Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency Review ジョブが失敗したら、PR にコメントする #96

Merged
merged 1 commit into from
Feb 21, 2025
Merged

Dependency Review ジョブが失敗したら、PR にコメントする #96

merged 1 commit into from
Feb 21, 2025
+12 −2

Conversation

masutaka
Copy link
Member

@masutaka masutaka commented Feb 20, 2025
edited
Loading

変更概要

.github/workflows/dependency_review.yml デフォルトで、PR にコメントするようにしました。

そのためにはユーザー側で permissions を設定する必要があるため、破壊的な変更とは言えないまでも、近い変更にはなっています。

背景

Dependency Review ジョブが失敗すると CI が落ちるので気づくことはできます。

ただ、"▶Vulnerabilities" をクリックしないと分かりません。

🔗 https://github.com/masutaka/sandbox/actions/runs/13430473078/job/37521109378

Job status

一方で Summary をクリックすると分かりやすい結果を確認できることは、気づくのが難しいです。

🔗 https://github.com/masutaka/sandbox/actions/runs/13430473078

Workflow summary

別な話として、巨大な PR では脆弱性が見つかる以外で Dependency Review ジョブが失敗することがあります。

参考

こんな振る舞いだった。

  1. 当該 PR で脆弱性が初めて見つかる
  2. PR に commit を追加した。脆弱性は修正されていない
    • Dependency Review の CI が失敗し、1 のコメントが編集される
  3. PR に commit を追加した。脆弱性が修正された
    • Dependency Review の CI が成功する。1 のコメントはそのまま

当該コードはこのあたり。
https://github.com/actions/dependency-review-action/blob/v4.5.0/src/comment-pr.ts#L41-L58

@masutaka masutaka self-assigned this Feb 20, 2025
masutaka
masutaka commented Feb 20, 2025
View reviewed changes
.github/workflows/dependency_review.yml
inputs:
comment-summary-in-pr:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
default: on-failure
Copy link
Member Author

@masutaka masutaka Feb 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/dependency-review-action のデフォルト never です。
https://github.com/actions/dependency-review-action/blob/v4.5.0/README.md?plain=1#L113

route06/actions/.github/workflows/dependency_review.yml を使うと、デフォルトで PR にコメントしてくれますが、permissions の設定が必要になりました。

@masutaka masutaka added the enhancement New feature or request label Feb 20, 2025
@masutaka masutaka marked this pull request as ready for review February 20, 2025 09:54
@masutaka masutaka requested a review from a team as a code owner February 20, 2025 09:54
shige
shige approved these changes Feb 20, 2025
View reviewed changes
Copy link
Member

@shige shige left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 💬

MH4GF
MH4GF approved these changes Feb 21, 2025
View reviewed changes
Copy link
Contributor

@MH4GF MH4GF left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTMです 👍🏻

@masutaka masutaka added this pull request to the merge queue Feb 21, 2025
Merged via the queue into main with commit 9fe6524 Feb 21, 2025
3 checks passed
@masutaka masutaka deleted the dependency_review-comment-summary-in-pr branch February 21, 2025 02:06
@route06-actions-ci route06-actions-ci bot mentioned this pull request Feb 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shige shige shige approved these changes

@MH4GF MH4GF MH4GF approved these changes

@TomckySan TomckySan Awaiting requested review from TomckySan TomckySan is a code owner automatically assigned from route06/actions-repo-code-owners

Assignees

@masutaka masutaka

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@masutaka @shige @MH4GF