Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
149 commits
Select commit Hold shift + click to select a range
70e1d26
Test deny list
claire153 Aug 13, 2025
9ca24b6
Add new package
claire153 Aug 13, 2025
6e2bbef
Add deprecation warning, fix lint issues
claire153 Aug 14, 2025
c1fa9df
Build
claire153 Aug 14, 2025
a92a9da
Add one more line break
claire153 Aug 14, 2025
7d16ba5
Add one more line break
claire153 Aug 14, 2025
3fb5c61
Add one more line break
claire153 Aug 14, 2025
6e80be3
Add one more line break
claire153 Aug 14, 2025
659a1e1
Update copy and styling
claire153 Aug 14, 2025
493bee0
Remove test package
claire153 Aug 14, 2025
7cf33ac
Remove test deny list
claire153 Aug 14, 2025
3eb6279
Re-add test package. Only show warning in summary if option is used. …
claire153 Aug 15, 2025
e85d57a
Remove test code
claire153 Aug 15, 2025
5558c35
Address discrepancy between docs and reality
ahpook Aug 16, 2025
77184c6
Fix tests
claire153 Aug 18, 2025
d8073c4
Merge pull request #958 from actions/claire153/deprecate-deny-lists
claire153 Aug 18, 2025
fac3d41
Bump the minor-updates group across 1 directory with 5 updates (#956)
dependabot[bot] Aug 18, 2025
1c73553
Merge pull request #960 from ahpook/ahpook/address-docs-dashes
dangoor Aug 18, 2025
bc41886
Cut 4.7.2 version release (#964)
claire153 Aug 18, 2025
74c8179
Bump brace-expansion
dependabot[bot] Aug 18, 2025
ef00a0a
add permissions to workflows
AshelyTC Aug 19, 2025
ab52490
remove ruby
AshelyTC Aug 19, 2025
bde0129
Merge pull request #966 from actions/ashelytc/add-permissions
AshelyTC Aug 20, 2025
8d420b8
Merge branch 'main' into dependabot/npm_and_yarn/multi-c22e25d29b
AshelyTC Aug 20, 2025
d38d1a4
Merge pull request #965 from actions/dependabot/npm_and_yarn/multi-c2…
AshelyTC Aug 20, 2025
fc5fd66
Claire153/fix spamming mentioned issue (#974)
claire153 Aug 26, 2025
595b5ae
Update package version (#975)
claire153 Aug 26, 2025
c6a7eb7
Extract ruby code
ljones140 Aug 28, 2025
85c8e53
Scan ruby
ljones140 Aug 28, 2025
e86e969
Update scripts/scan_pr_lib.rb
ljones140 Aug 28, 2025
6fad417
Merge pull request #978 from actions/ljones140/make-ruby-code-scannable
ljones140 Aug 29, 2025
e3fdf0f
This ensures large allow or deny lists don't create huge comments
jasperkamerling Jul 30, 2025
e0cedc5
feat: add large summary handling with artifact upload
MattMencel Apr 11, 2025
b472ec9
Add a quick regression test for the artefact summary
brrygrdn Sep 26, 2025
8151009
Merge pull request #986 from actions/brrygrdn/rc-4.7.4
brrygrdn Sep 26, 2025
eacde78
Update version
brrygrdn Sep 26, 2025
31c9f17
Merge pull request #987 from actions/rc-4.7.4
brrygrdn Sep 26, 2025
1688b74
Bump to a 4.8.0
brrygrdn Sep 26, 2025
56339e5
Merge pull request #988 from actions/brrygrdn/rc-4.8.0
brrygrdn Sep 26, 2025
2440f52
Bump actions/stale from 9.1.0 to 10.1.0
dependabot[bot] Oct 6, 2025
71365c7
(bug) Fix spamming link test in deprecation warning (again)
ahpook Oct 10, 2025
e63da9a
Merge pull request #1000 from actions/ahpook/deprecation-redux
ahpook Oct 10, 2025
4552948
Bump version for 4.8.1 release
ahpook Oct 10, 2025
40c09b7
Merge pull request #1001 from actions/ahpook/v4.8.1-release
ahpook Oct 10, 2025
0f943b2
Bump github/codeql-action from 3 to 4
dependabot[bot] Oct 13, 2025
3084754
Scope warning about private repositories
jsoref Apr 14, 2025
07b9157
Merge pull request #920 from jsoref/issue-919
ahpook Oct 17, 2025
4603a62
Make handleLargeSummary also update core.summary
gitulisca Oct 22, 2025
140b44b
Remove trailing whitespace from blank line
gitulisca Oct 22, 2025
99ce29f
Update README with allowed-dependencies-licenses example
danielhardej Oct 23, 2025
7a99011
Add dist files
gitulisca Oct 27, 2025
8e51299
Merge pull request #1007 from gitulisca/gitulisca/summary-size-limit
ljones140 Oct 27, 2025
3f464ea
Merge pull request #1009 from danielhardej/patch-1
