Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve error messages for external config files #330

Merged
merged 11 commits into from Nov 16, 2022

Conversation

febuiles
Copy link
Collaborator

@febuiles febuiles commented Nov 15, 2022

We're currently showing the wrong error message (can't fetch config file) whenever the external config file cannot be parsed. This issue was surfaced in this PR comment.

This PR corrects the behavior of comma-separated lists in both inline and external config files, it also updates the error messages to move closer to the user expectations.

@febuiles febuiles requested a review from a team as a code owner November 15, 2022 06:51
src/config.ts Outdated
// handle the case where the user has a singe or invalid license
// in the config file
if (typeof licenses === 'string') {
validateLicenses(key, [licenses])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intended to treat the whole provided value as one license? This might be confusing in the case of the reported issue. Or maybe we should just throw an error for non list values provided 🤔

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original comment had this structure for an external config file:

allow-licenses: FOO, BAR, BAZ, BLA

In YAML that is equal to allow-licenses: "FOO, BAR, BAZ, BLA" which is indeed one license.

I think the confusion stems from the fact that in the inline configuration you can provide a list by using commas (GitHub Actions don't support array-like inputs), while the external config file expect YAML lists.

Now that you bring this up I'm noticing that I'm likely blowing up our inline license parsing with this change and I need to make some changes, right? 😅

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd thought bit would only impact the config file parsing and yes, now I see the source of confusion you pointed out

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the confusion stems from the fact that in the inline configuration you can provide a list by using commas (GitHub Actions don't support array-like inputs), while the external config file expect YAML lists.

@febuiles I think that's definitely a problem; we should not have a discrepancy between the inline configuration and the external configuration. Is there anything stopping us from parsing the external configuration in the same way as we parse the inline configuration, while also allowing YAML arrays?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hmaurer I just did a quick read of the SPDX license names guidelines and they specifically ask not to use commas in the full name/ID. I think supporting the same format with commas for both config options is what makes sense here.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This went from being a "Fix an error message" PR to "Fix lists and also an error messages". I've updated the PR description and cleaned up the code a bit to account for the cases where we have comma-separated lists in external configs.

const invalid_licenses = licenses.filter(license => !isSPDXValid(license))

if (invalid_licenses.length > 0) {
throw new Error(
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the formatting since it was making it hard to debug failures. This resulted in a couple of changes in the tests where we perform string comparisons.

@febuiles
Copy link
Collaborator Author

@cnagadya @hmaurer I've updated the PR to add support for inline config lists, would appreciate another review.

Copy link
Contributor

@cnagadya cnagadya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, great job also adding the other listy fields 🥳

# Conflicts:
#	dist/index.js.map
@febuiles febuiles merged commit ea0f469 into main Nov 16, 2022
karfau pushed a commit to xmldom/xmldom that referenced this pull request Sep 29, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | major | `v2.5.1` -> `v3.1.0` |

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://togithub.com/oerd) in
[actions/dependency-review-action#551

#### New Contributors

- [@&#8203;oerd](https://togithub.com/oerd) made their first
contribution in
[actions/dependency-review-action#551

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

###
[`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://togithub.com/sgmurphy) in
[actions/dependency-review-action#540

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://togithub.com/sgmurphy) made their first
contribution in
[actions/dependency-review-action#540

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

###
[`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7):
3.0.7

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7)

#### What's Changed

- Make GHES support / setup more clear by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[actions/dependency-review-action#534
- Add an option to deny packages or groups of packages by
[@&#8203;adrienpessu](https://togithub.com/adrienpessu) in
[actions/dependency-review-action#544

#### New Contributors

- [@&#8203;rajbos](https://togithub.com/rajbos) made their first
contribution in
[actions/dependency-review-action#534
- [@&#8203;adrienpessu](https://togithub.com/adrienpessu) made their
first contribution in
[actions/dependency-review-action#544

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.7

###
[`v3.0.6`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.6):
3.0.6

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6)

Fixes a bug introduced in 3.0.5 where we raised PURL errors when
Dependency Graph returns an empty `package_url`.

