Skip to content

nodesource/ncm-report-github-action

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
entrypoint.sh
entrypoint.sh
 
 

Repository files navigation

NCM Report Github Action

NodeSource Certification process

This action generates and prints a project-wide report of directory risk and quality of installed or specified packages.

Inputs

token

Default: <empty>

Required Learn more about obtaining NodeSource service tokens and configuring permissions here. We recommend you using repository Secrets to store this value and use it in the workflow.

long

Default: no

Optional Set yes if you want the report display a list of all modules.

compliance

Default: no

Optional Set yes if you want the report only display non-compliant packages.

security

Default: no

Optional Set yes if you want the report only display packages with vulnerabilities.

github_token

Default: ${{ secrets.GITHUB_TOKEN }}

Required Set to pass the internal GitHub Token for NCM to update the check and make annotations. Use the default value (${{ secrets.GITHUB_TOKEN }}), you don't need to create any token in Secrets for this, GitHub automatically creates and sets this in the Action context.

github_job_name

Default: <empty>

Required You need to set the same name you set to your job. If not, annotations will not be able to be included in your PR or RunCheck.

Example usage

This action can be used in the following scenarios:

  • Default report:
uses: nodesource/ncm-report-github-action@master
with:
  token: ${{ secrets.NCM_TOKEN }}
  github_token: ${{ secrets.GITHUB_TOKEN }}
  github_job_name: N|S -> NCM Pipeline
  • Long version of the report:
uses: nodesource/ncm-report-github-action@master
with:
  token: ${{ secrets.NCM_TOKEN }}
  long: 'yes'
  github_token: ${{ secrets.GITHUB_TOKEN }}
  github_job_name: N|S -> NCM Pipeline
  • Report with compliance only informaiton:
uses: nodesource/ncm-report-github-action@master
with:
  token: ${{ secrets.NCM_TOKEN }}
  compliance: 'yes'
  github_token: ${{ secrets.GITHUB_TOKEN }}
  github_job_name: N|S -> NCM Pipeline
  • Report with package vulnerabilities only informaiton:
uses: nodesource/ncm-report-github-action@master
with:
  token: ${{ secrets.NCM_TOKEN }}
  compliance: 'yes'
  github_token: ${{ secrets.GITHUB_TOKEN }}
  github_job_name: N|S -> NCM Pipeline

To generate the report, NCM needs to get your node_modules folder to analyze and compare data, so, you might need to use more actions to get your code inside the workflow and the dependencies installed. We recommend you using:

- uses: actions/checkout@v2
- run: npm install

Feel free to check the workflow in github/workflows/ncm-report.yml for reference and real world usage example.

About

GitHub Action for NCM

Topics

workflow annotations vulnerabilities ncm

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases 1

GitHub Integration: Code risk, compliance and security action for PRs on Node.js Latest
Mar 30, 2021

Packages

 
 
 

Languages