Comments (9)
I am experiencing the same issue.
from fetch-metadata.
@SalimBensiali your repository is not configured to use Dependabot security updates and alerts:
I updated the README (see #187) to make it explicit that this feature relies upon those being enabled. My apologies for the confusion.
from fetch-metadata.
@mwaddell my repo does have dependabot security updates and alerts enabled. Look at any previously closed dependabot alerts via the auto merge workflow https://github.com/SalimBensiali/le-blanc-jewellery/pulls?q=is%3Apr+is%3Aclosed
The issue I am reporting relates the v1.3.0 new feature alert-lookup
from fetch-metadata.
I think you simply don't have the permissions to view them
from fetch-metadata.
@mwaddell I managed to run the dry-run command which successfully returned the missing metadata for me.
Could it be because your LOCAL_GITHUB_ACCESS_TOKEN
does not give you permission to access the data? Which would be consistent with not seeing that dependabot security alerts and updates are enabled on https://github.com/SalimBensiali/le-blanc-jewellery/security.
from fetch-metadata.
The docs you are linking to in #187 (https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to--dependabot-alerts) do explain why you could not see any dependabot alerts on my repo.
By default, we notify people with admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses identified vulnerabilities for any repository. You can also make Dependabot alerts visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "Managing security and analysis settings for your repository."
This is further confirmed here.
from fetch-metadata.
@mwaddell you could run the dry-run command off main and my branch and target a test repo you own to verify the bug and the fix. All you need is a repo with a manifest file in the root directory and any dependabot PR.
from fetch-metadata.
Thank you for the additional clarification - I understand now. Thank you for the PR and for updating all the unit tests, I've reviewed and approved the changes for @brrygrdn to merge.
from fetch-metadata.
👍
from fetch-metadata.
Related Issues (20)
- Migrate to node 18 whenever Actions adds support for it. HOT 2
- Fetch Metadata action returns null update-type output for pull requests HOT 14
- Auto-merge not adhering to Branch Protection Rules HOT 3
- Error: Api Error: (404) Not Found HOT 1
- Package ecosystem output for gitsubmodules PRs is inconsistent with dependabot.yml
- `new-version` has trailing whitespace
- Allow for additional event types / Ignore "pull-request"+"pull-request-target" event types? HOT 1
- Support `newVersion` and `prevVersion` for updates with multiple dependencies HOT 2
- Error: github-token is not set! Please add 'github-token: "${{ secrets.GITHUB_TOKEN }}"' to your workflow file. HOT 1
- Add `severity` to the action outputs
- Add alert number to outputs HOT 1
- Alert metadata lookup not working as expected HOT 2
- `fetch-metadata` action returns `/` for directory output HOT 1
- `fetch-metadata` can not fetch metadata when using `workflow_run` event HOT 1
- Directory name is not properly extracted from branch name when using `-` separator. HOT 1
- Multi-segment directory name malformed when using non-standard separator.
- github actor is not dependabot when rerunning the job HOT 1
- Dependabot "update-type" not available in metadata retrieved for PR HOT 6
- Dependabot runs fail due to strict node and npm pinning HOT 5
- Include "outputs.publish-date" HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fetch-metadata.