We were trying to build some logic on top of fetch-metadata action but when it came to real PRs we've seen one major issue.
When using api we could see the GHSA ID was found easily and we could tie it to it
When we checked the same for fetch-metadata it is empty. The permissions are properly set. See:
Action version tested: 25dd0e3 (v3.1.0).
Fetch metadata reports:
Outputting metadata for 1 updated dependency
outputs.dependency-names: github.com/jackc/pgx/v5
outputs.dependency-type: indirect
outputs.update-type: version-update:semver-minor
outputs.directory: /
outputs.package-ecosystem: go_modules
outputs.target-branch: master
outputs.previous-version: 5.5.5
outputs.new-version: 5.9.2
outputs.compatibility-score: 0
outputs.maintainer-changes: false
outputs.dependency-group:
outputs.alert-state:
outputs.ghsa-id:
outputs.cvss: 0
While API shows
gh api "repos/$OWNER/$REPO/dependabot/alerts?state=open&per_page=5" \
--jq '.[] | {ghsa: .security_advisory.ghsa_id, package: .dependency.package.name, state}'
{
"ghsa": "GHSA-j88v-2chj-qfwx",
"package": "github.com/jackc/pgx/v5",
"state": "open"
}
{
"ghsa": "GHSA-9jj7-4m8r-rfcm",
"package": "github.com/jackc/pgx/v5",
"state": "open"
}
...
Why is this difference. We need fetch-metadata to be reliable
We were trying to build some logic on top of fetch-metadata action but when it came to real PRs we've seen one major issue.
When using api we could see the GHSA ID was found easily and we could tie it to it
When we checked the same for fetch-metadata it is empty. The permissions are properly set. See:
Action version tested: 25dd0e3 (v3.1.0).
Fetch metadata reports:
While API shows
Why is this difference. We need fetch-metadata to be reliable