Alert metadata lookup not working as expected
severin opened this issue · comments
Hi there!
I'm trying to implement a workflow that labels pull requests that address dependabot alerts. To identify these PRs my idea was to use the fetch-metadata action and look at the `alert-state`: if it is `OPEN` then the PR addresses an open dependabot alert.
However, it seems like the fetch-metadata is not working correctly (or maybe I'm just misunderstanding it).
Observed behaviour
- Dependabot opened a PR that bumps the minimatch dependency from 3.0.4 to 3.1.2.
- This PR addresses a security alert.
- Running `fetch-metadata` on the PR does not return any alert information (even though `alert-lookup` is set to `true`).
Expected behaviour
I expected the `fetch-metadata` action to output alert information:
outputs.alertState: OPEN
outputs.ghsa-id: GHSA-f8q6-p94x-37v3
outputs.cvss: 7.5
Am I doing something wrong or is this a bug?
Hi @severin, in order to populate that info you'll need to add a PAT to the `github-token` field. The PAT will require read permissions for security alerts.
We have this blurb about this under `github-token` in the readme, but maybe we should also put it under `alert-lookup` and `compat-lookup`?
If you still see this issue after that then lmk and I'll look into this more closely.
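An added example workflow, not from the issue or the action's own README, that applies the fix described in the reply above: a PAT with read access to Dependabot alerts is stored as a repository secret (the secret name `DEPENDABOT_ALERTS_TOKEN` and the label name `security-fix` are assumptions) and passed to `github-token`, and the PR is labelled only when the `alert-state` output is `OPEN`.

```yaml
name: Label PRs that fix Dependabot alerts

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write   # lets the default token add the label in the second step

jobs:
  label-security-fix:
    runs-on: ubuntu-latest
    # Only Dependabot PRs carry the commit metadata the action parses
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
        with:
          alert-lookup: true
          compat-lookup: true
          # Assumed secret name. Must hold a PAT with read permission for
          # security alerts; without it alert-state, ghsa-id and cvss stay empty.
          github-token: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}

      - name: Label PR when it addresses an open alert
        # Assumed label name; adjust to the repository's convention
        if: steps.metadata.outputs.alert-state == 'OPEN'
        run: |
          gh pr edit "$PR_URL" --add-label "security-fix"
          echo "PR addresses ${GHSA_ID} (CVSS ${CVSS})"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          GHSA_ID: ${{ steps.metadata.outputs.ghsa-id }}
          CVSS: ${{ steps.metadata.outputs.cvss }}
```

Scope the PAT to the minimum the lookup needs (read access to Dependabot alerts on the repository) and keep it separate from the default `GITHUB_TOKEN`, which is all the labelling step requires.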
Can this be closed now that #466 is merged?