This repository is archived.

danger-action is no longer actively maintained.

If your goal is to report lint results (ESLint, Android Lint, Checkstyle, RuboCop, etc.) on GitHub, please use the recommended replacement:

MeilCli/common-lint-reporter

It supports many lint formats, offers flexible reporting (check-run / PR comment / inline comments), and solves permission issues with workflow_run (especially useful for Dependabot or OSS contributions).

→ See usage example

Execute danger action for GitHub Actions.

This action must set-up Ruby and Bundler.

Recommendation: set up Ruby 2.6 or higher

name: CI

on:
  pull_request:
    branches:
      - master
      
jobs:
  danger:
    runs-on: ubuntu-latest
    if: github.event_name  == 'pull_request' # if only run pull request when multiple trigger workflow
    steps:
    - uses: actions/checkout@v4
    - uses: ruby/setup-ruby@v1
      with:
        ruby-version: '2.6'
    - uses: actions/cache@v4
      with:
        path: vendor/bundle
        key: ${{ runner.os }}-gems-${{ hashFiles('Gemfile') }} # change your gemfile path
        restore-keys: |
          ${{ runner.os }}-gems-
    - uses: MeilCli/danger-action@v6
      with:
        plugins_file: 'Gemfile'
        install_path: 'vendor/bundle'
        danger_file: 'Dangerfile'
        danger_id: 'danger-pr'
      env:
        DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

You can also pin to a specific release version in the format @v6.x.x

• danger_version
  • optional
  • version information with gem styled
  • default: >= 6.0.0
• danger_version_file
  • optional
  • danger version file
  • default: .tool-versions
• danger_version_file_format
  • optional
  • danger version file format. more detail
  • default: asdf
• plugins_file
  • optional
  • gemfile path for danger plugin. if set plugins_file, action do not exec gem install danger
• install_path
  • optional
  • bundle install path, Useful instead of bundle config path
• danger_file
  • required
  • dangerfile path for running danger
• danger_id
  • required
  • danger id is an identifier string, example(danger-pr, danger-CI, etc..)
• fail_on_stderr_when_bundler
  • optional
  • action fail when bundler output stderr
  • default: false
• fail_on_stderr_when_danger
  • optional
  • action fail when danger output stderr
  • default: false

• DANGER_GITHUB_API_TOKEN
  • required
  • GitHub Token using by Danger
  • recommendation value: ${{ secrets.GITHUB_TOKEN }}

name: CI

on:
  pull_request:
    branches:
      - master
      
jobs:
  danger:
    runs-on: ubuntu-latest
    if: github.event_name  == 'pull_request' # if only run pull request when multiple trigger workflow
    steps:
    - uses: actions/checkout@v4
    - uses: ruby/setup-ruby@v1
      with:
        ruby-version: '2.6'
    - uses: actions/cache@v4
      with:
        path: vendor/bundle
        key: ${{ runner.os }}-gems-${{ hashFiles('.github/Gemfile') }} # change your gemfile path
        restore-keys: |
          ${{ runner.os }}-gems-
    - uses: MeilCli/danger-action@v6
      with:
        plugins_file: '.github/Gemfile'
        install_path: 'vendor/bundle'
        danger_file: '.github/Dangerfile'
        danger_id: 'danger-pr'
      env:
        DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

danger-action can escape path of Gemfile. so you can put Gemfile on no-current directory.

github-actions token has not write permission at triggered by pull_request that created from forked repository or created by dependabot. This reason is for security

ref: Keeping your GitHub Actions and workflows secure: Preventing pwn requests

In this case, danger cannot use GitHub API because readonly token. And, Using pull_request_target is an option, but it have the security concerns.

If your needs is report of lint-result, recommending MeilCli/common-lint-reporter. Its action resolve this problem by using workflow_run. see: More information

see Contributing.md