Add none as option for fail-on-severity #432

tgrall · 2023-03-18T05:34:12Z

This PR contains:

Add the value none as the possible values for the fail-on-severity parameter
not block the PR (raise an alert) in one or more vulnerabilities, or invalid licences are found
a warning is publish
all alerts are printed in the summary (vulnerabilities & licences)
Default behaviour is not changed and the value is set to low

Checks

Document none behaviour
Run tests
Tested with various PR (on my repos)

close #431

febuiles · 2023-03-20T07:38:24Z

@courtneycl more context in #431, thoughts?

swap order to follow what's in the table

courtneycl

Thanks for your contribution and your patience here, @tgrall!

My only thought is around how it's a little inconsistent that fail-on-severity: none covers both vulnerabilities and licenses, when severity just references vulnerabilities. Is it clearer to have a separate parameter, like warn-only: true, that would make it not fail? Does that introduce other complexity or user wonkiness? @febuiles do you have any thoughts?

Regardless, I think this is helpful and would be fine to ship as-is. I'll leave the approval for @febuiles to do a technical pass (it worked great for me when testing).

juxtin · 2023-04-24T20:53:51Z

Thanks again for your contribution, @tgrall! I think the basic idea here is sound, but I agree with @courtneycl about blurring the line between failing on licenses vs failing on vulnerabilities. I would feel more comfortable with keeping the two concepts separate across the possible values for fail-on-severity.

When it comes to licenses, we already have a lot of control for which ones are allowed. Is part of the problem you're addressing here that you'd like to still warn on certain licenses, but not block the PR? If so, perhaps warn-only: true would be a better approach, as Courtney suggested.

Let me know what you think! I know this PR has been open for a while so I'm eager to work with you to get it merged.

tgrall · 2023-05-31T12:50:07Z

@juxtin it kind of fall under my radar, I will get back to it next week and finish the work with @courtneycl proposal

prassiv · 2023-06-08T23:08:46Z

Hey @tgrall . I am interested in this "warn-only: true" option.I would be happy to contribute if you want me to.

tgrall · 2023-06-14T07:32:27Z

Hey @juxtin @courtneycl @febuiles

I have finally update my PR to create and use a new parameter warn-only.

I have tested the behaviour directly on workflow, but I do not know how to write a automatic test for this feature. (I have only created a test for the configuration)

Let me know if You need more do add more test and pointing me to the a good starting point, or anything else

prassiv · 2023-07-05T17:20:46Z

Hey @juxtin @courtneycl @febuiles @cnagadya - Any feedback on this PR? I am interested in this PR and would love to help get it merged

__tests__/config.test.ts

github-actions · 2024-01-27T00:07:32Z

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

of failing

tgrall · 2024-01-28T14:59:01Z

@juxtin : I have reworked the PR:

merge the change from main
applied your comment from July

jonjanego

readme and wording changes

README.md

action.yml

juxtin · 2024-01-29T22:51:41Z

Big thanks to @jonjanego for the review! I certainly endorse his comments and I'll be happy to merge this when those are addressed.

tgrall · 2024-02-01T05:04:39Z

@juxtin : I have applied @jonjanego suggestions

jonjanego

lgtm

action.yml

…#621) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v4.0.0` -> `v4.1.2` | --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2): 4.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2) #### What's Changed - Expose dependency comment content by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696) **Full Changelog**: actions/dependency-review-action@v4.1.1...v4.1.2 ### [`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1): 4.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1) #### What's Changed - Bump `undici` to fix [GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g) - Bump [@types/node](https://togithub.com/types/node) from 20.11.17 to 20.11.19 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693) **Full Changelog**: actions/dependency-review-action@v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0): 4.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0) #### What's Changed - Add `warn-only` by [@tgrall](https://togithub.com/tgrall) in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Added a new configuration option (`warn-only`, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log. - Create stale.yaml by [@jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - Use manual codeql config by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678) - Multiple dependency updates (see the changelog below for more information) #### New Contributors - [@jonjanego](https://togithub.com/jonjanego) made their first contribution in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - [@tgrall](https://togithub.com/tgrall) made their first contribution in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) **Full Changelog**: actions/dependency-review-action@v4...v4.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/xmldom/xmldom).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | major | `v3.6.0` -> `v4.1.1` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | major | `v2.5.1` -> `v4.2.5` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | minor | `v4.0.0` -> `v4.3.1` | | [defenseunicorns/uds-common](https://togithub.com/defenseunicorns/uds-common) | | patch | `v0.3.3` -> `v0.3.9` | | [defenseunicorns/uds-common](https://togithub.com/defenseunicorns/uds-common) | action | patch | `v0.3.3` -> `v0.3.9` | | [defenseunicorns/uds-common-tasks](https://togithub.com/defenseunicorns/uds-common-tasks) | | patch | `v0.3.3` -> `v0.3.9` | | [defenseunicorns/zarf](https://togithub.com/defenseunicorns/zarf) | | minor | `v0.29.1` -> `v0.32.6` | | [docker/login-action](https://togithub.com/docker/login-action) | action | digest | `343f7c4` -> `e92390c` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v3.22.12` -> `v3.24.9` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | major | `v2.24.5` -> `v3.24.9` | | [golangci/golangci-lint](https://togithub.com/golangci/golangci-lint) | repository | minor | `v1.55.2` -> `v1.57.2` | | [google-github-actions/release-please-action](https://togithub.com/google-github-actions/release-please-action) | action | minor | `v4.0.2` -> `v4.1.0` | | [python-jsonschema/check-jsonschema](https://togithub.com/python-jsonschema/check-jsonschema) | repository | minor | `0.27.4` -> `0.28.0` | | [renovatebot/pre-commit-hooks](https://togithub.com/renovatebot/pre-commit-hooks) | repository | minor | `37.165.5` -> `37.275.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. Note: The `pre-commit` manager in Renovate is not supported by the `pre-commit` maintainers or community. Please do not report any problems there, instead [create a Discussion in the Renovate repository](https://togithub.com/renovatebot/renovate/discussions/new) if you have any questions. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@joshmgross](https://togithub.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@peterbe](https://togithub.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514) ##### New Contributors - [@joshmgross](https://togithub.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - [@peterbe](https://togithub.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) **Full Changelog**: https://github.com/actions/checkout/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) ### [`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400) [Compare Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0) - [Support fetching without the --progress option](https://togithub.com/actions/checkout/pull/1067) - [Update to node20](https://togithub.com/actions/checkout/pull/1436) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5): 4.2.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5) #### What's Changed - Fixed a bug where some configuration options in external files were not being properly picked up -- [https://github.com/actions/dependency-review-action/pull/722](https://togithub.com/actions/dependency-review-action/pull/722) - Bump eslint from 8.56.0 to 8.57.0 **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5 ### [`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4) #### What's Changed Fixed a bug in the output of OpenSSF cards for GitHub Actions. #### New Contributors - [@sporkmonger](https://togithub.com/sporkmonger) made their first contribution in [https://github.com/actions/dependency-review-action/pull/721](https://togithub.com/actions/dependency-review-action/pull/721) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4 ### [`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3): 4.2.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3) #### What's Changed - Set comment as output by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/698](https://togithub.com/actions/dependency-review-action/pull/698) - Add support for calculating OpenSSF Scorecards by [@jhutchings1](https://togithub.com/jhutchings1) in [https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709) - Add outputs for the changes data by [@laughedelic](https://togithub.com/laughedelic) in [https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707) #### New Contributors - [@jhutchings1](https://togithub.com/jhutchings1) made their first contribution in [https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709) - [@laughedelic](https://togithub.com/laughedelic) made their first contribution in [https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3 ### [`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3): 4.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3) Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see [https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)). **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2): 4.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2) #### What's Changed - Expose dependency comment content by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2 ### [`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1): 4.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1) #### What's Changed - Bump `undici` to fix [GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g) - Bump [@types/node](https://togithub.com/types/node) from 20.11.17 to 20.11.19 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0): 4.