
Bump dependabot/fetch-metadata from 1.1.1 to 1.3.0

Created by: dependabot[bot]

Bumps dependabot/fetch-metadata from 1.1.1 to 1.3.0.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v1.3.0 - Fetch additional metadata via the GitHub API

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.3.0
        with:
          alert-lookup: true
          compat-lookup: true

The flags enable the following new outputs:

  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback that this change was highly obtrusive and was blocking common workflows that merge in the target branch. Following on from the changes in 1.2.1 to make it easier for a user to re-run failed workflows, this friction was much more obvious.

Thanks for the feedback, and thanks @mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.

Thanks @jablko for contributing this change 🏆

What's Changed

... (truncated)

Commits
  • a96c30f Merge pull request #170 from dependabot/v1.3.0-release-notes
  • 11d3bb7 v1.3.0
  • 0ca01a5 Merge pull request #146 from pangaeatech/get_compat_score
  • f4b2d0d Merge pull request #83 from jablko/patch-1
  • 26e18ca Merge branch 'main' into patch-1
  • a30bbbb Merge pull request #166 from pangaeatech/allow-other-commits
  • 9a3daaf linting
  • 4a87565 Allow fetch-metadata to run on a PR even if it has additional commits, as lon...
  • 749688a Merge pull request #165 from pangaeatech/update_readme
  • 592101e Updated README to reference correct version
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
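An added example of putting the v1.3.0 alert-lookup and compat-lookup outputs to use (this is not part of the release notes or of the fetch-metadata project): a workflow that labels Dependabot PRs fixing an open security alert, fails the job for high-severity alerts so branch protection forces a human review, and only enables auto-merge for non-security updates with a good compatibility score. The label names, the CVSS threshold of 7.0 and the compatibility-score threshold of 90 are assumptions chosen for illustration.

```yaml
# Added example, not code from the fetch-metadata release notes or the project.
# Label names and the 7.0 / 90 thresholds below are assumptions for illustration.
name: Dependabot security gate
on: pull_request_target
permissions:
  contents: write        # needed for `gh pr merge --auto`
  pull-requests: write   # needed for `gh pr edit --add-label`
jobs:
  gate:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.3.0
        with:
          alert-lookup: true
          compat-lookup: true
      - name: Label PRs that fix an open security alert
        if: steps.dependabot-metadata.outputs.alert-state == 'OPEN'
        run: gh pr edit "$PR_URL" --add-label "security-fix"
      - name: Block auto-merge for high-severity alerts (CVSS >= 7.0)
        if: >-
          steps.dependabot-metadata.outputs.alert-state == 'OPEN' &&
          fromJSON(steps.dependabot-metadata.outputs.cvss) >= 7.0
        env:
          GHSA_ID: ${{ steps.dependabot-metadata.outputs.ghsa-id }}
          CVSS: ${{ steps.dependabot-metadata.outputs.cvss }}
        run: |
          gh pr edit "$PR_URL" --add-label "needs-security-review"
          # Failing the job makes a required status check red, so auto-merge cannot proceed.
          echo "::error::$GHSA_ID has CVSS $CVSS; a human review is required"
          exit 1
      - name: Auto-merge non-security updates with a good compatibility score
        if: >-
          steps.dependabot-metadata.outputs.alert-state != 'OPEN' &&
          fromJSON(steps.dependabot-metadata.outputs.compatibility-score) >= 90
        run: gh pr merge --auto --squash "$PR_URL"
```

The metadata values are passed to the shell through `env:` rather than interpolated into `run:` so that no output text is ever expanded inside the script itself.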