dangoor Nov 4, 2025
622445f
Remove unused import
jsoref Nov 5, 2025
c4b82d3
Reword comment-summary-in-pr description
jsoref Nov 5, 2025
8fd9b22
link: the configuration
jsoref Apr 15, 2025
6b5a983
link: full list of configuration options
jsoref Apr 15, 2025
5f8348a
Add alt text for screen to create arelease
jsoref Nov 5, 2025
3660056
Add alt text for screen showing Release Action
jsoref Nov 5, 2025
4fa8b92
Add alt text for screen to create a PAT
jsoref Nov 5, 2025
752c046
spelling: github
jsoref Apr 15, 2025
b4849e7
spelling: lodash
jsoref Apr 15, 2025
5975520
spelling: statement
jsoref Apr 15, 2025
247f07b
spelling: summary
jsoref Apr 15, 2025
66054da
spelling: vuln
jsoref Apr 15, 2025
d456bae
spelling: vulnerabilities
jsoref Apr 15, 2025
355d25e
Merge pull request #921 from jsoref/spelling
dangoor Nov 5, 2025
75e65b4
Generate dist files on main branch
dangoor Nov 5, 2025
94004c3
Remove dist directory change blocking
dangoor Nov 5, 2025
4004cfa
Merge pull request #1012 from actions/dangoor/saner-workflows
dangoor Nov 6, 2025
9b42b7e
Remove bad token reference
dangoor Nov 6, 2025
f620fd1
Merge pull request #1013 from actions/dangoor/token-fix
dangoor Nov 6, 2025
28647f4
Fix PURL parsing by removing encodeURI
danielhardej Nov 7, 2025
5fd2f98
Bump @types/jest to version 29.5.14
danielhardej Nov 7, 2025
19f9360
Update package-lock.json
danielhardej Nov 7, 2025
ebabd31
Merge pull request #1008 from danielhardej/danielhardej-patch-20251023
dangoor Nov 7, 2025
70cb25e
4.8.2 release
dangoor Nov 10, 2025
49ffd9f
Update CONTRIBUTING to reflect the need to build
dangoor Nov 10, 2025
02930b2
Update CONTRIBUTING to reflect new guidelines
dangoor Nov 10, 2025
3c4e3dc
Merge pull request #1016 from actions/dra-release
dangoor Nov 10, 2025
289863a
GitHub Actions can't push to our protected main
dangoor Nov 10, 2025
125b995
Merge pull request #1017 from actions/remove-non-working-workflow
dangoor Nov 11, 2025
805c0b2
Bump actions/setup-node from 4 to 6
dependabot[bot] Nov 11, 2025
14edcb1
Bump js-yaml
dependabot[bot] Nov 17, 2025
1a02685
Merge pull request #995 from actions/dependabot/github_actions/action…
brrygrdn Nov 27, 2025
a2014a1
Merge pull request #1003 from actions/dependabot/github_actions/githu…
brrygrdn Nov 27, 2025
35ccfd2
Merge pull request #1005 from actions/dependabot/github_actions/actio…
brrygrdn Nov 27, 2025
1d60e0d
Bump actions/checkout from 4 to 6
dependabot[bot] Nov 27, 2025
ad048f7
Upgrade glob to a fixed version
brrygrdn Nov 27, 2025
20b998d
Merge pull request #1024 from actions/brrygrdn/update-glob
brrygrdn Nov 28, 2025
774d14b
Merge pull request #1020 from actions/dependabot/npm_and_yarn/multi-7…
brrygrdn Nov 28, 2025
d45151f
Addressing vulnerabilities
Ahmed3lmallah Jan 5, 2026
76bfce5
optimize import
Ahmed3lmallah Jan 5, 2026
98884d4
Merge pull request #1036 from actions/ae/vuln-fixes
Ahmed3lmallah Jan 6, 2026
2af9bac
Add patched version column to vulnerability summary with multi-range …
Copilot Feb 6, 2026
ee66ea1
Implement review fixes: semver library, scoping, case-insensitive mat…
Copilot Feb 8, 2026
539c79b
Implement review feedback: concurrency limiting, semver coercion, log…
Copilot Feb 9, 2026
a7c7f3b
Bump fast-xml-parser from 5.3.3 to 5.3.5
dependabot[bot] Feb 11, 2026
68e9887
Merge pull request #1050 from actions/dependabot/npm_and_yarn/fast-xm…
ljones140 Feb 17, 2026
2e1cf54
Properly truncate long summaries and catch errors
juxtin Feb 17, 2026
b379e2e
Bump fast-xml-parser from 5.3.5 to 5.3.6
dependabot[bot] Feb 18, 2026
a6c34d8
Address review feedback: deterministic tests, cached normalization, s…
Copilot Feb 18, 2026
f0033fc
Merge pull request #1053 from actions/dependabot/npm_and_yarn/fast-xm…
ahpook Feb 18, 2026
43f5f02
Merge pull request #1052 from actions/juxtin/fix-long-summaries
ahpook Feb 19, 2026
8b76656