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0) #### What's Changed - Add `warn-only` by [@tgrall](https://togithub.com/tgrall) in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Added a new configuration option (`warn-only`, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log. - Create stale.yaml by [@jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - Use manual codeql config by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678) - Multiple dependency updates (see the changelog below for more information) #### New Contributors - [@jonjanego](https://togithub.com/jonjanego) made their first contribution in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - [@tgrall](https://togithub.com/tgrall) made their first contribution in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0) - Update action to Node 20 by [@takost](https://togithub.com/takost) in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) - Dependabot updates, see the full changelog for more details. #### New Contributors - [@takost](https://togithub.com/takost) made their first contribution in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0 ### [`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5): 3.1.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5) #### What's Changed - Smaller `per_page` when requesting diff by [@hmaurer](https://togithub.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649) - Update dependencies: - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.10.0 to 6.13.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630) - Bump prettier from 3.0.3 to 3.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629) - Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637) - Bump nodemon from 3.0.1 to 3.0.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636) - Replace pip -> pypi in PURL examples by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638) - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.12.0 to 6.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644) - Bump eslint from 8.53.0 to 8.56.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640) - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.1 to 6.16.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645) - Bump prettier from 3.1.0 to 3.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5 ### [`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4): 3.1.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4) #### What's Changed - Fixed a [bug](https://togithub.com/actions/dependency-review-action/issues/618) with severity filtering when using the `allow_ghsas` option: [https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623). - Updates dependencies: - Bump [@types/node](https://togithub.com/types/node) from 16.18.61 to 16.18.62 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619) action/pull/620 - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.11.0 to 6.12.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625) - Bump typescript from 5.2.2 to 5.3.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.4 ### [`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3): 3.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3) #### What's Changed - Fixes purl "version must be percent-encoded" by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.3 ### [`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2): 3.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2) #### What's Changed - Fix a regression for setups using self-hosted runners behind HTTP proxies:[@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.2 ### [`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1): 3.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1) #### What's Changed - Update a bunch of dependencies, including major version upgrades for `octokit`, `@actions/github` and `typescript`. **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1 ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8 ### [`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7): 3.0.7 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7) #### What's Changed - Make GHES support / setup more clear by [@rajbos](https://togithub.com/rajbos) in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - Add an option to deny packages or groups of packages by [@adrienpessu](https://togithub.com/adrienpessu) in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) #### New Contributors - [@rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - [@adrienpessu](https://togithub.com/adrienpessu) made their first contribution in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.7 ### [`v3.0.6`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.6): 3.0.6 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6) Fixes a bug introduced in 3.0.5 where we raised PURL errors when Dependency Graph returns an empty `package_url`. ### [`v3.0.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.5): 3.0.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5) #### What's Changed Thanks to [@theztefan](https://togithub.com/theztefan), we now have a new `allow-dependencies-licenses` option that takes a list of dependencies that will be excluded from license checks. See the [configuration options](https://togithub.com/actions/dependency-review-action#configuration-options) for more information on how to use it. - Exclude dependencies from license checks by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423) - Documentation examples by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423) - Show snapshot warnings in the summary by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/439](https://togithub.com/actions/dependency-review-action/pull/439) - Fix default values for fail-on-severity by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/451](https://togithub.com/actions/dependency-review-action/pull/451) - Updated dependencies. #### New Contributors - [@juxtin](https://togithub.com/juxtin) made their first contribution in [https://github.com/actions/dependency-review-action/pull/439](https://togithub.com/actions/dependency-review-action/pull/439) - [@theztefan](https://togithub.com/theztefan) made their first contribution in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.5 ### [`v3.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.4): 3.0.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4) #### What's New? The Action can now publish a comment in the pull request if the `comment-summary-in-pr` option is set. More information can be found in the [README](https://togithub.com/actions/dependency-review-action#configuration-options). #### New Contributors - [@davelosert](https://togithub.com/davelosert) made their first contribution in [https://github.com/actions/dependency-review-action/pull/393](https://togithub.com/actions/dependency-review-action/pull/393) #### Changelog - Write Summary as comment to the pull request by [@davelosert](https://togithub.com/davelosert) in [https://github.com/actions/dependency-review-action/pull/393](https://togithub.com/actions/dependency-review-action/pull/393) - Adjust summary format by [@davelosert](https://togithub.com/davelosert) in [https://github.com/actions/dependency-review-action/pull/416](https://togithub.com/actions/dependency-review-action/pull/416) - Security updates. **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.4 ### [`v3.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.3): 3.0.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3) #### What's Changed - Use cache in check-dist.yml by [@jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359) - Fix Dependency Review API response error handling by [@felickz](https://togithub.com/felickz) in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370) - Security updates #### New Contributors - [@jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359) - [@felickz](https://togithub.com/felickz) made their first contribution in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.3 ### [`v3.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.2): 3.0.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2) This release fixes spelling errors [https://github.com/actions/dependency-review-action/pull/348](https://togithub.com/actions/dependency-review-action/pull/348) and upgrades dependencies to fix known vulnerabilities **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.2 ### [`v3.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.1): 3.0.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.0...v3.0.1) This release contains the following bugfixes: - Fixing API URL for GHES: [https://github.com/actions/dependency-review-action/pull/331](https://togithub.com/actions/dependency-review-action/pull/331) - Improve list handling for external config files: [https://github.com/actions/dependency-review-action/pull/330](https://togithub.com/actions/dependency-review-action/pull/330) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.1 ### [`v3.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.0): 3.0.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.1...v3.0.0) #### Breaking Changes By default the action now expects [SPDX-compliant licenses](https://spdx.org/licenses/) everywhere. If you were previously using license names in the allow or deny lists make sure they're valid! #### What's Changed ##### Support for external configuration files You can now specify a [configuration file external to your repository](https://togithub.com/actions/dependency-review-action/#configuration-file). This allows organizations to have a single configuration file for all their repos. ##### Broader license support We've added support for a much broader set of project licenses by using GitHub's [Licenses API](https://docs.github.com/en/rest/licenses). ##### SPDX Compliance All of our license-related code now expects [SPDX-compliant licenses or expressions](https://spdx.org/licenses/). This allows us to standardize on a license naming scheme that already supports `OR`/`AND` expressions. ##### Disable individual checks You can now use the boolean options `license-check` and `vulnerability-check` to disable either one of the checks. More information in [our configuration options](https://togithub.com/actions/dependency-review-action/#configuration-options). #### Thanks Contributors for this release include: - [@cnagadya](https://togithub.com/cnagadya) - [@courtneycl](https://togithub.com/courtneycl) - [@ericcornelissen](https://togithub.com/ericcornelissen) - [@elireisman](https://togithub.com/elireisman) - [@hmaurer](https://togithub.com/hmaurer) Thanks everyone! **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v2...v3.0.0 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0) ##### What's Changed - Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/504](https://togithub.com/actions/upload-artifact/pull/504) - Add sub-action to merge artifacts by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/505](https://togithub.com/actions/upload-artifact/pull/505) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.3.0 ### [`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0) ##### What's Changed - Ability to overwrite an Artifact by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/501](https://togithub.com/actions/upload-artifact/pull/501) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.2.0 ### [`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Add migrations docs by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/482](https://togithub.com/actions/upload-artifact/pull/482) - Update README.md by [@samuelwine](https://togithub.com/samuelwine) in [https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492) - Support artifact-url output by [@konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/496](https://togithub.com/actions/upload-artifact/pull/496) - Update readme to reflect new 500 artifact per job limit by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/497](https://togithub.com/actions/upload-artifact/pull/497) #### New Contributors - [@samuelwine](https://togithub.com/samuelwine) made their first contribution in [https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.1.0 </details> <details> <summary>defenseunicorns/uds-common (defenseunicorns/uds-common)</summary> ### [`v0.3.9`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.9) [Compare Source](https://togithub.com/defenseunicorns/uds-common/compare/v0.3.8...v0.3.9) ##### Miscellaneous - fix missing keys in setup actions ([#93](https://togithub.com/defenseunicorns/uds-common/issues/93)) ([39d7395](https://togithub.com/defenseunicorns/uds-common/commit/39d73955ebb35f4e844a45fe23a7acf7d65d239a)) ### [`v0.3.8`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.8) [Compare Source](https://togithub.com/defenseunicorns/uds-common/compare/v0.3.7...v0.3.8) ##### Miscellaneous - add upgrade tests to common ([#91](https://togithub.com/defenseunicorns/uds-common/issues/91)) ([bb2e590](https://togithub.com/defenseunicorns/uds-common/commit/bb2e59021355172db2cfcca7dbf5a2434ce41b6d)) - **deps:** update dependency defenseunicorns/uds-cli to v0.10.1 ([#84](https://togithub.com/defenseunicorns/uds-common/issues/84)) ([6b455b7](https://togithub.com/defenseunicorns/uds-common/commit/6b455b7cef8ddab022c758a6309d8993f0a564b7)) - **deps:** update dependency defenseunicorns/uds-core to v0.17.0 ([#83](https://togithub.com/defenseunicorns/uds-common/issues/83)) ([b8d8181](https://togithub.com/defenseunicorns/uds-common/commit/b8d818165c7c676f56898c2d15ae14a2f7ff5f0c)) - **deps:** update uds common package dependencies to v6.6.1 ([#92](https://togithub.com/defenseunicorns/uds-common/issues/92)) ([862b635](https://togithub.com/defenseunicorns/uds-common/commit/862b63512b4b53ff963b85e25e8011818bb8e4e3)) - update registry login to happen in the common env setup action ([#88](https://togithub.com/defenseunicorns/uds-common/issues/88)) ([b7bce88](https://togithub.com/defenseunicorns/uds-common/commit/b7bce888d1d62c5d382d7d88a54e59da72e0d3ae)) ### [`v0.3.7`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.7) [Compare Source](https://togithub.com/defenseunicorns/uds-common/compare/v0.3.6...v0.3.7) ##### Miscellaneous - remove schedule on renovate ([#85](https://togithub.com/defenseunicorns/uds-common/issues/85)) ([fda7e57](https://togithub.com/defenseunicorns/uds-common/commit/fda7e57ad878cc70bf3905948911daa84c67db27)) - update k3d-core-istio-dev to k3d-core-slim-dev ([#86](https://togithub.com/defenseunicorns/uds-common/issues/86)) ([aa0e6da](https://togithub.com/defenseunicorns/uds-common/commit/aa0e6dad40126ead465b102ea28a3ac961883493)) ### [`v0.3.6`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.6) [Compare Source](https://togithub.com/defenseunicorns/uds-common/compare/v0.3.5...v0.3.6) ##### Miscellaneous - hotfix the spoof containing a dash in the input and add a publish step ([#81](https://togithub.com/defenseunicorns/uds-common/issues/81)) ([f9c7aac](https://togithub.com/defenseunicorns/uds-common/commit/f9c7aac4a30e5c3e627c44946f2f212af1573b39)) ### [`v0.3.5`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.5) [Compare Source](https://togithub.com/defenseunicorns/uds-common/compare/v0.3.4...v0.3.5) ##### Miscellaneous - fix spoof to not include a dash ([#79](https://togithub.com/defenseunicorns/uds-common/issues/79)) ([5d1738b](https://togithub.com/defenseunicorns/uds-common/commit/5d1738ba0ca2cd19c7fdf6dfe6873339e129c3bb)) ### [`v0.3.4`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.4) [Compare Source](https://togithub.com/defenseunicorns/uds-common/compare/v0.3.3...v0.3.4) ##### Miscellaneous - add the ability to spoof to common ([#77](https://togithub.com/defenseunicorns/uds-common/issues/77)) ([49634e1](https://togithub.com/defenseunicorns/uds-common/commit/49634e1b69c6b2eadcc2497f6baba8bd349f3d38)) - **deps:** update dependency defenseunicorns/uds-core to v0.16.1 ([#72](https://togithub.com/defenseunicorns/uds-common/issues/72)) ([32d1ad6](https://togithub.com/defenseunicorns/uds-common/commit/32d1ad6812a3ef6ad750447296f5644b14ff2855)) </details> <details> <summary>defenseunicorns/uds-common-tasks (defenseunicorns/uds-common-tasks)</summary> ### [`v0.3.9`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.9) [Compare Source](https://togithub.com/defenseunicorns/uds-common-tasks/compare/v0.3.8...v0.3.9) ##### Miscellaneous - fix missing keys in setup actions ([#93](https://togithub.com/defenseunicorns/uds-common/issues/93)) ([39d7395](https://togithub.com/defenseunicorns/uds-common/commit/39d73955ebb35f4e844a45fe23a7acf7d65d239a)) ### [`v0.3.8`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.8) [Compare Source](https://togithub.com/defenseunicorns/uds-common-tasks/compare/v0.3.7...v0.3.8) ##### Miscellaneous - add upgrade tests to common ([#91](https://togithub.com/defenseunicorns/uds-common/issues/91)) ([bb2e590](https://togithub.com/defenseunicorns/uds-common/commit/bb2e59021355172db2cfcca7dbf5a2434ce41b6d)) - **deps:** update dependency defenseunicorns/uds-cli to v0.10.1 ([#84](https://togithub.com/defenseunicorns/uds-common/issues/84)) ([6b455b7](https://togithub.com/defenseunicorns/uds-common/commit/6b455b7cef8ddab022c758a6309d8993f0a564b7)) - **deps:** update dependency defenseunicorns/uds-core to v0.17.0 ([#83](https://togithub.com/defenseunicorns/uds-common/issues/83)) ([b8d8181](https://togithub.com/defenseunicorns/uds-common/commit/b8d818165c7c676f56898c2d15ae14a2f7ff5f0c)) - **deps:** update uds common package dependencies to v6.6.1 ([#92](https://togithub.com/defenseunicorns/uds-common/issues/92)) ([862b635](https://togithub.com/defenseunicorns/uds-common/commit/862b63512b4b53ff963b85e25e8011818bb8e4e3)) - update registry login to happen in the common env setup action ([#88](https://togithub.com/defenseunicorns/uds-common/issues/88)) ([b7bce88](https://togithub.com/defenseunicorns/uds-common/commit/b7bce888d1d62c5d382d7d88a54e59da72e0d3ae)) ### [`v0.3.7`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.7) [Compare Source](https://togithub.com/defenseunicorns/uds-common-tasks/compare/v0.3.6...v0.3.7) ##### Miscellaneous - remove schedule on renovate ([#85](https://togithub.com/defenseunicorns/uds-common/issues/85)) ([fda7e57](https://togithub.com/defenseunicorns/uds-common/commit/fda7e57ad878cc70bf3905948911daa84c67db27)) - update k3d-core-istio-dev to k3d-core-slim-dev ([#86](https://togithub.com/defenseunicorns/uds-common/issues/86)) ([aa0e6da](https://togithub.com/defenseunicorns/uds-common/commit/aa0e6dad40126ead465b102ea28a3ac961883493)) ### [`v0.3.6`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.6) [Compare Source](https://togithub.com/defenseunicorns/uds-common-tasks/compare/v0.3.5...v0.3.6) ##### Miscellaneous - hotfix the spoof containing a dash in the input and add a publish step ([#81](https://togithub.com/defenseunicorns/uds-common/issues/81)) ([f9c7aac](https://togithub.com/defenseunicorns/uds-common/commit/f9c7aac4a30e5c3e627c44946f2f212af1573b39)) ### [`v0.3.5`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.5) [Compare Source](https://togithub.com/defenseunicorns/uds-common-tasks/compare/v0.3.4...v0.3.5) ##### Miscellaneous - fix spoof to not include a dash ([#79](https://togithub.com/defenseunicorns/uds-common/issues/79)) ([5d1738b](https://togithub.com/defenseunicorns/uds-common/commit/5d1738ba0ca2cd19c7fdf6dfe6873339e129c3bb)) ### [`v0.3.4`](https://togithub.com/defenseunicorns/uds-common/releases/tag/v0.3.4) [Compare Source](https://togithub.com/defenseunicorns/uds-common-tasks/compare/v0.3.3...v0.3.4) ##### Miscellaneous - add the ability to spoof to common ([#77](https://togithub.com/defenseunicorns/uds-common/issues/77)) ([49634e1](https://togithub.com/defenseunicorns/uds-common/commit/49634e1b69c6b2eadcc2497f6baba8bd349f3d38)) - **deps:** update dependency defenseunicorns/uds-core to v0.16.1 ([#72](https://togithub.com/defenseunicorns/uds-common/issues/72)) ([32d1ad6](https://togithub.com/defenseunicorns/uds-common/commit/32d1ad6812a3ef6ad750447296f5644b14ff2855)) </details> <details> <summary>defenseunicorns/zarf (defenseunicorns/zarf)</summary> ### [`v0.32.6`](https://togithub.com/defenseunicorns/zarf/releases/tag/v0.32.6) [Compare Source](https://togithub.com/defenseunicorns/zarf/compare/v0.32.5...v0.32.6) ##### \[0.32.6] - 2024-03-22 > trying out some different release note generators, formatting may vary for a few releases while we figure out what works best ~[@Noxsios](https://togithub.com/Noxsios) ##### 🚀 Features - \[**ALPHA**] feat: package generation ALPHA by [@andrewg-xyz](https://togithub.com/andrewg-xyz) in [#2269](https://togithub.com/defenseunicorns/zarf/pull/2269) - *(lib)* feat(lib): configurable log file location by [@Noxsios](https://togithub.com/Noxsios) in [#2380](https://togithub.com/defenseunicorns/zarf/pull/2380) - \[**BREAKING**] feat!: filter package components with strategy interface by [@Noxsios](https://togithub.com/Noxsios) in [#2321](https://togithub.com/defenseunicorns/zarf/pull/2321) ##### 🐛 Bug Fixes - fix: refactor create stages into separate lib by [@lucasrod16](https://togithub.com/lucasrod16) in [#2223](https://togithub.com/defenseunicorns/zarf/pull/2223) - fix: handle registry caBundle as a multiline string by [@AbrohamLincoln](https://togithub.com/AbrohamLincoln) in [#2381](https://togithub.com/defenseunicorns/zarf/pull/2381) - *(regression)* fix: populate `p.sbomViewFiles` on `deploy` and `mirror` by [@lucasrod16](https://togithub.com/lucasrod16) in [#2386](https://togithub.com/defenseunicorns/zarf/pull/2386) - fix: allow absolute paths for differential packages by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2397](https://togithub.com/defenseunicorns/zarf/pull/2397) - fix: hotfix skeleton publish by [@Noxsios](https://togithub.com/Noxsios) in [#2398](https://togithub.com/defenseunicorns/zarf/pull/2398) ##### 🚜 Refactor - refactor: split helpers/exec libs by [@Racer159](https://togithub.com/Racer159) in [#2379](https://togithub.com/defenseunicorns/zarf/pull/2379) ##### 🧪 Testing - test: data injection flake by [@lucasrod16](https://togithub.com/lucasrod16) in [#2361](https://togithub.com/defenseunicorns/zarf/pull/2361) ##### ⚙️ Miscellaneous Tasks - ci: add commitlint workflow and update contributing guide by [@lucasrod16](https://togithub.com/lucasrod16) in [#2391](https://togithub.com/defenseunicorns/zarf/pull/2391) ##### 🛡️ Security - *(release)* build: create PRs on `homebrew-tap` by [@Noxsios](https://togithub.com/Noxsios) in [#2385](https://togithub.com/defenseunicorns/zarf/pull/2385) **Full Changelog**: https://github.com/defenseunicorns/zarf/compare/v0.32.5...v0.32.6 ### [`v0.32.5`](https://togithub.com/defenseunicorns/zarf/releases/tag/v0.32.5) [Compare Source](https://togithub.com/defenseunicorns/zarf/compare/v0.32.4...v0.32.5) ##### \[0.32.5] - 