Expose dependency comment content

actions · Feb 19, 2024 · 64f81cd · 64f81cd
1 parent 0ca1f60
commit 64f81cd
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -157,6 +157,10 @@ For more examples of how to use this action and its configuration options, see t
 
 The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
 
+## Outputs
+
+`comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
+
 ## Getting help
 
 If you have bug reports, questions or suggestions please [create a new issue](https://github.com/actions/dependency-review-action/issues/new/choose).

diff --git a/action.yml b/action.yml
@@ -65,6 +65,9 @@ inputs:
     description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
     required: false
     default: false
+outputs:
+  comment-content:
+    description: Prepared dependency report comment
 
 runs:
   using: 'node20'

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/docs/examples.md b/docs/examples.md
@@ -164,6 +164,37 @@ jobs:
           comment-summary-in-pr: always
 ```
 
+## Getting the results of the action in a later step
+
+Using the `comment-content` output you can get the results of the action in a workflow step.
+
+```yaml
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        id: review
+        uses: actions/dependency-review-action@main
+        with:
+          fail-on-severity: critical
+          deny-licenses: LGPL-2.0, BSD-2-Clause
+      - name: 'Report'
+        shell: bash
+        env:
+          comment: ${{ steps.review.outputs.comment-content }}
+        run: |
+          echo "$comment"
+```
+
 ## Exclude dependencies from the license check
 
 Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.

diff --git a/src/comment-pr.ts b/src/comment-pr.ts
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
 import * as githubUtils from '@actions/github/lib/utils'
 import * as retry from '@octokit/plugin-retry'
 import {RequestError} from '@octokit/request-error'
+import {ConfigurationOptions} from './schemas'
 
 const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
 const octo = new retryingOctokit(
@@ -12,15 +13,30 @@ const octo = new retryingOctokit(
 // Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
 const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
 
-export async function commentPr(summary: typeof core.summary): Promise<void> {
+export async function commentPr(
+  summary: typeof core.summary,
+  config: ConfigurationOptions
+): Promise<void> {
+  const commentContent = summary.stringify()
+
+  core.setOutput('comment-content', commentContent)
+
+  if (
+    config.comment_summary_in_pr !== 'always' &&
+    config.comment_summary_in_pr === 'on-failure' &&
+    process.exitCode !== core.ExitCode.Failure
+  ) {
+    return
+  }
+
   if (!github.context.payload.pull_request) {
     core.warning(
       'Not in the context of a pull request. Skipping comment creation.'
     )
     return
   }
 
-  const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
+  const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
 
   try {
     const existingCommentId = await findCommentByMarker(COMMENT_MARKER)

diff --git a/src/main.ts b/src/main.ts
@@ -144,13 +144,7 @@ async function run(): Promise<void> {
 
     summary.addScannedDependencies(changes)
     printScannedDependencies(changes)
-    if (
-      config.comment_summary_in_pr === 'always' ||
-      (config.comment_summary_in_pr === 'on-failure' &&
-        process.exitCode === core.ExitCode.Failure)
-    ) {
-      await commentPr(core.summary)
-    }
+    await commentPr(core.summary, config)
   } catch (error) {
     if (error instanceof RequestError && error.status === 404) {
       core.setFailed(