###
[`v3.0.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.5):
3.0.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5)

#### What's Changed

Thanks to [@&#8203;theztefan](https://togithub.com/theztefan), we now
have a new `allow-dependencies-licenses` option that takes a list of
dependencies that will be excluded from license checks. See the
[configuration
options](https://togithub.com/actions/dependency-review-action#configuration-options)
for more information on how to use it.

- Exclude dependencies from license checks by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[actions/dependency-review-action#423
- Documentation examples by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[actions/dependency-review-action#423
- Show snapshot warnings in the summary by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[actions/dependency-review-action#439
- Fix default values for fail-on-severity by
[@&#8203;febuiles](https://togithub.com/febuiles) in
[actions/dependency-review-action#451
-   Updated dependencies.

#### New Contributors

- [@&#8203;juxtin](https://togithub.com/juxtin) made their first
contribution in
[actions/dependency-review-action#439
- [@&#8203;theztefan](https://togithub.com/theztefan) made their first
contribution in
[actions/dependency-review-action#423

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.5

###
[`v3.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.4):
3.0.4

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4)

#### What's New?

The Action can now publish a comment in the pull request if the
`comment-summary-in-pr` option is set. More information can be found in
the
[README](https://togithub.com/actions/dependency-review-action#configuration-options).

#### New Contributors

- [@&#8203;davelosert](https://togithub.com/davelosert) made their first
contribution in
[actions/dependency-review-action#393

#### Changelog

- Write Summary as comment to the pull request by
[@&#8203;davelosert](https://togithub.com/davelosert) in
[actions/dependency-review-action#393
- Adjust summary format by
[@&#8203;davelosert](https://togithub.com/davelosert) in
[actions/dependency-review-action#416
-   Security updates.

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.4

###
[`v3.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.3):
3.0.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3)

#### What's Changed

- Use cache in check-dist.yml by
[@&#8203;jongwooo](https://togithub.com/jongwooo) in
[actions/dependency-review-action#359
- Fix Dependency Review API response error handling by
[@&#8203;felickz](https://togithub.com/felickz) in
[actions/dependency-review-action#370
-   Security updates

#### New Contributors

- [@&#8203;jongwooo](https://togithub.com/jongwooo) made their first
contribution in
[actions/dependency-review-action#359
- [@&#8203;felickz](https://togithub.com/felickz) made their first
contribution in
[actions/dependency-review-action#370

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.3

###
[`v3.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.2):
3.0.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2)

This release fixes spelling errors
[actions/dependency-review-action#348
and upgrades dependencies to fix known vulnerabilities

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.2

###
[`v3.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.1):
3.0.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.0...v3.0.1)

This release contains the following bugfixes:

- Fixing API URL for GHES:
[actions/dependency-review-action#331
- Improve list handling for external config files:
[actions/dependency-review-action#330

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.1

###
[`v3.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.0):
3.0.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.1...v3.0.0)

#### Breaking Changes

By default the action now expects [SPDX-compliant
licenses](https://spdx.org/licenses/) everywhere. If you were previously
using license names in the allow or deny lists make sure they're valid!

#### What's Changed

##### Support for external configuration files

You can now specify a [configuration file external to your
repository](https://togithub.com/actions/dependency-review-action/#configuration-file).
This allows organizations to have a single configuration file for all
their repos.

##### Broader license support

We've added support for a much broader set of project licenses by using
GitHub's [Licenses API](https://docs.github.com/en/rest/licenses).

##### SPDX Compliance

All of our license-related code now expects [SPDX-compliant licenses or
expressions](https://spdx.org/licenses/). This allows us to standardize
on a license naming scheme that already supports `OR`/`AND` expressions.

