Comments (6)
@nedbat Hi, and thanks for the feedback. This feature was added so people could perform static runs with hardcoded values, so I have not seen it being used as part of pulls alone. What happens if you use the `before` and `after` values provided by the `pull` event?
from dependency-review-action.
Sorry, to be clear, the two lines I put in seem to work well. It compares master to the tip of the push, so it's checking what will happen when the branch is merged, unless I've misunderstood.
I guess I could also use `${{ github.event.base_ref }}` and `${{ github.event.before }}` to check what the push is actually changing.
In either case, a bit of doc in the readme about how to use the setting would remove some uncertainty.
@nedbat thanks, and apologies for the misunderstanding, I'm glad it was working! A rewrite of the README is in the works (it's too long atm), if you want to help out feel free to open a PR with an example for these options.
@febuiles Hi, I don't think I've got my settings right yet. On a pull request across forks, I got this result:
Run actions/dependency-review-action@v3
with:
base-ref: master
head-ref: xml_duplicate_fix
repo-token: ***
fail-on-severity: low
fail-on-scopes: runtime
Error: Bad Request
As above, I am using:
base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
head-ref: ${{ github.event.pull_request.head.ref || github.ref }}
I guess I need something to properly deal with forks?
This seems to have worked:
base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
@nedbat that's very interesting! The API for Dependency Review only supports changes against the default branch (usually `master` or `main`), which is why `base` has to be part of that branch.
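A complete workflow built around the SHA-based `base-ref`/`head-ref` settings that worked in the comment above, together with the maintainer's note that the base must lie on the default branch. This is an added example, not code from the thread or from the action's own README; the `on:` triggers and the `permissions` block are assumptions, and the default branch is assumed to be master as in the thread.

```yaml
# Added example (not from the thread or the action's README): run
# dependency-review-action on pushes and on pull requests, including PRs
# opened from forks. Assumed: the default branch is "master".
name: dependency-review

on:
  push:          # compares master against the pushed branch tip
  pull_request:  # compares the PR base against the PR head

permissions:
  contents: read   # read access is enough to query the dependency graph

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      # Branch names do not resolve for a head branch that lives in a fork;
      # this is the configuration that produced "Error: Bad Request" above.
      # - uses: actions/dependency-review-action@v3
      #   with:
      #     base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
      #     head-ref: ${{ github.event.pull_request.head.ref || github.ref }}

      # Commit SHAs identify the two states regardless of which repository
      # the head branch is in. On a push there is no pull_request payload,
      # so the fallbacks compare master against the pushed ref; the base
      # stays on the default branch, which the API requires.
      - uses: actions/dependency-review-action@v3
        with:
          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
          fail-on-severity: low
          fail-on-scopes: runtime
```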