Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 36 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,15 @@ Supported inputs are:
- `github-token` (string)
- The `GITHUB_TOKEN` secret
- Defaults to `${{ github.token }}`
- Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup` or `compat-lookup`.
- Note: this must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app) if you enable `alert-lookup`.
- `alert-lookup` (boolean)
- If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs.
- Defaults to `false`
- Note: the `github-token` field must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or an [installation access token (App Token)](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app). For more details, see [this](#use-with-app-token)
- `compat-lookup` (boolean)
- If `true`, then populate the `compatibility-score` output.
- Defaults to `false`
- Note: the `github-token` field must be set to a [personal access token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
- Note: To use this field with the default `${{ github.token }}`, `pull-requests: read` permission is required. If your workflow also checks out the repository or otherwise reads repository contents, `contents: read` may also be needed. For more details, see [this](#compatibility-score)
- `skip-commit-verification` (boolean)
- If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server**
- Defaults to `false`
Expand Down Expand Up @@ -228,6 +228,40 @@ jobs:
alert-lookup: true
```

### Compatibility score
This is a simple example of how to use `compat-lookup`.

```yml
name: dependabot-compatibility-score

on:
pull_request_target:

Comment on lines +237 to +239

Copilot AI Apr 23, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow example uses the pull_request event, but earlier in the README there’s a note stating “The examples below use pull_request_target for this reason.” Either update that note to clarify that some examples intentionally use pull_request (read-only token, no access to user secrets), or switch this example to pull_request_target and add the corresponding security cautions.

Copilot uses AI. Check for mistakes.

@sue445 sue445 Apr 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed at 91d041e

jobs:
dependabot:
runs-on: ubuntu-latest

if: github.event.pull_request.user.login == 'dependabot[bot]'

# Following is required for compat-lookup
permissions:
pull-requests: read

steps:
- uses: actions/checkout@v6

- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2
with:
compat-lookup: true

- name: Print compatibility-score
run: echo "COMPATIBILITY_SCORE=${COMPATIBILITY_SCORE}"
env:
COMPATIBILITY_SCORE: ${{ steps.metadata.outputs.compatibility-score }}
```

## Notes for project maintainers:

<details><summary>:book: Release guide</summary>
Expand Down
Loading