feat: Add inputs for manifest_paths and slack_channel
#192
Conversation
There was a problem hiding this comment.
@stackptr - thanks for putting up this PR! Have some minor comments.
Also, I've updated the PR title to conventional commit.
| slack_channel: | ||
| description: 'Explicit channel for Slack webhook. If omitted, the channel configured in the webhook is used.' | ||
| required: false | ||
| default: '' |
There was a problem hiding this comment.
Can we remove default? It will make checking easier as it will be undefined. Also, it will be inline with other optional fields which don't have any defaults.
| @@ -43,6 +47,8 @@ inputs: | |||
| description: 'Comma separated list of severities. E.g. low,medium,high,critical (NO SPACES BETWEEN COMMA AND SEVERITY)' | |||
| ecosystem: | |||
| description: 'A comma-separated list of ecosystems. If specified, only alerts for these ecosystems will be returned.' | |||
| manifest_paths: | |||
There was a problem hiding this comment.
- Let's call it
manifest - Let's make it a comma separated list, so it can be passed directly to the function - and let's also update the description to switch to
Multi-lineinstead ofcomma-separated
GitHub Docs
There was a problem hiding this comment.
Don't think any of these dist/ files should be checked in with PRs
| @@ -35,6 +35,7 @@ const createAlertBlock = (alert: Alert): KnownBlock => ({ | |||
| text: ` | |||
| *Package:* ${alert.packageName} | |||
| *Repository:* ${getFullRepositoryNameFromAlert(alert)} | |||
| *Manifest path:* ${alert.manifestPath} | |||
There was a problem hiding this comment.
| *Manifest path:* ${alert.manifestPath} | |
| *Manifest:* ${alert.manifestPath} |
| @@ -61,9 +62,12 @@ export const validateSlackWebhookUrl = (url: string): boolean => { | |||
|
|
|||
| export const sendAlertsToSlack = async ( | |||
| webhookUrl: string, | |||
| channel: string, | |||
There was a problem hiding this comment.
Channel should be optional?
| channel: string, | |
| channel?: string, |
| @@ -10,6 +10,7 @@ export type DependabotAlert = | |||
| export interface Alert { | |||
| repository: Repository | |||
| packageName: string | |||
| manifestPath?: string | |||
There was a problem hiding this comment.
| manifestPath?: string | |
| manifest?: string |
| @@ -1,4 +1,4 @@ | |||
| import { getInput, setFailed } from '@actions/core' | |||
| import { getInput, getMultilineInput, setFailed } from '@actions/core' | |||
There was a problem hiding this comment.
Let's use regular getInput for this
| const alerts = | ||
| manifestPaths.length > 0 | ||
| ? fetchedAlerts.filter( | ||
| (alert) => | ||
| alert.manifestPath && | ||
| manifestPaths.some( | ||
| (manifestPath) => manifestPath === alert.manifestPath, | ||
| ), | ||
| ) | ||
| : fetchedAlerts |
There was a problem hiding this comment.
We won't need this if you pass manifest to the function that fetches alerts - it will be passed to the octokit method and it will filter the alerts based on that criteria
|
|
||
| let alerts: Alert[] = [] | ||
| let fetchedAlerts: Alert[] = [] |
There was a problem hiding this comment.
We won't need to change any of this
kunalnagar
changed the title
manifest_paths and slack_channelmanifest_paths and slack_channel
manifest_pathsfilters listed vulnerabilities to specific manifests in a repository andslack_channelallows overriding the default channel specified when creating theslack_webhook. These additional inputs allow individual teams at Freckle to receive alerts for vulnerabilities affecting packages for which they are responsible.Filtering alerts based on
manifest_pathsis tested working in a private repository. Documentation shows identical fields returned for org-level and enterprise alerts, but I do not have a good way to validate for sure.