##### Disable individual checks

You can now use the boolean options `license-check` and
`vulnerability-check` to disable either one of the checks. More
information in [our configuration
options](https://togithub.com/actions/dependency-review-action/#configuration-options).

#### Thanks

Contributors for this release include:

-   [@&#8203;cnagadya](https://togithub.com/cnagadya)
-   [@&#8203;courtneycl](https://togithub.com/courtneycl)
-   [@&#8203;ericcornelissen](https://togithub.com/ericcornelissen)
-   [@&#8203;elireisman](https://togithub.com/elireisman)
-   [@&#8203;hmaurer](https://togithub.com/hmaurer)

Thanks everyone!
**Full Changelog**:
actions/dependency-review-action@v2...v3.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/xmldom/xmldom).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYXN0ZXIifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Racer159 pushed a commit to defenseunicorns/zarf that referenced this pull request Feb 20, 2024
)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/dependency-review-action](https://togithub.com/actions/dependency-review-action)
| action | major | `v2.5.1` -> `v4.1.3` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3):
4.1.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3)

Fixes a bug in 4.1.2 that would introduce comments in every pull
request, regardless of the user's configuration (see
[actions/dependency-review-action#697).

**Full Changelog**:
actions/dependency-review-action@v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2):
4.1.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2)

#### What's Changed

- Expose dependency comment content by
[@&#8203;jsoref](https://togithub.com/jsoref) in
[actions/dependency-review-action#696

**Full Changelog**:
actions/dependency-review-action@v4.1.1...v4.1.2

###
[`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1):
4.1.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1)

#### What's Changed

- Bump `undici` to fix
[GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.11.17 to 20.11.19 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#693

**Full Changelog**:
actions/dependency-review-action@v4.1.0...v4.1.1

###
[`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0):
4.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0)

#### What's Changed

- Add `warn-only` by [@&#8203;tgrall](https://togithub.com/tgrall) in
[actions/dependency-review-action#432

Added a new configuration option (`warn-only`, boolean) that makes the
action always succeed while still displaying found vulnerabilities in
the log.

- Create stale.yaml by
[@&#8203;jonjanego](https://togithub.com/jonjanego) in
[actions/dependency-review-action#671
- Use manual codeql config by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[actions/dependency-review-action#678
- Multiple dependency updates (see the changelog below for more
information)

#### New Contributors

- [@&#8203;jonjanego](https://togithub.com/jonjanego) made their first
contribution in
[actions/dependency-review-action#671
- [@&#8203;tgrall](https://togithub.com/tgrall) made their first
contribution in
[actions/dependency-review-action#432

**Full Changelog**:
actions/dependency-review-action@v4...v4.1.0

###
[`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0)

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0)

- Update action to Node 20 by
[@&#8203;takost](https://togithub.com/takost) in
[actions/dependency-review-action#639
-   Dependabot updates, see the full changelog for more details.

#### New Contributors

- [@&#8203;takost](https://togithub.com/takost) made their first
contribution in
[actions/dependency-review-action#639

**Full Changelog**:
actions/dependency-review-action@v3.1.5...v4.0.0

###
[`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5):
3.1.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5)

#### What's Changed

- Smaller `per_page` when requesting diff by
[@&#8203;hmaurer](https://togithub.com/hmaurer) in
[actions/dependency-review-action#649
-   Update dependencies:
- Bump
[@&#8203;typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
from 6.10.0 to 6.13.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#630
- Bump prettier from 3.0.3 to 3.1.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#629
- Bump [@&#8203;types/jest](https://togithub.com/types/jest) from 29.5.8
to 29.5.11 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#637
- Bump nodemon from 3.0.1 to 3.0.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#636
- Replace pip -> pypi in PURL examples by
[@&#8203;febuiles](https://togithub.com/febuiles) in
[actions/dependency-review-action#638
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
from 6.12.0 to 6.15.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#644
- Bump eslint from 8.53.0 to 8.56.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#640
- Bump
[@&#8203;typescript-eslint/parser](https://togithub.com/typescript-eslint/parser)
from 6.13.1 to 6.16.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#645
- Bump prettier from 3.1.0 to 3.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#646

**Full Changelog**:
actions/dependency-review-action@v3.1.4...v3.1.5

###
[`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4):
3.1.4

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4)

#### What's Changed

- Fixed a
[bug](https://togithub.com/actions/dependency-review-action/issues/618)
with severity filtering when using the `allow_ghsas` option:
[actions/dependency-review-action#623.

