Update package.json and README; enable issue creation on manual trigger; add custom labels to new issues

README.md

@@ -36,7 +36,6 @@ It is recommended to add the `paths:` section into the workflow file,
 as it would effectively speed up the CI pipeline, since the audit process
 will not be performed if no dependencies were changed.
 
-
 In case of any security advisories found, [status check](https://help.github.com/en/articles/about-status-checks)
 created by this Action will be marked as "failed".\
 Note that informational advisories are not affecting the check status.
@@ -60,7 +59,7 @@ github-token:
     checks-reason: to create check
 ```
 
-The action does not raise issues when it is not triggered from a "cron" scheduled workflow.
+This action only raises issues when it's triggered from a `cron` scheduled workflow or on manual `workflow_dispatch`
 
 When running the action as scheduled it will crate issues but e.g. in PR / push fails the action.
 
@@ -105,5 +104,26 @@ For each new advisory (including informal) an issue will be created:
 | `token`     | ✓        | [GitHub token], usually a `${{ secrets.GITHUB_TOKEN }}`                    | string |         |
 | `ignore`    |          | Comma-separated list of advisory ids to ignore                             | string |         |
 | `working-directory`|   | The directory of the Cargo.toml / Cargo.lock files to scan.                | string | `.`     |
+| `new-issue-labels` |   | Comma-separated list of Labes to be added to new issues                    | string | `.`     |
 
 [GitHub token]: https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token
+
+## Contribute
+
+### Setting up npm login
+
+This repo uses some npm packages hosted on github.
+To be able to pull these you need to:
+
+1. Under <https://github.com/settings/tokens> - create a `personal access token (classic)` with `read:packages` scope
+
+2. Authenticate to the github npm registry
+
+```sh
+npm login --scope=@clechasseur --auth-type=legacy --registry=https://npm.pkg.github.com
+```
+
+```txt
+Username = Github Username
+Password = Token
+```

package.json

@@ -18,7 +18,7 @@
     },
     "repository": {
         "type": "git",
-        "url": "git+https://github.com/actions-rs/audit.git"
+        "url": "github:rustsec/audit-check"
     },
     "keywords": [
         "actions",
@@ -31,25 +31,27 @@
     "author": "actions-rs",
     "license": "MIT",
     "bugs": {
-        "url": "https://github.com/actions-rs/audit-check/issues"
+        "url": "https://github.com/rustsec/audit-check/issues"
     },
     "dependencies": {
+        "@actions/core": "^1.11.1",
+        "@actions/github": "^6.0.1",
         "@clechasseur/rs-actions-core": "^3.0.5",
         "nunjucks": "^3.2.4"
     },
     "devDependencies": {
-        "@typescript-eslint/parser": "^6.21.0",
+        "@types/jest": "^29.5.12",
+        "@types/node": "^20.11.17",
         "@typescript-eslint/eslint-plugin": "^6.21.0",
-        "ts-node": "^10.9.2",
+        "@typescript-eslint/parser": "^6.21.0",
+        "@vercel/ncc": "0.38.1",
         "eslint": "^8.56.0",
         "eslint-config-prettier": "^9.1.0",
         "eslint-plugin-prettier": "^5.1.3",
-        "@types/jest": "^29.5.12",
-        "@types/node": "^20.11.17",
-        "@vercel/ncc": "0.38.1",
         "jest": "^29.7.0",
+        "prettier": "^3.2.5",
         "ts-jest": "^29.1.2",
-        "typescript": "^5.3.3",
-        "prettier": "^3.2.5"
+        "ts-node": "^10.9.2",
+        "typescript": "^5.3.3"
     }
 }

src/input.ts

@@ -8,13 +8,18 @@ import { input } from '@clechasseur/rs-actions-core';
 export interface Input {
     token: string;
     ignore: string[];
+    new_issue_labels: string[];
     workingDirectory: string;
 }
 
 export function get(): Input {
     return {
         token: input.getInput('token', { required: true }),
         ignore: input.getInputList('ignore', { required: false }),
-        workingDirectory: input.getInput('working-directory', { required: false }) ?? '.',
+        new_issue_labels: input.getInputList('new-issue-labels', {
+            required: false,
+        }),
+        workingDirectory:
+            input.getInput('working-directory', { required: false }) ?? '.',
     };
 }

src/main.ts

@@ -1,5 +1,5 @@
-import * as process from 'process';
 import * as os from 'os';
+import * as process from 'process';
 
 import * as core from '@actions/core';
 import * as github from '@actions/github';
@@ -54,6 +54,7 @@ function removeTrailingSlash(str) {
 }
 
 export async function run(actionInput: input.Input): Promise<void> {
+    const labels = actionInput.new_issue_labels;
     const ignore = actionInput.ignore;
     const workingDirectory = removeTrailingSlash(actionInput.workingDirectory);
     const report = await getData(ignore, workingDirectory);
@@ -90,11 +91,19 @@ export async function run(actionInput: input.Input): Promise<void> {
 
     // const octokit = github.getOctokit(actionInput.token, {userAgent: USER_AGENT});
     const advisories = report.vulnerabilities.list;
-    if (github.context.eventName == 'schedule') {
+    if (
+        github.context.eventName == 'schedule' ||
+        github.context.eventName == 'workflow_dispatch'
+    ) {
         core.debug(
             'Action was triggered on a schedule event, creating an Issues report',
         );
-        await reporter.reportIssues(actionInput.token, advisories, warnings);
+        await reporter.reportIssues(
+            actionInput.token,
+            advisories,
+            warnings,
+            labels,
+        );
     } else {
         core.debug(
             `Action was triggered on a ${github.context.eventName} event, creating a Check report`,

src/reporter.ts

@@ -166,7 +166,7 @@ export async function reportCheck(
     vulnerabilities: Array<interfaces.Vulnerability>,
     warnings: Array<interfaces.Warning>,
 ): Promise<void> {
-    const client = github.getOctokit(token, {userAgent: USER_AGENT});
+    const client = github.getOctokit(token, { userAgent: USER_AGENT });
     const reporter = new checks.CheckReporter(client.rest, 'Security audit');
     const stats = getStats(vulnerabilities, warnings);
     const summary = getSummary(stats);
@@ -235,7 +235,7 @@ async function alreadyReported(
     advisoryId: string,
 ): Promise<boolean> {
     const { owner, repo } = github.context.repo;
-    const client = github.getOctokit(token, {userAgent: USER_AGENT});
+    const client = github.getOctokit(token, { userAgent: USER_AGENT });
     const results = await client.rest.search.issuesAndPullRequests({
         q: `${advisoryId} in:title repo:${owner}/${repo}`,
         per_page: 1, // eslint-disable-line @typescript-eslint/camelcase
@@ -256,10 +256,11 @@ export async function reportIssues(
     token: string,
     vulnerabilities: Array<interfaces.Vulnerability>,
     warnings: Array<interfaces.Warning>,
+    labels: string[],
 ): Promise<void> {
     const { owner, repo } = github.context.repo;
 
-    const client = github.getOctokit(token, {userAgent: USER_AGENT});
+    const client = github.getOctokit(token, { userAgent: USER_AGENT });
 
     for (const vulnerability of vulnerabilities) {
         const reported = await alreadyReported(
@@ -278,6 +279,7 @@ export async function reportIssues(
             repo: repo,
             title: `${vulnerability.advisory.id}: ${vulnerability.advisory.title}`,
             body: body,
+            labels,
         });
         core.info(
             `Created an issue for ${vulnerability.advisory.id}: ${issue.data.html_url}`,