github-script VS dependabot-core

It's also possible to use output through the github-script action.

I wrote a custom script to parse PR comments as input commands to interface with Terraform CLI, returning the output as bot comments. Each step of the workflow relies on GitHub Actions, including actions/github-script to interact with GitHub's API (while brushing up on my JavaScript!).

You can generate what to annotate with a few lines of shell and then use gihub-script

Nice idea, worth mentioning other features:

* Reusable workflows (note: matrix strategy doesn't work here): https://docs.github.com/en/actions/using-workflows/reusing-w...

* Composite actions: https://docs.github.com/en/actions/creating-actions/creating...

* Script as action: https://github.com/actions/github-script

* Using GitHub Packages and artifacts: https://docs.github.com/en/actions/publishing-packages/about...

* Using docker-compose-like services that run alongside of the container: https://docs.github.com/en/actions/using-containerized-servi...

And many, many more :)

actions/github-script@v5

This workflow makes use of the awesome github-script that makes working with API's a breeze!

GitHub support hasn't been helpful so far. If you use Chrome on Linux, type xfce4-screenshooter or flameshot and grab a screenshot. Then navigate to any issue or PR, for example, https://github.com/actions/github-script/issues/187 and in the comment box at the bottom, type Ctrl-V. Either you'll see your image get uploaded or you won't. You don't need to save nor submit the comment.

Note at the end of the bash, and we are leveraging a curl command to talk directly to the GitHub API. This curl command is meant for simplicity. All of this could have been done using the octokit.rest.js library or better github-script.

In this post, I am going to focus on the API and actions/github-script. This action makes it easy to quickly write a script in your workflow that uses the GitHub API and includes the workflow run context.

My new github action follows a simple workflow: Whenever a user opens a pull request to the repository with the configured workflow, a comment is made on the PR with a greeting to the user and another comment with the statistics about the repository and PR are posted. Used the github-scripts (https://github.com/actions/github-script) action to get the API and context to write my own script in the workflow. It was a very fun exercise for me. Thankyou Dev Team for this cool contest!

Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)

Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing it would re-introduce the same potential vulnerability).

Storybook is great and all, but these days nearly every Dependabot alert I get is about a sub-dependency of Storybook. Since Dependabot doesn't currently allow you to ignore dev dependencies and only check production dependencies [0], this makes Storybook a Big Noise Generator and every time I dismiss another alert from it, I can't help but wonder if there's a better option out there.

[0] https://github.com/dependabot/dependabot-core/issues/2521

P.S. While this being a powerful and handy tool itself, it is only a part of Dependabot’s capabilities. If you are interested, you’ll find more about them in the GitHub docs.

Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.

- https://github.com/dependabot/dependabot-core

An important point is that this kind of metadata often needs to be accessible from outside the build system itself. You need that for example in order to integration with renovate-bot or github's dependabot, to check your dependencies against CVEs, to build SBOMs and various other additional tasks that are not part of the build itself, but related to the build's metadata. This is all functionality I don't want to reimplement, I want to use what's already out there. And for that the build system needs to have some minimum amount of compatibility with existing standard metadata files like pom.xml or build.gradle

To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use Github’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.

I recognize that it does not handle chart updates, but it's might still ease the burden of applying minor releases easily etc. For the chart versions themselves, unfortunately dependabot does not support this and will not, but something like renovatebot does. Could be worth looking into as a dual approach

Disclosure: Renovate author

Renovate is indeed AGPL, but if you're just running it as a CLI, do you think there's anything to "watch out for"? It does not make any project you run it against AGPL, that's for sure.

Also you should be aware that dependabot-core, which dependabot-gitlab wraps, is not technically Open Source at all: https://github.com/dependabot/dependabot-core/blob/main/LICE...

Waiting for Yarn v2/v3 support in Dependabot has been a saga.

https://github.com/dependabot/dependabot-core/issues/1297