Merge pull request #767 from actions/max-comment-length

Fix the max comment length issue

__tests__/fixtures/config-allow-sample.yml

@@ -1,4 +1,4 @@
 fail_on_severity: critical
 allow_licenses:
- - "BSD"
- - "GPL 2"
+ - 'BSD'
+ - 'GPL 2'

__tests__/fixtures/inline-license-config-sample.yml

@@ -1 +1 @@
-allow-licenses: "MIT, GPL-2.0-only"
+allow-licenses: 'MIT, GPL-2.0-only'

__tests__/summary.test.ts

@@ -1,5 +1,5 @@
 import {expect, jest, test} from '@jest/globals'
-import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
+import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
 import * as summary from '../src/summary'
 import * as core from '@actions/core'
 import {createTestChange} from './fixtures/create-test-change'
@@ -109,6 +109,80 @@ test('prints headline as h1', () => {
  expect(text).toContain('<h1>Dependency Review</h1>')
 })
 
+test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
+ let changes: Changes = [
+ createTestChange({name: 'lodash', version: '1.2.3'}),
+ createTestChange({name: 'colors', version: '2.3.4'}),
+ createTestChange({name: '@foo/bar', version: '*'})
+ ]
+
+ let minSummary: string = summary.addSummaryToSummary(
+ changes,
+ emptyInvalidLicenseChanges,
+ emptyChanges,
+ scorecard,
+ defaultConfig
+ )
+
+ // side effect DR report into core.summary as happens in main.ts
+ summary.addScannedDependencies(changes)
+ const text = core.summary.stringify()
+
+ expect(text).toContain('<h1>Dependency Review</h1>')
+ expect(minSummary).toContain('# Dependency Review')
+
+ expect(text).toContain('❌ 3 vulnerable package(s)')
+ expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
+ expect(text).toContain('lodash')
+ expect(text).toContain('colors')
+ expect(text).toContain('@foo/bar')
+
+ expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
+ expect(minSummary).not.toContain('lodash')
+ expect(minSummary).not.toContain('colors')
+ expect(minSummary).not.toContain('@foo/bar')
+
+ expect(text.length).toBeGreaterThan(minSummary.length)
+})
+
+test('returns minimal summary formatted for posting as a PR comment', () => {
+ const OLD_ENV = process.env
+
+ let changes: Changes = [
+ createTestChange({name: 'lodash', version: '1.2.3'}),
+ createTestChange({name: 'colors', version: '2.3.4'}),
+ createTestChange({name: '@foo/bar', version: '*'})
+ ]
+
+ process.env.GITHUB_SERVER_URL = 'https://github.com'
+ process.env.GITHUB_REPOSITORY = 'owner/repo'
+ process.env.GITHUB_RUN_ID = 'abc-123-xyz'
+
+ let minSummary: string = summary.addSummaryToSummary(
+ changes,
+ emptyInvalidLicenseChanges,
+ emptyChanges,
+ scorecard,
+ defaultConfig
+ )
+
+ process.env = OLD_ENV
+
+ // note: no Actions context values in unit test env
+ const expected = `
+# Dependency Review
+The following issues were found:
+* ❌ 3 vulnerable package(s)
+* ✅ 0 package(s) with incompatible licenses
+* ✅ 0 package(s) with invalid SPDX license definitions
+* ✅ 0 package(s) with unknown licenses.
+
+[View full job summary](https://github.com/owner/repo/actions/runs/abc-123-xyz)
+ `.trim()
+
+ expect(minSummary).toEqual(expected)
+})
+
 test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
  summary.addSummaryToSummary(
  emptyChanges,

src/comment-pr.ts

@@ -5,6 +5,8 @@ import * as retry from '@octokit/plugin-retry'
 import {RequestError} from '@octokit/request-error'
 import {ConfigurationOptions} from './schemas'
 
+export const MAX_COMMENT_LENGTH = 65536
+
 const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
 const octo = new retryingOctokit(
  githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
@@ -14,13 +16,9 @@ const octo = new retryingOctokit(
 const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
 
 export async function commentPr(
- summary: typeof core.summary,
+ commentContent: string,
  config: ConfigurationOptions
 ): Promise<void> {
- const commentContent = summary.stringify()
-
- core.setOutput('comment-content', commentContent)
-
  if (
  !(
  config.comment_summary_in_pr === 'always' ||

src/main.ts

@@ -22,7 +22,7 @@ import * as summary from './summary'
 import {getRefs} from './git-refs'
 
 import {groupDependenciesByManifest} from './utils'
-import {commentPr} from './comment-pr'
+import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
 import {getDeniedChanges} from './deny'
 
 async function delay(ms: number): Promise<void> {
@@ -127,7 +127,7 @@ async function run(): Promise<void> {
 
  const scorecard = await getScorecardLevels(filteredChanges)
 
- summary.addSummaryToSummary(
+ const minSummary = summary.addSummaryToSummary(
  vulnerableChanges,
  invalidLicenseChanges,
  deniedChanges,
@@ -166,7 +166,21 @@ async function run(): Promise<void> {
  core.setOutput('dependency-changes', JSON.stringify(changes))
  summary.addScannedDependencies(changes)
  printScannedDependencies(changes)
- await commentPr(core.summary, config)
+
+ // include full summary in output; Actions will truncate if oversized
+ let rendered = core.summary.stringify()
+ core.setOutput('comment-content', rendered)
+
+ // if the summary is oversized, replace with minimal version
+ if (rendered.length >= MAX_COMMENT_LENGTH) {
+ core.debug(
+ 'The comment was too big for the GitHub API. Falling back on a minimum comment'
+ )
+ rendered = minSummary
+ }
+
+ // update the PR comment if needed with the right-sized summary
+ await commentPr(rendered, config)
  } catch (error) {
  if (error instanceof RequestError && error.status === 404) {
  core.setFailed(