V1.3.0 release notes

[brrygrdn]

Highlights

🆕 Fetch additional metadata about Dependabot commits

You can now optionally enable API lookups within the Action to retrieve extra information about Dependabot PRs.

Example:

-- .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.0
      with:
        alert-lookup: true
        compat-lookup: true

The flags enable the following new outputs:

• steps.dependabot-metadata.outputs.alert-state
  • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
• steps.dependabot-metadata.outputs.ghsa-id
  • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
• steps.dependabot-metadata.outputs.cvss
  • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
• steps.dependabot-metadata.outputs.compatibility-score
  • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).

Many thanks to @mwaddell for contributing these additional flags 🥇

The Action no longer fails if other commits are present

We received feedback at this change was highly obtrusive and blocking common workflows that merging in the target branch. Following on from changes in 1.2.1 to make it easier for a user to re-run failed workflows this friction was much more obvious.

Thanks for the feedback, and thanks @mwaddell for contributing the change.

The Action defaults to using the GITHUB_TOKEN

This makes us consistent with other GitHub Actions such as actions/checkout in using the baseline token provided to the workflow. Since the Action doesn't have any features which require write scopes this defaulting is adequate for all use cases.

Thanks @jablko for contributing this change 🏆

What's Changed

• Flag security alerts and pass versions through by @mwaddell in Flag security alerts and pass versions through #144
• Updated bump-version to update README.md as well by @mwaddell in Updated bump-version to update README.md as well #163
• Updated README to reference correct version by @mwaddell in Updated README to reference correct version #165
• Allow fetch-metadata to run on a PR even if it has additional commits… by @mwaddell in Allow fetch-metadata to run on a PR even if it has additional commits… #166
• Default github-token by @jablko in Default github-token #83
• Return compatibility score by @mwaddell in Return compatibility score #146

New Contributors

• @jablko made their first contribution in Default github-token #83

Full Changelog: v1.2.1...v1.3.0