v0.1.0

.github/workflows/check-dist.yml

@@ -23,10 +23,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set Node.js 16.x
+      - name: Set Node.js 20.x
         uses: actions/[email protected]
         with:
-          node-version: 16.x
+          node-version: 20.x
 
       - name: Install dependencies
         run: npm ci

.github/workflows/test.yml

@@ -1,20 +1,28 @@
 name: "Test"
+
 on:
   pull_request:
   workflow_dispatch:
   push:
     branches:
       - main
       - 'releases/*'
-  workflow_dispatch:
 
 permissions: 
   id-token: write
   contents: write
 
 jobs:
+  test-npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          npm ci
+          # npm run test
+
   # test action works running from the graph
-  test:
+  test-action:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

action.yml

@@ -14,7 +14,7 @@ inputs:
     required: false
     default: '*.spdx.json'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'
 branding:
   icon: 'upload-cloud'

index.js

@@ -3,19 +3,12 @@
 const fs = require('fs');
 const glob = require('glob');
 
-import {
-  PackageCache,
-  BuildTarget,
-  Package,
-  Snapshot,
-  Manifest,
-  submitSnapshot
-} from '@github/dependency-submission-toolkit'
+const toolkit = require('@github/dependency-submission-toolkit');
 
 async function run() {
   let manifests = getManifestsFromSpdxFiles(searchFiles());
 
-  let snapshot = new Snapshot({
+  let snapshot = new toolkit.Snapshot({
       name: "spdx-to-dependency-graph-action",
       version: "0.0.1",
       url: "https://github.com/advanced-security/spdx-dependency-submission-action",
@@ -30,13 +23,13 @@
     snapshot.addManifest(manifest);
   });
 
-  submitSnapshot(snapshot);
+  toolkit.submitSnapshot(snapshot);
 }
 
 function getManifestFromSpdxFile(document, fileName) {
   core.debug(`getManifestFromSpdxFile processing ${fileName}`);
 
-  let manifest = new Manifest(document.name, fileName);
+  let manifest = new toolkit.Manifest(document.name, fileName);
 
   core.debug(`Processing ${document.packages?.length} packages`);
 
@@ -61,9 +54,9 @@
 
     let relationships = document.relationships?.find(rel => rel.relatedSpdxElement == pkg.SPDXID && rel.relationshipType == "DEPENDS_ON" && rel.spdxElementId != "SPDXRef-RootPackage");
     if (relationships != null && relationships.length > 0) {
-      manifest.addIndirectDependency(new Package(purl));
+      manifest.addIndirectDependency(new toolkit.Package(purl));
     } else {
-      manifest.addDirectDependency(new Package(purl));
+      manifest.addDirectDependency(new toolkit.Package(purl));
     }
   });
   return manifest;
@@ -89,7 +82,9 @@
 // Fixes issues with an escaped version string
 function replaceVersionEscape(purl) {
   // Some tools are failing to escape the namespace, so we will escape it to work around that
-  purl = purl.replace("/@", "/%40");
+  // @ -> %40
+  // ^ -> %5E
+  purl = purl.replace("/@", "/%40").replace("^", "%5E");
 
   //If there's an "@" in the purl, then we don't need to do anything.
   if (purl != null && purl != undefined && !purl?.includes("@")) {