remote config file setting not getting set/used

[Gomer05]

Setting up dependancy-review to use an external repo for its config.
I can't get the config file settings to actually be used/applied
I have confirmed that the repo is accessable and the config file is being loaded by changing the name of the config file to something that doesn't exist and got an error: "Error: Unable to fetch or parse config file: Error fetching remote config file"
Putting a bad, yaml syntax also generates an error:
Unable to fetch or parse config file: Implicit keys need to be on a single line at line 3, column 1: # Possible values: "critical", "high", "moderate", "low" this-is-notused-bad ^

But no matter what setting I put in the config.yml dependancy-review always reports using its default settings, "fail-on-severity: low", "fail-on-scopes: runtime" not the settings in the config file.

Config that we are testing with, remote repo with the following config:

fail-on-severity: 'critical'
fail-on-scopes:
  - development
  - runtime

Repo that will be using the above config:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        with:
          config-file: 'org/sec-github-actions-config/dependancy-review/config.yml@master'
          external-repo-token: ${{ secrets.SEC_DEPENDANCY_REVIEW }}

But when the action runs it always reports the following in the action:

Run actions/dependency-review-action@v3
  with:
    config-file: org/sec-github-actions-config/dependancy-review/config.yml@master
    external-repo-token: ***
    repo-token: ***
    fail-on-severity: low
    fail-on-scopes: runtime

So my custom setting are not being used/applied but I get no error loading/parsing the file. Running the action in debug mode didn't give any extra info/errors.

I'm testing with a Pipfile that only has a 'high' issue in it related to the lxml package.

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[[source]]

[dev-packages]

[packages]
python-json-logger = "==2.0.1"
lxml = "==4.6.1"
boto3 = "*"

[requires]
python_version = "3.8"

Any ideas on what am I missing/doing wrong?

[febuiles]

Hi @Gomer05. Thank you for the report. I have been able to reproduce it. Here's the failing log: https://github.com/future-funk/studious-giggle/actions/runs/4341088504/jobs/7580269884. I'll take a look at the soon.

Reproduction steps

I created a new repo. Its config file points to future-funk/miniature-waddle , the repo containing the actual configuration.

Expected behavior

The output of the run containing fail-on-severity: critical, the value specified in the external config.

Current behavior
We're outputting (and scanning) the action's default values (fail-on-severity: low).

[febuiles]

@Gomer05 This should be fixed now in the main branch, and will make it to the next release, thanks again for the report!

If you want to test it works, you can replace the v3 for main in your workflow file, e.g.

        uses: actions/dependency-review-action@main

Something to note: The documentation was updated with some mistakes in another PR. I've changed it back, it but it's not super clear so here it goes again: key names in external config files should use underscores (_), not dashes (-). This means that the external configuration file keys should read like fail_on_severity, not fail-on-severity. I'll get back to fixing this in another PR (unless you want to open one first! 😅)