Add trusty scores

[therealnb]

This is some work to include trusty scores in the dependency review action.

There are some more unit tests and this has been manually tested with https://github.com/StacklokLabs/DepRevTest/actions.

Many thanks.

CC @lukehinds

[jonjanego]

Hi @lukehinds and @therealnb !

Some initial comments and observations:

• In the results, what is the "+ / -" column indicating? It seems to be including two pieces of information, a "+" or "-", then an overall stoplight measure for the package. I think this should be broken into two separate columns, although i'm not sure what the "+" or "-" indicates?
• This PR also includes a change to dependency-review.yml which is the workflow definition for the repository that runs dependency review on itself. It's included a change to run it against your action - which we won't be able to merge.

I'll make some other suggestions and feedback inline in the PR

[jonjanego]

Some initial feedback; not a tech review

[therealnb]

@jonjanego thanks for the feedback.

+/- is whether the file was added or removed. The next symbol is whether this is a good idea or not. Basically, removing any file is safe (green tick). Adding one with a score lower than the configured levels might get a warning or a cross.

I did consider only showing files that were added, but it might be useful context to show the ones that are removed too (i.e. removing a high scoring one and replacing it with a low scoring one). I am open to suggestions here.

I'll work on your other comments.

Cheers

[jonjanego]

@jonjanego thanks for the feedback.

+/- is whether the file was added or removed. The next symbol is whether this is a good idea or not. Basically, removing any file is safe (green tick). Adding one with a score lower than the configured levels might get a warning or a cross.

I did consider only showing files that were added, but it might be useful context to show the ones that are removed too (i.e. removing a high scoring one and replacing it with a low scoring one). I am open to suggestions here.

I'll work on your other comments.

Cheers

thanks for the clarification. i think it's fine to include that, but a bit of UX feedback would be to split that information into two separate columns. it's a cleaner view that way.

[therealnb]

I just saw your comment after I committed this code
StacklokLabs@73dc706
Which is another way to do it.

See https://github.com/StacklokLabs/DepRevTest/actions/runs/9131982560?pr=5 for an example.

If you want I can revert and we can have two columns. Let me know.

[therealnb]

For information these ones

Dependency Change	Version	Score	Not Malicious	Not Deprecated	Not Archived
❌ added bugsnagmw	1.0.3	0	❌	✅	✅
⚠️ added psycopg	3.1.18		✅	✅	✅
⚠️ added psycopg_pool	3.2.1		✅	✅	✅
⚠️ added pyarrow	16.0.0		✅	✅	✅
⚠️ added python_json_logger	2.0.7		✅	✅	✅
⚠️ added scikit_learn	1.4.2		✅	✅	✅
⚠️ added slack_sdk	3.27.1		✅	✅	✅

Are a bug I found in our ingestion. There is a fix for those that should be deployed next week.