resideo / actions Goto Github PK

It seems that Github Token is required even if user requests no github comment to be added.

This is not a huge issue in most cases, but still adds a bit complexity and makes it harder to run locally. Also the error message is not the clearest.

Error: Parameter token or opts.auth is required
| at Object.getAuthString (/run/act/actions/resideo-actions-twistlock@518f3232f66fc45b1d74ccec9dcfffe664df67ba/twistlock/dist/index.js:1:49929)
| at Object.getOctokitOptions (/run/act/actions/resideo-actions-twistlock@518f3232f66fc45b1d74ccec9dcfffe664df67ba/twistlock/dist/index.js:1:51407)
| at Object.getOctokit (/run/act/actions/resideo-actions-twistlock@518f3232f66fc45b1d74ccec9dcfffe664df67ba/twistlock/dist/index.js:1:49117)
| at /run/act/actions/resideo-actions-twistlock@518f3232f66fc45b1d74ccec9dcfffe664df67ba/twistlock/dist/index.js:21:394441
| at /run/act/actions/resideo-actions-twistlock@518f3232f66fc45b1d74ccec9dcfffe664df67ba/twistlock/dist/index.js:21:394882
| at Object. (/run/act/actions/resideo-actions-twistlock@518f3232f66fc45b1d74ccec9dcfffe664df67ba/twistlock/dist/index.js:21:394921)

It looks like it should be enough to make this initialization conditional in index.ts
const token = core.getInput("token") === "" ? process.env.GITHUB_TOKEN || "" : core.getInput("token"); const octokit = github.getOctokit(token);

Unless it's really used for something else than github comment, then of course it makes sense to keep it as it is.

Note from Warren

I'm creating this issue as I received a security alert, but it cannot auto-generate a PR. I've copied the details below.

Security Alert Info

1 minimist vulnerability found in yarn.lock

Remediation
Upgrade minimist to version 1.2.2 or later. For example:

minimist@^1.2.2:
version "1.2.2"
Always verify the validity and compatibility of suggestions with your codebase.

Details
GHSA-7fhm-mqm4-2wp7
moderate severity
Vulnerable versions: < 1.2.2
Patched version: 1.2.2

There are high severity security vulnerabilities in two of ESLints dependencies:

• acorn
• minimist

The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.

Identifiers:

CVE-2020-7598
SNYK-JS-ACORN-559469 (does not have a CVE identifier)

Motivation

Don't repeat ourselves with Services show details.

Approach

Will be solely a .demo test drive. This will be a component that can be added to related Show pages, such as Location, Account, and Device. *For this task data will be null

• Create src/components/Services/ServiceSummary.demo.tsx
• This will display the Service heading of Type as h2 then Alarm Reporting Number
• Update test/account-show-test.demo.ts to account for new display fields

https://github.com/resideo/zeus/runs/710458651?check_suite_focus=true

Running json_locator for: gateways/production/mirage/resolvers
122
Running json_locator for: gateways/production/mirage
123
Running json_locator for: gateways/production/miragegateways/production
124
Skipping gateways/production/miragegateways/production because the directory does not exist.

It looks like json_locator might be receiving a weirdly concatenated string?