Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alert metadata lookup not working as expected #464

Closed
severin opened this issue Oct 30, 2023 · 2 comments
Closed

Alert metadata lookup not working as expected #464

severin opened this issue Oct 30, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@severin
Copy link

severin commented Oct 30, 2023

Hi there!

I'm trying to implement a workflow that labels pull requests that address dependabot alerts. To identify these PRs my idea was to use the fetch-metadata action and look at the alert-state: if it is OPEN then the PR addresses an open dependabot alert.

However, it seems like the fetch-metadata is not working correctly (or maybe I'm just misunderstanding it).

Observed behaviour

  • Dependabot opened a PR that bumps the minimatch dependency from 3.0.4 to 3.1.2:
Screenshot 2023-10-30 at 11 41 45
  • This PR addresses a security alert:
Screenshot 2023-10-30 at 11 42 07
  • Running fetch-metadata on the PR does not return any alert information (even though alert-lookup is set to true):
Screenshot 2023-10-30 at 11 42 39

Expected behaviour

I expected the fetch-metadata action to output alert information:

outputs.alertState: OPEN
outputs.ghsa-id: GHSA-f8q6-p94x-37v3
outputs.cvss: 7.5

Am I doing something wrong or is this a bug?
@severin severin added the bug Something isn't working label Oct 30, 2023
@Nishnha
Copy link
Member

Nishnha commented Nov 1, 2023
edited
Loading

Hi @severin, in order to populate that info you'll need to add a PAT to the github-token field. The PAT will require read permissions for security alerts

We have this blurb about this under github-token in the readme, but maybe we should also put it under alert-lookup and compat-lookup?

If you still see this issue after that then lmk and I'll look into this more closely.

Nishnha added a commit that referenced this issue Nov 1, 2023
@Nishnha
Add blurbs about using a PAT to the readme
1c52d60 
Add more blurbs about using a PAT to the readme under the `alert-lookup` and `compat-lookup` descriptions

Follow up on #464
@Nishnha Nishnha mentioned this issue Nov 1, 2023
Merged
@jeffwidman
Copy link
Member

Can this be closed now that #466 is merged?

@severin severin closed this as completed Nov 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@severin @jeffwidman @Nishnha