chore(deps): update dependabot/fetch-metadata action to v1.7.0 #82

Open

wants to merge 1 commit into base: develop

Conversation

mend-for-github-com[bot] commented Oct 30, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| dependabot/fetch-metadata | action | minor | v1.1.1 -> v1.7.0 |

Release Notes

dependabot/fetch-metadata (dependabot/fetch-metadata)

v1.7.0

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1.6.0...v1.7.0

v1.6.0

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1...v1.6.0

v1.5.1

Compare Source

What's Changed

Bugfix:

Dep bumps that are trivial so decided to keep this a patch release:

Internal-facing infra changes:

Full Changelog: dependabot/fetch-metadata@v1...v1.5.1

v1.5.0

Compare Source

What's Changed

New Features:

Bumped Deps:

Docs:

Code cleanup:

Full Changelog: dependabot/fetch-metadata@v1...v1.5.0

v1.4.0

Compare Source

New Features

Bugfix

Dep Bumps

Other

New Contributors

Full Changelog: dependabot/fetch-metadata@v1...v1.4.0

v1.3.6

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1...v1.3.6

v1.3.5

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1...v1.3.5

v1.3.4

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1.3.3...v1.3.4

v1.3.3

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1.3.2...v1.3.3

v1.3.2

Compare Source

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1.3.1...v1.3.2

v1.3.1

Compare Source

Highlights

This release is primarily catching up on our dependencies, but it also includes a few bug fixes:

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1.3.0...v1.3.1

v1.3.0: - Fetch additional metadata via the GitHub API

Compare Source

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

```yaml
# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.0
      with:
        alert-lookup: true
        compat-lookup: true
```

The flags enable the following new outputs:

  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback that this change was highly obtrusive and blocked common workflows that merge in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows, this friction was much more obvious.

Thanks for the feedback, and thanks @mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes, this default is adequate for all use cases.

Thanks @jablko for contributing this change 🏆

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v1.2.1...v1.3.0

v1.2.1: - Workflows may be re-run by someone other than Dependabot

Compare Source

Highlights:

  • Check the PR author instead of the Action Actor so failed fetch-metadata workflows can be retried, thanks @mwaddell!
  • Catch up on our dependency updates 😅

What's Changed

Full Changelog: dependabot/fetch-metadata@v1.2.0...v1.2.1

v1.2.0: - Updated outputs

Compare Source

What's Changed

All other changes are dev or build related.

Full Changelog: dependabot/fetch-metadata@v1.1.1...v1.2.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


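A workflow that acts on the `alert-state`, `ghsa-id`, `cvss` and `compatibility-score` outputs described in the v1.3.0 notes, added here as an example; it is not part of this PR or of the fetch-metadata project's own documentation. It assumes the file name `.github/workflows/dependabot-triage.yml`, that the `security-review` and `high-severity` labels already exist in the repository, and the `update-type` output, which the action's README documents but these release notes do not list; `gh` is preinstalled on GitHub-hosted runners. Because `pull_request_target` runs in the context of the base branch with a write-capable token and access to secrets, the job never checks out or executes code from the pull request: it only reads metadata and calls `gh`, and it passes action outputs into the shell through environment variables rather than interpolating them into the script. `cvss` and `compatibility-score` are `0` when nothing is known, so `0` is treated as "unknown", not as "safe".

```yaml
# .github/workflows/dependabot-triage.yml  (assumed filename; example workflow, not from the fetch-metadata project)
name: Dependabot triage

# pull_request_target runs against the base branch with a token that can write to the
# repository and with access to secrets. This job therefore never checks out or runs
# code from the pull request; it only reads Dependabot metadata and calls gh.
on: pull_request_target

permissions:
  contents: write        # required for `gh pr merge --auto`
  pull-requests: write   # required for labels, comments and merge

jobs:
  triage:
    runs-on: ubuntu-latest
    # Only Dependabot PRs; the action itself also fails for any other PR author.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      PR_URL: ${{ github.event.pull_request.html_url }}
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.7.0
        with:
          alert-lookup: true
          compat-lookup: true
          # github-token: ${{ secrets.DEPENDABOT_METADATA_TOKEN }}
          # Uncomment and supply a token that can read Dependabot alerts if alert-state,
          # ghsa-id and cvss stay empty with the default GITHUB_TOKEN (assumption: check
          # the action's README for the exact scope it needs).

      - name: Label security fixes and record alert details
        # alert-state is OPEN, FIXED or DISMISSED when the PR is tied to an alert.
        if: steps.dependabot-metadata.outputs.alert-state == 'OPEN'
        env:
          # Pass outputs through env vars instead of interpolating ${{ }} into the
          # script, so an unexpected value can never become shell syntax.
          GHSA_ID: ${{ steps.dependabot-metadata.outputs.ghsa-id }}
          CVSS: ${{ steps.dependabot-metadata.outputs.cvss }}
          COMPAT: ${{ steps.dependabot-metadata.outputs.compatibility-score }}
        run: |
          gh pr edit "$PR_URL" --add-label "security-review"
          gh pr comment "$PR_URL" --body "Fixes open alert ${GHSA_ID} (CVSS ${CVSS}, compatibility score ${COMPAT}); a maintainer must review this before merge."

      - name: Escalate high-severity fixes
        # cvss is 0 when no alert is associated, so this only fires for a real alert.
        if: >-
          steps.dependabot-metadata.outputs.alert-state == 'OPEN' &&
          fromJSON(steps.dependabot-metadata.outputs.cvss) >= 7
        run: gh pr edit "$PR_URL" --add-label "high-severity"

      - name: Enable auto-merge for routine patch and minor updates
        # update-type comes from the action's README; security fixes (open alert)
        # are deliberately excluded here so they always get the review above.
        if: >-
          steps.dependabot-metadata.outputs.alert-state != 'OPEN' &&
          (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor')
        run: gh pr merge --auto --squash "$PR_URL"
```

`gh pr merge --auto` only queues the merge; it still waits for branch protection and required checks, and needs auto-merge enabled in the repository settings. Pinning the action to a full commit SHA instead of the `v1.7.0` tag is the usual hardening for a workflow that runs under `pull_request_target`; the tag is kept here only because that is the version this PR updates to.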
