[!INFO] This repo is a scuffed Gitea port of the
[original](https://github.com/oke-py/npm-audit-action) project

# npm audit action

[![Coverage Status](https://coveralls.io/repos/github/oke-py/npm-audit-action/badge.svg?branch=main)](https://coveralls.io/github/oke-py/npm-audit-action?branch=main)

GitHub Action to run `npm audit`

## Feature

### Create a Pull Request comment

If vulnerabilities are found by `npm audit`, Action triggered by PR creates a
comment.

### Create an Issue

If vulnerabilities are found by `npm audit`, Action triggered by push, schedule
creates the following GitHub Issue.

![image](https://github.com/oke-py/npm-audit-action/blob/main/issue.png)

## Usage

### Inputs

|     Parameter      | Required |          Default Value          | Description                                                         |
| :----------------: | :------: | :-----------------------------: | :------------------------------------------------------------------ |
|    audit_level     |  false   |               low               | The value of `--audit-level` flag                                   |
|   create_issues    |  false   |              true               | Flag to create issues when vulnerabilities are found                |
| create_pr_comments |  false   |              true               | Flag to create pr comments when vulnerabilities are found           |
|   dedupe_issues    |  false   |              false              | Flag to de-dupe against open issues                                 |
|   github_context   |  false   |     `${{ toJson(github) }}`     | The `github` context                                                |
|    github_token    |   true   |               N/A               | GitHub Access Token.<br>${{ secrets.GITHUB_TOKEN }} is recommended. |
|  issue_assignees   |  false   |               N/A               | Issue assignees (separated by commma)                               |
|    issue_labels    |  false   |               N/A               | Issue labels (separated by commma)                                  |
|    issue_title     |  false   | npm audit found vulnerabilities | Issue title                                                         |
|     json_flag      |  false   |              false              | Run `npm audit` with `--json`                                       |
|  production_flag   |  false   |              false              | Run `npm audit` with `--omit=dev`                                   |
| working_directory  |  false   |               N/A               | The directory which contains package.json                           |

### Outputs

| Parameter name | Description                                         |
| :------------: | :-------------------------------------------------- |
|   npm_audit    | The output of the npm audit report in a text format |

## Example Workflow

```yaml
name: npm audit

on:
  pull_request:
  push:
    branches:
      - main
      - 'releases/*'
# on:
#   schedule:
#     - cron: '0 10 * * *'

jobs:
  scan:
    name: npm audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: install dependencies
        run: npm ci
      - uses: oke-py/npm-audit-action@v3
        with:
          audit_level: moderate
          github_token: ${{ secrets.GITHUB_TOKEN }}
          issue_assignees: oke-py
          issue_labels: vulnerability,test
          dedupe_issues: true
```

## Development

### Running Tests

This project uses [Vitest](https://vitest.dev/) for testing. To run the tests,
use the following command:

```bash
npm run test
```

Vitest will execute all test files and provide a detailed report of the results.
For coverage reports, you can use:

```bash
npm run test:coverage
```

Ensure all dependencies are installed before running the tests:

```bash
npm ci
```

---

This action is inspired by
[homoluctus/gitrivy](https://github.com/homoluctus/gitrivy).