address review comments
This commit is contained in:
mchammer01
@@ -50,13 +50,13 @@ The dependency review feature becomes available when you enable the dependency g
|
||||
|
||||
{% data reusables.dependency-review.dependency-review-action-beta-note %}
|
||||
|
||||
The action is available for all public repositories, as well as private repositories that have {% data variables.product.prodname_GH_advanced_security %} enabled.
|
||||
The action is available for {% ifversion not ghae %}all public repositories, as well as {% endif %}private repositories that have {% data variables.product.prodname_GH_advanced_security %} enabled.
|
||||
|
||||
You can use the {% data variables.product.prodname_dependency_review_action %} in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. For more information, see [`dependency-review-action`](https://github.com/actions/dependency-review-action).
|
||||
|
||||
|
||||
|
||||
The {% data variables.product.prodname_dependency_review_action %} check will fail if it discovers any vulnerable package, but will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)."
|
||||
By default, the {% data variables.product.prodname_dependency_review_action %} check will fail if it discovers any vulnerable package, but will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see "[About protected branches](/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)."
|
||||
|
||||
The action uses the Dependency Review REST API to get the diff of dependency changes between the base commit and head commit. You can use the Dependency Review API to get the diff of dependency changes, including vulnerability data, between any two commits on a repository. For more information, see "[Dependency review](/rest/reference/dependency-graph#dependency-review)."
|
||||
|
||||
|
||||
@@ -65,6 +65,12 @@ The following configuration options are available.
|
||||
| `allow_licenses` | Optional | Contains a list of allowed licenses. You can find the possible values for this parameter in the [Licenses](/rest/licenses) page of the API documentation.</br>The action will fail on pull requests that introduce dependencies with licenses that do not match the list.|
|
||||
| `deny_licenses` | Optional | Contains a list of prohibited licenses. You can find the possible values for this parameter in the [Licenses](/rest/licenses) page of the API documentation.</br>The action will fail on pull requests that introduce dependencies with licenses that match the list.|
|
||||
|
||||
{% tip %}
|
||||
|
||||
**Tip:** The `allow_licenses` and `deny_licenses` options are mutually exclusive.
|
||||
|
||||
{% endtip %}
|
||||
|
||||
This {% data variables.product.prodname_dependency_review_action %} example file illustrates how you can use these configuration options.
|
||||
|
||||
```yaml{:copy}
|
||||
|
||||
Reference in New Issue
Block a user