Action fails to decorate PR when text is too long

[henriquevcosta]

I just ran this action in a repo where the action failed with the error below and no content at all was posted to the workflow.

Would it be possible, in these cases, to leave a PR comment with the semantic of "The dependency review found new vulnerabilities in this change but was unable to display them here. You can see them in the output of the build here: <link to the action output/logs>" ? I know that a failed Check already has some of this semantic, but creating a comment provides a place to centralize discussion and clarity to developers.

Additionally, of course, maybe consider reviewing the output format to get more compact output in these cases by removing the "Scanned manifest files" section or trimming vulnerability descriptions to a fixed number of characters?

Warning: Unable to comment summary to pull-request, received error: Validation Failed: {"resource":"IssueComment","code":"unprocessable","field":"data","message":"Body is too long (maximum is 65536 characters)"}

[febuiles]

@henriquevcosta thanks for the report. Can you post the configuration you're using for the Action?

[henriquevcosta]

@febuiles Please see below. This is in a reusable workflow called from elsewhere, I've left the value of those inputs in comments.

    if: github.event_name == 'pull_request'
    steps:
      - name: Perform dependency review
        uses: actions/dependency-review-action@v4
        with:
          comment-summary-in-pr: on-failure
          license-check: false
          allow-ghsas: ${{ inputs.allow-ghsas }}  #  value: ''
          fail-on-severity: ${{ inputs.fail-severity }}  #  value: 'low'