
Allow this action to run on branch #754

Open
writemevm opened this issue Apr 28, 2024 · 4 comments

Comments


writemevm commented Apr 28, 2024

Currently, this action only allows running on PRs. Is it possible to allow this action to run on a specified branch? How will it detect when there is no change in dependencies, yet the issue is introduced by the old version being used?


felickz commented Apr 29, 2024

You can specify the base/head where the diff of those two will be used to create the list of dependencies to review.

base-ref:
  description: The base git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
  required: false
head-ref:
  description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
  required: false

The base/head git ref to be used for this check. Has a default value when the workflow event is pull_request or pull_request_target. Must be provided otherwise.

Ex: https://github.com/ctcampbellcom/WebGoat/actions/runs/8667866545

      head-ref: ${{ github.ref }}
      base-ref: ${{ github.event.repository.default_branch }}

dependency-review Not in the context of a pull request. Skipping comment creation.

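A complete workflow that wires those two inputs together for a push event, as an added example rather than a snippet from this thread or from the action's own documentation; the workflow name, the `release/**` branch pattern and the `@v4` tags are assumptions.

```yaml
# Constructed example: run dependency review on pushes to a branch,
# diffing the pushed ref against the repository's default branch.
name: Dependency review on a branch

on:
  push:
    branches:
      - 'release/**'   # assumed branch pattern; adjust to the branches you care about

permissions:
  contents: read       # least privilege: the action only reads the dependency diff

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # version tag assumed

      - name: Review dependencies changed relative to the default branch
        uses: actions/dependency-review-action@v4   # version tag assumed
        with:
          # Outside pull_request / pull_request_target both refs must be given
          # explicitly, otherwise the action has no default and fails.
          base-ref: ${{ github.event.repository.default_branch }}
          head-ref: ${{ github.ref }}
```

Because the action only reviews the diff between `base-ref` and `head-ref`, a vulnerable version that is already present on both refs produces no finding; expect the "Not in the context of a pull request. Skipping comment creation." log line, since there is no PR to comment on.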


juxtin commented Apr 29, 2024

Thank you to @felickz for the very thorough answer on the topic of running on branches!

I'll take the other part of this issue:

How will it detect when there is no change in dependencies, yet the issue is introduced by the old version being used?

That's not really the use case that Dependency Review is intended to solve. It sounds like what you want is something like Dependabot alerts, but with support for multiple branches. Is that right?

writemevm (Author) commented


Thank you @felickz. I will give it a try based on your recommendation and let you know.


writemevm commented Apr 30, 2024

@juxtin - I was looking for something similar to Veracode SCA (https://github.com/marketplace/actions/veracode-dependency-scanning) where I can run the dependency review on a branch or any commit.

This would be a great improvement if it can be supported. Let me know.
