
chore: Use fork of dependency review action #22

Merged

Conversation

jscaltreto (Contributor) commented Nov 5, 2024

The upstream dependency-review-action uses the change's package_url (as returned from the dependency graph API) to match against the exclusions passed via allow-dependencies-licenses. However, some changes do not include package_url, but they can still result in the action failing a license check as the check itself doesn't rely on package_url. Currently there's no mechanism in place to exclude a dependency from the license check if the package_url is empty.

I created a fork of the action and added a fallback mechanism that parses source_repository_url to attempt to match based on the repository name using the GitHub PURL type. So allow-dependencies-licenses could include, for example, pkg:github/owner/repo and that would match a change with source_repository_url: "https://github.com/owner/repo".

This doesn't cover all cases; if source_repository_url is empty or doesn't point to a GitHub-hosted repository then it will still fail to match, but this should cover a good number of cases.
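The matching logic described in the comment above, as an added example written for this page in TypeScript (the action's language); it is not code from dependency-review-action or from the fork. It assumes a minimal `Change` shape carrying the dependency graph API's `package_url` and `source_repository_url` fields, folds GitHub owner/repo to lowercase as the PURL spec requires for the `github` type, ignores PURL versions and qualifiers when comparing, and applies the `source_repository_url` fallback only when `package_url` is empty. The function names and the sample changes are constructed for illustration.

```typescript
// Added example, not the action's or the fork's own code.
// Hypothetical minimal shape of one dependency-graph "change".
export interface Change {
  name: string;
  package_url: string | null;             // empty for some changes
  source_repository_url: string | null;
  license: string | null;
}

// The parts of a package URL that the allow-list comparison uses.
export interface PurlKey {
  type: string;
  namespace: string;
  name: string;
}

// Minimal purl parser: pkg:type/namespace/name@version?qualifiers#subpath
// Version, qualifiers and subpath are stripped; only type/namespace/name
// take part in matching (a simplification assumed for this example).
export function parsePurl(purl: string): PurlKey | null {
  if (!purl.startsWith('pkg:')) return null;
  let rest = purl.slice(4).replace(/^\/+/, '');
  rest = rest.split('#')[0].split('?')[0];
  const at = rest.lastIndexOf('@');
  // Only an '@' after the last '/' is a version separator; an '@' earlier
  // in the string belongs to a namespace such as npm's "@scope".
  if (at > rest.lastIndexOf('/')) rest = rest.slice(0, at);
  const parts = rest.split('/').filter((p) => p.length > 0).map(decodeURIComponent);
  if (parts.length < 2) return null;
  const type = parts[0].toLowerCase();
  const name = parts[parts.length - 1];
  const namespace = parts.slice(1, -1).join('/');
  // github purls are case-insensitive per the purl spec, so normalise them.
  const fold = type === 'github' ? (s: string) => s.toLowerCase() : (s: string) => s;
  return { type, namespace: fold(namespace), name: fold(name) };
}

function tryParseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// Fallback: derive pkg:github/<owner>/<repo> from source_repository_url.
// Returns null when the URL is missing, unparsable, or not on github.com,
// which is the case the comment says is still not covered.
export function purlFromSourceRepositoryUrl(url: string | null): string | null {
  if (!url) return null;
  const u = tryParseUrl(url);
  if (u === null) return null;
  if (u.hostname !== 'github.com' && u.hostname !== 'www.github.com') return null;
  const segs = u.pathname.split('/').filter((s) => s.length > 0);
  if (segs.length < 2) return null;
  const owner = segs[0].toLowerCase();
  const repo = segs[1].replace(/\.git$/, '').toLowerCase();
  return `pkg:github/${owner}/${repo}`;
}

function keysMatch(a: PurlKey, b: PurlKey): boolean {
  return a.type === b.type && a.namespace === b.namespace && a.name === b.name;
}

// Is this change excluded from the license check by the allow list?
// Direct package_url comparison first; the repository-based fallback only
// when package_url is empty (assumed reading of the fork's behaviour).
export function isLicenseExcluded(change: Change, allowList: string[]): boolean {
  const allowed = allowList.map(parsePurl).filter((k): k is PurlKey => k !== null);
  const matches = (key: PurlKey | null): boolean =>
    key !== null && allowed.some((a) => keysMatch(a, key));

  if (change.package_url) return matches(parsePurl(change.package_url));

  const derived = purlFromSourceRepositoryUrl(change.source_repository_url);
  return derived !== null && matches(parsePurl(derived));
}

// Constructed sample input: the allow list an operator might pass and four
// changes covering the direct match, the fallback, and the two gaps.
export const SAMPLE_ALLOW_LIST = ['pkg:npm/example-lib', 'pkg:github/Owner/Repo'];

export const SAMPLE_CHANGES: Change[] = [
  { name: 'example-lib', package_url: 'pkg:npm/example-lib@1.2.3', source_repository_url: null, license: 'GPL-3.0' },
  { name: 'repo', package_url: null, source_repository_url: 'https://github.com/owner/repo.git', license: 'GPL-3.0' },
  { name: 'other', package_url: null, source_repository_url: 'https://gitlab.com/owner/repo', license: 'GPL-3.0' },
  { name: 'nourl', package_url: null, source_repository_url: null, license: 'GPL-3.0' },
];

// Names of the sample changes that would still fail the check.
export function stillFailing(changes: Change[], allowList: string[]): string[] {
  return changes.filter((c) => !isLicenseExcluded(c, allowList)).map((c) => c.name);
}
```

Running `stillFailing(SAMPLE_CHANGES, SAMPLE_ALLOW_LIST)` leaves only the GitLab-hosted and URL-less changes failing, which is exactly the residual gap the comment calls out. The hostname check matters: a naive substring match on "github.com" would also accept URLs such as `https://github.com.evil.example/owner/repo` and let a crafted source URL satisfy an exclusion.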

@jscaltreto jscaltreto force-pushed the forked-dependency-review-action branch from a0d2a11 to a9c996a November 6, 2024 14:26
@jscaltreto jscaltreto force-pushed the forked-dependency-review-action branch from a9c996a to 2c403ba November 6, 2024 20:42
@jscaltreto jscaltreto marked this pull request as ready for review November 6, 2024 20:44
@jscaltreto jscaltreto merged commit 6779eda into circlefin:master Nov 6, 2024
5 checks passed
jscaltreto pushed a commit that referenced this pull request Nov 6, 2024
🤖 I have created a release *beep* *boop*
---


## [1.3.2](v1.3.1...v1.3.2) (2024-11-06)


### Miscellaneous Chores

* Use fork of dependency review action
([#22](#22))
([6779eda](6779eda))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).