-   Updates dependencies:
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
16.18.61 to 16.18.62 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#619
        action/pull/620
- Bump
[@&#8203;typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin)
from 6.11.0 to 6.12.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#625
- Bump typescript from 5.2.2 to 5.3.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[actions/dependency-review-action#624

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.4

###
[`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3):
3.1.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3)

#### What's Changed

- Fixes purl "version must be percent-encoded" by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[actions/dependency-review-action#617

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.3

###
[`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2):
3.1.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2)

#### What's Changed

- Fix a regression for setups using self-hosted runners behind HTTP
proxies:[@&#8203;febuiles](https://togithub.com/febuiles) in
[actions/dependency-review-action#611

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.2

###
[`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1):
3.1.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1)

#### What's Changed

- Update a bunch of dependencies, including major version upgrades for
`octokit`, `@actions/github` and `typescript`.

**Full Changelog**:
actions/dependency-review-action@v3.1.0...v3.1.1

###
[`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0):
3.1.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency
submission
API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together).
This includes two new configuration parameters:
`retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by
[@&#8203;oerd](https://togithub.com/oerd) in
[actions/dependency-review-action#551

#### New Contributors

- [@&#8203;oerd](https://togithub.com/oerd) made their first
contribution in
[actions/dependency-review-action#551

**Full Changelog**:
actions/dependency-review-action@v3...v3.1.0

###
[`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8):
3.0.8

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by
[@&#8203;sgmurphy](https://togithub.com/sgmurphy) in
[actions/dependency-review-action#540

Previous configuration files using `true`/`false` for
`comment-summary-in-pr` will be mapped automatically to the new values,
but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@&#8203;sgmurphy](https://togithub.com/sgmurphy) made their first
contribution in
[actions/dependency-review-action#540

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.8

###
[`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7):
3.0.7

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7)

#### What's Changed

- Make GHES support / setup more clear by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[actions/dependency-review-action#534
- Add an option to deny packages or groups of packages by
[@&#8203;adrienpessu](https://togithub.com/adrienpessu) in
[actions/dependency-review-action#544

#### New Contributors

- [@&#8203;rajbos](https://togithub.com/rajbos) made their first
contribution in
[actions/dependency-review-action#534
- [@&#8203;adrienpessu](https://togithub.com/adrienpessu) made their
first contribution in
[actions/dependency-review-action#544

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.7

###
[`v3.0.6`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.6):
3.0.6

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6)

Fixes a bug introduced in 3.0.5 where we raised PURL errors when
Dependency Graph returns an empty `package_url`.

###
[`v3.0.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.5):
3.0.5

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5)

#### What's Changed

Thanks to [@&#8203;theztefan](https://togithub.com/theztefan), we now
have a new `allow-dependencies-licenses` option that takes a list of
dependencies that will be excluded from license checks. See the
[configuration
options](https://togithub.com/actions/dependency-review-action#configuration-options)
for more information on how to use it.

- Exclude dependencies from license checks by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[actions/dependency-review-action#423
- Documentation examples by
[@&#8203;theztefan](https://togithub.com/theztefan) in
[actions/dependency-review-action#423
- Show snapshot warnings in the summary by
[@&#8203;juxtin](https://togithub.com/juxtin) in
[actions/dependency-review-action#439
- Fix default values for fail-on-severity by
[@&#8203;febuiles](https://togithub.com/febuiles) in
[actions/dependency-review-action#451
-   Updated dependencies.

