Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

V1.3.0 release notes #170

Merged
merged 1 commit into from
Mar 1, 2022
Merged

V1.3.0 release notes #170

merged 1 commit into from
Mar 1, 2022

Conversation

brrygrdn
Copy link
Contributor

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

-- .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.0
      with:
        alert-lookup: true
        compat-lookup: true

The flags enable the following new outputs:

  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.

Thanks for the feedback, and thanks @mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.

Thanks @jablko for contributing this change 🏆

What's Changed

New Contributors

Full Changelog: v1.2.1...v1.3.0

@brrygrdn brrygrdn requested a review from a team as a code owner February 28, 2022 18:32
@brrygrdn brrygrdn force-pushed the v1.3.0-release-notes branch from 5dbf555 to 11d3bb7 Compare February 28, 2022 18:33
@brrygrdn brrygrdn merged commit a96c30f into main Mar 1, 2022
@brrygrdn brrygrdn deleted the v1.3.0-release-notes branch March 1, 2022 14:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jurre jurre jurre approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brrygrdn @jurre