diff --git a/README.md b/README.md index e560afae..f70db096 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Supported inputs are: - `github-token` (string) - The `GITHUB_TOKEN` secret - Defaults to `${{ github.token }}` - - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup` or `compat-lookup`. + - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup`. - `alert-lookup` (boolean) - If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs. - Defaults to `false` @@ -49,7 +49,7 @@ Supported inputs are: - `compat-lookup` (boolean) - If `true`, then populate the `compatibility-score` output. - Defaults to `false` - - Note: the `github-token` field must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). + - Note: To use this field with the default `${{ github.token }}`, `pull-requests: read` permission is required. If your workflow also checks out the repository or otherwise reads repository contents, `contents: read` may also be needed. For more details, see [this](#compatibility-score) - `skip-commit-verification` (boolean) - If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server** - Defaults to `false` @@ -228,6 +228,40 @@ jobs: alert-lookup: true ``` +### Compatibility score +This is a simple example of how to use `compat-lookup`. + +```yml +name: dependabot-compatibility-score + +on: + pull_request_target: + +jobs: + dependabot: + runs-on: ubuntu-latest + + if: github.event.pull_request.user.login == 'dependabot[bot]' + + # Following is required for compat-lookup + permissions: + pull-requests: read + + steps: + - uses: actions/checkout@v6 + + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + compat-lookup: true + + - name: Print compatibility-score + run: echo "COMPATIBILITY_SCORE=${COMPATIBILITY_SCORE}" + env: + COMPATIBILITY_SCORE: ${{ steps.metadata.outputs.compatibility-score }} +``` + ## Notes for project maintainers:
:book: Release guide