Bump spdx-expression-parse in the spdx-licenses group across 1 directory
dependabot[bot] Feb 19, 2026
9284e0c
Merge pull request #931 from actions/dependabot/npm_and_yarn/spdx-lic…
ahpook Feb 19, 2026
58be343
Updating package versions for 4.8.3
ahpook Feb 19, 2026
0f22a01
Update CONTRIBUTING for new release process
ahpook Feb 19, 2026
3a8496c
Update generated package files for v4.8.3
ahpook Feb 19, 2026
2ced98c
Compare normalized purls to account for encoding quirks
juxtin Feb 20, 2026
05fe457
Merge pull request #1054 from actions/ahpook/release-4.8.3
ahpook Feb 20, 2026
f68b94a
Merge remote-tracking branch 'origin/main' into juxtin/fix-exclusion-…
juxtin Feb 20, 2026
b49f407
Merge pull request #1056 from actions/juxtin/fix-exclusion-match
juxtin Feb 20, 2026
8cf743c
Make purl comparisons case insensitive
juxtin Feb 20, 2026
dea54b4
Merge pull request #1057 from actions/juxtin/case-sensitivity
juxtin Feb 20, 2026
17d14c0
Bump actions/stale from 10.1.0 to 10.2.0
dependabot[bot] Feb 23, 2026
7863651
fix: only get scorecard levels if user wants to see the OpenSSF score…
jantiebot Feb 26, 2026
24398f0
chore: revert dist changes
jantiebot Feb 27, 2026
e404798
Merge upstream actions/dependency-review-action main
felickz Feb 27, 2026
aa60746
Add 'show-patched-versions' option to configuration and update summar…
felickz Feb 27, 2026
0e129e1
Prettier - Refactor summary table rendering for improved readability
felickz Feb 27, 2026
e8c2f9a
fix: remove inferrable type annotation to pass eslint
felickz Feb 27, 2026
5ecdc4b
Merge pull request #1045 from forks-felickz/main
ahpook Feb 27, 2026
57a3d46
Merge pull request #1060 from jantiebot/main
ahpook Feb 27, 2026
a632b83
Merge pull request #1058 from actions/dependabot/github_actions/actio…
ahpook Mar 2, 2026
4038a34
Merge pull request #1021 from actions/dependabot/github_actions/actio…
ahpook Mar 3, 2026
d02fa39
Updates for release 4.9.0
ahpook Mar 3, 2026
2031cfc
Merge pull request #1064 from actions/ahpook/release-4.9.0
ahpook Mar 3, 2026
cffae74
Add .github/copilot-instructions.md for Copilot coding agent
ahpook Mar 6, 2026
f51df6d
Updates from code review
ahpook Mar 6, 2026
f5b9717
Merge pull request #1067 from ahpook/ahpook/custom-instructions
ahpook Mar 6, 2026
15a4986
fix: patched version display for advisories with non-strict semver ra…
tspascoal Mar 23, 2026
ee2ff40
docs: bump actions/checkout from v4 to v6 in workflow examples
Marukome0743 Mar 24, 2026
c11bf07
Update Node.js runtime from 20 to 24
scottschreckengaust Apr 8, 2026
451707b
Bump spdx-license-ids from 3.0.20 to 3.0.23
mongolyy May 4, 2026
398653e
Merge pull request #1084 from scottschreckengaust/update-node-20-to-24
ahpook May 8, 2026
9ae8e67
Merge pull request #1091 from mongolyy/bump/spdx-license-ids-3.0.23
ahpook May 8, 2026
55d3e75
Merge pull request #1077 from Marukome0743/docs/checkout
ahpook May 8, 2026
05aaaae
run npm audit fix
AshelyTC May 8, 2026
821a21d
update more dependencies
AshelyTC May 8, 2026
b6b7079
update @typescript-eslint/parser to 8.40.0
AshelyTC May 8, 2026
a8e5a7e
Merge pull request #1076 from tspascoal/fix-version-matching-for-non-…
ahpook May 8, 2026
6d92a12
revert @typescript-eslint/parser update
AshelyTC May 8, 2026
454943c
Merge pull request #1094 from actions/ashelytc/security-findings
AshelyTC May 8, 2026
3943c2c
v5.0.0 release branch
ahpook May 8, 2026
eb6c199
update examples to show @v5
ahpook May 8, 2026
a1d282b
Merge pull request #1098 from actions/ahpook/v5-release
ahpook May 8, 2026
1489879
Merge upstream/main to resolve conflicts
niebloomj May 11, 2026
d6742e6
Add show_patched_versions to test mock; regenerate dist
niebloomj May 11, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
111 changes: 111 additions & 0 deletions .github/copilot-instructions.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
# Copilot Coding Agent Instructions

