
Dependency snapshot should use pull_request.head.sha when available #882

Closed
juxtin opened this issue Sep 11, 2023 · 0 comments
Labels: bug (Something isn't working)

Comments

juxtin commented Sep 11, 2023

👋 from the Dependency Graph team at GitHub!

Last week, we shipped support for submitted dependencies in dependency review.

For the most part, this action seems to already do everything necessary to work properly with dependency review, but there is one tiny exception.

What we're asking

$GITHUB_SHA should be set to the value of github.event.pull_request.head.sha whenever that variable is populated, i.e. when in the context of a pull request.

Why

When submitting a snapshot, https://github.com/gradle/github-dependency-graph-gradle-plugin uses the $GITHUB_SHA environment variable as the SHA of the dependency snapshot. This is perfectly correct for push events, but unfortunately it's not the value we need for pull_request events. In a pull request, GITHUB_SHA is set to the "last merge commit on the GITHUB_REF branch", which is sadly irrelevant to the dependency graph.

Instead, we should submit a snapshot for the head SHA of the PR, which can be extracted from the pull_request object with the equivalent of github.event.pull_request.head.sha.

Actions that use our official javascript dependency-submission-toolkit get this fix for free, but that doesn't apply to github-dependency-graph-gradle-plugin. In that case, we're limited to setting the SHA by overriding the $GITHUB_SHA env var as described in the docs.

You can see how we get the right value in the toolkit here for reference.
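The env-var override the issue describes, shown as a complete workflow. This is an added example, not code from the issue, the Gradle plugin or its README; the workflow name, job name, branch filter, checkout action version and the `./gradlew build` step are assumptions, and the plugin must be wired in exactly as the plugin's own documentation says.

```yaml
name: Dependency submission

on:
  push:
    branches: [main]
  pull_request:

jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to submit a dependency snapshot
    env:
      # On pull_request events github.sha is the synthetic "last merge commit on
      # the GITHUB_REF branch", which the dependency graph never sees. Override
      # the variable the plugin reads with the PR head commit; on push events
      # the pull_request context is empty, so the expression falls back to
      # github.sha, which is already the right value there.
      GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Build the same commit the snapshot will be attached to (assumption:
          # the project wants the PR head, not the merge commit, analysed).
          ref: ${{ env.GITHUB_SHA }}

      - name: Show which commit the snapshot will be attached to
        run: echo "Submitting dependency snapshot for commit $GITHUB_SHA"

      - name: Generate and submit the dependency graph
        # Placeholder step: invoke the Gradle plugin as its own README
        # describes; the init-script / task wiring is not part of this example.
        run: ./gradlew build
```

Setting the override at job level means every step, including the Gradle invocation that the plugin hooks into, sees the corrected `GITHUB_SHA`; a step-level `env:` on the Gradle step alone would also work if the checkout should stay on the merge commit. The `||` fallback is what keeps one workflow usable for both `push` and `pull_request` triggers.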

@bigdaz bigdaz added the bug Something isn't working label Sep 21, 2023
@bigdaz bigdaz modified the milestones: 2.8.1, 2.9.0 Sep 21, 2023
bigdaz added a commit that referenced this issue Sep 26, 2023
In a pull request, GITHUB_SHA is set to the "last merge commit on the GITHUB_REF branch".
This isn't the correct value to use when generating a dependency graph.
This changes to use the value of `pull_request.head.sha`, which is the correct
value for a dependency graph.

Fixes #882
@bigdaz bigdaz closed this as completed in 87ccc98 Sep 26, 2023
2 participants