#### New Contributors

- [@&#8203;juxtin](https://togithub.com/juxtin) made their first
contribution in
[actions/dependency-review-action#439
- [@&#8203;theztefan](https://togithub.com/theztefan) made their first
contribution in
[actions/dependency-review-action#423

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.5

###
[`v3.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.4):
3.0.4

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4)

#### What's New?

The Action can now publish a comment in the pull request if the
`comment-summary-in-pr` option is set. More information can be found in
the
[README](https://togithub.com/actions/dependency-review-action#configuration-options).

#### New Contributors

- [@&#8203;davelosert](https://togithub.com/davelosert) made their first
contribution in
[actions/dependency-review-action#393

#### Changelog

- Write Summary as comment to the pull request by
[@&#8203;davelosert](https://togithub.com/davelosert) in
[actions/dependency-review-action#393
- Adjust summary format by
[@&#8203;davelosert](https://togithub.com/davelosert) in
[actions/dependency-review-action#416
-   Security updates.

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.4

###
[`v3.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.3):
3.0.3

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3)

#### What's Changed

- Use cache in check-dist.yml by
[@&#8203;jongwooo](https://togithub.com/jongwooo) in
[actions/dependency-review-action#359
- Fix Dependency Review API response error handling by
[@&#8203;felickz](https://togithub.com/felickz) in
[actions/dependency-review-action#370
-   Security updates

#### New Contributors

- [@&#8203;jongwooo](https://togithub.com/jongwooo) made their first
contribution in
[actions/dependency-review-action#359
- [@&#8203;felickz](https://togithub.com/felickz) made their first
contribution in
[actions/dependency-review-action#370

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.3

###
[`v3.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.2):
3.0.2

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2)

This release fixes spelling errors
[actions/dependency-review-action#348
and upgrades dependencies to fix known vulnerabilities

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.2

###
[`v3.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.1):
3.0.1

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.0...v3.0.1)

This release contains the following bugfixes:

- Fixing API URL for GHES:
[actions/dependency-review-action#331
- Improve list handling for external config files:
[actions/dependency-review-action#330

**Full Changelog**:
actions/dependency-review-action@v3...v3.0.1

###
[`v3.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.0):
3.0.0

[Compare
Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.1...v3.0.0)

#### Breaking Changes

By default the action now expects [SPDX-compliant
licenses](https://spdx.org/licenses/) everywhere. If you were previously
using license names in the allow or deny lists make sure they're valid!

#### What's Changed

##### Support for external configuration files

You can now specify a [configuration file external to your
repository](https://togithub.com/actions/dependency-review-action/#configuration-file).
This allows organizations to have a single configuration file for all
their repos.

##### Broader license support

We've added support for a much broader set of project licenses by using
GitHub's [Licenses API](https://docs.github.com/en/rest/licenses).

##### SPDX Compliance

All of our license-related code now expects [SPDX-compliant licenses or
expressions](https://spdx.org/licenses/). This allows us to standardize
on a license naming scheme that already supports `OR`/`AND` expressions.

##### Disable individual checks

You can now use the boolean options `license-check` and
`vulnerability-check` to disable either one of the checks. More
information in [our configuration
options](https://togithub.com/actions/dependency-review-action/#configuration-options).

#### Thanks

Contributors for this release include:

-   [@&#8203;cnagadya](https://togithub.com/cnagadya)
-   [@&#8203;courtneycl](https://togithub.com/courtneycl)
-   [@&#8203;ericcornelissen](https://togithub.com/ericcornelissen)
-   [@&#8203;elireisman](https://togithub.com/elireisman)
-   [@&#8203;hmaurer](https://togithub.com/hmaurer)

Thanks everyone!
**Full Changelog**:
actions/dependency-review-action@v2...v3.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMDAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIwMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants