dependency-submission triggered by tag on default branch does not update dependency results for repository #242

Open
xenoterracide opened this issue Jun 6, 2024 · 7 comments
Labels
investigation Something to investigate

@xenoterracide

Current Behavior

A release is likely to be built off a tag which points to a commit on main

Submitted dependency-graph-reports/release-release.json: The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.

minimal details of workflow,

Expected Behavior

submission to a ref that points to a commit in the default branch should work.

Context (optional)

No response

Steps to Reproduce

obviously you'll have to add some actual gradle build steps, but it's not significant in this issue I think.

on:
  push:
    tags:
      - "v*.*.*"
jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - ...  # Gradle build steps omitted
      - uses: gradle/actions/dependency-submission@v3

Gradle version

8.7

Build scan URL (optional)

No response

Your Environment (optional)

checkout performed differently than normal due to actions/checkout#882

I'm not certain whether or not the dependency report should really be used on every build of the default branch vs an actual release. I guess for now it'll have to be every build of the default branch

@bigdaz bigdaz transferred this issue from gradle/gradle Jun 11, 2024
@bigdaz
Member

bigdaz commented Jun 11, 2024

Submitted dependency-graph-reports/release-release.json: The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.

This message comes from GitHub. It's surprising that it doesn't resolve the tag to determine which commit/branch it belongs to.

Can you share the content of the uploaded dependency graph file?

@xenoterracide
Author

Do you know how to get at it? I don't really want to make a workflow that cats or attaches the file just to do this... but I suppose I could if we need that.

https://github.com/xenoterracide/gradle-semver/actions/runs/9405701870

@bigdaz
Member

bigdaz commented Jun 12, 2024

If you pass a dependency-graph: generate-and-upload parameter to gradle/actions/dependency-submission, the file will be saved rather than submitted.

https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#configuration-parameters

@bigdaz
Member

bigdaz commented Jul 2, 2024

@xenoterracide the submitted GitHub Dependency Graph file contains a ref attribute as well as a sha value: the action sets these from the github context.

Ideally, these values would be processed on submission: if a Git SHA belongs to the default branch it could then apply to the default branch, irrespective of the Git Ref that it was created from. This doesn't happen, so we'll need to do something in the action.

Here's a workaround you could employ, assuming that this workflow will only be run for tags on the main branch.

env:
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/heads/main'

A more sophisticated solution would involve checking if the ref was for a tag, then checking if the tag points to a commit on the default branch. But I'd first like confirmation that the simple solution works.
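
The more sophisticated check described in the comment above, sketched as a shell function for a workflow `run:` step (an added example, not code from this thread or from gradle/actions): a tag ref is mapped to the default branch only when the tagged commit is reachable from that branch, so a tag cut from some other branch cannot overwrite the default branch's dependency results. The function name, the `origin` remote and a full-history checkout (`fetch-depth: 0`) are assumptions.

```shell
# Added example; the function name and remote layout are assumptions.
# Prints the ref a dependency snapshot should be submitted for.
#   $1 = GITHUB_REF-style ref (e.g. refs/tags/v1.2.3)
#   $2 = default branch name  (e.g. main)
#   $3 = remote name          (default: origin)
resolve_dependency_graph_ref() {
  ref=$1
  default_branch=$2
  remote=${3:-origin}

  case $ref in
    refs/tags/*) ;;                          # only tags are candidates for remapping
    *) printf '%s\n' "$ref"; return 0 ;;     # branch and PR refs pass through unchanged
  esac

  # ^{commit} peels an annotated tag object down to the commit it names.
  if ! commit=$(git rev-parse --verify --quiet "${ref}^{commit}"); then
    echo "cannot resolve ${ref} to a commit" >&2
    return 2
  fi

  # merge-base exits 0 only if the commit is reachable from the default
  # branch tip. Any other outcome (not an ancestor, or the remote ref is
  # missing in a shallow clone) keeps the original tag ref.
  if git merge-base --is-ancestor "$commit" "refs/remotes/${remote}/${default_branch}"; then
    printf 'refs/heads/%s\n' "$default_branch"
  else
    printf '%s\n' "$ref"
  fi
}

# Assumed usage in a step that runs before dependency-submission:
#   echo "GITHUB_DEPENDENCY_GRAPH_REF=$(resolve_dependency_graph_ref "$GITHUB_REF" main)" >> "$GITHUB_ENV"
```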

@bigdaz bigdaz changed the title from "gradle/actions/dependency-submission needs to work on tag builds" to "dependency-submission for tag on default branch does not update dependency results for repository" Jul 2, 2024
@bigdaz bigdaz changed the title from "dependency-submission for tag on default branch does not update dependency results for repository" to "dependency-submission triggered by tag on default branch does not update dependency results for repository" Jul 2, 2024
@joschi

joschi commented Jul 3, 2024

But I'd first like confirmation that the simple solution works.

I'm not the issue author or in any way affiliated with him, but I can confirm that this is working:
https://github.com/orgs/community/discussions/130713#discussioncomment-9933836

@xenoterracide
Author

xenoterracide commented Jul 4, 2024

finally got around to generating the json, which would have been really easy to do yourselves as this really requires a very simple workflow and I don't want to create a ton of tags for the sake of seeing what it does.

Might be worth it to have a feature, or the default be submit and attach instead of submit or attach.

dependency-graph_full-full.json.zip

@xenoterracide
Author

xenoterracide commented Jul 4, 2024

this is what it looks like if I submit that env var

Submitted dependency-graph-reports/release-release.json: Dependency results for the repo have been successfully updated.

dependency-graph_full-full.json (2).zip

https://github.com/xenoterracide/gradle-semver/actions/runs/9799510946

sschuberth added a commit to oss-review-toolkit/ort that referenced this issue Sep 27, 2024
Apply the work-around from [1] to associate the dependency graph built
from tags to the `main` branch.

[1]: gradle/actions#242 (comment)

Signed-off-by: Sebastian Schuberth <[email protected]>
@bigdaz bigdaz added the investigation Something to investigate label Dec 12, 2024