dependency-review-action/CONTRIBUTING.md

# Contributing

[fork]: https://github.com/actions/dependency-review-action/fork
[pr]: https://github.com/actions/dependency-review-action/compare
[code-of-conduct]: CODE_OF_CONDUCT.md

Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.

Contributions to this project are
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
to the public under the [project's open source license](LICENSE).

Please note that this project is released with a [Contributor Code of
Conduct][code-of-conduct]. By participating in this project you agree
to abide by its terms.

### How it works

This Action makes an authenticated query to the Dependency Graph Diff
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`,
where `basehead` has the form `<base>...<head>`) to obtain the set of
dependencies added and removed between the two commits, grouped by manifest
file. The same response carries the known vulnerabilities for each changed
dependency, which is what the Action reports on.
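As an added example (not the project's own code), here is a minimal JavaScript client for that endpoint and the reduction a review gate performs on its response: changes are grouped per manifest, advisories on *added* dependencies are collected, and a severity threshold in the spirit of the README's `fail-on-severity` option is applied. The response field names follow GitHub's REST API documentation; the `SAMPLE_DIFF` payload, the package names and the GHSA identifiers in it are constructed placeholders, and `fetchDependencyDiff` is defined but not executed because it needs a token and network access.

```javascript
// Added example (not the project's own code): a minimal client for the
// Dependency Graph Diff API and the reduction a review gate performs on its
// response. Field names follow the public REST API documentation; SAMPLE_DIFF
// is constructed for this example and its package names and GHSA ids are
// placeholders, not real advisories.

// Build the REST path. `basehead` is "<base>...<head>" (three dots); each side
// may be a branch, a tag or a commit SHA.
function buildComparePath(owner, repo, base, head) {
  return `/repos/${owner}/${repo}/dependency-graph/compare/${base}...${head}`;
}

// Authenticated query using the global fetch available in Node 18+. The token
// is the workflow's GITHUB_TOKEN or a PAT that can read the repository.
// Not called below: it needs network access and a real token.
async function fetchDependencyDiff(token, owner, repo, base, head) {
  const url = `https://api.github.com${buildComparePath(owner, repo, base, head)}`;
  const res = await fetch(url, {
    headers: {
      Accept: 'application/vnd.github+json',
      Authorization: `Bearer ${token}`,
      'X-GitHub-Api-Version': '2022-11-28',
    },
  });
  if (!res.ok) {
    throw new Error(`dependency-graph compare failed: HTTP ${res.status}`);
  }
  return res.json();
}

// Reduce the response to per-manifest added/removed sets and collect the
// advisories attached to *added* dependencies. Advisories on removed entries
// are deliberately ignored: a dependency leaving the tree is not a new risk.
function summarizeDiff(changes) {
  const byManifest = new Map();
  const findings = [];
  for (const change of changes) {
    if (!byManifest.has(change.manifest)) {
      byManifest.set(change.manifest, { added: [], removed: [] });
    }
    const bucket = byManifest.get(change.manifest);
    const id = `${change.ecosystem}:${change.name}@${change.version}`;
    if (change.change_type === 'added') {
      bucket.added.push(id);
      for (const vuln of change.vulnerabilities || []) {
        findings.push({
          manifest: change.manifest,
          dependency: id,
          severity: vuln.severity,
          advisory: vuln.advisory_ghsa_id,
        });
      }
    } else if (change.change_type === 'removed') {
      bucket.removed.push(id);
    }
    // Any other change_type is unknown and is skipped rather than guessed at.
  }
  return { byManifest, findings };
}

// Severity ordering used by GitHub advisories. The gate fails when any finding
// is at or above the configured level (cf. the README's fail-on-severity).
const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

function failsSeverityGate(findings, failOnSeverity) {
  const threshold = SEVERITY_RANK[failOnSeverity];
  if (threshold === undefined) {
    throw new Error(`unknown severity level: ${failOnSeverity}`);
  }
  return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold);
}

// Constructed sample payload in the shape the API returns (placeholders only).
const SAMPLE_DIFF = [
  { change_type: 'added', manifest: 'package.json', ecosystem: 'npm',
    name: 'sample-parser', version: '2.0.0',
    vulnerabilities: [{ severity: 'high', advisory_ghsa_id: 'GHSA-xxxx-xxxx-xxx1',
      advisory_summary: 'constructed sample advisory', advisory_url: 'https://github.com/advisories' }] },
  { change_type: 'added', manifest: 'package.json', ecosystem: 'npm',
    name: 'sample-logger', version: '1.4.2', vulnerabilities: [] },
  { change_type: 'removed', manifest: 'package.json', ecosystem: 'npm',
    name: 'sample-parser', version: '1.9.0',
    vulnerabilities: [{ severity: 'critical', advisory_ghsa_id: 'GHSA-xxxx-xxxx-xxx2',
      advisory_summary: 'constructed sample advisory', advisory_url: 'https://github.com/advisories' }] },
  { change_type: 'added', manifest: 'go.mod', ecosystem: 'go',
    name: 'example.com/sample/netlib', version: '0.3.1',
    vulnerabilities: [{ severity: 'moderate', advisory_ghsa_id: 'GHSA-xxxx-xxxx-xxx3',
      advisory_summary: 'constructed sample advisory', advisory_url: 'https://github.com/advisories' }] },
];

const summary = summarizeDiff(SAMPLE_DIFF);
for (const [manifest, sets] of summary.byManifest) {
  console.log(`${manifest}: +${sets.added.length} -${sets.removed.length}`);
}
console.log(`fails at "high": ${failsSeverityGate(summary.findings, 'high')}`);
```

Run it with Node 18 or newer. Note that the `critical` advisory on the removed `sample-parser@1.9.0` is not counted: only what the pull request adds can introduce new risk, so the gate at `high` trips on the added `sample-parser@2.0.0` and nothing else.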

### Bootstrapping the project

```sh
git clone https://github.com/actions/dependency-review-action.git
cd dependency-review-action
npm install
```

### Running the tests

```sh
npm run test
```

_Note_: We don't have any useful tests yet, contributions are welcome!

## Local Development

It is recommended to have at least [Node 18](https://nodejs.org/en/) installed.

We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need the `repo` scope for private repositories). Treat the token as a secret: pass it through the `GITHUB_TOKEN` environment variable rather than hard-coding it in the script, and revoke it when you are done.
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">

The syntax of the script is:

```sh
$ GITHUB_TOKEN=<token> ./scripts/scan_pr <pr_url>
```

Like this:

```sh
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
```

[Configuration options](README.md#configuration-options) can be set by
passing an external YAML [configuration file](README.md#configuration-file) to the
`scan_pr` script with the `-c`/`--config-file` option:

```sh
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
```

## Submitting a pull request

0. [Fork][fork] and clone the repository
1. Configure and install the dependencies: `npm install`
2. Make sure the tests pass on your machine: `npm run test`
3. Create a new branch: `git checkout -b my-branch-name`
4. Make your change, add tests, and make sure the tests still pass
5. Make sure to build and package before pushing: `npm run build && npm run package`
6. Push to your fork and [submit a pull request][pr]
7. Pat yourself on the back and wait for your pull request to be reviewed and merged.

Here are a few things you can do that will increase the likelihood of your pull request being accepted:

- Write tests.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).

## Cutting a new release

1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
2. Go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
3. Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled.

   <img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">

4. Click "Choose a tag" and then "Create new tag", where the tag name will be your version prefixed by a `v` (e.g. `v1.2.3`).
5. Use the version number for the release title (e.g. "1.2.3").

   <img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">

6. Add your release notes. If this is a major version, include a short description of the biggest changes in the new version.
7. Click "Publish Release".

You now have a tag and release using the semver version you used above. The
last remaining thing to do is to move the dynamic major version tag (e.g. `v3`)
to the same commit. This lets users reference only the major version in their
workflows (`uses: actions/dependency-review-action@v3`) while automatically
getting all minor and patch updates. Because that tag is moved on every
release, users who want an immutable reference should pin the action to a full
commit SHA instead.

To do this, check out `main`, force-create a new annotated tag, and push it:

```
git tag -fa v3 -m "Updating v3 to 3.0.1"
git push origin v3 --force
```
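The two commands above trust the operator to have checked that `main` really is the release commit and that the version in the tag message matches `package.json`. As an added example (not the project's release tooling), the script below wraps the tag move in those checks and demonstrates it against a throwaway repository built in a temporary directory, so nothing is pushed; the `git push` is shown commented out. The repository layout, the `demo-action` package name and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the project's release tooling: moves a major tag (v3) to
# the commit of a freshly cut release tag (v3.0.1) after checking that the
# version in package.json matches the release tag and that the release belongs
# to that major line. The demo at the bottom runs in a temp directory built
# here, so nothing is pushed.
set -eu

# Print the "version" field of <repo>/package.json (plain sed, no jq needed).
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

# move_major_tag <major-tag> <release-tag> <repo-dir>
move_major_tag() {
  major="$1"; release="$2"; repo="$3"
  want="${release#v}"                       # v3.0.1 -> 3.0.1
  have="$(package_version "$repo")"
  if [ "$want" != "$have" ]; then
    echo "package.json says $have but the release tag is $release" >&2
    return 1
  fi
  if [ "${want%%.*}" != "${major#v}" ]; then
    echo "$release is not a $major release" >&2
    return 1
  fi
  # Refuse to move anything unless the release tag already exists.
  git -C "$repo" rev-parse -q --verify "$release^{commit}" >/dev/null
  # Peel to the commit: tagging "$release" itself would nest one annotated tag
  # inside another instead of pointing v3 at the release commit.
  git -C "$repo" tag -fa "$major" "$release^{commit}" -m "Updating $major to $want"
  # Publishing the move is a force push of the tag (not run in this demo):
  # git -C "$repo" push origin "$major" --force
}

# Commit a tag resolves to, used to check the move.
tag_commit() {
  git -C "$1" rev-parse "$2^{commit}"
}

# Constructed demo repository: a 3.0.0 release with v3 pointing at it, then a
# 3.0.1 release that v3 still has to be moved to. Prints the repo path.
build_demo_repo() {
  dir="$(mktemp -d)"
  git -C "$dir" init -q
  git -C "$dir" config user.name demo
  git -C "$dir" config user.email demo@example.com
  printf '{\n  "name": "demo-action",\n  "version": "3.0.0"\n}\n' > "$dir/package.json"
  git -C "$dir" add package.json
  git -C "$dir" commit -q -m "Release 3.0.0"
  git -C "$dir" tag -a v3.0.0 -m "3.0.0"
  git -C "$dir" tag -a v3 -m "Updating v3 to 3.0.0"
  printf '{\n  "name": "demo-action",\n  "version": "3.0.1"\n}\n' > "$dir/package.json"
  git -C "$dir" commit -q -am "Release 3.0.1"
  git -C "$dir" tag -a v3.0.1 -m "3.0.1"
  echo "$dir"
}

demo() {
  repo="$(build_demo_repo)"
  echo "before: v3 -> $(tag_commit "$repo" v3)"
  move_major_tag v3 v3.0.1 "$repo"
  echo "after:  v3 -> $(tag_commit "$repo" v3)"
  echo "        v3.0.1 -> $(tag_commit "$repo" v3.0.1)"
}

demo
```

Against a real checkout you would call `move_major_tag v3 v3.0.1 .` from `main` after publishing the release and then run the commented-out push. The version check is the part that earns its keep: it catches a release cut before `package.json` was bumped, and the major-line check stops a `v3.x` release from silently moving `v2`.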
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
- [GitHub Help](https://help.github.com)