2024-03-11 > trying out some different release note generators, formatting may vary for a few releases while we figure out what works best ~[@Noxsios](https://togithub.com/Noxsios) ##### 🚀 Features - feat: add missing vendored tool version commands by [@eddiezane](https://togithub.com/eddiezane) in [#2232](https://togithub.com/defenseunicorns/zarf/pull/2232) - feat: add `--why` flag for `zarf dev find-images` by [@waveywaves](https://togithub.com/waveywaves) in [#2309](https://togithub.com/defenseunicorns/zarf/pull/2309) - feat: set variables on find images by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2282](https://togithub.com/defenseunicorns/zarf/pull/2282) - feat: add configurable backoff and retries for Zarf operations by [@Racer159](https://togithub.com/Racer159) in [#2345](https://togithub.com/defenseunicorns/zarf/pull/2345) ##### 🐛 Bug Fixes - *(deps)*: update github.com/anchore/clio digest to [`abcb719`](https://togithub.com/defenseunicorns/zarf/commit/abcb719) by [@renovate](https://togithub.com/renovate)\[bot] in [#2347](https://togithub.com/defenseunicorns/zarf/pull/2347) - *(ci)*: change ECR image to docker.io image by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2353](https://togithub.com/defenseunicorns/zarf/pull/2353) - fix: added OCI Image Index mediaType by [@mdaizcorbe](https://togithub.com/mdaizcorbe) in [#2352](https://togithub.com/defenseunicorns/zarf/pull/2352) - fix: package publish progress bar frozen at zero by [@Noxsios](https://togithub.com/Noxsios) in [#2367](https://togithub.com/defenseunicorns/zarf/pull/2367) - *(release)* hotfix `publish` not respecting source package architecture by [@Noxsios](https://togithub.com/Noxsios) in [#2376](https://togithub.com/defenseunicorns/zarf/pull/2376) ##### 📚 Documentation - chore: fix spelling by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2333](https://togithub.com/defenseunicorns/zarf/pull/2333) - docs: formatting and grammar by [@beholdenkey](https://togithub.com/beholdenkey) in [#2350](https://togithub.com/defenseunicorns/zarf/pull/2350) ##### ⚙️ Miscellaneous Tasks - chore: sorted go imports by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [#2349](https://togithub.com/defenseunicorns/zarf/pull/2349) - chore: fix bb test by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2340](https://togithub.com/defenseunicorns/zarf/pull/2340) - chore: update CODEOWNERS with [@AustinAbro321](https://togithub.com/AustinAbro321) by [@Racer159](https://togithub.com/Racer159) in [#2354](https://togithub.com/defenseunicorns/zarf/pull/2354) - chore: refactor and purify the OCI library within Zarf by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2235](https://togithub.com/defenseunicorns/zarf/pull/2235) - chore: default to temp zarf cache in e2e tests by [@AustinAbro321](https://togithub.com/AustinAbro321) in [#2355](https://togithub.com/defenseunicorns/zarf/pull/2355) ##### 🛡️ Security - chore: configure agent server to avoid slowloris attack by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [#2342](https://togithub.com/defenseunicorns/zarf/pull/2342) - chore: fix implicit memory aliasing in for loop by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [#2341](https://togithub.com/defenseunicorns/zarf/pull/2341) - *(release)*: update release workflow to use token from gh app by [@Noxsios](https://togithub.com/Noxsios) in [#2368](https://togithub.com/defenseunicorns/zarf/pull/2368) - *(release)*: use release environment secrets by [@Noxsios](https://togithub.com/Noxsios) in [#2374](https://togithub.com/defenseunicorns/zarf/pull/2374) ##### First Time Contributors - [@eddiezane](https://togithub.com/eddiezane) made their first contribution in [#2232](https://togithub.com/defenseunicorns/zarf/issues/2232) - [@beholdenkey](https://togithub.com/beholdenkey) made their first contribution in [#2350](https://togithub.com/defenseunicorns/zarf/issues/2350) - [@mdaizcorbe](https://togithub.com/mdaizcorbe) made their first contribution in [#2352](https://togithub.com/defenseunicorns/zarf/issues/2352) **Full Changelog**: https://github.com/defenseunicorns/zarf/compare/v0.32.4...v0.32.5 ### [`v0.32.4`](https://togithub.com/defenseunicorns/zarf/releases/tag/v0.32.4) [Compare Source](https://togithub.com/defenseunicorns/zarf/compare/v0.32.3...v0.32.4) ##### What's Changed ##### Fixes - Improve `cmd` failure messaging when no timeout or retries are given by [@docandrew](https://togithub.com/docandrew) in [https://github.com/defenseunicorns/zarf/pull/2301](https://togithub.com/defenseunicorns/zarf/pull/2301) - Revert init package storageclass checks for git server and seed registry by [@lucasrod16](https://togithub.com/lucasrod16) in [https://github.com/defenseunicorns/zarf/pull/2311](https://togithub.com/defenseunicorns/zarf/pull/2311) - Fix multi-part tarballs being mismatched sizes by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2314](https://togithub.com/defenseunicorns/zarf/pull/2314) - Change text template detection to check first *and* last 512 bytes by [@WeaponX314](https://togithub.com/WeaponX314) in [https://github.com/defenseunicorns/zarf/pull/2310](https://togithub.com/defenseunicorns/zarf/pull/2310) - Improve `zarf tools registry prune` messaging by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2323](https://togithub.com/defenseunicorns/zarf/pull/2323) - Add http request header timeout to mitigate stalling image push by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2319](https://togithub.com/defenseunicorns/zarf/pull/2319) - Allow host+subpath as the source registry for `--registry-override` in package create by [@waveywaves](https://togithub.com/waveywaves) in [https://github.com/defenseunicorns/zarf/pull/2306](https://togithub.com/defenseunicorns/zarf/pull/2306) ##### Dependencies - Update github.com/anchore/clio digest to [`cb94e40`](https://togithub.com/defenseunicorns/zarf/commit/cb94e40) by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2294](https://togithub.com/defenseunicorns/zarf/pull/2294), [https://github.com/defenseunicorns/zarf/pull/2297](https://togithub.com/defenseunicorns/zarf/pull/2297) and [https://github.com/defenseunicorns/zarf/pull/2300](https://togithub.com/defenseunicorns/zarf/pull/2300) - **\[security]** Update module helm.sh/helm/v3 to v3.14.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2307](https://togithub.com/defenseunicorns/zarf/pull/2307) and [https://github.com/defenseunicorns/zarf/pull/2329](https://togithub.com/defenseunicorns/zarf/pull/2329) - Update actions/checkout action to v4 by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2317](https://togithub.com/defenseunicorns/zarf/pull/2317) - Update actions/dependency-review-action action to v4 by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2318](https://togithub.com/defenseunicorns/zarf/pull/2318) ##### Docs - Update [Zarf roadmap](https://docs.zarf.dev/docs/roadmap) per 2024 goals by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2305](https://togithub.com/defenseunicorns/zarf/pull/2305) ##### Development - Included Dependency Review action for PR reviews by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/defenseunicorns/zarf/pull/2298](https://togithub.com/defenseunicorns/zarf/pull/2298) - Resolve CodeQL linting issues across Zarf by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2322](https://togithub.com/defenseunicorns/zarf/pull/2322) ##### New Contributors - [@docandrew](https://togithub.com/docandrew) made their first contribution in [https://github.com/defenseunicorns/zarf/pull/2301](https://togithub.com/defenseunicorns/zarf/pull/2301) - [@naveensrinivasan](https://togithub.com/naveensrinivasan) made their first contribution in [https://github.com/defenseunicorns/zarf/pull/2298](https://togithub.com/defenseunicorns/zarf/pull/2298) - [@waveywaves](https://togithub.com/waveywaves) made their first contribution in [https://github.com/defenseunicorns/zarf/pull/2306](https://togithub.com/defenseunicorns/zarf/pull/2306) **Full Changelog**: https://github.com/defenseunicorns/zarf/compare/v0.32.3...v0.32.4 ### [`v0.32.3`](https://togithub.com/defenseunicorns/zarf/releases/tag/v0.32.3) [Compare Source](https://togithub.com/defenseunicorns/zarf/compare/v0.32.2...v0.32.3) ##### What's Changed ##### Fixes - Properly handle panic that could occur during checksum validation by [@mjnagel](https://togithub.com/mjnagel) in [https://github.com/defenseunicorns/zarf/pull/2262](https://togithub.com/defenseunicorns/zarf/pull/2262) - Add the `--key` flag to the init cmd to properly allow for signed init packages by [@dgershman](https://togithub.com/dgershman) in [https://github.com/defenseunicorns/zarf/pull/2259](https://togithub.com/defenseunicorns/zarf/pull/2259) - Restore destroy script functionality during `zarf destroy` by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2274](https://togithub.com/defenseunicorns/zarf/pull/2274) - Fix symlink inclusion within component resources by [@dgershman](https://togithub.com/dgershman) in [https://github.com/defenseunicorns/zarf/pull/2256](https://togithub.com/defenseunicorns/zarf/pull/2256) - Use memory friendly file split logic for partial packages by [@daniel-palmer-gu](https://togithub.com/daniel-palmer-gu) in [https://github.com/defenseunicorns/zarf/pull/2264](https://togithub.com/defenseunicorns/zarf/pull/2264) - Fix reproducible tarball creation on Windows systems by [@Noxsios](https://togithub.com/Noxsios) in [https://github.com/defenseunicorns/zarf/pull/2293](https://togithub.com/defenseunicorns/zarf/pull/2293) ##### Docs - Make branding more consistent and add community meetup references to docs by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2258](https://togithub.com/defenseunicorns/zarf/pull/2258) ##### Dependencies - Update github.com/anchore/clio digest by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2277](https://togithub.com/defenseunicorns/zarf/pull/2277) and [https://github.com/defenseunicorns/zarf/pull/2283](https://togithub.com/defenseunicorns/zarf/pull/2283) - Update all non-major dependencies (including Gitea v1.21.5, Syft v0.100.0, K9s v0.31.7 and Crane v0.19.0) by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2187](https://togithub.com/defenseunicorns/zarf/pull/2187) ##### Development - Add a more robust chart search regexManager by [@Racer159](https://togithub.com/Racer159) in [https://github.com/defenseunicorns/zarf/pull/2278](https://togithub.com/defenseunicorns/zarf/pull/2278) and [https://github.com/defenseunicorns/zarf/pull/2284](https://togithub.com/defenseunicorns/zarf/pull/2284) - Partial refactor of injector logic in `k8s`, and `cluster` packages by [@chrishorton](https://togithub.com/chrishorton) in [https://github.com/defenseunicorns/zarf/pull/2271](https://togithub.com/defenseunicorns/zarf/pull/2271) ##### New Contributors - [@daniel-palmer-gu](https://togithub.com/daniel-palmer-gu) made their first contribution in [https://github.com/defenseunicorns/zarf/pull/2264](https://togithub.com/defenseunicorns/zarf/pull/2264) **Full Changelog**: https://github.com/defenseunicorns/zarf/compare/v0.32.2...v0.32.3 ### [`v0.32.2`](https://togithub.com/defenseunicorns/zarf/releases/tag/v0.32.2) [Compare Source](https://togithub.com/defenseunicorns/zarf/compare/v0.32.1...v0.32.2) #### What's Changed #### Features - Support authenticated Helm repositories that have been configured with `helm repo add` by [@AustinAbro321](https://togithub.com/AustinAbro321) in [https://github.com/defenseunicorns/zarf/pull/2196](https://togithub.com/defenseunicorns/zarf/pull/2196) - Verify that the specified storage class exists during `zarf init` by [@lucasrod16](https://togithub.com/lucasrod16) in [https://github.com/defenseunicorns/zarf/pull/2180](https://togithub.com/defenseunicorns/zarf/pull/2180) - Check for available node resources before building injector pod by [@chrishorton](https://togithub.com/chrishorton) in [https://github.com/defenseunicorns/zarf/pull/2220](https://togithub.com/defenseunicorns/zarf/pull/2220) - Officially support yaml extensions within the `zarf.yaml` using `x-` keys by [@AustinAbro321](https://togithub.com/AustinAbro321) in [https://github.com/defenseunicorns/zarf/pull/2217](https://togithub.com/defenseunicorns/zarf/pull/2217) #### Fixes - Fix the inclusion of helm sub commands when rendering `zarf tools help` by [@jbrewer3](https://togithub.com/jbrewer3) in [https://github.com/defenseunicorns/zarf/pull/2216](https://togithub.com/defenseunicorns/zarf/pull/2216) #### Docs - Fix typos in the extension `README.md` by [@mjnagel](https://togithub.com/mjnagel) in [https://github.com/defenseunicorns/zarf/pull/2227](https://togithub.com/defenseunicorns/zarf/pull/2227) - Fix a small grammatical error in the base `README.md` by [@cmwylie19](https://togithub.com/cmwylie19) in [https://github.com/defenseunicorns/zarf/pull/2219](https://togithub.com/defenseunicorns/zarf/pull/2219) #### Dependencies - Update github.com/anchore/clio digest to [`89e2fe8`](https://togithub.com/defenseunicorns/zarf/commit/89e2fe8) by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2214](https://togithub.com/defenseunicorns/zarf/pull/2214) - Update github.com/anchore/clio digest to [`a5e93b6`](https://togithub.com/defenseunicorns/zarf/commit/a5e93b6) by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2229](https://togithub.com/defenseunicorns/zarf/pull/2229) - Update github.com/anchore/stereoscope digest to [`eb656fc`](https://togithub.com/defenseunicorns/zarf/commit/eb656fc) by [@renovate](https://togithub.com/renovate) in [https://github.com/defenseunicorns/zarf/pull/2230](https://togithub.com/defenseunicorns/zarf/pull/2230) #### Development - Remove workflow for automatically adding issues to the zarf project by [@YrrepNoj](https://togithub.com/YrrepNoj) in [https://github.com/defenseunicorns/zarf/pull/2239](https://togithub.com/defenseunicorns/zarf/pull/2239) - Delete unnecessary waitgroup from concurrencyTools by [@AustinAbro321](https://togithub.com/AustinAbro321) in [https://github.com/defenseunicorns/zarf/pull/2244](https://togithub.com/defenseunicorns/zarf/pull/2244) - Update `NewOrasRemote` to take `ocispec.Platform` as an argument by [@decleaver](https://togithub.com/decleaver) in [https://github.com/defenseunicorns/zarf/pull/2241](https://togithub.com/defenseunicorns/zarf/pull/2241) #### New Contributors - [@jbrewer3](https://togithub.com/jbrewer3) made their first contribution in [https://github.com/defenseunicorns/zarf/pull/2216](https://togithub.com/defenseunicorns/zarf/pull/2216) - [@chrishorton](https://togithub.com/chrishorton) made their first contribution in [https://github.com/defenseunicorns/zarf/pull/2220](https://togithub.com/defenseunicorns/zarf/pull/2220) **Full Changelog**: https://github.com/defenseunicorns/zarf/compare/v0.32.1...v0.32.2 ### [`v0.32.1`](https://togithub.com/defenseunicorns/zarf/releases/tag/v0.32 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/uds-package-mattermost).  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Wayne Starr <me@racer159.com>