Trust these instructions. Only search the codebase if information here is incomplete or found to be in error.

## Repository Overview

**dependency-review-action** is a GitHub Action (TypeScript/Node.js 24) that scans pull requests for dependency changes, raising errors for vulnerabilities or invalid licenses. It queries the GitHub Dependency Review API, evaluates changes against configured rules, and produces job summaries and PR comments. The action entry point is `dist/index.js` (bundled via `ncc`). The repo is small (~15 source files, ~15 test files).

## Build & Validation Commands

For CI-parity installs and local validation, run `npm ci --ignore-scripts` before other commands. This is the install step used in CI; release workflows may follow different install instructions (see CONTRIBUTING).

| Task | Command | Notes |
| ------------ | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| Install | `npm ci --ignore-scripts` | ~45s. Use `--ignore-scripts` for CI-parity installs; release workflows may use `npm i` per CONTRIBUTING. |
| Build | `npm run build` | Compiles `src/*.ts` → `lib/*.js` via `tsc -p tsconfig.build.json`. ~5s. |
| Test | `npm test` | Runs Jest. ~8s. All tests should pass. |
| Lint | `npm run lint` | ESLint on `src/**/*.ts`. Ignore the TS version warning—it still passes. |
| Format check | `npm run format-check` | Prettier check on `**/*.ts`. |
| Format fix | `npm run format` | Auto-fix formatting with Prettier. |
| Package | `npm run package` | Bundles the action entrypoint (`package.json#main`) → `dist/index.js` via `ncc`. ~7s. Do NOT include `dist/` changes in non-release PRs. |
| All | `npm run all` | Runs: build → format → lint → package → test (in that order). |

### Validation Sequence After Making Changes

Always run these commands in this order to validate changes:

```sh
npm run build
npm run format-check
npm run lint
npm test
```

If format-check fails, run `npm run format` to auto-fix, then re-check.

