dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.
MIT License

Revert "Scope app token to only this repo for security" #503

Closed jeffwidman closed 5 months ago

jeffwidman commented 5 months ago

Reverts dependabot/fetch-metadata#501

When I tried to cut a release, this was generating a JSON parsing error:

SyntaxError: Unexpected token 'd', "dependabot"... is not valid JSON
    at JSON.parse (<anonymous>)
    at parseOptions (file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:88540)
    at file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:87507
    at run (file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:88817)
    at file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:87480
    at __nccwpck_require__.a (file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:368729)
    at 399 (file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:87363)
    at __nccwpck_require__ (file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:367817)
    at file:///home/runner/work/_actions/tibdex/github-app-token/3beb63f4bd073e61482598c45c71c1019b59b73a/dist/main/index.js:9:369615
    at ModuleJob.run (node:internal/modules/esm/module_job:217:25)

It's probably something stupid simple that I overlooked, but I happened to see there's now an official GitHub action that we should probably be using instead as explained by @gr2m for security reasons.

So let's revert this to get releases working, and then I'll file a ticket to track migrating to the new action as a separate follow-on item. We'll need to do this migration in https://github.com/dependabot/dependabot-core/ as well.
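Added example, not code from fetch-metadata or from tibdex/github-app-token: a validator for a JSON-encoded action input that turns the bare SyntaxError quoted above into a message naming the input and the expected shape. It assumes the misconfigured input was the action's `repositories` list (the thread does not say which input it was) and that the values are `owner/repo` strings.

```javascript
// Models an action input that must arrive JSON-encoded. A bare value such as
// "dependabot/fetch-metadata" is what makes JSON.parse fail with
// "Unexpected token 'd' ... is not valid JSON" in the quoted trace.
// The input name "repositories" is an assumption, not taken from the thread.

function parseRepositoriesInput(raw) {
  // An unset or empty input keeps the action's default: no repo restriction.
  if (raw === undefined || raw.trim() === '') return [];

  let value;
  try {
    value = JSON.parse(raw);
  } catch (err) {
    // Keep the original JSON.parse message so the log still shows what it saw,
    // but say which input is wrong and what it should look like.
    throw new Error(
      'input "repositories" must be a JSON array such as ["owner/repo"]; ' +
      `got ${JSON.stringify(raw)} (${err.message})`
    );
  }

  // JSON that parses is not enough: reject objects, nested arrays and names
  // that are not owner/repo, so a token cannot be scoped to something unintended.
  const isRepoName = (r) => typeof r === 'string' && /^[\w.-]+\/[\w.-]+$/.test(r);
  if (!Array.isArray(value) || value.length === 0 || !value.every(isRepoName)) {
    throw new Error('input "repositories" must be a non-empty JSON array of "owner/repo" strings');
  }
  return value;
}

// What a workflow should write to scope the app token to exactly these repos:
// the JSON encoding of the list, not the bare names.
function encodeRepositoriesInput(repos) {
  return JSON.stringify(repos);
}
```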

jeffwidman commented 5 months ago

Actually, let's fix it this way instead: