e07e8602f6dbd567d31e468bd13dd8ec Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 27 May 2024 09:14:01 +0200 Subject: [PATCH 08/12] Update README.md Co-authored-by: Jon Janego --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ae7b78e5f..782a14842 100644 --- a/README.md +++ b/README.md @@ -222,7 +222,7 @@ Dependency review action can create [outputs](https://docs.github.com/en/actions - `comment-content` is generated with the same content as would be present in a Dependency Review Action comment. - `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration: -- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format. + - `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format. - `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format. - `denied-changes` holds information about denied dependency changes in a JSON format. From 3fe3159bb96095b192bcd99577c5636f07739184 Mon Sep 17 00:00:00 2001 
From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Mon, 27 May 2024 09:15:58 +0200 Subject: [PATCH 09/12] Indenting to match `vulnerable-changes` --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 782a14842..1115f4c57 100644 --- a/README.md +++ b/README.md @@ -223,8 +223,8 @@ Dependency review action can create [outputs](https://docs.github.com/en/actions - `comment-content` is generated with the same content as would be present in a Dependency Review Action comment. - `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration: - `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format. -- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format. -- `denied-changes` holds information about denied dependency changes in a JSON format. + - `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format. + - `denied-changes` holds information about denied dependency changes in a JSON format. > [!NOTE] > Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions). From 5751523f41073f72da7a1c70e16a2bb910fbd73c Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Wed, 29 May 2024 13:21:44 -0500 Subject: [PATCH 10/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1115f4c57..f0a177dd7 100644 --- a/README.md +++ b/README.md 
@@ -123,7 +123,7 @@ All configuration options are optional. > - \* Not supported for use with GitHub Enterprise Server. (Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information.) > - \+ When `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail. > - The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both. -> - We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**. +> - If we can't detect the license for a dependency **we will inform you, but the action won't fail**. ### Configuration methods From c601a5a741792672faae3cf88b8a10b0c43afdd0 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 30 May 2024 11:02:59 +0000 Subject: [PATCH 11/12] combining Output notes --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f0a177dd7..590cdd6bc 100644 --- a/README.md +++ b/README.md 
@@ -227,9 +227,8 @@ Dependency review action can create [outputs](https://docs.github.com/en/actions - `denied-changes` holds information about denied dependency changes in a JSON format. > [!NOTE] -> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions). - -> [!NOTE] +> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions). +> > If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example: > > ```yaml From 87b53ae475f56342bd6314b323cef6f21c1831c1 Mon Sep 17 00:00:00 2001 From: Anne-Marie <102995847+am-stead@users.noreply.github.com> Date: Thu, 30 May 2024 11:10:36 +0000 Subject: [PATCH 12/12] add line break --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 590cdd6bc..0cf37b42d 100644 --- a/README.md +++ b/README.md @@ -238,7 +238,8 @@ Dependency review action can create [outputs](https://docs.github.com/en/actions > echo "$VULNERABLE_CHANGES" | jq > ``` > -> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`. See [examples](docs/examples.md) for more. +> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`. +> See [examples](docs/examples.md) for more. ## Getting help