### CI Checks (`.github/workflows/ci.yml`)

CI runs on PRs (excluding `**.md` changes) with Node 24:

1. **test** job: `npm ci --ignore-scripts` → `npm test`
2. **lint** job: `npm ci --ignore-scripts` → `npm run format-check` → `npm run lint`

Additional workflows: `dependency-review.yml` (self-test), `codeql.yml` (CodeQL analysis), `stale.yaml` (stale issues).

## Project Layout

```
src/ # TypeScript source (edit these files)
main.ts # Entry point — orchestrates the action (532 lines)
schemas.ts # Zod schemas & TypeScript types for all data structures
config.ts # Reads action inputs + external YAML config
dependency-graph.ts # GitHub API client for dependency diff
filter.ts # Filters changes by severity, scope, allowed advisories
licenses.ts # License validation against allow/deny lists
deny.ts # Package/group deny-listing logic
purl.ts # Package URL (PURL) parser
spdx.ts # SPDX license expression handling
scorecard.ts # OpenSSF Scorecard integration
summary.ts # Summary/report generation (736 lines, largest module)
comment-pr.ts # Posts/updates PR comments with results
git-refs.ts # Resolves base/head git refs from event payload
utils.ts # Shared utilities (Octokit client, grouping helpers)
lib/ # Compiled JS output (from `npm run build`). Gitignored.
dist/ # Bundled action (from `npm run package`). Committed but do NOT include changes in normal PRs - only pull requests which are creating new releases should have these files changed.
__tests__/ # Jest test files (*.test.ts)
test-helpers.ts # setInput()/clearInputs() helpers for test env vars
fixtures/ # YAML config samples and factory helpers
create-test-change.ts # Factory for mock Change objects
create-test-vulnerability.ts # Factory for mock vulnerability objects
scripts/ # Dev/debug utilities (scan_pr for manual testing, create_summary.ts for preview)
action.yml # Action metadata — inputs, outputs, and `runs.main: dist/index.js`
```

### Configuration Files

| File | Purpose |
| --------------------- | ---------------------------------------------------------------------------- |
| `tsconfig.json` | Base TypeScript config (ES6 target, CommonJS, strict mode) |
| `tsconfig.build.json` | Build config — extends base, includes only `src/`, outputs to `lib/` |
| `jest.config.js` | Jest config — uses `ts-jest`, matches `**/*.test.ts` |
| `.eslintrc.json` | ESLint — `plugin:github/recommended`, strict TS rules, no semicolons |
| `.prettierrc.json` | Prettier — no semis, single quotes, no bracket spacing, trailing comma: none |
| `.prettierignore` | Ignores `dist/`, `lib/`, `node_modules/` |

### Key TypeScript/Style Rules

- No semicolons (enforced by ESLint and Prettier)
- Single quotes, no trailing commas
- `@typescript-eslint/no-explicit-any: error` — never use `any`
- `@typescript-eslint/explicit-function-return-type: error` — all functions need return types (expressions exempt)
- Unused function parameters/args must be prefixed with `_` (e.g. `_unused`); unused variables should be removed
- Use Zod schemas (in `src/schemas.ts`) for all data validation and type definitions
- Config option defaults belong in Zod schemas, NOT in `action.yml`

