advanced-security · GeekMasher · Jun 6, 2024 · Jun 6, 2024 · Jun 6, 2024 · Jun 6, 2024
@@ -23,10 +23,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set Node.js 16.x
+      - name: Set Node.js latest
         uses: actions/setup-node@v4.0.2
         with:
-          node-version: 16.x
+          node-version: latest
 
       - name: Install dependencies
         run: npm ci

@@ -1,20 +1,33 @@
 name: "Test"
+
 on:
   pull_request:
   workflow_dispatch:
   push:
     branches:
       - main
       - 'releases/*'
-  workflow_dispatch:
 
 permissions: 
   id-token: write
   contents: write
 
 jobs:
+  test-npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set Node.js latest
+        uses: actions/setup-node@v4.0.2
+        with:
+          node-version: latest
+
+      - run: |
+          npm ci
+          # npm run test
+
   # test action works running from the graph
-  test:
+  test-action:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

@@ -0,0 +1,9 @@
+name: "spdx-dependency-submission-action"
+version: 0.1.0
+
+locations:
+  - name: "Docs"
+    paths:
+      - "README.md"
+    patterns:
+      - 'advanced-security/spdx-dependency-submission-action@v([0-9]\.[0-9]\.[0-9])'
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at opensource@github.com. All
+reported by contacting the project team at <opensource@github.com>. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -71,4 +71,4 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/
@@ -1,4 +1,4 @@
-## Contributing
+# Contributing
 
 [fork]: https://github.com/advanced-security/spdx-to-dependency-graph-action/fork
 [pr]: https://github.com/github/spdx-to-dependency-graph-action/compare
@@ -29,4 +29,4 @@ Here are a few things you can do that will increase the likelihood of your pull
 
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
 - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
-- [GitHub Help](https://help.github.com)
+- [GitHub Help](https://help.github.com)
@@ -1,11 +1,13 @@
 # SPDX to Dependency Graph Action
 
-This repository makes it easy to upload an SPDX 2.2 formatted SBOM to GitHub's dependency submission API. This lets you quickly receive Dependabot alerts for package manifests which GitHub doesn't directly support like pnpm or Paket by using existing off-the-shelf SBOM generators. 
+This repository makes it easy to upload an SPDX 2.2 formatted SBOM to GitHub's dependency submission API.
+This lets you quickly receive Dependabot alerts for package manifests which GitHub doesn't directly support like pnpm or Paket by using existing off-the-shelf SBOM generators.
 
-### Example workflow
-This workflow uses the [Microsoft sbom-tool](https://github.com/microsoft/sbom-tool). 
-```yaml
+## Example workflow
+
+This workflow uses the [Microsoft sbom-tool](https://github.com/microsoft/sbom-tool).
 
+```yaml
 name: SBOM upload
 
 on: 
@@ -33,10 +35,23 @@ jobs:
         name: sbom
         path: _manifest/spdx_2.2
     - name: SBOM upload 
-      uses: advanced-security/spdx-dependency-submission-action@v0.0.1
+      uses: advanced-security/spdx-dependency-submission-action@v0.1.0
       with:
         filePath: "_manifest/spdx_2.2/"
-```        
+```
+
+## Support
+
+Please create [GitHub Issues][github-issues] if there are bugs or feature requests.
+
+This project uses [Sematic Versioning (v2)](https://semver.org/) and with major releases, breaking changes will occur.
+
+## License
+
+This project is licensed under the terms of the MIT open source license.
+Please refer to [MIT][license] for the full terms.
+
+<!-- Resources -->
 
-# License
-This project is licensed under the terms of the MIT open source license. Please refere to MIT for the full terms. 
+[license]: ./LICENSE
+[github-issues]: https://github.com/advanced-security/spdx-dependency-submission-action/issues
@@ -1,10 +1,10 @@
-Thanks for helping make GitHub safe for everyone.
-
 # Security
 
+Thanks for helping make GitHub safe for everyone.
+
 GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
 
-Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 
+Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.
 
 ## Reporting Security Issues
 
@@ -16,16 +16,16 @@ Instead, please send an email to opensource-security[@]github.com.
 
 Please include as much of the information listed below as you can to help us better understand and resolve the issue:
 
-  * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
+* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+* Full paths of source file(s) related to the manifestation of the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Any special configuration required to reproduce the issue
+* Step-by-step instructions to reproduce the issue
+* Proof-of-concept or exploit code (if possible)
+* Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly.
 
 ## Policy
 
-See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms)
+See [GitHub's Safe Harbor Policy](https://docs.github.com/en/github/site-policy/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms)
@@ -1,14 +1,14 @@
 
-# Support 
+# Support
 
 ## How to file issues and get help
 
 This project uses GitHub issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new issue.
 
-For help or questions about using this project, please use GitHub discussions. 
+For help or questions about using this project, please use GitHub discussions.
 
-- `SPDX to dependency graph action` is not actively developed but is maintained by GitHub staff. We will do our best to respond to support and community questions in a timely manner. 
+- `SPDX to dependency graph action` is not actively developed but is maintained by GitHub staff. We will do our best to respond to support and community questions in a timely manner.
 
 ## GitHub Support Policy
 
-Support for this project is limited to the resources listed above.
+Support for this project is limited to the resources listed above.
@@ -14,7 +14,7 @@ inputs:
     required: false
     default: '*.spdx.json'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'
 branding:
   icon: 'upload-cloud'