This is an open issue that my PR depends on.

Currently, GitHub does a fantastic job of translating the #5 format into a link to the associated PR or issue. The current functionality relies on this. But many times, people will paste partial or full links instead of just typing the number.

For example:

• gregsdennis/dependencies-action#1
• https://github.com/gregsdennis/dependencies-action/pulls/1

The proposal is to support extracting the issue numbers from partial and full links.

This is a first step toward supporting links in other repos.

Current Behavior

When listing multiple PR dependencies by full URL, only the first one is matched and checked, independently of whether it's merged or not.

Expected Behavior

All dependencies are matched/checked

Example

I've set up an example repository that replicates this issue.
The repo has 3 open PRs that target main and depend on each other as such:

graph LR
PR1 ---> PR3
PR2 ---> PR3

In the PR3 checks, you can see the following output (from this action):

[...]
Found full-url dependency in 'Depends on https://github.com/leocencetti/pr_deps_check_example/pull/1'
Found no dependency in 'Depends on https://github.com/leocencetti/pr_deps_check_example/pull/2'
[...]

note the Found no dependency line.

As mentioned before, the behavior is the same if PR1 is merged, or the order is swapped.

When u create a PR from a fork the workflow will not run.
Please make it possible for the workflow to run when a pr is created from a fork

Would be nice if it adds a label to the PR that indicates that the PR is dependent/blocked

If "depends on" or "blocked by" value isn't set in the body the check is failing on 404

RequestError [HttpError]: Not Found
    at /home/runner/work/_actions/gregsdennis/dependencies-action/main/node_modules/@octokit/request/dist-node/index.js:66:23
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async run (/home/runner/work/_actions/gregsdennis/dependencies-action/main/index.js:78:39) {
  status: 404,

Commit example

Expected behaviour is if the body is empty or no string match the check should pass through or have a custom flag to ignore 404 responses

We are getting this warning using this action (v1.2.3) for some time:

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: gregsdennis/dependencies-action

Similarly to #14, Node.js 16 is now deprecated as well. Here is the warning for reference:

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: gregsdennis/[email protected]. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'PR Dependency Check'
github-token:
  environment-variable-name: GITHUB_TOKEN
  permissions:
    pull-requests: read
    pull-requests-reason: to check PRs for dependencies
    issues: read
    issues-reason: to check issues for dependencies 
#Reference: https://github.com/gregsdennis/dependencies-action/blob/047fc2563e29739c28c31d007d3f8862d02dca57/index.js#L91

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

Once parsing partial and full PR links has been worked out, it should be a small step to also extract the owner and repo names.

https://github.com/gregsdennis/dependencies-action/blob/main/node_modules/.bin/uuid is symlink

Hello, thanks for creating this cool action

I opened the link to the example in the readme, it leads me to the wrong page like:

Caused by the extra s in the url (i.e. should be pull/5 instead of pulls/5)

Should be easy to fix, I can submit a PR if you want

Cheers

There are some variations here:

• depends on [this issue](#5)
• [depends on this issue](#5)

The hyperlink portion of the Markdown must be a full link. The other formats aren't supported.

we're using GHE enterprise, and we're unable to use this GitHub actions workflow since it's using a specific github.com regex.
https://github.com/gregsdennis/dependencies-action/blob/main/index.js#L9
https://github.com/gregsdennis/dependencies-action/blob/main/index.js#L10

is it possible to either:

• Define a custom regex that we can inject using global env variable
• Make the GitHub url within the regex as a variable so that we can override it if needed

Example of link for a PR on Github enterprise: https://mygheurl.com/OWNER/REPO_NAME/pull/3