### Testing Patterns

- Tests use Jest with `ts-jest` transform — no build step needed before running tests
- Use `__tests__/test-helpers.ts` `setInput(name, value)` to mock action inputs (sets `INPUT_*` env vars)
- Use `__tests__/fixtures/create-test-change.ts` and `create-test-vulnerability.ts` for test data factories
- Test files follow `__tests__/<module>.test.ts` naming convention
- Tests run directly against TypeScript source (not compiled JS)

### Important Notes

- The action runs on `node24` (declared in `action.yml`)
- Source imports often use relative `../src/` paths (e.g. `import {readConfig} from '../src/config'`)
- Adding a new action input requires changes in: `action.yml` (input definition), `src/schemas.ts` (Zod schema with default), `src/config.ts` (reading the input), and relevant source/test files
- `dist/index.js` is committed for GitHub Actions but PR contributors should NOT include `dist/` changes — maintainers handle rebuilding
- The `lib/` directory is gitignored
- Scorecard tests make real HTTP calls to `api.securityscorecards.dev` and `deps.dev`
54 changes: 0 additions & 54 deletions .github/workflows/check-dist.yml

This file was deleted.

15 changes: 9 additions & 6 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,17 @@ on:
paths-ignore:
- '**.md'

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 20
node-version: 24
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
Expand All @@ -27,10 +30,10 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: 20
node-version: 24
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,15 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript', 'actions' ]
language: [ 'javascript-typescript', 'actions', 'ruby' ]

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -38,11 +38,11 @@ jobs:
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
paths-ignore:
- dist/index.js
- dist/sourcemap-register.js

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Dependency Review
uses: ./
2 changes: 1 addition & 1 deletion .github/workflows/stale.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.1.0
- uses: actions/stale@v10.2.0
name: Clean up stale PRs and Issues
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
Expand Down
60 changes: 29 additions & 31 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,11 @@ If you'd like to make a contribution yourself, we ask that before significant ef

## Stalebot

We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.

## Development lifecycle

Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.

### High level overview of the action

Expand All @@ -50,10 +50,9 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,

#### Manually testing for vulnerabilities

We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):

<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">

The syntax of the script is:

Expand Down Expand Up @@ -87,8 +86,9 @@ _Note_: We don't have a very comprehensive test suite, so any contributions to t

1. Create a new branch: `git checkout -b my-branch-name`
2. Make your change, add tests, and make sure the tests still pass
3. Make sure to build and package before pushing: `npm run build && npm run package`
4. Push to your fork and [submit a pull request][pr]
3. Push to your fork and [submit a pull request][pr]

(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)

Here are a few things you can do that will increase the likelihood of your pull request being accepted:

Expand All @@ -105,40 +105,38 @@ Here are a few things you can do that will increase the likelihood of your pull

_Note: these instructions are for maintainers_

1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
1. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
- Create a local branch based on the `main` of the upstream repo.
- Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
- Update the dist files by running `npm run build` and `npm run package`
- Submit a PR based on your branch and have another maintainer review/approve it.
- Once merged, go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
- Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled

<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">

<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
- Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
- Use a version number for the release title (e.g. "1.2.3").

3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">

<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
- Add your release notes. If this is a major version make sure to include details about any breaking changes in the new version.
- Click "Publish Release".

5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
6. Click "Publish Release".
You now have a tag and release using the semver version you used above. The last remaining thing to do is to update the major version branch to match the current release. This allows users to adopt a major version number (e.g. `v4`) in their workflows while automatically getting all the minor/patch updates.

You now have a tag and release using the semver version you used
above. The last remaining thing to do is to move the dynamic version
identifier to match the current SHA. This allows users to adopt a
major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
As of v4.8.3, we use a **branch** (not a force-pushed tag) for the major version pointer. This is important because force-pushing tags breaks GitHub's auto-generated release changelog links (see [#1035](https://github.com/actions/dependency-review-action/issues/1035)) and violates git's (unenforced) expectation that tags are immutable.

To do this just checkout `main`, force-create a new annotated tag, and push it:
To update the major version branch:

```
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
git checkout main
git pull origin main
git branch -f v4 HEAD
git push origin v4
```
</details>

</details>

## Resources

Expand Down
Loading