actions · febuiles · Aug 18, 2022 · Jul 21, 2022 · Jul 30, 2022
@@ -1,12 +1,11 @@
 # dependency-review-action
 
-This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
+This action scans your pull requests for dependency changes and will raise an error if any dependencies introduced/updated between the head and base ref have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
 
 The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
 
 <img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
 
-
 ## Installation
 
 1. Add a new YAML workflow to your `.github/workflows` folder:
@@ -31,6 +30,7 @@ jobs:
 Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
 
 ## Configuration
+
 You can pass additional options to the Dependency Review
 Action using your workflow file. Here's an example workflow with
 all the possible configurations:
@@ -52,6 +52,10 @@ jobs:
           # Possible values: "critical", "high", "moderate", "low"
           # fail-on-severity: critical
           #
+          # Possible values: Any available git ref
+          # base-ref: ${{ github.event.pull_request.base.ref }}
+          # head-ref: ${{ github.event.pull_request.head.ref }}
+          #
           # You can only include one of these two options: `allow-licenses` and `deny-licenses`
           #
           # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
@@ -61,6 +65,10 @@ jobs:
           # deny-licenses: LGPL-2.0, BSD-2-Clause
 ```
 
+When the workflow with this action is caused by a `pull_request` or `pull_request_target` event,
+the `base-ref` and `head-ref` values have defaults as shown above. If the workflow is caused by
+any other event, the `base-ref` and `head-ref` options must be explicitly set in the config.
+
 ### Vulnerability Severity
 
 By default the action will fail on any pull request that contains a
@@ -107,13 +115,13 @@ to filter. A couple of examples:
 
 **Important**
 
-* The action will only accept one of the two parameters; an error will
-be raised if you provide both.
-* By default both parameters are empty (no license checking is
-performed).
-* We don't have license information for all of your dependents. If we
-can't detect the license for a dependency **we will inform you, but the
-action won't fail**.
+- The action will only accept one of the two parameters; an error will
+  be raised if you provide both.
+- By default both parameters are empty (no license checking is
+  performed).
+- We don't have license information for all of your dependents. If we
+  can't detect the license for a dependency **we will inform you, but the
+  action won't fail**.
 
 ## Blocking pull requests
 
@@ -131,4 +139,5 @@ We are grateful for any contributions made to this project.
 Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
 
 ## License
+
 This project is released under the [MIT License](https://github.com/actions/dependency-review-action/blob/main/LICENSE).
@@ -1,5 +1,6 @@
 import {expect, test, beforeEach} from '@jest/globals'
 import {readConfig} from '../src/config'
+import {getRefs} from '../src/git-refs'
 
 // GitHub Action inputs come in the form of environment variables
 // with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
@@ -13,6 +14,8 @@ function clearInputs() {
   delete process.env['INPUT_FAIL-ON-SEVERITY']
   delete process.env['INPUT_ALLOW-LICENSES']
   delete process.env['INPUT_DENY-LICENSES']
+  delete process.env['INPUT_BASE-REF']
+  delete process.env['INPUT_HEAD-REF']
 }
 
 beforeEach(() => {
@@ -51,3 +54,25 @@ test('it raises an error when given an unknown severity', async () => {
   setInput('fail-on-severity', 'zombies')
   expect(() => readConfig()).toThrow()
 })
+
+test('it uses the given refs when the event is not a pull request', async () => {
+  setInput('base-ref', 'a-custom-base-ref')
+  setInput('head-ref', 'a-custom-head-ref')
+
+  const refs = getRefs(readConfig(), {
+    payload: {},
+    eventName: 'workflow_dispatch'
+  })
+  expect(refs.base).toEqual('a-custom-base-ref')
+  expect(refs.head).toEqual('a-custom-head-ref')
+})
+
+test('it raises an error when no refs are provided and the event is not a pull request', async () => {
+  const options = readConfig()
+  expect(() =>
+    getRefs(options, {
+      payload: {},
+      eventName: 'workflow_dispatch'
+    })
+  ).toThrow()
+})
@@ -10,6 +10,12 @@ inputs:
     description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
     required: false
     default: 'low'
+  base-ref:
+    description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
+    required: false
+  head-ref:
+    description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
+    required: false
   allow-licenses:
     description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
     required: false