dependency-review-action/action.yml

# Avoid using default values for options here since they will
# end up overriding external configurations.
name: 'Dependency Review'
description: 'Prevent the introduction of dependencies with known vulnerabilities'
author: 'GitHub'
inputs:
  repo-token:
    description: Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.
    required: false
    default: ${{ github.token }}
  fail-on-severity:
    description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
    required: false
  fail-on-scopes:
    description: Dependency scopes to block PRs on. Comma-separated list. Possible values are 'unknown', 'runtime', and 'development' (e.g. "runtime, development")
    required: false
  base-ref:
    description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
    required: false
  head-ref:
    description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
    required: false
  config-file:
    description: A path to the configuration file for the action.
    required: false
  allow-licenses:
    description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
    required: false
  deny-licenses:
    description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
    required: false
  allow-dependencies-licenses:
    description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
    required: false
  allow-ghsas:
    description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
    required: false
  external-repo-token:
    description: A token for fetching external configuration file if it lives in another repository. It is required if the repository is private
    required: false
  license-check:
    description: A boolean to determine if license checks should be performed
    required: false
  vulnerability-check:
    description: A boolean to determine if vulnerability checks should be performed
    required: false
  comment-summary-in-pr:
    description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests
    required: false
runs:
  using: 'node16'
  main: 'dist/index.js'
Remove default values in action.yml 2023-04-06 21:33:35 +02:00			`# Avoid using default values for options here since they will`
			`# end up overriding external configurations.`
initial commit 2022-03-31 18:31:39 +02:00			`name: 'Dependency Review'`
Update action.yml 2022-04-06 16:03:35 -04:00			`description: 'Prevent the introduction of dependencies with known vulnerabilities'`
initial commit 2022-03-31 18:31:39 +02:00			`author: 'GitHub'`
			`inputs:`
			`repo-token:`
Linting YAML 2022-06-14 09:05:05 +02:00			description: Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.
initial commit 2022-03-31 18:31:39 +02:00			`required: false`
			`default: ${{ github.token }}`
Adding the config definition to action.yml 2022-06-14 07:40:16 +02:00			`fail-on-severity:`
Linting YAML 2022-06-14 09:05:05 +02:00			description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
Adding the config definition to action.yml 2022-06-14 07:40:16 +02:00			`required: false`
add fail-on-scopes input to action config 2022-09-15 20:07:28 +00:00			`fail-on-scopes:`
			`description: Dependency scopes to block PRs on. Comma-separated list. Possible values are 'unknown', 'runtime', and 'development' (e.g. "runtime, development")`
			`required: false`
Support user-provided base/head refs & non-PR workflows 2022-07-21 15:47:05 -04:00			`base-ref:`
			description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
			`required: false`
			`head-ref:`
			description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
			`required: false`
Let the users set the path for the config file. 2022-09-20 15:15:14 +02:00			`config-file:`
Fix config-file description in action.yml 2022-10-21 17:38:18 +02:00			`description: A path to the configuration file for the action.`
Let the users set the path for the config file. 2022-09-20 15:15:14 +02:00			`required: false`
Dashes instead of underscores. 2022-06-14 07:50:25 +02:00			`allow-licenses:`
Adding the config definition to action.yml 2022-06-14 07:40:16 +02:00			`description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")`
			`required: false`
Dashes instead of underscores. 2022-06-14 07:50:25 +02:00			`deny-licenses:`
Adding the config definition to action.yml 2022-06-14 07:40:16 +02:00			`description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")`
			`required: false`
Build and updated README 2023-04-06 09:58:14 +02:00			`allow-dependencies-licenses:`
Update action.yml Co-authored-by: Justin Holguín <juxtin@github.com> 2023-05-17 09:45:02 +02:00			`description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.`
Build and updated README 2023-04-06 09:58:14 +02:00			`required: false`
add allow-ghsas input to action.yml 2022-09-23 19:59:39 +00:00			`allow-ghsas:`
spelling: github Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> 2022-12-08 10:32:03 -05:00			`description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")`
add allow-ghsas input to action.yml 2022-09-23 19:59:39 +00:00			`required: false`
Rename config token > external-repo-token 2022-11-08 11:16:26 +00:00			`external-repo-token:`
Complete functionality for handling remote config file 2022-11-04 14:51:41 +00:00			`description: A token for fetching external configuration file if it lives in another repository. It is required if the repository is private`
Adding README and action.yml for external config files. 2022-10-21 17:34:20 +02:00			`required: false`
Updating action.yml to include `*-check` config options. 2022-11-11 14:56:07 +01:00			`license-check:`
			`description: A boolean to determine if license checks should be performed`
			`required: false`
			`vulnerability-check:`
			`description: A boolean to determine if vulnerability checks should be performed`
			`required: false`
Adds option to write summary into a pr comment 2023-02-03 10:35:46 +00:00			`comment-summary-in-pr:`
			`description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests`
			`required: false`
initial commit 2022-03-31 18:31:39 +02:00			`runs:`
			`using: 'node16'`
			`main: 'dist/index.js'`