unistack-org/micro-logger-service
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Bump dependabot/fetch-metadata from 1.2.1 to 1.3.0 #67

Merged
dependabot[bot] merged 3 commits from dependabot/github_actions/dependabot/fetch-metadata-1.3.0 into master 2022-03-06 09:49:10 +03:00
Conversation 4 Commits 3 Files Changed -
dependabot[bot] commented 2022-03-02 08:23:12 +03:00 (Migrated from github.com)
Copy Link

Bumps dependabot/fetch-metadata from 1.2.1 to 1.3.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v1.3.0 - Fetch additional metadata via the GitHub API

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

-- .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.0
      with:
        alert-lookup: true
        compat-lookup: true

The flags enable the following new outputs:

  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @​mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.

Thanks for the feedback, and thanks @​mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.

Thanks @​jablko for contributing this change 🏆

What's Changed

... (truncated)

Commits
  • a96c30f Merge pull request #170 from dependabot/v1.3.0-release-notes
  • 11d3bb7 v1.3.0
  • 0ca01a5 Merge pull request #146 from pangaeatech/get_compat_score
  • f4b2d0d Merge pull request #83 from jablko/patch-1
  • 26e18ca Merge branch 'main' into patch-1
  • a30bbbb Merge pull request #166 from pangaeatech/allow-other-commits
  • 9a3daaf linting
  • 4a87565 Allow fetch-metadata to run on a PR even if it has additional commits, as lon...
  • 749688a Merge pull request #165 from pangaeatech/update_readme
  • 592101e Updated README to reference correct version
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 1.2.1 to 1.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dependabot/fetch-metadata/releases">dependabot/fetch-metadata's releases</a>.</em></p> <blockquote> <h2>v1.3.0 - Fetch additional metadata via the GitHub API</h2> <h2>Highlights</h2> <h3>🆕 Fetch additional metadata about Dependabot commits</h3> <p>You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.</p> <p>Example:</p> <pre lang="yaml"><code>-- .github/workflows/dependabot-prs.yml name: Dependabot Pull Request on: pull_request_target jobs: build: runs-on: ubuntu-latest steps: - name: Fetch Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v1.3.0 with: alert-lookup: true compat-lookup: true </code></pre> <p>The flags enable the following new outputs:</p> <ul> <li><code>steps.dependabot-metadata.outputs.alert-state</code> <ul> <li>If this PR is associated with a security alert and <code>alert-lookup</code> is <code>true</code>, this contains the current state of that alert (OPEN, FIXED or DISMISSED).</li> </ul> </li> <li><code>steps.dependabot-metadata.outputs.ghsa-id</code> <ul> <li>If this PR is associated with a security alert and <code>alert-lookup</code> is <code>true</code>, this contains the GHSA-ID of that alert.</li> </ul> </li> <li><code>steps.dependabot-metadata.outputs.cvss</code> <ul> <li>If this PR is associated with a security alert and <code>alert-lookup</code> is <code>true</code>, this contains the CVSS value of that alert (otherwise it contains 0).</li> </ul> </li> <li><code>steps.dependabot-metadata.outputs.compatibility-score</code> <ul> <li>If this PR has a known compatibility score and <code>compat-lookup</code> is <code>true</code>, this contains the compatibility score (otherwise it contains 0).</li> </ul> </li> </ul> <p>Many thanks to <a href="https://github.com/mwaddell"><code>@​mwaddell</code></a> for contributing these additional flags 🥇</p> <h3>The Action no longer fails if other commits are present</h3> <p>We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.</p> <p>Thanks for the feedback, and thanks <a href="https://github.com/mwaddell"><code>@​mwaddell</code></a> for contributing the change.</p> <h3>The Action defaults to using the GITHUB_TOKEN</h3> <p>This makes us consistent with other GitHub Actions such as <code>actions/checkout</code> in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.</p> <p>Thanks <a href="https://github.com/jablko"><code>@​jablko</code></a> for contributing this change 🏆</p> <h2>What's Changed</h2> <ul> <li>Flag security alerts and pass versions through by <a href="https://github.com/mwaddell"><code>@​mwaddell</code></a> in <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/pull/144">dependabot/fetch-metadata#144</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/dependabot/fetch-metadata/commit/a96c30f6ac86e5673ed0a03957891f85b6d60abc"><code>a96c30f</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/170">#170</a> from dependabot/v1.3.0-release-notes</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/11d3bb752a019f2f83cdf0c12e4d2a824a81e11b"><code>11d3bb7</code></a> v1.3.0</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/0ca01a55536b0271b86626f1035b1f3a7115d7a8"><code>0ca01a5</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/146">#146</a> from pangaeatech/get_compat_score</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/f4b2d0d26d01252bacf093980029ea2611cd4c05"><code>f4b2d0d</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/83">#83</a> from jablko/patch-1</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/26e18ca1197945c72f43ca93f0ecf33eff633813"><code>26e18ca</code></a> Merge branch 'main' into patch-1</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/a30bbbb91c453622d63d4f04598d407a97da52e5"><code>a30bbbb</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/166">#166</a> from pangaeatech/allow-other-commits</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/9a3daafb32bcef6148a00ad31180618828768b94"><code>9a3daaf</code></a> linting</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/4a8756595b97b6b1817fab0722c46dd030028cea"><code>4a87565</code></a> Allow fetch-metadata to run on a PR even if it has additional commits, as lon...</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/749688a11e60e346b3b415427820516068c79066"><code>749688a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/dependabot/fetch-metadata/issues/165">#165</a> from pangaeatech/update_readme</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/592101e99540be908da10b34af86772e74c67b71"><code>592101e</code></a> Updated README to reference correct version</li> <li>Additional commits viewable in <a href="https://github.com/dependabot/fetch-metadata/compare/v1.2.1...v1.3.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=dependabot/fetch-metadata&package-manager=github_actions&previous-version=1.2.1&new-version=1.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
vtolstov (Migrated from github.com) approved these changes 2022-03-02 08:23:27 +03:00
dependabot[bot] commented 2022-03-05 19:30:28 +03:00 (Migrated from github.com)
Copy Link

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting `@dependabot rebase`.
github-actions[bot] (Migrated from github.com) approved these changes 2022-03-05 19:34:28 +03:00
github-actions[bot] (Migrated from github.com) approved these changes 2022-03-06 09:48:35 +03:00
Sign in to join this conversation.
Reviewers
No Reviewers
vtolstov
github-actions[bot]
Labels
Clear labels
Kind/Breaking
Breaking change that won't be backward compatible
Kind/Bug
Something is not working
Kind/Documentation
Documentation changes
Kind/Enhancement
Improve existing functionality
Kind/Feature
New functionality
Kind/Security
This is security issue
Kind/Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
atolstikhin devstigneev pugnack vtolstov
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unistack-org/micro-logger-service#67
No description provided.
Delete Branch "dependabot/github_actions/dependabot/fetch-metadata-1.3.0"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?