Merge branch 'main' into WillDaSilva-main.

Took the time to tweak the README. # Conflicts: # README.md # dist/index.js.map
actions · Aug 18, 2022 · 54af7c7 · 54af7c7
2 parents 15d1857 + f2e57a1
commit 54af7c7
Show file tree

Hide file tree

Showing 6 changed files with 2,519 additions and 1,566 deletions.
diff --git a/README.md b/README.md
@@ -1,13 +1,16 @@
 # dependency-review-action
 
-This action scans your pull requests for dependency changes and will raise an error if any dependencies introduced/updated between the head and base ref have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
+This action scans your pull requests for dependency changes, and will
+raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
 
 The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
 
 <img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
 
 ## Installation
 
+**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
+
 1. Add a new YAML workflow to your `.github/workflows` folder:
 
 ```yaml
@@ -27,7 +30,32 @@ jobs:
         uses: actions/dependency-review-action@v2
 ```
 
-Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
+### GitHub Enterprise Server
+
+This action is available in GHES starting with version 3.6. Make sure
+[GitHub Advanced
+Security](https://docs.github.com/en/[email protected]/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
+and [GitHub
+Connect](https://docs.github.com/en/[email protected]/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
+are enabled.
+
+You can use the same workflow as above, replacing the `runs-on` value
+with the label of any of your runners (the default label
+is `self-hosted`):
+
+```yaml
+
+# ...
+
+jobs:
+  dependency-review:
+    runs-on: self-hosted
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v2
+```
 
 ## Configuration
 
@@ -56,7 +84,7 @@ jobs:
           # base-ref: ${{ github.event.pull_request.base.ref }}
           # head-ref: ${{ github.event.pull_request.head.ref }}
           #
-          # You can only include one of these two options: `allow-licenses` and `deny-licenses`
+          # You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES. 
           #
           # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
           # allow-licenses: GPL-3.0, BSD-3-Clause, MIT
@@ -66,8 +94,9 @@ jobs:
 ```
 
 When the workflow with this action is caused by a `pull_request` or `pull_request_target` event,
-the `base-ref` and `head-ref` values have defaults as shown above. If the workflow is caused by
-any other event, the `base-ref` and `head-ref` options must be explicitly set in the config.
+the `base-ref` and `head-ref` values have the defaults as shown above. If the workflow is caused by
+any other event, the `base-ref` and `head-ref` options must be
+explicitly set in the configuration file.
 
 ### Vulnerability Severity
 
@@ -90,7 +119,7 @@ This example will only fail on pull requests with `critical` and `high` vulnerab
 You can set the action to fail on pull requests based on the licenses of the dependencies
 they introduce. With `allow-licenses` you can define the list of licenses
 your repository will accept. Alternatively, you can use `deny-licenses` to only
-forbid a subset of licenses.
+forbid a subset of licenses. These options are not supported on GHES.
 
 You can use the [Licenses
 API](https://docs.github.com/en/rest/licenses) to see the full list of
@@ -115,13 +144,24 @@ to filter. A couple of examples:
 
 **Important**
 
+<<<<<<< HEAD
 - The action will only accept one of the two parameters; an error will
   be raised if you provide both.
 - By default both parameters are empty (no license checking is
   performed).
 - We don't have license information for all of your dependents. If we
   can't detect the license for a dependency **we will inform you, but the
   action won't fail**.
+=======
+* Checking for licenses is not supported on GHES.
+* The action will only accept one of the two parameters; an error will
+be raised if you provide both.
+* By default both parameters are empty (no license checking is
+performed).
+* We don't have license information for all of your dependents. If we
+can't detect the license for a dependency **we will inform you, but the
+action won't fail**.
+>>>>>>> main
 
 ## Blocking pull requests