actions
diff --git a/‎__tests__/fixtures/config-allow-sample.yml‎
Lines changed: 2 additions & 2 deletions b/‎__tests__/fixtures/config-allow-sample.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎__tests__/fixtures/inline-license-config-sample.yml‎
Lines changed: 1 addition & 1 deletion b/‎__tests__/fixtures/inline-license-config-sample.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎__tests__/summary.test.ts‎
Lines changed: 75 additions & 1 deletion b/‎__tests__/summary.test.ts‎
Lines changed: 75 additions & 1 deletion
diff --git a/‎dist/index.js‎
Lines changed: 38 additions & 15 deletions b/‎dist/index.js‎
Lines changed: 38 additions & 15 deletions
diff --git a/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/comment-pr.ts‎
Lines changed: 3 additions & 5 deletions b/‎src/comment-pr.ts‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎src/main.ts‎
Lines changed: 17 additions & 3 deletions b/‎src/main.ts‎
Lines changed: 17 additions & 3 deletions
@@ -1,4 +1,4 @@
 fail_on_severity: critical
 allow_licenses:
-  - "BSD"
-  - "GPL 2"
+  - 'BSD'
+  - 'GPL 2'
@@ -1 +1 @@
-allow-licenses: "MIT, GPL-2.0-only"
+allow-licenses: 'MIT, GPL-2.0-only'
@@ -1,5 +1,5 @@
 import {expect, jest, test} from '@jest/globals'
-import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
+import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
 import * as summary from '../src/summary'
 import * as core from '@actions/core'
 import {createTestChange} from './fixtures/create-test-change'
@@ -109,6 +109,80 @@ test('prints headline as h1', () => {
   expect(text).toContain('<h1>Dependency Review</h1>')
 })
 
+test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
+  let changes: Changes = [
+    createTestChange({name: 'lodash', version: '1.2.3'}),
+    createTestChange({name: 'colors', version: '2.3.4'}),
+    createTestChange({name: '@foo/bar', version: '*'})
+  ]
+
+  let minSummary: string = summary.addSummaryToSummary(
+    changes,
+    emptyInvalidLicenseChanges,
+    emptyChanges,
+    scorecard,
+    defaultConfig
+  )
+
+  // side effect DR report into core.summary as happens in main.ts
+  summary.addScannedDependencies(changes)
+  const text = core.summary.stringify()
+
+  expect(text).toContain('<h1>Dependency Review</h1>')
+  expect(minSummary).toContain('# Dependency Review')
+
+  expect(text).toContain('❌ 3 vulnerable package(s)')
+  expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
+  expect(text).toContain('lodash')
+  expect(text).toContain('colors')
+  expect(text).toContain('@foo/bar')
+
+  expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
+  expect(minSummary).not.toContain('lodash')
+  expect(minSummary).not.toContain('colors')
+  expect(minSummary).not.toContain('@foo/bar')
+
+  expect(text.length).toBeGreaterThan(minSummary.length)
+})
+
+test('returns minimal summary formatted for posting as a PR comment', () => {
+  const OLD_ENV = process.env
+
+  let changes: Changes = [
+    createTestChange({name: 'lodash', version: '1.2.3'}),
+    createTestChange({name: 'colors', version: '2.3.4'}),
+    createTestChange({name: '@foo/bar', version: '*'})
+  ]
+
+  process.env.GITHUB_SERVER_URL = 'https://github.com'
+  process.env.GITHUB_REPOSITORY = 'owner/repo'
+  process.env.GITHUB_RUN_ID = 'abc-123-xyz'
+
+  let minSummary: string = summary.addSummaryToSummary(
+    changes,
+    emptyInvalidLicenseChanges,
+    emptyChanges,
+    scorecard,
+    defaultConfig
+  )
+
+  process.env = OLD_ENV
+
+  // note: no Actions context values in unit test env
+  const expected = `
+# Dependency Review
+The following issues were found:
+* ❌ 3 vulnerable package(s)
+* ✅ 0 package(s) with incompatible licenses
+* ✅ 0 package(s) with invalid SPDX license definitions
+* ✅ 0 package(s) with unknown licenses.
+
+[View full job summary](https://github.com/owner/repo/actions/runs/abc-123-xyz)
+  `.trim()
+
+  expect(minSummary).toEqual(expected)
+})
+
 test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
   summary.addSummaryToSummary(
     emptyChanges,
 
@@ -5,6 +5,8 @@ import * as retry from '@octokit/plugin-retry'
 import {RequestError} from '@octokit/request-error'
 import {ConfigurationOptions} from './schemas'
 
+export const MAX_COMMENT_LENGTH = 65536
+
 const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
 const octo = new retryingOctokit(
   githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
@@ -14,13 +16,9 @@ const octo = new retryingOctokit(
 const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
 
 export async function commentPr(
-  summary: typeof core.summary,
+  commentContent: string,
   config: ConfigurationOptions
 ): Promise<void> {
-  const commentContent = summary.stringify()
-
-  core.setOutput('comment-content', commentContent)
-
   if (
     !(
       config.comment_summary_in_pr === 'always' ||
 
@@ -22,7 +22,7 @@ import * as summary from './summary'
 import {getRefs} from './git-refs'
 
 import {groupDependenciesByManifest} from './utils'
-import {commentPr} from './comment-pr'
+import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
 import {getDeniedChanges} from './deny'
 
 async function delay(ms: number): Promise<void> {
@@ -127,7 +127,7 @@ async function run(): Promise<void> {
 
     const scorecard = await getScorecardLevels(filteredChanges)
 
-    summary.addSummaryToSummary(
+    const minSummary = summary.addSummaryToSummary(
       vulnerableChanges,
       invalidLicenseChanges,
       deniedChanges,
@@ -166,7 +166,21 @@ async function run(): Promise<void> {
     core.setOutput('dependency-changes', JSON.stringify(changes))
     summary.addScannedDependencies(changes)
     printScannedDependencies(changes)
-    await commentPr(core.summary, config)
+
+    // include full summary in output; Actions will truncate if oversized
+    let rendered = core.summary.stringify()
+    core.setOutput('comment-content', rendered)
+
+    // if the summary is oversized, replace with minimal version
+    if (rendered.length >= MAX_COMMENT_LENGTH) {
+      core.debug(
+        'The comment was too big for the GitHub API. Falling back on a minimum comment'
+      )
+      rendered = minSummary
+    }
+
+    // update the PR comment if needed with the right-sized summary
+    await commentPr(rendered, config)
   } catch (error) {
     if (error instanceof RequestError && error.status === 404) {
       core.setFailed(
-Original file line number
+Diff line change
@@ @@ -1,4 +1,4 @@ @@
 fail_on_severity: critical
 allow_licenses:
 -  - "BSD"
 -  - "GPL 2"
 +  - 'BSD'
 +  - 'GPL 2'
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow-licenses: "MIT, GPL-2.0-only"`
	`1`	`+allow-licenses: 'MIT, GPL-2.0-only'`