From cfd751a89418f54f0d3de5735ed380e81d30aafc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Mar 2023 20:27:10 +0000 Subject: [PATCH 1/4] Bump actions/checkout from 2 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8bceb78..fb59aa7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,7 +13,7 @@ jobs: build: # make sure build/ci work properly runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # As of 2023-02-22, the ubuntu-latest image uses npm v8.3.1. This version # has a bug that prevents loading dependency-submission-toolkit in the # 'example/' project. npm v8.4.1 (same version in Codespace created on From f74b035f84f5bfe1faa6621be2468d5bfd44c191 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Justin=20Holgu=C3=ADn?= Date: Thu, 16 Mar 2023 16:37:47 +0000 Subject: [PATCH 2/4] SHA for snapshot depends on the event type --- package-lock.json | 6 ++++ package.json | 1 + src/snapshot.test.ts | 86 ++++++++++++++++++++++++++++++++++++++------ src/snapshot.ts | 31 +++++++++++++++- 4 files changed, 113 insertions(+), 11 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7ee817c..5cbbc56 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -16,6 +16,7 @@
 "@actions/exec": "^1.1.1",
 "@actions/github": "^5.0.0",
 "@octokit/rest": "^18.12.0",
+ "@octokit/webhooks-types": "^6.10.0",
 "openapi-typescript": "^5.2.0",
 "packageurl-js": "0.0.6"
 },
@@ -1314,6 +1315,11 @@
 "@octokit/openapi-types": "^12.11.0"
 }
 },
+ "node_modules/@octokit/webhooks-types": {
+ "version": "6.10.0",
+ "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-6.10.0.tgz",
+ "integrity": "sha512-lDNv83BeEyxxukdQ0UttiUXawk9+6DkdjjFtm2GFED+24IQhTVaoSbwV9vWWKONyGLzRmCQqZmoEWkDhkEmPlw=="
+ },
 "node_modules/@sinonjs/commons": {
 "version": "1.8.6",
 "resolved": "https://registry.npmjs.org/@sinonjs/commons/-/commons-1.8.6.tgz",
diff --git a/package.json b/package.json
index 4fc02d2..c66292e 100644
--- a/package.json
+++ b/package.json
@@ -38,6 +38,7 @@
 "@actions/exec": "^1.1.1",
 "@actions/github": "^5.0.0",
 "@octokit/rest": "^18.12.0",
+ "@octokit/webhooks-types": "^6.10.0",
 "openapi-typescript": "^5.2.0",
 "packageurl-js": "0.0.6"
 },
diff --git a/src/snapshot.test.ts b/src/snapshot.test.ts
index e42b104..50b3e05 100644
--- a/src/snapshot.test.ts
+++ b/src/snapshot.test.ts
@@ -2,7 +2,7 @@
 import { context } from '@actions/github'
 import { Manifest } from './manifest'
 import { PackageCache } from './package-cache'
-import { Snapshot } from './snapshot'
+import { shaFromContext, Snapshot } from './snapshot'
 function roundTripJSON(obj: any): object {
 return JSON.parse(JSON.stringify(obj))
@@ -20,20 +20,16 @@ manifest.addDirectDependency(
 manifest.addIndirectDependency(cache.package('pkg:npm/%40actions/core@1.6.0'))
 // add bogus git data to the context
-context.sha = '0000000000000000000000000000000000000000'
+context.sha = '1000000000000000000000000000000000000000'
 context.ref = 'foo/bar/baz'
 describe('Snapshot', () => {
 it('renders expected JSON', () => {
 const snapshot = new Snapshot(
- {
- name: 'test detector',
- url: 'https://github.com/github/dependency-submission-toolkit',
- version: '0.0.1'
- },
+ exampleDetector,
 context,
- { id: '42', correlator: 'test' },
- new Date('2022-06-04T05:07:06.457Z')
+ exampleJob,
+ exampleDate
 )
 snapshot.addManifest(manifest)
 expect(roundTripJSON(snapshot)).toEqual({
@@ -49,7 +45,7 @@ describe('Snapshot', () => {
 },
 ref: 'foo/bar/baz',
 scanned: '2022-06-04T05:07:06.457Z',
- sha: '0000000000000000000000000000000000000000',
+ sha: '1000000000000000000000000000000000000000',
 manifests: {
 test: {
 resolved: {
@@ -73,4 +69,74 @@ describe('Snapshot', () => {
 }
 })
 })
+
+ it('gets the correct sha from the context when given a pull request', () => {
+ const prContext = context
+ const expectedSha = 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2'
+ prContext.eventName = 'pull_request'
+ prContext.payload.pull_request = {
+ number: 1,
+ head: {
+ sha: expectedSha
+ }
+ }
+
+ const snapshot = new Snapshot(
+ exampleDetector,
+ prContext,
+ exampleJob,
+ exampleDate
+ )
+
+ expect(snapshot.sha).toEqual(expectedSha)
+ })
 })
+
+describe('shaFromContext', () => {
+ it('gets the right sha from the context when given a pull_request event', () => {
+ const expectedSha = '1234567890123456789012345678901234567890'
+ const prContext = context
+ prContext.eventName = 'pull_request'
+ prContext.payload.pull_request = {
+ number: 1,
+ head: {
+ sha: expectedSha
+ }
+ }
+ expect(shaFromContext(prContext)).toEqual(expectedSha)
+ })
+
+ it('gets the right sha from the context when given a pull_request_review event', () => {
+ const expectedSha = 'abcdef1234567890123456789012345678901234'
+ const prReviewContext = context
+ prReviewContext.eventName = 'pull_request_review'
+ prReviewContext.payload.pull_request = {
+ number: 1,
+ head: {
+ sha: expectedSha
+ }
+ }
+ expect(shaFromContext(prReviewContext)).toEqual(expectedSha)
+ })
+
+ it('uses the primary sha from the context when given a push event', () => {
+ const expectedSha = 'def1234567890123456789012345678901234567'
+ const pushContext = context
+ pushContext.eventName = 'push'
+ pushContext.sha = expectedSha
+ expect(shaFromContext(pushContext)).toEqual(expectedSha)
+ })
+})
+
+const exampleDetector = {
+ name: 'test detector',
+ url: 'https://github.com/github/dependency-submission-toolkit',
+ version: '0.0.1'
+}
+
+const exampleJob = {
+ id: '42',
+ correlator: 'test'
+}
+
+const exampleDate = new Date('2022-06-04T05:07:06.457Z')
diff --git a/src/snapshot.ts b/src/snapshot.ts
index 6fb2316..4e50a7c 100644
--- a/src/snapshot.ts
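Review bot: Each new `it` aliases the shared module-level `context` (`const prContext = context`, `const pushContext = context`) and then mutates `eventName`, `payload.pull_request` and `sha` without restoring them, so the suite passes only in file order — the earlier 'renders expected JSON' case, which expects `sha: '1000…'`, would fail if it ran after the push case rewrote `context.sha`, and any later test sees a stale `payload.pull_request`. Restore the shared state after each case, e.g. `afterEach(() => { context.sha = '1000000000000000000000000000000000000000'; delete context.payload.pull_request })` plus resetting `context.eventName` to whatever the module-level setup uses, or build a per-test copy instead of an alias. The `exampleDetector`/`exampleJob`/`exampleDate` constants declared at the bottom are only read inside `it` callbacks, which run after module evaluation, so the temporal dead zone is not hit, but hoisting them above the first `describe` would make that obvious to the next reader.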
+++ b/src/snapshot.ts
@@ -3,6 +3,7 @@ import * as core from '@actions/core'
 import * as github from '@actions/github'
 import { Octokit } from '@octokit/rest'
 import { RequestError } from '@octokit/request-error'
+import { PullRequestEvent } from '@octokit/webhooks-types'
 import { Manifest } from './manifest'
@@ -33,6 +34,34 @@ export function jobFromContext(context: Context): Job {
 }
 }
+/**
+ * shaFromContext returns the sha of the commit that triggered the action, or the head sha of the PR.
+ *
+ * See https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request for more details
+ * about why this function is necessary, but the short reason is that GITHUB_SHA is _not_ necessarily the head sha
+ * of the PR when the event is pull_request (or some other related event types).
+ *
+ * @param {Context} context
+ * @returns {string}
+ */
+export function shaFromContext(context: Context): string {
+ const pullRequestEvents = [
+ 'pull_request',
+ 'pull_request_comment',
+ 'pull_request_review',
+ 'pull_request_review_comment'
+ // Note that pull_request_target is omitted here.
+ // That event runs in the context of the base commit of the PR,
+ // so the snapshot should not be associated with the head commit.
+ ]
+ if (pullRequestEvents.includes(context.eventName)) {
+ const pr = (context.payload as PullRequestEvent).pull_request
+ return pr.head.sha
+ } else {
+ return context.sha
+ }
+}
+
 /**
 * Detector provides metadata details about the detector used to generate the snapshot
 */
@@ -104,7 +133,7 @@ export class Snapshot {
 this.detector = detector
 this.version = version
 this.job = job || jobFromContext(context)
- this.sha = context.sha
+ this.sha = shaFromContext(context)
 this.ref = context.ref
 this.scanned = date.toISOString()
 this.manifests = {}
From 00b48ea5cc7b9b5004562760a89798023be9ec92 Mon Sep 17 00:00:00 2001
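Review bot: `PullRequestEvent` is used only in a type position (the `as PullRequestEvent` cast inside shaFromContext), so the new import should be `import type { PullRequestEvent } from '@octokit/webhooks-types'`; that makes the type-only intent explicit and guarantees the import is erased regardless of the project's isolatedModules/importsNotUsedAsValues settings. For the same reason the package.json hunk, which adds `@octokit/webhooks-types` next to the runtime `@actions/*` packages, probably belongs under devDependencies if that block is `dependencies` — only the neighbouring entries are visible here, so worth confirming.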
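Review bot: The `as PullRequestEvent` cast in shaFromContext asserts unconditionally, so for any listed event whose payload has no `pull_request` (for instance the empty payload @actions/github appears to substitute when the event file cannot be read — verify) `pr.head.sha` throws a TypeError out of the Snapshot constructor instead of degrading; narrow and fall back rather than assert: `const pr = (context.payload as Partial<PullRequestEvent>).pull_request` / `return pr?.head?.sha ?? context.sha`. `'pull_request_comment'` also does not look like a GitHub Actions workflow event name — comments on a pull request are delivered as `issue_comment`, whose payload carries `issue` rather than `pull_request` — so that entry is either unreachable or needs a comment naming the event it is meant to match. The `{Context}`/`{string}` annotations in the new JSDoc restate the TypeScript signature and can be dropped; `@param context` with a short description is enough.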
From: =?UTF-8?q?Justin=20Holgu=C3=ADn?= Date: Thu, 16 Mar 2023 17:11:08 +0000 Subject: [PATCH 3/4] Set the eventName to push in tests --- src/snapshot.test.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/src/snapshot.test.ts b/src/snapshot.test.ts index 50b3e05..ce4b233 100644 --- a/src/snapshot.test.ts +++ b/src/snapshot.test.ts @@ -22,6 +22,7 @@ manifest.addIndirectDependency(cache.package('pkg:npm/%40actions/core@1.6.0')) // add bogus git data to the context context.sha = '1000000000000000000000000000000000000000' context.ref = 'foo/bar/baz' +context.eventName = 'push' describe('Snapshot', () => { it('renders expected JSON', () => { From 698cf4f1ed4e0b05c80db8e88010fdafaa95637f Mon Sep 17 00:00:00 2001 From: Dennis Kaarsemaker Date: Wed, 22 Mar 2023 13:50:42 +0100 Subject: [PATCH 4/4] Drop ops_slack from ownership.yaml The field is deprecated, and you have a slack setting for your sev3 alerts which will be used. --- ownership.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/ownership.yaml b/ownership.yaml index 3524793..f31eae5 100644 --- a/ownership.yaml +++ b/ownership.yaml @@ -16,7 +16,6 @@ ownership: exec_sponsor: jacobdepriest product_manager: courtneycl team_slack: dependency-graph - ops_slack: dg-alerts qos: experimental tier: 3 sev1: pFad - Phonifier reborn
