Check projects in CI
dfetch check exits non-zero when any project is out-of-date or has local
changes, making it a natural pipeline gate. Each supported CI system has its
own report format so findings surface natively inside the platform’s UI.
Running dfetch check in CI — run dfetch check as a pipeline step
Jenkins (warnings-ng) — surface results in the Jenkins warnings-ng plugin
GitHub Actions (SARIF) — upload SARIF results to GitHub code scanning
GitLab CI (Code Climate) — publish code-quality reports in GitLab merge requests

Running dfetch check in CI
Report issues found during check.
DFetch can report the results of Check in a format usable by several other tools. See the respective sections for details about using and configuring those reporters.
All reports can contain the following results:
unfetched-project: Project was never fetched. Fetch it using dfetch update.
up-to-date-project: Project is up-to-date.
unavailable-project-version: Requested project version is unavailable at the remote.
pinned-but-out-of-date-project: Project is pinned, but out-of-date. Either ignore this message, or update the version in the manifest.
out-of-date-project: Project is out-of-date. Update the project using dfetch update.
local-changes-in-project: Project was locally changed. Create a patch file using dfetch diff and add it to your manifest using the patch attribute.
Note: When dfetch check is run on a different platform than the original
dfetch update, the differing line endings might result in a false positive of local-changes-in-project.
Without extra flags the results are printed to stdout and the build fails if any issue is found:
$ dfetch check
Pass a report flag (--jenkins-json, --sarif or --code-climate) to write a
machine-readable report and continue collecting results before deciding the
build outcome (each section below shows the exact flag).
Jenkins (warnings-ng)
Dfetch writes a report in the warnings-ng native JSON format that the warnings-ng plugin can ingest directly.
Severity mapping
| Dfetch result | Severity | Meaning |
|---|---|---|
| unfetched | high | Project was never fetched |
| out-of-date | normal | A newer version is available |
| pinned-out-of-date | low | Pinned to a specific version; newer version exists |
Jenkins will show an overview of all issues:
Clicking an issue navigates to the exact line in the manifest:
Pipeline snippet
/* Linux agent */
sh 'dfetch check --jenkins-json jenkins.json'
/* Windows agent */
bat 'dfetch check --jenkins-json jenkins.json'
recordIssues tool: issues(pattern: 'jenkins.json', name: 'DFetch')
Use quality gate configuration in the warnings-ng plugin to control when the build fails — for example, allow pinned-out-of-date without failing.
Example: A newer tag is available than in manifest
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  remotes:
    - name: github-com-dfetch-org
      url-base: https://github.com/dfetch-org/test-repo

  projects:
    - name: ext/test-repo-tag-v1
      tag: v1
      dst: ext/test-repo-tag-v1
"""
When I run "dfetch check --jenkins-json jenkins.json"
Then the 'jenkins.json' file contains
"""
{
"_class": "io.jenkins.plugins.analysis.core.restapi.ReportApi",
"issues": [
{
"fileName": "dfetch.yaml",
"severity": "High",
"message": "ext/test-repo-tag-v1 : ext/test-repo-tag-v1 was never fetched!",
"description": "The manifest requires version 'v1' of ext/test-repo-tag-v1. it was never fetched, fetch it with 'dfetch update ext/test-repo-tag-v1'. The latest version available is 'v2.0'",
"lineStart": 9,
"lineEnd": 9,
"columnStart": 13,
"columnEnd": 32
}
]
}
"""
Example: Check is done after an update
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  remotes:
    - name: github-com-dfetch-org
      url-base: https://github.com/dfetch-org/test-repo

  projects:
    - name: ext/test-repo-rev-only
      revision: e1fda19a57b873eb8e6ae37780594cbb77b70f1a
      dst: ext/test-repo-rev-only

    - name: ext/test-rev-and-branch
      revision: 8df389d0524863b85f484f15a91c5f2c40aefda1
      branch: main
      dst: ext/test-rev-and-branch
"""
And all projects are updated
When I run "dfetch check --jenkins-json jenkins.json"
Then the 'jenkins.json' file contains
"""
{
"_class": "io.jenkins.plugins.analysis.core.restapi.ReportApi",
"issues": [
{
"fileName": "dfetch.yaml",
"severity": "Low",
"message": "ext/test-rev-and-branch : ext/test-rev-and-branch wanted & current version is 'main - 8df389d0524863b85f484f15a91c5f2c40aefda1', but 'main - e1fda19a57b873eb8e6ae37780594cbb77b70f1a' is available.",
"description": "The manifest requires version 'main - 8df389d0524863b85f484f15a91c5f2c40aefda1' of ext/test-rev-and-branch. This is also the current version. There is a newer version available 'main - e1fda19a57b873eb8e6ae37780594cbb77b70f1a' You can update the version in the manifest and run 'dfetch update ext/test-rev-and-branch'",
"lineStart": 13,
"lineEnd": 13,
"columnStart": 13,
"columnEnd": 35
}
]
}
"""
Example: Tag is updated in manifest
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  projects:
    - name: ext/test-repo-tag
      url: https://github.com/dfetch-org/test-repo
      tag: v1
"""
And all projects are updated
When the manifest 'dfetch.yaml' is changed to
"""
manifest:
  version: '0.0'

  projects:
    - name: ext/test-repo-tag
      url: https://github.com/dfetch-org/test-repo
      tag: v2.0
"""
And I run "dfetch check --jenkins-json jenkins.json"
Then the 'jenkins.json' file contains
"""
{
"_class": "io.jenkins.plugins.analysis.core.restapi.ReportApi",
"issues": [
{
"fileName": "dfetch.yaml",
"severity": "Normal",
"message": "ext/test-repo-tag : ext/test-repo-tag current version is 'v1', the wanted version is 'v2.0', but 'v2.0' is available.",
"description": "The manifest requires version 'v2.0' of ext/test-repo-tag. Currently version 'v1' is present. There is a newer version available 'v2.0'. Please update using 'dfetch update ext/test-repo-tag.",
"lineStart": 5,
"lineEnd": 5,
"columnStart": 13,
"columnEnd": 29
}
]
}
"""
Example: A local change is reported
Given a git repository "SomeProject.git"
And a fetched and committed MyProject with the manifest
"""
manifest:
    version: 0.0
    projects:
      - name: SomeProject
        url: some-remote-server/SomeProject.git
"""
And "SomeProject/README.md" in MyProject is changed and committed with
"""
An important sentence for the README!
"""
When I run "dfetch check --jenkins-json jenkins.json SomeProject" in MyProject
Then the 'MyProject/jenkins.json' file contains
"""
{
"_class": "io.jenkins.plugins.analysis.core.restapi.ReportApi",
"issues": [
{
"fileName": "dfetch.yaml",
"severity": "Normal",
"message": "SomeProject : SomeProject has local changes, please create a patch file or upstream the changes.",
"description": "SomeProject has local changes, please create a patch file using 'dfetch diff SomeProject. This patch file can either be used to directly from the manifest using the patch attribute, or upstreamed.",
"lineStart": 4,
"lineEnd": 4,
"columnStart": 15,
"columnEnd": 25
}
]
}
"""
Example: Non-existent revision is reported
Given a git repository "SomeProject.git"
And the manifest 'dfetch.yaml'
"""
manifest:
    version: 0.0
    projects:
      - name: SomeProject
        url: some-remote-server/SomeProject.git
        revision: '0123112321234123512361236123712381239123'
"""
When I run "dfetch check --jenkins-json jenkins.json SomeProject"
Then the 'jenkins.json' file contains
"""
{
"_class": "io.jenkins.plugins.analysis.core.restapi.ReportApi",
"issues": [
{
"fileName": "dfetch.yaml",
"severity": "Low",
"message": "SomeProject : SomeProject wanted version is '0123112321234123512361236123712381239123', but '0123112321234123512361236123712381239123' is unavailable.",
"description": "The manifest requires version '0123112321234123512361236123712381239123' of SomeProject. However the version is unavailable ",
"lineStart": 4,
"lineEnd": 4,
"columnStart": 15,
"columnEnd": 25
}
]
}
"""
GitHub Actions (SARIF)
Dfetch can upload results to GitHub code scanning as a SARIF report, so findings appear inline in pull requests.
Severity mapping
| Dfetch result | Severity | Meaning |
|---|---|---|
| unfetched | Error | Project was never fetched |
| out-of-date | Warning | A newer version is available |
| pinned-out-of-date | Note | Pinned; newer version exists |
Results appear on the Actions summary:
A locally changed project surfaces like this:
Clicking details brings you to the manifest entry:
GitHub Actions workflow
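The easiest integration is the official action, which runs dfetch check
and uploads the SARIF report in one step. The snippet follows the action's
main branch; pin uses: to a fixed ref such as a full commit SHA if the action
code must not change between pipeline runs: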
name: DFetch

on: push

permissions:
  contents: read

jobs:
  dfetch:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Dfetch SARIF Check
        uses: dfetch-org/dfetch@main
        with:
          working-directory: '.'
To run Dfetch yourself and control the output path:
- run: dfetch check --sarif dfetch.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: dfetch.sarif
For more information see the GitHub SARIF documentation.
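One way to decide the build outcome from a written report, as an added example that is not DFetch's own code: it reads the SARIF shape shown on this page and, going one step further, the Code Climate shape as well, and applies a policy by rule id. The policy (pinned-but-out-of-date is advisory, everything else blocks) and the names `ADVISORY_RULES`, `load_findings`, `gate`, `exit_code` and `sample_result` are assumptions of this example; the sample reports are constructed.

```python
"""Gate a build on a DFetch SARIF or Code Climate report (added example)."""
import json
import sys

# Assumed policy: these rule ids (from this page) are reported but never fail
# the build. Every other rule id, including ones unknown here, blocks.
ADVISORY_RULES = {"up-to-date-project", "pinned-but-out-of-date-project"}


def load_findings(text):
    """Return [(rule_id, path, line, message)] from report JSON text."""
    doc = json.loads(text)  # invalid JSON raises ValueError
    found = []
    if isinstance(doc, dict) and isinstance(doc.get("runs"), list):  # SARIF
        for run in doc["runs"]:
            for res in run.get("results", []):
                loc = res["locations"][0]["physicalLocation"]
                found.append((res["ruleId"], loc["artifactLocation"]["uri"],
                              loc["region"]["startLine"], res["message"]["text"]))
    elif isinstance(doc, list):  # Code Climate
        for issue in doc:
            loc = issue["location"]
            found.append((issue["check_name"], loc["path"],
                          loc["positions"]["begin"]["line"], issue["description"]))
    else:
        raise ValueError("not a SARIF or Code Climate report")
    return found


def gate(findings):
    """Split findings into (blocking, advisory) under the assumed policy."""
    blocking = [f for f in findings if f[0] not in ADVISORY_RULES]
    advisory = [f for f in findings if f[0] in ADVISORY_RULES]
    return blocking, advisory


def exit_code(text):
    """0 = pass, 1 = blocking finding, 2 = report unreadable (fail closed)."""
    try:
        blocking, advisory = gate(load_findings(text))
    except (ValueError, KeyError, IndexError, TypeError) as err:
        print(f"dfetch gate: unreadable report: {err!r}", file=sys.stderr)
        return 2
    for tag, items in (("advisory", advisory), ("BLOCKING", blocking)):
        for rule, path, line, message in items:
            print(f"{tag} {path}:{line} [{rule}] {message}")
    return 1 if blocking else 0


def sample_result(rule, line, text):
    """Build one constructed SARIF result in the shape shown on this page."""
    return {"ruleId": rule, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"index": 0, "uri": "dfetch.yaml"},
                "region": {"startLine": line, "startColumn": 13}}}]}


# Constructed sample reports (not real DFetch output), trimmed to the fields used.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    sample_result("pinned-but-out-of-date-project", 13, "newer version available"),
    sample_result("local-changes-in-project", 4, "SomeProject has local changes"),
]}]})
SAMPLE_CODE_CLIMATE = json.dumps([{
    "check_name": "pinned-but-out-of-date-project", "severity": "info",
    "description": "newer version available",
    "location": {"path": "dfetch.yaml",
                 "positions": {"begin": {"line": 13, "column": 13}}},
}])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the file written by `dfetch check --sarif`
        with open(sys.argv[1], encoding="utf-8") as handle:
            sys.exit(exit_code(handle.read()))
    sys.exit(exit_code(SAMPLE_SARIF))
```

An empty or truncated report file yields exit code 2 rather than a pass, so a failed report step cannot silently open the gate.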
Example: A newer tag is available than in manifest
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  remotes:
    - name: github-com-dfetch-org
      url-base: https://github.com/dfetch-org/test-repo

  projects:
    - name: ext/test-repo-tag-v1
      tag: v1
      dst: ext/test-repo-tag-v1
"""
When I run "dfetch check --sarif sarif.json"
Then the 'sarif.json' file contains
"""
{
"runs": [
{
"tool": {
"driver": {
"name": "DFetch",
"informationUri": "https://dfetch.rtfd.io",
"rules": [
{
"id": "unfetched-project",
"help": {
"text": "The project mentioned in the manifest was never fetched, fetch it with 'dfetch update <project>'. After fetching, commit the updated project to your repository."
},
"shortDescription": {
"text": "Project was never fetched"
}
},
{
"id": "up-to-date-project",
"help": {
"text": "The project mentioned in the manifest is up-to-date, everything is ok, nothing to do."
},
"shortDescription": {
"text": "Project is up-to-date"
}
},
{
"id": "unavailable-project-version",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. However the specific version is not available at the upstream of the project. Check if the remote has the given version. "
},
"shortDescription": {
"text": "Requested project version is unavailable at the remote"
}
},
{
"id": "pinned-but-out-of-date-project",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. This is currently the state of the project. However a newer version is available at the upstream of the project. Either ignore this warning or update the version to the latest and update using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is pinned, but out-of-date"
}
},
{
"id": "out-of-date-project",
"help": {
"text": "The project is configured to always follow the latest version, There is a newer version available at the upstream of the project. Please update the project using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is out-of-date"
}
},
{
"id": "local-changes-in-project",
"help": {
"text": "The files of this project are different then when they were added, Please create a patch using 'dfetch diff <project>' and add it to the manifest using the 'patch:' attribute. Or better yet, upstream the changes and update your project. When running 'dfetch check' on a platform with different line endings, then this warning is likely a false positive."
},
"shortDescription": {
"text": "Project was locally changed"
}
}
]
}
},
"artifacts": [
{
"location": {
"uri": "dfetch.yaml"
},
"sourceLanguage": "yaml"
}
],
"results": [
{
"message": {
"text": "ext/test-repo-tag-v1 : ext/test-repo-tag-v1 was never fetched!"
},
"level": "error",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"index": 0,
"uri": "dfetch.yaml"
},
"region": {
"endColumn": 33,
"endLine": 9,
"startColumn": 13,
"startLine": 9
}
}
}
],
"ruleId": "unfetched-project"
}
]
}
],
"version": "2.1.0"
}
"""
Example: Check is done after an update
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  remotes:
    - name: github-com-dfetch-org
      url-base: https://github.com/dfetch-org/test-repo

  projects:
    - name: ext/test-repo-rev-only
      revision: e1fda19a57b873eb8e6ae37780594cbb77b70f1a
      dst: ext/test-repo-rev-only

    - name: ext/test-rev-and-branch
      revision: 8df389d0524863b85f484f15a91c5f2c40aefda1
      branch: main
      dst: ext/test-rev-and-branch
"""
And all projects are updated
When I run "dfetch check --sarif sarif.json"
Then the 'sarif.json' file contains
"""
{
"runs": [
{
"tool": {
"driver": {
"name": "DFetch",
"informationUri": "https://dfetch.rtfd.io",
"rules": [
{
"id": "unfetched-project",
"help": {
"text": "The project mentioned in the manifest was never fetched, fetch it with 'dfetch update <project>'. After fetching, commit the updated project to your repository."
},
"shortDescription": {
"text": "Project was never fetched"
}
},
{
"id": "up-to-date-project",
"help": {
"text": "The project mentioned in the manifest is up-to-date, everything is ok, nothing to do."
},
"shortDescription": {
"text": "Project is up-to-date"
}
},
{
"id": "unavailable-project-version",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. However the specific version is not available at the upstream of the project. Check if the remote has the given version. "
},
"shortDescription": {
"text": "Requested project version is unavailable at the remote"
}
},
{
"id": "pinned-but-out-of-date-project",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. This is currently the state of the project. However a newer version is available at the upstream of the project. Either ignore this warning or update the version to the latest and update using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is pinned, but out-of-date"
}
},
{
"id": "out-of-date-project",
"help": {
"text": "The project is configured to always follow the latest version, There is a newer version available at the upstream of the project. Please update the project using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is out-of-date"
}
},
{
"id": "local-changes-in-project",
"help": {
"text": "The files of this project are different then when they were added, Please create a patch using 'dfetch diff <project>' and add it to the manifest using the 'patch:' attribute. Or better yet, upstream the changes and update your project. When running 'dfetch check' on a platform with different line endings, then this warning is likely a false positive."
},
"shortDescription": {
"text": "Project was locally changed"
}
}
]
}
},
"artifacts": [
{
"location": {
"uri": "dfetch.yaml"
},
"sourceLanguage": "yaml"
}
],
"results": [
{
"message": {
"text": "ext/test-rev-and-branch : ext/test-rev-and-branch wanted & current version is 'main - 8df389d0524863b85f484f15a91c5f2c40aefda1', but 'main - e1fda19a57b873eb8e6ae37780594cbb77b70f1a' is available."
},
"level": "note",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"index": 0,
"uri": "dfetch.yaml"
},
"region": {
"endColumn": 36,
"endLine": 13,
"startColumn": 13,
"startLine": 13
}
}
}
],
"ruleId": "pinned-but-out-of-date-project"
}
]
}
],
"version": "2.1.0"
}
"""
Example: Tag is updated in manifest
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  projects:
    - name: ext/test-repo-tag
      url: https://github.com/dfetch-org/test-repo
      tag: v1
"""
And all projects are updated
When the manifest 'dfetch.yaml' is changed to
"""
manifest:
  version: '0.0'

  projects:
    - name: ext/test-repo-tag
      url: https://github.com/dfetch-org/test-repo
      tag: v2.0
"""
And I run "dfetch check --sarif sarif.json"
Then the 'sarif.json' file contains
"""
{
"runs": [
{
"tool": {
"driver": {
"name": "DFetch",
"informationUri": "https://dfetch.rtfd.io",
"rules": [
{
"id": "unfetched-project",
"help": {
"text": "The project mentioned in the manifest was never fetched, fetch it with 'dfetch update <project>'. After fetching, commit the updated project to your repository."
},
"shortDescription": {
"text": "Project was never fetched"
}
},
{
"id": "up-to-date-project",
"help": {
"text": "The project mentioned in the manifest is up-to-date, everything is ok, nothing to do."
},
"shortDescription": {
"text": "Project is up-to-date"
}
},
{
"id": "unavailable-project-version",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. However the specific version is not available at the upstream of the project. Check if the remote has the given version. "
},
"shortDescription": {
"text": "Requested project version is unavailable at the remote"
}
},
{
"id": "pinned-but-out-of-date-project",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. This is currently the state of the project. However a newer version is available at the upstream of the project. Either ignore this warning or update the version to the latest and update using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is pinned, but out-of-date"
}
},
{
"id": "out-of-date-project",
"help": {
"text": "The project is configured to always follow the latest version, There is a newer version available at the upstream of the project. Please update the project using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is out-of-date"
}
},
{
"id": "local-changes-in-project",
"help": {
"text": "The files of this project are different then when they were added, Please create a patch using 'dfetch diff <project>' and add it to the manifest using the 'patch:' attribute. Or better yet, upstream the changes and update your project. When running 'dfetch check' on a platform with different line endings, then this warning is likely a false positive."
},
"shortDescription": {
"text": "Project was locally changed"
}
}
]
}
},
"artifacts": [
{
"location": {
"uri": "dfetch.yaml"
},
"sourceLanguage": "yaml"
}
],
"results": [
{
"message": {
"text": "ext/test-repo-tag : ext/test-repo-tag current version is 'v1', the wanted version is 'v2.0', but 'v2.0' is available."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"index": 0,
"uri": "dfetch.yaml"
},
"region": {
"endColumn": 30,
"endLine": 5,
"startColumn": 13,
"startLine": 5
}
}
}
],
"ruleId": "out-of-date-project"
}
]
}
],
"version": "2.1.0"
}
"""
Example: A local change is reported
Given a git repository "SomeProject.git"
And a fetched and committed MyProject with the manifest
"""
manifest:
    version: 0.0
    projects:
      - name: SomeProject
        url: some-remote-server/SomeProject.git
"""
And "SomeProject/README.md" in MyProject is changed and committed with
"""
An important sentence for the README!
"""
When I run "dfetch check --sarif sarif.json SomeProject" in MyProject
Then the 'MyProject/sarif.json' file contains
"""
{
"runs": [
{
"tool": {
"driver": {
"name": "DFetch",
"informationUri": "https://dfetch.rtfd.io",
"rules": [
{
"id": "unfetched-project",
"help": {
"text": "The project mentioned in the manifest was never fetched, fetch it with 'dfetch update <project>'. After fetching, commit the updated project to your repository."
},
"shortDescription": {
"text": "Project was never fetched"
}
},
{
"id": "up-to-date-project",
"help": {
"text": "The project mentioned in the manifest is up-to-date, everything is ok, nothing to do."
},
"shortDescription": {
"text": "Project is up-to-date"
}
},
{
"id": "unavailable-project-version",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. However the specific version is not available at the upstream of the project. Check if the remote has the given version. "
},
"shortDescription": {
"text": "Requested project version is unavailable at the remote"
}
},
{
"id": "pinned-but-out-of-date-project",
"help": {
"text": "The project mentioned in the manifest is pinned to a specific version, For instance a branch, tag, or revision. This is currently the state of the project. However a newer version is available at the upstream of the project. Either ignore this warning or update the version to the latest and update using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is pinned, but out-of-date"
}
},
{
"id": "out-of-date-project",
"help": {
"text": "The project is configured to always follow the latest version, There is a newer version available at the upstream of the project. Please update the project using 'dfetch update <project>' and commit the result to your repository."
},
"shortDescription": {
"text": "Project is out-of-date"
}
},
{
"id": "local-changes-in-project",
"help": {
"text": "The files of this project are different then when they were added, Please create a patch using 'dfetch diff <project>' and add it to the manifest using the 'patch:' attribute. Or better yet, upstream the changes and update your project. When running 'dfetch check' on a platform with different line endings, then this warning is likely a false positive."
},
"shortDescription": {
"text": "Project was locally changed"
}
}
]
}
},
"artifacts": [
{
"location": {
"uri": "dfetch.yaml"
},
"sourceLanguage": "yaml"
}
],
"results": [
{
"message": {
"text": "SomeProject : SomeProject has local changes, please create a patch file or upstream the changes."
},
"level": "warning",
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"index": 0,
"uri": "dfetch.yaml"
},
"region": {
"endColumn": 26,
"endLine": 4,
"startColumn": 15,
"startLine": 4
}
}
}
],
"ruleId": "local-changes-in-project"
}
]
}
],
"version": "2.1.0"
}
"""
GitLab CI (Code Climate)
Dfetch writes a Code Climate JSON report that GitLab shows inline in merge requests, comparing issues between the feature branch and the base branch.
Severity mapping
| Dfetch result | Severity | Meaning |
|---|---|---|
| unfetched | major | Project was never fetched |
| out-of-date | minor | A newer version is available |
| pinned-out-of-date | info | Pinned; newer version exists |
GitLab shows the results on the pipeline page:
Clicking an issue navigates to the manifest:
.gitlab-ci.yml snippet
dfetch:
  image: "python:3.13"
  script:
    - pip install dfetch
    - dfetch check --code-climate dfetch.json
  artifacts:
    reports:
      codequality: dfetch.json
See GitLab code quality reports for more information.
Example: A newer tag is available than in manifest
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  remotes:
    - name: github-com-dfetch-org
      url-base: https://github.com/dfetch-org/test-repo

  projects:
    - name: ext/test-repo-tag-v1
      tag: v1
      dst: ext/test-repo-tag-v1
"""
When I run "dfetch check --code-climate code_climate.json"
Then the 'code_climate.json' file contains
"""
[
{
"description": "The manifest requires version 'v1' of ext/test-repo-tag-v1. it was never fetched, fetch it with 'dfetch update ext/test-repo-tag-v1'. The latest version available is 'v2.0'",
"check_name": "unfetched-project",
"categories": [
"Security",
"Bug risk"
],
"fingerprint": "2cc525a6d825f2dc541ade86dfdd351a1a7c47c2b41f3d31fa9b7b19f9400006",
"severity": "major",
"location": {
"path": "dfetch.yaml",
"positions": {
"begin": {
"line": 9,
"column": 13
},
"end": {
"line": 9,
"column": 32
}
}
}
}
]
"""
Example: Check is done after an update
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  remotes:
    - name: github-com-dfetch-org
      url-base: https://github.com/dfetch-org/test-repo

  projects:
    - name: ext/test-repo-rev-only
      revision: e1fda19a57b873eb8e6ae37780594cbb77b70f1a
      dst: ext/test-repo-rev-only

    - name: ext/test-rev-and-branch
      revision: 8df389d0524863b85f484f15a91c5f2c40aefda1
      branch: main
      dst: ext/test-rev-and-branch
"""
And all projects are updated
When I run "dfetch check --code-climate code_climate.json"
Then the 'code_climate.json' file contains
"""
[
{
"description": "The manifest requires version 'main - 8df389d0524863b85f484f15a91c5f2c40aefda1' of ext/test-rev-and-branch. This is also the current version. There is a newer version available 'main - e1fda19a57b873eb8e6ae37780594cbb77b70f1a' You can update the version in the manifest and run 'dfetch update ext/test-rev-and-branch'",
"check_name": "pinned-but-out-of-date-project",
"categories": [
"Security",
"Bug risk"
],
"fingerprint": "ea830628ce63a7d3331e72ce95fa7cd7b2017ed2f17c1e77445d7a3cde140af3",
"severity": "info",
"location": {
"path": "dfetch.yaml",
"positions": {
"begin": {
"line": 13,
"column": 13
},
"end": {
"line": 13,
"column": 35
}
}
}
}
]
"""
Example: Tag is updated in manifest
Given the manifest 'dfetch.yaml'
"""
manifest:
  version: '0.0'

  projects:
    - name: ext/test-repo-tag
      url: https://github.com/dfetch-org/test-repo
      tag: v1
"""
And all projects are updated
When the manifest 'dfetch.yaml' is changed to
"""
manifest:
  version: '0.0'

  projects:
    - name: ext/test-repo-tag
      url: https://github.com/dfetch-org/test-repo
      tag: v2.0
"""
And I run "dfetch check --code-climate code_climate.json"
Then the 'code_climate.json' file contains
"""
[
{
"description": "The manifest requires version 'v2.0' of ext/test-repo-tag. Currently version 'v1' is present. There is a newer version available 'v2.0'. Please update using 'dfetch update ext/test-repo-tag.",
"check_name": "out-of-date-project",
"categories": [
"Security",
"Bug risk"
],
"fingerprint": "14879c573e42bdc3ef8feb7ea73f23b0894839b859b713dabaf4efa1b4f2537a",
"severity": "minor",
"location": {
"path": "dfetch.yaml",
"positions": {
"begin": {
"line": 5,
"column": 13
},
"end": {
"line": 5,
"column": 29
}
}
}
}
]
"""
Example: A local change is reported
Given a git repository "SomeProject.git"
And a fetched and committed MyProject with the manifest
"""
manifest:
    version: 0.0
    projects:
      - name: SomeProject
        url: some-remote-server/SomeProject.git
"""
And "SomeProject/README.md" in MyProject is changed and committed with
"""
An important sentence for the README!
"""
When I run "dfetch check --code-climate code_climate.json SomeProject" in MyProject
Then the 'MyProject/code_climate.json' file contains
"""
[
{
"description": "SomeProject has local changes, please create a patch file using 'dfetch diff SomeProject. This patch file can either be used to directly from the manifest using the patch attribute, or upstreamed.",
"check_name": "local-changes-in-project",
"categories": [
"Security",
"Bug risk"
],
"fingerprint": "c9e65f37627d383daf06893c932080d554ef8b9578b81e6d2914f04f0a18c120",
"severity": "minor",
"location": {
"path": "dfetch.yaml",
"positions": {
"begin": {
"line": 4,
"column": 15
},
"end": {
"line": 4,
"column": 25
}
}
}
}
]
"""