Add outputs for the changes data

.github/workflows/dependency-review.yml

@@ -10,5 +10,39 @@ jobs:
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
-      - name: Dependency Review
+
+      - name: 'Dependency Review'
         uses: actions/dependency-review-action@main
+        id: review
+
+      - name: 'Check comment-content output'
+        if: always()
+        env:
+          COMMENT: ${{ steps.review.outputs.comment-content }}
+        run: |
+          test -n "$COMMENT"
+          echo "$COMMENT"
+
+      - name: 'Check dependency-changes output'
+        if: always()
+        env:
+          DEPENDENCY_CHANGES: ${{ steps.review.outputs.dependency-changes }}
+        run: echo "$DEPENDENCY_CHANGES" | jq
+
+      - name: 'Check vulnerable-changes output'
+        if: always()
+        env:
+          VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
+        run: echo "$VULNERABLE_CHANGES" | jq
+
+      - name: 'Check invalid-license-changes output'
+        if: always()
+        env:
+          LICENSE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
+        run: echo "$LICENSE_CHANGES" | jq
+
+      - name: 'Check denied-changes output'
+        if: always()
+        env:
+          DENIED_CHANGES: ${{ steps.review.outputs.denied-changes }}
+        run: echo "$DENIED_CHANGES" | jq

README.md

@@ -159,7 +159,14 @@ The Dependency Review GitHub Action check will only block a pull request from be
 
 ## Outputs
 
-`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
+- `comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
+- `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration:
+  - `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
+  - `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
+  - `denied-changes` holds information about denied dependency changes in a JSON format.
+
+> [!NOTE]
+> Action outputs [have a size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions): outputs are Unicode strings, and can be a maximum of 1MB
 
 ## Getting help
 

action.yml

@@ -68,6 +68,14 @@ inputs:
 outputs:
   comment-content:
     description: Prepared dependency report comment
+  dependency-changes:
+    description: All dependency changes (JSON)
+  vulnerable-changes:
+    description: Vulnerable dependency changes (JSON)
+  invalid-license-changes:
+    description: Invalid license dependency changes (JSON)
+  denied-changes:
+    description: Denied dependency changes (JSON)
 
 runs:
   using: 'node20'

docs/examples.md

@@ -166,7 +166,8 @@ jobs:
 
 ## Getting the results of the action in a later step
 
-Using the `comment-content` output you can get the results of the action in a workflow step.
+- Using the `comment-content` output you can get the results of the action in a workflow step.
+- Using other outputs like `dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` you can get the results of the action in JSON format and use them in a programmatic way.
 
 ```yaml
 name: 'Dependency Review'
@@ -190,12 +191,20 @@ jobs:
           deny-licenses: LGPL-2.0, BSD-2-Clause
       - name: 'Report'
         # make sure this step runs even if the previous failed
-        if: ${{ failure() && steps.review.conclusion == 'failure' }}
+        if: always()
         shell: bash
         env:
-          comment: ${{ steps.review.outputs.comment-content }}
-        run: |
-          echo "$comment"  # do something with the comment
+          COMMENT: ${{ steps.review.outputs.comment-content }}
+        run: | # do something with the comment:
+          echo "$COMMENT"
+      - name: 'List vulnerable dependencies'
+        # make sure this step runs even if the previous failed
+        if: always()
+        shell: bash
+        env:
+          VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
+        run: | # do something with the JSON:
+          echo "$VULNERABLE_CHANGES" | jq '.[].package_url'
 ```
 
 ## Exclude dependencies from the license check

src/main.ts

@@ -130,18 +130,25 @@ async function run(): Promise<void> {
     }
 
     if (config.vulnerability_check) {
+      core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
       summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
       printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
     }
     if (config.license_check) {
+      core.setOutput(
+        'invalid-license-changes',
+        JSON.stringify(invalidLicenseChanges)
+      )
       summary.addLicensesToSummary(invalidLicenseChanges, config)
       printLicensesBlock(invalidLicenseChanges, warnOnly)
     }
     if (config.deny_packages || config.deny_groups) {
+      core.setOutput('denied-changes', JSON.stringify(deniedChanges))
       summary.addDeniedToSummary(deniedChanges)
       printDeniedDependencies(deniedChanges, config)
     }
 
+    core.setOutput('dependency-changes', JSON.stringify(changes))
     summary.addScannedDependencies(changes)
     printScannedDependencies(changes)
     await commentPr(core.summary, config)