Bump dependabot/fetch-metadata from 1.2.1 to 1.3.0 #56

Closed
dependabot[bot] wants to merge 1 commits from dependabot/github_actions/dependabot/fetch-metadata-1.3.0 into master
dependabot[bot] commented 2022-03-02 11:49:36 +03:00 (Migrated from github.com)

Bumps dependabot/fetch-metadata from 1.2.1 to 1.3.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v1.3.0 - Fetch additional metadata via the GitHub API

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

-- .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.0
      with:
        alert-lookup: true
        compat-lookup: true

The flags enable the following new outputs:

  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @​mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.

Thanks for the feedback, and thanks @​mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.

Thanks @​jablko for contributing this change 🏆

What's Changed

... (truncated)

Commits
  • a96c30f Merge pull request #170 from dependabot/v1.3.0-release-notes
  • 11d3bb7 v1.3.0
  • 0ca01a5 Merge pull request #146 from pangaeatech/get_compat_score
  • f4b2d0d Merge pull request #83 from jablko/patch-1
  • 26e18ca Merge branch 'main' into patch-1
  • a30bbbb Merge pull request #166 from pangaeatech/allow-other-commits
  • 9a3daaf linting
  • 4a87565 Allow fetch-metadata to run on a PR even if it has additional commits, as lon...
  • 749688a Merge pull request #165 from pangaeatech/update_readme
  • 592101e Updated README to reference correct version
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 1.2.1 to 1.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dependabot/fetch-metadata/releases">dependabot/fetch-metadata's releases</a>.</em></p> <blockquote> <h2>v1.3.0 - Fetch additional metadata via the GitHub API</h2> <h2>Highlights</h2> <h3>🆕 Fetch additional metadata about Dependabot commits</h3> <p>You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.</p> <p>Example:</p> <pre lang="yaml"><code>-- .github/workflows/dependabot-prs.yml name: Dependabot Pull Request on: pull_request_target jobs: build: runs-on: ubuntu-latest steps: - name: Fetch Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v1.3.0 with: alert-lookup: true compat-lookup: true </code></pre> <p>The flags enable the following new outputs:</p> <ul> <li><code>steps.dependabot-metadata.outputs.alert-state</code> <ul> <li>If this PR is associated with a security alert and <code>alert-lookup</code> is <code>true</code>, this contains the current state of that alert (OPEN, FIXED or DISMISSED).</li> </ul> </li> <li><code>steps.dependabot-metadata.outputs.ghsa-id</code> <ul> <li>If this PR is associated with a security alert and <code>alert-lookup</code> is <code>true</code>, this contains the GHSA-ID of that alert.</li> </ul> </li> <li><code>steps.dependabot-metadata.outputs.cvss</code> <ul> <li>If this PR is associated with a security alert and <code>alert-lookup</code> is <code>true</code>, this contains the CVSS value of that alert (otherwise it contains 0).</li> </ul> </li> <li><code>steps.dependabot-metadata.outputs.compatibility-score</code> <ul> <li>If this PR has a known compatibility score and <code>compat-lookup</code> is <code>true</code>, this contains the compatibility score (otherwise it contains 0).</li> </ul> </li> </ul> <p>Many thanks to <a href="https://github.com/mwaddell"><code>@​mwaddell</code></a> for contributing these additional flags 🥇</p> <h3>The Action no longer fails if other commits are present</h3> <p>We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.</p> <p>Thanks for the feedback, and thanks <a href="https://github.com/mwaddell"><code>@​mwaddell</code></a> for contributing the change.</p> <h3>The Action defaults to using the GITHUB_TOKEN</h3> <p>This makes us consistent with other GitHub Actions such as <code>actions/checkout</code> in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.</p> <p>Thanks <a href="https://github.com/jablko"><code>@​jablko</code></a> for contributing this change 🏆</p> <h2>What's Changed</h2> <ul> <li>Flag security alerts and pass versions through by <a href="https://github.com/mwaddell"><code>@​mwaddell</code></a> in <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/pull/144">dependabot/fetch-metadata#144</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/dependabot/fetch-metadata/commit/a96c30f6ac86e5673ed0a03957891f85b6d60abc"><code>a96c30f</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/170">#170</a> from dependabot/v1.3.0-release-notes</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/11d3bb752a019f2f83cdf0c12e4d2a824a81e11b"><code>11d3bb7</code></a> v1.3.0</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/0ca01a55536b0271b86626f1035b1f3a7115d7a8"><code>0ca01a5</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/146">#146</a> from pangaeatech/get_compat_score</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/f4b2d0d26d01252bacf093980029ea2611cd4c05"><code>f4b2d0d</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/83">#83</a> from jablko/patch-1</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/26e18ca1197945c72f43ca93f0ecf33eff633813"><code>26e18ca</code></a> Merge branch 'main' into patch-1</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/a30bbbb91c453622d63d4f04598d407a97da52e5"><code>a30bbbb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/166">#166</a> from pangaeatech/allow-other-commits</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/9a3daafb32bcef6148a00ad31180618828768b94"><code>9a3daaf</code></a> linting</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/4a8756595b97b6b1817fab0722c46dd030028cea"><code>4a87565</code></a> Allow fetch-metadata to run on a PR even if it has additional commits, as lon...</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/749688a11e60e346b3b415427820516068c79066"><code>749688a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/165">#165</a> from pangaeatech/update_readme</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/592101e99540be908da10b34af86772e74c67b71"><code>592101e</code></a> Updated README to reference correct version</li> <li>Additional commits viewable in <a href="https://github.com/dependabot/fetch-metadata/compare/v1.2.1...v1.3.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=dependabot/fetch-metadata&package-manager=github_actions&previous-version=1.2.1&new-version=1.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
vtolstov (Migrated from github.com) approved these changes 2022-03-02 11:49:52 +03:00
dependabot[bot] commented 2022-03-05 19:09:10 +03:00 (Migrated from github.com)

Looks like dependabot/fetch-metadata is up-to-date now, so this is no longer needed.

Looks like dependabot/fetch-metadata is up-to-date now, so this is no longer needed.

Pull request closed

Sign in to join this conversation.
No description provided.