Comment Summary in PR happens when option not specified

[jeff-tyl]

Recently (beginning 2/19/2024?) our PRs started getting comments added with the results of the Dependency Review even without specifying the comment-summary-in-pr option. It behaves as if the default for this setting is always instead of the documented never.

Our workflow job is defined as:

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          fail-on-scopes: runtime, development
          retry-on-snapshot-warnings: true

And the output from the job is:

Run actions/dependency-review-action@v4
  with:
    fail-on-severity: high
    fail-on-scopes: runtime, development
    retry-on-snapshot-warnings: true
    repo-token: ***
    retry-on-snapshot-warnings-timeout: 120
    warn-only: false

[febuiles]

@jeff-tyl Thanks for the report. I think I've fixed it in this branch. Can you try using this configuration instead and confirm if fixes the problem?

      - name: Dependency Review
        uses: actions/dependency-review-action@bug-with-comments

(please note re-running the action will pick the v4 version, so you'll need to create a new PR)

[jeff-tyl]

Perhaps I did something wrong, but I still get the comment added to the PR.

Setup job output:

Getting action download info
Download action repository 'actions/checkout@v4' (SHA:b4ffde65f46336ab88eb53be808477a3936bae11)
Download action repository 'actions/dependency-review-action@bug-with-comments' (SHA:11de043a62382a7dbc91695326b27102aae00962)
Complete job name: Dependency Review

Dependency Review job output:

Run actions/dependency-review-action@bug-with-comments
  with:
    fail-on-severity: high
    fail-on-scopes: runtime, development
    retry-on-snapshot-warnings: true
    repo-token: ***
    retry-on-snapshot-warnings-timeout: 120
    warn-only: false

[febuiles]

@jeff-tyl I have pushed new changes to the branch, would you mind testing again? I was able to reproduce locally and I think it's fixed now. Would appreciate a second set of eyes though.

[febuiles]

@jsoref I had to revert how the output gets generated in 9129d7d, right now you'll need to enable comments to get the output object. The original PR had the conditional with && instead of ||, but changing this was still yielding comments. I decided to put the brakes on the new feature while we get this sorted out. Let me know if you want to take a stab at it, if not I'll create a new issue to track this change.

[jeff-tyl]

Confirmed - no comment was added to the PR this time. Thanks