
Consider combining this action with dependabot/fetch-metadata to support multi-dependency updates #209

Open
AlCalzone opened this issue Mar 7, 2023 · 3 comments

Comments

@AlCalzone
Contributor

I've noticed that this action fails when Dependabot creates a single PR for multiple updates. It is possible though to combine this with a helper-action from Dependabot to fetch the update metadata in a standardized format, making a lot of parsing here unnecessary:

```yaml
# ...
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: ${{ secrets.PAT }} # This must be a personal access token to fetch if a PR closes a security issue
```

The result can then be passed to this action:

```yaml
# ...
        env:
          updatedDependenciesJson: ${{ steps.dependabot-metadata.outputs.updated-dependencies-json }}
```

which can then be parsed using JSON.parse and contains something like this:

```js
[
  {
    dependencyName: 'prettier',
    dependencyType: 'direct:development',
    updateType: 'version-update:semver-patch',
    directory: '/prettier-and-types',
    packageEcosystem: 'npm_and_yarn',
    targetBranch: 'master',
    prevVersion: '',
    newVersion: '',
    compatScore: 0,
    alertState: '',
    ghsaId: '',
    cvss: 0
  },
  {
    dependencyName: '@types/prettier',
    dependencyType: 'direct:development',
    updateType: 'version-update:semver-patch',
    directory: '/',
    packageEcosystem: 'npm_and_yarn',
    targetBranch: 'master',
    prevVersion: '',
    newVersion: '',
    compatScore: 0,
    alertState: '', // <-- THIS will be "OPEN" if there is an open security issue
    ghsaId: '',
    cvss: 0
  }
]
```
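One way a merge policy could consume that array, as an added example that is not the action's code or the commenter's: every dependency in a grouped PR has to pass the allowed semver level (an unknown `updateType` counts as a blocker, not as safe), and updates whose `alertState` is `OPEN` are reported separately. The allowed level, the `example-lib` entry and the sample JSON are constructed for illustration.

```javascript
// Added example, not the action's own code: evaluate a grouped Dependabot PR
// from the updated-dependencies-json output of dependabot/fetch-metadata.

// Semver levels as reported in the updateType field.
const LEVELS = {
  'version-update:semver-patch': 1,
  'version-update:semver-minor': 2,
  'version-update:semver-major': 3,
};

// Parse the JSON handed in through the updatedDependenciesJson env var.
function parseUpdatedDependencies(json) {
  const updates = JSON.parse(json);
  if (!Array.isArray(updates)) throw new Error('expected a JSON array of updates');
  return updates;
}

// A grouped PR is only eligible when EVERY update is within the allowed
// level; a missing or unrecognised updateType is treated as a blocker.
// Updates that close an open security alert are listed for reporting.
function evaluate(updates, maxLevel = 'version-update:semver-minor') {
  const max = LEVELS[maxLevel];
  const blockers = [];
  const securityFixes = [];
  for (const u of updates) {
    const level = LEVELS[u.updateType];
    if (level === undefined || level > max) {
      blockers.push(`${u.dependencyName} (${u.updateType || 'unknown update type'})`);
    }
    if (u.alertState === 'OPEN') securityFixes.push(u.dependencyName);
  }
  return { merge: blockers.length === 0, blockers, securityFixes };
}

// Constructed sample: a patch bump grouped with a major bump that closes an alert.
const SAMPLE_JSON = JSON.stringify([
  { dependencyName: 'prettier', updateType: 'version-update:semver-patch', alertState: '' },
  { dependencyName: 'example-lib', updateType: 'version-update:semver-major', alertState: 'OPEN' },
]);

console.log(evaluate(parseUpdatedDependencies(SAMPLE_JSON)));
```

The major bump blocks the whole group even though the other entry is a patch, which is the behaviour a single-dependency check would miss.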
@hendrickson-tyler

Would love to see this enhancement as well. This is made especially important by the grouped version updates feature that was just released as a public beta for Dependabot.

@ahmadnassri
Owner

This is the plan: a complete re-write to make it compatible with / dependent on dependabot/fetch-metadata.

@hendrickson-tyler

@ahmadnassri Apologies for tagging you, but I'm curious about how this re-write is going? I have a lot more of my Dependabot updates grouped these days, so this feature would definitely be appreciated. Thanks for all your work on this action!
