Merge branch 'main' into add-summary

Author: Federico Builes

README.md

@@ -1,6 +1,7 @@
 # dependency-review-action
 
-This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
+This action scans your pull requests for dependency changes, and will
+raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
 
 The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
 
@@ -85,6 +86,10 @@ jobs:
           # Possible values: "critical", "high", "moderate", "low"
           # fail-on-severity: critical
           #
+          # Possible values: Any available git ref
+          # base-ref: ${{ github.event.pull_request.base.ref }}
+          # head-ref: ${{ github.event.pull_request.head.ref }}
+          #
           # You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES. 
           #
           # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
@@ -94,6 +99,11 @@ jobs:
           # deny-licenses: LGPL-2.0, BSD-2-Clause
 ```
 
+When the workflow with this action is caused by a `pull_request` or `pull_request_target` event,
+the `base-ref` and `head-ref` values have the defaults as shown above. If the workflow is caused by
+any other event, the `base-ref` and `head-ref` options must be
+explicitly set in the configuration file.
+
 ### Vulnerability Severity
 
 By default the action will fail on any pull request that contains a

__tests__/config.test.ts

@@ -1,5 +1,6 @@
 import {expect, test, beforeEach} from '@jest/globals'
 import {readConfig} from '../src/config'
+import {getRefs} from '../src/git-refs'
 
 // GitHub Action inputs come in the form of environment variables
 // with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
@@ -10,9 +11,17 @@ function setInput(input: string, value: string) {
 // We want a clean ENV before each test. We use `delete`
 // since we want `undefined` values and not empty strings.
 function clearInputs() {
-  delete process.env['INPUT_FAIL-ON-SEVERITY']
-  delete process.env['INPUT_ALLOW-LICENSES']
-  delete process.env['INPUT_DENY-LICENSES']
+  const allowedOptions = [
+    'FAIL-ON-SEVERITY',
+    'ALLOW-LICENSES',
+    'DENY-LICENSES',
+    'BASE-REF',
+    'HEAD-REF'
+  ]
+
+  allowedOptions.forEach(option => {
+    delete process.env[`INPUT_${option.toUpperCase()}`]
+  })
 }
 
 beforeEach(() => {
@@ -51,3 +60,25 @@ test('it raises an error when given an unknown severity', async () => {
   setInput('fail-on-severity', 'zombies')
   expect(() => readConfig()).toThrow()
 })
+
+test('it uses the given refs when the event is not a pull request', async () => {
+  setInput('base-ref', 'a-custom-base-ref')
+  setInput('head-ref', 'a-custom-head-ref')
+
+  const refs = getRefs(readConfig(), {
+    payload: {},
+    eventName: 'workflow_dispatch'
+  })
+  expect(refs.base).toEqual('a-custom-base-ref')
+  expect(refs.head).toEqual('a-custom-head-ref')
+})
+
+test('it raises an error when no refs are provided and the event is not a pull request', async () => {
+  const options = readConfig()
+  expect(() =>
+    getRefs(options, {
+      payload: {},
+      eventName: 'workflow_dispatch'
+    })
+  ).toThrow()
+})

action.yml

@@ -10,6 +10,12 @@ inputs:
     description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
     required: false
     default: 'low'
+  base-ref:
+    description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
+    required: false
+  head-ref:
+    description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
+    required: false
   allow-licenses:
     description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
     required: false