Merge pull request #290 from actions/cn/scan_pr

Enable setting configuration options for local testing

.github/dependency-review-config.yml

@@ -1 +0,0 @@
-fail-on-severity: low

CONTRIBUTING.md

@@ -1,4 +1,5 @@
 # Contributing
+
 [fork]: https://github.com/actions/dependency-review-action/fork
 [pr]: https://github.com/actions/dependency-review-action/compare
 [code-of-conduct]: CODE_OF_CONDUCT.md
@@ -9,7 +10,6 @@ Contributions to this project are
 [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
 to the public under the [project's open source license](LICENSE).
 
-
 Please note that this project is released with a [Contributor Code of
 Conduct][code-of-conduct]. By participating in this project you agree
 to abide by its terms.
@@ -20,7 +20,6 @@ This Action makes an authenticated query to the Dependency Graph Diff
 API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
 to find out the set of added and removed dependencies for each manifest.
 
-
 ### Bootstrapping the project
 
 ```
@@ -35,7 +34,7 @@ npm install
 npm run test
 ```
 
-*Note*: We don't have any useful tests yet, contributions are welcome!
+_Note_: We don't have any useful tests yet, contributions are welcome!
 
 ## Local Development
 
@@ -56,16 +55,24 @@ Like this:
 $ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
 ```
 
+[Configuration options](README.md#configuration-options) can be set by
+passing an external YAML  [configuration file](README.md#configuration-file) to the
+`scan_pr` script with the `-c`/`--config-file` option:
+
+```sh
+$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url> 
+```
+
 ## Submitting a pull request
 
 0. [Fork][fork] and clone the repository
-0. Configure and install the dependencies: `npm install`
-0. Make sure the tests pass on your machine: `npm run test`
-0. Create a new branch: `git checkout -b my-branch-name`
-0. Make your change, add tests, and make sure the tests still pass
-0. Make sure to build and package before pushing: `npm run build && npm run package`
-0. Push to your fork and [submit a pull request][pr]
-0. Pat your self on the back and wait for your pull request to be reviewed and merged.
+1. Configure and install the dependencies: `npm install`
+2. Make sure the tests pass on your machine: `npm run test`
+3. Create a new branch: `git checkout -b my-branch-name`
+4. Make your change, add tests, and make sure the tests still pass
+5. Make sure to build and package before pushing: `npm run build && npm run package`
+6. Push to your fork and [submit a pull request][pr]
+7. Pat your self on the back and wait for your pull request to be reviewed and merged.
 
 Here are a few things you can do that will increase the likelihood of your pull request being accepted:
 
@@ -77,21 +84,21 @@ Here are a few things you can do that will increase the likelihood of your pull
 
 1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
 1. Go to [Draft a new
-release](https://github.com/actions/dependency-review-action/releases/new)
-in the Releases page.
-2. Make sure that the `Publish this Action to the GitHub Marketplace`
-checkbox is enabled
+   release](https://github.com/actions/dependency-review-action/releases/new)
+   in the Releases page.
+1. Make sure that the `Publish this Action to the GitHub Marketplace`
+   checkbox is enabled
 
 <img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
 
 3. Click "Choose a tag" and then "Create new tag", where the tag name
-will be your version prefixed by a `v` (e.g. `v1.2.3`).
+   will be your version prefixed by a `v` (e.g. `v1.2.3`).
 4. Use a version number for the release title (e.g. "1.2.3").
 
 <img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
 
 5. Add your release notes. If this is a major version make sure to
-include a small description of the biggest changes in the new version.
+   include a small description of the biggest changes in the new version.
 6. Click "Publish Release".
 
 You now have a tag and release using the semver version you used
@@ -102,6 +109,7 @@ automatically getting all the
 minor/patch updates.
 
 To do this just checkout `main`, force-create a new annotated tag, and push it:
+
 ```
 git tag -fa v2 -m "Updating v2 to 2.3.4"
 git push origin v2 --force

scripts/scan_pr

@@ -3,22 +3,52 @@ require 'json'
 require 'tempfile'
 require 'open3'
 require 'bundler/inline'
+require 'optparse'
 
 gemfile do
   source 'https://rubygems.org'
   gem 'octokit'
 end
 
+config_file = nil
 github_token = ENV["GITHUB_TOKEN"]
+
 if !github_token || github_token.empty?
   puts "Please set the GITHUB_TOKEN environment variable"
   exit -1
 end
 
-arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV[0])
+op = OptionParser.new do |opts|
+  usage = <<EOF
+Run Dependency Review on a repository.
+
+\e[1mUsage:\e[22m
+  scripts/scan_pr [options] <pr_url>
+
+\e[1mExample:\e[22m
+  scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
+
+EOF
+
+  opts.banner = usage
+
+  opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
+    config_file = cf
+  end
+
+  opts.on("-h", "--help", "Prints this help") do
+    puts opts
+    exit
+  end
+end
+
+op.parse!
+
+# make sure we have a NWO somewhere in the parameters
+arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
 
 if arg.nil?
-  puts "Usage: script/scan_pr <pr_url>"
+  puts op
   exit -1
 end
 
@@ -33,7 +63,8 @@ event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
 event_file.close
 
 action_inputs = {
-  "repo-token" => github_token
+  "repo-token": github_token,
+  "config-file": config_file
 }
 
 dev_cmd_env = {