oss-review-toolkit · tsteenbe · Nov 6, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025
diff --git a/NOTICE b/NOTICE
@@ -3,3 +3,4 @@ The ORT Project <https://oss-review-toolkit.org>
 Copyright (C) 2020-2022 HERE Europe B.V.
 Copyright (C) 2022 Alliander N.V.
 Copyright (C) 2022 EPAM Systems, Inc.
+Copyright (C) 2024-2025 Thomas Steenbergen
diff --git a/README.md b/README.md
@@ -1,11 +1,15 @@
 # GitHub Action for ORT
 
-Run licensing, security and best practices checks and generate reports/SBOMs using [ORT][ort].
+Run licensing, security, best practices checks and generate reports/Software Bill of Materials (SBOMs) using [ORT][ort]
+within [GitHub Actions][gh-action-docs].
 
 ## Usage
 
 See [action.yml](action.yml)
 
+Note: All examples below use the main branch.
+When implementing the GitHub Action for ORT in production, it's recommended to use the latest [tags][ort-gh-action-tags].
+
 ### Basic
 
 ```yaml
@@ -16,9 +20,9 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
 ```
 
 Alternatively, you can also use ORT to download the project sources using Git, Git-repo, Mercurial or Subversion.
@@ -31,7 +35,7 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           vcs-url: 'https://github.com/jshttp/mime-types.git'
 ```
@@ -58,11 +62,11 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'jshttp/mime-types'
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           allow-dynamic-versions: 'true'
           ort-cli-args: '-P ort.analyzer.enabledPackageManagers=NPM,Yarn,Yarn2'
@@ -80,11 +84,11 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'jshttp/mime-types'
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           allow-dynamic-versions: 'true'
           ort-cli-analyze-args: >
@@ -99,7 +103,7 @@ Set `fail-on` to fail the action if:
 - policy violations reported by Evaluator exceed the `severeRuleViolationThreshold` level.
 - security issues reported by the Advisor exceed the `severeIssueThreshold` level.
 
-By default `severeRuleViolationThreshold` and `severeIssueThreshold` are set to `WARNING` 
+By default `severeRuleViolationThreshold` and `severeIssueThreshold` are set to `WARNING`
 but you can change this to for example `ERROR` in your [config.yml][ort-config-yml].
 
 ```yaml
@@ -110,11 +114,11 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'jshttp/mime-types'
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           allow-dynamic-versions: 'true'
           fail-on: 'violations'
@@ -132,7 +136,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'jshttp/mime-types'
       - name: Add .netrc
@@ -155,7 +159,7 @@ jobs:
             StrictHostKeyChecking no
           END
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           allow-dynamic-versions: 'true'
 ```
@@ -178,14 +182,14 @@ jobs:
           git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/".insteadOf "ssh://[email protected]/"
           git config --global url."https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/".insteadOf "https://git.example.com/"
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'example-org/alpha'
           ref: 'master'
           github-server-url: 'https://git.example.com'
           token: ${{ secrets.PERSONAL_TOKEN_2 }}
       - name: Run GitHub action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           ort-config-repository: 'https://oauth2:${{ secrets.PERSONAL_TOKEN_2 }}@git.example.com/ort-project/ort-config.git'
           run: >
@@ -212,10 +216,10 @@ jobs:
             sw-name: beta
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           repository: ${{ matrix.repository }}
-      - uses: oss-review-toolkit/ort-ci-github-action@v1
+      - uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           sw-name: ${{ matrix.sw-name }}
 ```
@@ -225,7 +229,7 @@ jobs:
 Use `ort-config-repository` to specify the location of your ORT global configuration repository.
 If `ort-config-revision` is not automatically latest state of configuration repository will be used.
 
-Alternatively, you can also place your ORT global configuration files in `~/.ort/config` 
+Alternatively, you can also place your ORT global configuration files in `~/.ort/config`
 prior to running GitHub Action for ORT.
 
 ```yaml
@@ -236,11 +240,11 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'jshttp/mime-types'
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           ort-config-repository: 'https://github.com/oss-review-toolkit/ort-config'
           ort-config-revision: 'e4ae8f0a2d0415e35d80df0f48dd95c90a992514'
@@ -256,9 +260,9 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           image: 'my-org/ort-images/ort:latest'
 ```
@@ -282,12 +286,12 @@ jobs:
       - name: Use HTTPS instead of SSH for Git cloning
         run: git config --global url.https://github.com/.insteadOf ssh://[email protected]/
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           repository: 'jshttp/mime-types'
           ref: '2.1.35'
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           db-url: ${{ secrets.POSTGRES_URL }}
           db-username: ${{ secrets.POSTGRES_USERNAME }}
@@ -305,9 +309,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout project
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Run GitHub Action for ORT
-        uses: oss-review-toolkit/ort-ci-github-action@v1
+        uses: oss-review-toolkit/ort-ci-github-action@main
         with:
           run: >
             cache-dependencies,
@@ -327,17 +331,19 @@ to any of your questions we recommend you [join our Slack community][ort-slack].
 
 # License
 
-Copyright (C) 2020-2022 [The ORT Project Authors](./NOTICE).
+Copyright (C) 2020-2025 [The ORT Project Authors](./NOTICE).
 
 See the [LICENSE](./LICENSE) file in the root of this project for license details.
 
 OSS Review Toolkit (ORT) is a [Linux Foundation project][lf] and part of [ACT][act].
 
 [act]: https://automatecompliance.org/
+[gh-action-docs]: https://docs.github.com/en/actions
 [gh-action-secrets]: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository
 [gh-tokens]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
 [ort]: https://github.com/oss-review-toolkit/ort
 [ort-config-yml]: https://github.com/oss-review-toolkit/ort/blob/main/model/src/main/resources/reference.yml
 [ort-contributing-md]: https://github.com/oss-review-toolkit/.github/blob/main/CONTRIBUTING.md
+[ort-gh-action-tags]: https://github.com/oss-review-toolkit/ort-ci-github-action/tags
 [ort-slack]: http://slack.oss-review-toolkit.org
 [lf]: https://www.linuxfoundation.org