Add none as option for fail-on-severity

621d03b

tgrall requested a review from a team as a code owner March 18, 2023 05:34

tgrall and others added 2 commits March 20, 2023 09:07

fix linter/format

cc302f4

Update README.md

78f160d

swap order to follow what's in the table

courtneycl reviewed Apr 3, 2023

View reviewed changes

courtneycl requested a review from febuiles April 3, 2023 20:37

tgrall added 9 commits June 12, 2023 11:26

add new parameter warn_only

0b053fc

new build

a3a8a9c

new build

d833109

wan only

f1e6d67

new dev

995bb84

fix ini of warn-only param

9b290a1

warn_only_test_

7ed3405

update doc

13c4496

update documentation

3b37a4e

juxtin reviewed Jul 6, 2023

View reviewed changes

__tests__/config.test.ts Outdated Show resolved Hide resolved

Abuchtela mentioned this pull request Sep 22, 2023

[Snyk] Upgrade @octokit/plugin-retry from 4.1.1 to 4.1.6 Abuchtela/dependency-review-action#4

Open

github-actions bot added the Stale label Jan 27, 2024

tgrall added 5 commits January 28, 2024 10:16

merge from main and fix code review comment from @juxtin

fc49851

package the action

f157684

fix typo in readme

d6f324d

set status to low when warn-only is set to true

f91404c

Fix vulnerability check to print warnings instead

0bab6ff

of failing

tgrall added 5 commits January 28, 2024 14:54

Fix license printing bug in main.ts

b0a705d

debug behavior

ee5bd47

dist

9e251a5

new debug test

2c52685

finalize testing

05d8612

github-actions bot removed the Stale label Jan 29, 2024

jonjanego requested changes Jan 29, 2024

View reviewed changes

README.md Outdated Show resolved Hide resolved

README.md Outdated Show resolved Hide resolved

action.yml Outdated Show resolved Hide resolved

Update Readme and action.yml based on review comments

98e8293

fix ci failure on format-check

8f3df4d

tgrall requested a review from jonjanego February 2, 2024 05:10

jonjanego approved these changes Feb 2, 2024

View reviewed changes

juxtin reviewed Feb 2, 2024

View reviewed changes

action.yml Outdated Show resolved Hide resolved

fix reviewed done by @juxtin - bad line in yml

c2936a6

juxtin merged commit 60f93ef into actions:main Feb 11, 2024
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add none as option for fail-on-severity #432

Add none as option for fail-on-severity #432

tgrall commented Mar 18, 2023

febuiles commented Mar 20, 2023

courtneycl left a comment

juxtin commented Apr 24, 2023

tgrall commented May 31, 2023

prassiv commented Jun 8, 2023

tgrall commented Jun 14, 2023 •

edited

Loading

prassiv commented Jul 5, 2023

github-actions bot commented Jan 27, 2024

tgrall commented Jan 28, 2024

jonjanego left a comment

juxtin commented Jan 29, 2024

tgrall commented Feb 1, 2024

jonjanego left a comment

Add none as option for fail-on-severity #432

Add none as option for fail-on-severity #432

Conversation

tgrall commented Mar 18, 2023

This PR contains:

Checks

febuiles commented Mar 20, 2023

courtneycl left a comment

Choose a reason for hiding this comment

juxtin commented Apr 24, 2023

tgrall commented May 31, 2023

prassiv commented Jun 8, 2023

tgrall commented Jun 14, 2023 • edited Loading

prassiv commented Jul 5, 2023

github-actions bot commented Jan 27, 2024

tgrall commented Jan 28, 2024

jonjanego left a comment

Choose a reason for hiding this comment

juxtin commented Jan 29, 2024

tgrall commented Feb 1, 2024

jonjanego left a comment

Choose a reason for hiding this comment

tgrall commented Jun 14, 2023 •

edited

Loading