dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.


Alert metadata lookup not working as expected

severin opened this issue · comments

Hi there!

I'm trying to implement a workflow that labels pull requests that address dependabot alerts. To identify these PRs my idea was to use the fetch-metadata action and look at the alert-state: if it is OPEN then the PR addresses an open dependabot alert.

However, it seems like the fetch-metadata is not working correctly (or maybe I'm just misunderstanding it).

Observed behaviour

  • Dependabot opened a PR that bumps the minimatch dependency from 3.0.4 to 3.1.2 (screenshot, 2023-10-30 at 11:41:45).
  • This PR addresses a security alert (screenshot, 2023-10-30 at 11:42:07).
  • Running fetch-metadata on the PR does not return any alert information, even though alert-lookup is set to true (screenshot, 2023-10-30 at 11:42:39).

Expected behaviour

I expected the fetch-metadata action to output alert information:

outputs.alertState: OPEN
outputs.ghsa-id: GHSA-f8q6-p94x-37v3
outputs.cvss: 7.5

Am I doing something wrong or is this a bug?

Hi @severin, in order to populate that info you'll need to add a PAT to the github-token field. The PAT will require read permissions for security alerts.

We have this blurb about this under github-token in the readme, but maybe we should also put it under alert-lookup and compat-lookup?

If you still see this issue after that then lmk and I'll look into this more closely.
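The workflow the reporter describes, with the fix from the reply applied, as an added example that is not part of the issue thread or the fetch-metadata project's own code. It assumes a PAT with read access to Dependabot alerts is stored as a repository Dependabot secret named DEPENDABOT_ALERTS_PAT (Dependabot-triggered runs read Dependabot secrets, not Actions secrets), that a label named "security-fix" already exists, and that the action exposes the alert-state output the reporter refers to.

```yaml
name: Label Dependabot PRs that fix an open alert
# pull_request_target runs in the base repository's context so the job can
# edit the PR; the PR's code is never checked out here, so that is safe.
on: pull_request_target

permissions:
  pull-requests: write

jobs:
  label-alert-fixes:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
        with:
          alert-lookup: true
          # With the default GITHUB_TOKEN the alert-* outputs stay empty,
          # because that token cannot read security alerts. The secret name
          # below is an assumption; the PAT needs read access to alerts.
          github-token: ${{ secrets.DEPENDABOT_ALERTS_PAT }}

      - name: Label the PR when it resolves an open alert
        # The reporter's check: only PRs tied to an OPEN alert get labelled.
        if: steps.metadata.outputs.alert-state == 'OPEN'
        run: gh pr edit "$PR_URL" --add-label "security-fix"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```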

Can this be closed now that #466 is merged?