From 66b0cd4ac566301518457e9e8eb7f871b2a566f1 Mon Sep 17 00:00:00 2001 From: sue445 Date: Tue, 31 Mar 2026 00:04:09 +0900 Subject: [PATCH 1/4] doc: Write doc for `compat-lookup` --- README.md | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 48af846d..300dc44b 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Supported inputs are: - `github-token` (string) - The `GITHUB_TOKEN` secret - Defaults to `${{ github.token }}` - - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup` or `compat-lookup`. + - Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup`. - `alert-lookup` (boolean) - If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs. - Defaults to `false` @@ -49,7 +49,7 @@ Supported inputs are: - `compat-lookup` (boolean) - If `true`, then populate the `compatibility-score` output. - Defaults to `false` - - Note: the `github-token` field must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). + - Note: To use this field, `contents: read` and `pull-requests: read` permissions are required for `secrets.GITHUB_TOKEN`. For more details, see [this](#compatibility-score) - `skip-commit-verification` (boolean) - If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server** - Defaults to `false` @@ -220,6 +220,41 @@ jobs: alert-lookup: true ``` +### Compatibility score +This is a simple example of how to use `compat-lookup`. + +```yml +name: dependabot-compatibility-score + +on: + pull_request: + +jobs: + dependabot: + runs-on: ubuntu-latest + + if: github.actor == 'dependabot[bot]' + + # Following is required for compat-lookup + permissions: + contents: read + pull-requests: read + + steps: + - uses: actions/checkout@v6 + + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + compat-lookup: true + + - name: Print compatibility-score + run: echo "COMPATIBILITY_SCORE=${COMPATIBILITY_SCORE}" + env: + COMPATIBILITY_SCORE: ${{ steps.metadata.outputs.compatibility-score }} +``` + ## Notes for project maintainers:
:book: Release guide From 3d9096286ec94b9a3e043de7d7c9fe1055900edf Mon Sep 17 00:00:00 2001 From: Go Sueyoshi Date: Fri, 24 Apr 2026 09:17:20 +0900 Subject: [PATCH 2/4] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2499c58b..e495b624 100644 --- a/README.md +++ b/README.md @@ -241,7 +241,7 @@ jobs: dependabot: runs-on: ubuntu-latest - if: github.actor == 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' # Following is required for compat-lookup permissions: From 91d041eb9e4ce000cc75b4387d32e62579ca9155 Mon Sep 17 00:00:00 2001 From: sue445 Date: Fri, 24 Apr 2026 11:09:55 +0900 Subject: [PATCH 3/4] pull_request -> pull_request_target ref. https://github.com/dependabot/fetch-metadata/pull/691#discussion_r3132210404 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e495b624..3c9e46c9 100644 --- a/README.md +++ b/README.md @@ -235,7 +235,7 @@ This is a simple example of how to use `compat-lookup`. name: dependabot-compatibility-score on: - pull_request: + pull_request_target: jobs: dependabot: From 8677c5776c70bf65514d5a816244e206ac36d990 Mon Sep 17 00:00:00 2001 From: sue445 Date: Fri, 24 Apr 2026 11:09:09 +0900 Subject: [PATCH 4/4] `contents: read` is needless when `pull_request_target` and use `${{ github.token }}` instead of `secrets.GITHUB_TOKEN`. ref. https://github.com/dependabot/fetch-metadata/pull/691#discussion_r3132210379 --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 3c9e46c9..f70db096 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Supported inputs are: - `compat-lookup` (boolean) - If `true`, then populate the `compatibility-score` output. - Defaults to `false` - - Note: To use this field, `contents: read` and `pull-requests: read` permissions are required for `secrets.GITHUB_TOKEN`. For more details, see [this](#compatibility-score) + - Note: To use this field with the default `${{ github.token }}`, `pull-requests: read` permission is required. If your workflow also checks out the repository or otherwise reads repository contents, `contents: read` may also be needed. For more details, see [this](#compatibility-score) - `skip-commit-verification` (boolean) - If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server** - Defaults to `false` @@ -245,7 +245,6 @@ jobs: # Following is required for compat-lookup permissions: - contents: read pull-requests: read steps: