
Blocking issues (should block but does not)

Open austimkelly opened this issue 11 months ago • 1 comments

I've seen issues with license detection and package manager issues but I've not seen these two specifically raised.

  1. There's no way to block an unknown license. This would be ideal because you run the risk of introducing copyleft licenses. I'd love a simple flag that blocked on unknown licenses. Additionally, allow-licenses and deny-licenses cannot be used together.
  2. The deny-packages does not block, only warns. Not sure why I only get warnings on this, but the docs say it will block.

Here's a readme and PR showing the issues (there's a couple more I showed in the readme):

  • PR: https://github.com/austimkelly/dependecy-review-study/pull/1
  • README: https://github.com/austimkelly/dependecy-review-study/tree/develop

austimkelly avatar Mar 15 '24 13:03 austimkelly

Hi @austimkelly, thank you for the feedback!

re:

Additionally, allow-licenses and deny-licenses cannot be used together.

This is by design. I've updated the readme to clarify the behavior.

jonjanego avatar Mar 15 '24 16:03 jonjanego
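For readers following the two points above (deny-packages should fail the check; allow-licenses and deny-licenses are mutually exclusive by design), here is an added workflow example. It is not taken from the issue, the linked study repo, or the action's own documentation; the package URLs and license identifiers are constructed placeholders, and the `@v4` tags are assumed.

```yaml
# Added example, not from the thread: a PR workflow that fails on denied
# packages and denied licenses. purls and SPDX IDs are constructed placeholders.
name: dependency-review
on: [pull_request]

permissions:
  contents: read
  pull-requests: write   # only needed for comment-summary-in-pr

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Comma-separated package URLs to reject; the step exits non-zero
          # (top-level "Error: Dependency review detected denied packages.")
          # if any of them is introduced by the PR.
          deny-packages: pkg:npm/example-denied-package, pkg:pypi/example-denied-package
          # Deny-list of SPDX license IDs. This input and allow-licenses are
          # mutually exclusive: configure one or the other, never both.
          deny-licenses: AGPL-3.0-only, GPL-3.0-only
          # Setting warn-only: true would downgrade every finding to a warning;
          # keep it false so denied packages actually fail the check.
          warn-only: false
          # Post the summary table on the PR so the denied rows are visible
          # without opening the action logs.
          comment-summary-in-pr: always
```

To switch to an allow-list model instead, replace the `deny-licenses` line with `allow-licenses: MIT, Apache-2.0` (and remove `deny-licenses`); a dependency whose license is not on the allow-list then fails the check, which is the closest the action gets to blocking an unrecognized license.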

@austimkelly looking at your example PR I see Error: Dependency review detected denied packages. in the action logs and the check failing (which is the purpose of deny_packages). Am I missing something here, or what is your expected behavior for the option?

febuiles avatar Mar 26 '24 07:03 febuiles

@austimkelly looking at your example PR I see Error: Dependency review detected denied packages. in the action logs and the check failing (which is the purpose of deny_packages). Am I missing something here, or what is your expected behavior for the option?

Hi @febuiles Thanks for checking this out. Here are the PR annotations I'm seeing where the denied packages are reported as warnings:

[Screenshots: PR annotation summary, 2024-03-26 8:04 AM]

My expectation is that these would have a red X next to them and also provide a non-zero return to fail the check.

I think I see what I missed now here in the logs:

[Screenshot: action logs, 2024-03-26 8:06 AM]

I was looking for an Error in the Denied section in the logs and not the top level which does report an action. A couple of suggestions:

  1. Make sure a red X is next to any denied packages in the PR annotation summary
  2. Can you report an Error in the Denied section?

So just a little UX issue, but it does seem to make the check fail.

Thanks for taking the time to review my issue.

austimkelly avatar Mar 26 '24 12:03 austimkelly

@austimkelly Thanks for the clarification. I think your suggestions make sense and would improve

Do you mind opening a new issue with the feature request? This helps with our board's automations.

febuiles avatar Mar 27 '24 13:03 febuiles

Thanks @febuiles, split to:

  • https://github.com/actions/dependency-review-action/issues/732
  • https://github.com/actions/dependency-review-action/issues/731

austimkelly avatar Mar 27 '24 13:03 austimkelly