Document how to properly use base-ref

[nedbat]

I wanted to run this action on pushes, so I needed to specify base-ref and head-ref. I wasn't sure how to do it, so I searched GitHub for uses. A few things there seemed not right, because they set the two refs to be the same, but they are a comparison, so don't they have to be different?

https://github.com/fixator10/Fixator10-Cogs/blob/b6fd04ab5490862be71f3e31a7c1aa70282eead2/.github/workflows/dependency-review.yml#LL21-L22C76

          base-ref: ${{ github.event.pull_request.base.ref || github.ref }}
          head-ref: ${{ github.event.pull_request.head.ref || github.ref }}

https://github.com/marinchuck/test3/blob/6c0eaa622f8e2236a5f4bec5c16d822457225017/.github/workflows/ci-pipeline.yml#L79-L80

                    base-ref: main
                    head-ref: main

Others had more elaborate settings, but often hard-coded the base ref:
https://github.com/Infineon/ek-based-onboarding-optiga-tpm/blob/b00aefa07591394210d39fe306d704b52a23c270/.github/workflows/main.yml#L24-L25

          head-ref: ${{ github.ref }}
          base-ref: ec53ee4956ff702efdf1f7a06c87fdfe821dff0f

I used this:

          base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
          head-ref: ${{ github.event.pull_request.head.ref || github.ref }}

What is the right way to do this? An example in the README would help people a lot I think.

[febuiles]

@nedbat Hi, and thanks for the feedback. This feature was added so people could perform static runs with hardcoded values, so I have not seen it being used as part of pulls alone. What happens if you use the before and after values provided by the pull event?

[nedbat]

Sorry, to be clear, the two lines I put in seem to work well. It compares master to the tip of the push, so it's checking what will happen when the branch is merged, unless I've misunderstood.

I guess I could also use ${{ github.event.base_ref }} and ${{ github.event.before }} to check what the push is actually changing.

In either case, a bit of doc in the readme about how to use the setting would remove some uncertainty.

[febuiles]

@nedbat thanks, and apologies for the misunderstanding, I'm glad it was working! A rewrite of the README is in the works (it's too long atm), if you want to help out feel free to open a PR with an example for these options.

[nedbat]

@febuiles Hi, I don't think I've got my settings right yet. On a pull request across forks, I got this result:

Run actions/dependency-review-action@v3
  with:
    base-ref: master
    head-ref: xml_duplicate_fix
    repo-token: ***
    fail-on-severity: low
    fail-on-scopes: runtime
Error: Bad Request

As above, I am using:

          base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
          head-ref: ${{ github.event.pull_request.head.ref || github.ref }}

I guess I need something to properly deal with forks?

[nedbat]

This seems to have worked:

          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

[febuiles]

@nedbat that's very interesting! The API for Dependency Review only supports changes against the default branch (usually master or main), which is why base has to be part of that branch.