remote config file setting not getting set/used #422

Closed
Gomer05 opened this issue Mar 6, 2023 · 2 comments · Fixed by #451 · May be fixed by soloinovator/dependency-review-action#34
Labels
bug Something isn't working

Comments


Gomer05 commented Mar 6, 2023

Setting up dependency-review to use an external repo for its config.
I can't get the config file settings to actually be used/applied.
I have confirmed that the repo is accessible and the config file is being loaded by changing the name of the config file to something that doesn't exist and got an error: "Error: Unable to fetch or parse config file: Error fetching remote config file"
Putting in bad YAML syntax also generates an error:
Unable to fetch or parse config file: Implicit keys need to be on a single line at line 3, column 1: # Possible values: "critical", "high", "moderate", "low" this-is-notused-bad ^

But no matter what setting I put in the config.yml, dependency-review always reports using its default settings, "fail-on-severity: low", "fail-on-scopes: runtime", not the settings in the config file.

Config that we are testing with, remote repo with the following config:

fail-on-severity: 'critical'
fail-on-scopes:
  - development
  - runtime

Repo that will be using the above config:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        with:
          config-file: 'org/sec-github-actions-config/dependancy-review/config.yml@master'
          external-repo-token: ${{ secrets.SEC_DEPENDANCY_REVIEW }}

But when the action runs it always reports the following in the action:

Run actions/dependency-review-action@v3
  with:
    config-file: org/sec-github-actions-config/dependancy-review/config.yml@master
    external-repo-token: ***
    repo-token: ***
    fail-on-severity: low
    fail-on-scopes: runtime

So my custom settings are not being used/applied, but I get no error loading/parsing the file. Running the action in debug mode didn't give any extra info/errors.

I'm testing with a Pipfile that only has a 'high' issue in it related to the lxml package.

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
python-json-logger = "==2.0.1"
lxml = "==4.6.1"
boto3 = "*"

[requires]
python_version = "3.8"

Any ideas on what I'm missing/doing wrong?

@Gomer05 Gomer05 changed the title remote config file setting note set/used remote config file setting not getting set/used Mar 6, 2023
febuiles (Contributor) commented Mar 6, 2023

Hi @Gomer05. Thank you for the report. I have been able to reproduce it. Here's the failing log: https://github.com/future-funk/studious-giggle/actions/runs/4341088504/jobs/7580269884. I'll take a look at it soon.

Reproduction steps

I created a new repo. Its config file points to future-funk/miniature-waddle , the repo containing the actual configuration.

Expected behavior

The output of the run containing fail-on-severity: critical, the value specified in the external config.

Current behavior
We're outputting (and scanning) the action's default values (fail-on-severity: low).

febuiles (Contributor) commented
@Gomer05 This should be fixed now in the main branch, and will make it to the next release, thanks again for the report!

If you want to test it works, you can replace the v3 for main in your workflow file, e.g.

        uses: actions/dependency-review-action@main

Something to note: The documentation was updated with some mistakes in another PR. I've changed it back, but it's not super clear, so here it goes again: key names in external config files should use underscores (_), not dashes (-). This means that the external configuration file keys should read like fail_on_severity, not fail-on-severity. I'll get back to fixing this in another PR (unless you want to open one first! 😅)
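
The failure mode in this thread is worth seeing in code: a config key that the loader does not recognise is not an error, it is simply never applied, so the run silently keeps the defaults. The following is an added example, not code from actions/dependency-review-action; it parses the two flat configs from this thread (the reporter's dashed keys and the underscored keys the maintainer asks for) with a minimal parser for that YAML subset, merges them over assumed defaults matching what the failing run printed, and adds a strict mode that refuses unknown keys. `DEFAULTS`, `KNOWN_KEYS`, `parse_flat_yaml`, `apply_external_config` and `unknown_keys` are names chosen for this illustration, not the action's real API.

```python
"""Added example (not the action's own code): why a dashed key in an external
config is silently ignored while an underscored one is applied, and how a
strict loader would surface the mistake. Defaults and key set are assumptions
chosen to match the log in the issue, not the action's implementation."""

from typing import Dict, List, Union

Value = Union[str, List[str]]

# Assumed defaults: the values the failing run printed for a config that
# had no effect ("fail-on-severity: low", "fail-on-scopes: runtime").
DEFAULTS: Dict[str, Value] = {
    "fail_on_severity": "low",
    "fail_on_scopes": ["runtime"],
}

# Keys the loader recognises, in the underscore form the maintainer describes
# (assumption for this example; the real action may accept more keys).
KNOWN_KEYS = frozenset(DEFAULTS)

# Constructed sample inputs: the reporter's config exactly as posted (dashes),
# and the same settings with the underscore key names.
DASHED_CONFIG = """\
fail-on-severity: 'critical'
fail-on-scopes:
  - development
  - runtime
"""

UNDERSCORED_CONFIG = """\
fail_on_severity: 'critical'
fail_on_scopes:
  - development
  - runtime
"""


def parse_flat_yaml(text: str) -> Dict[str, Value]:
    """Parse the tiny YAML subset these configs use: top-level `key: scalar`
    lines and `key:` followed by indented `- item` lines. Comments and single
    or double quotes are stripped. This is deliberately not a general YAML
    parser; it exists only to keep the example dependency-free."""
    result: Dict[str, Value] = {}
    current = ""  # key whose list we are currently filling
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("- "):
            bucket = result.get(current)
            if not isinstance(bucket, list):
                raise ValueError(f"list item without a list key: {raw!r}")
            bucket.append(line[2:].strip().strip("'\""))
            continue
        if ":" not in line:
            raise ValueError(f"expected 'key: value': {raw!r}")
        key, _, value = line.partition(":")
        current = key.strip()
        value = value.strip().strip("'\"")
        # An empty value means a list follows on the next lines.
        result[current] = value if value else []
    return result


def unknown_keys(parsed: Dict[str, Value]) -> List[str]:
    """Keys present in the file that the loader would never apply."""
    return sorted(k for k in parsed if k not in KNOWN_KEYS)


def apply_external_config(parsed: Dict[str, Value], strict: bool = False) -> Dict[str, Value]:
    """Merge recognised keys over DEFAULTS.

    Lenient mode (strict=False) reproduces what the reporter saw: unknown keys
    such as `fail-on-severity` are dropped without any error, so the defaults
    survive. Strict mode raises instead, so a misspelt or mis-cased key fails
    the run loudly rather than quietly scanning with weaker settings."""
    unknown = unknown_keys(parsed)
    if strict and unknown:
        raise ValueError(
            f"unknown config keys {unknown}; use underscores, e.g. fail_on_severity"
        )
    merged: Dict[str, Value] = dict(DEFAULTS)
    for key in KNOWN_KEYS:
        if key in parsed:
            merged[key] = parsed[key]
    return merged


if __name__ == "__main__":
    # Dashed keys, lenient: defaults win and nothing complains.
    print("dashed, lenient   :", apply_external_config(parse_flat_yaml(DASHED_CONFIG)))
    # Underscored keys: the file's values are applied.
    print("underscored       :", apply_external_config(parse_flat_yaml(UNDERSCORED_CONFIG)))
    # Dashed keys, strict: the mistake is reported instead of ignored.
    try:
        apply_external_config(parse_flat_yaml(DASHED_CONFIG), strict=True)
    except ValueError as err:
        print("dashed, strict    :", err)
```

The security-relevant point is the lenient branch: a policy file that is fetched and parsed without error but never applied leaves the scan running at the weakest default severity, and nothing in the log distinguishes that from a correctly loaded config. If you maintain a shared org-level config as in this thread, a strict check on unknown keys (or at least a logged warning naming them) is the cheapest way to catch the dash/underscore mismatch before a pull request ships with a weaker gate than intended.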
