Dependency Review ジョブが失敗したら、PR にコメントする #96
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
masutaka
commented
Feb 20, 2025
| inputs: | ||
| comment-summary-in-pr: | ||
| description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests | ||
| default: on-failure |
There was a problem hiding this comment.
actions/dependency-review-action のデフォルト never です。
https://github.com/actions/dependency-review-action/blob/v4.5.0/README.md?plain=1#L113
route06/actions/.github/workflows/dependency_review.yml を使うと、デフォルトで PR にコメントしてくれますが、permissions の設定が必要になりました。
Merged
masutaka
added a commit
to masutaka/github-nippou
that referenced
this pull request
Mar 4, 2025
masutaka
added a commit
to masutaka/masutaka-feed
that referenced
this pull request
Mar 5, 2025
masutaka
added a commit
to masutaka/compare_linker
that referenced
this pull request
Mar 5, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
変更概要
.github/workflows/dependency_review.yml デフォルトで、PR にコメントするようにしました。
そのためにはユーザー側で permissions を設定する必要があるため、破壊的な変更とは言えないまでも、近い変更にはなっています。
背景
Dependency Review ジョブが失敗すると CI が落ちるので気づくことはできます。
ただ、"▶Vulnerabilities" をクリックしないと分かりません。
🔗 https://github.com/masutaka/sandbox/actions/runs/13430473078/job/37521109378
一方で Summary をクリックすると分かりやすい結果を確認できることは、気づくのが難しいです。
🔗 https://github.com/masutaka/sandbox/actions/runs/13430473078
別な話として、巨大な PR では脆弱性が見つかる以外で Dependency Review ジョブが失敗することがあります。
参考
こんな振る舞いだった。
bracesdependency and update lockfile masutaka/sandbox#104 (comment)1のコメントが編集される1のコメントはそのまま当該コードはこのあたり。
https://github.com/actions/dependency-review-action/blob/v4.5.0/src/comment-pr.ts#L41-L58