How to ensure that the review action includes results from newly submitted dependencies using submission API? #545

Closed
timothyfroehlich opened this issue Aug 9, 2023 · 10 comments
Labels
question Further information is requested

Comments

@timothyfroehlich

I don't know if this is overcomplicating the issue or not, but basically, how do I make sure that the review action takes into account new dependencies that were submitted via the submission API?

I'm getting the Gradle action's new dependency graph support running, which means that any new dependencies added to the Gradle build will not appear in the graph until after the Gradle jobs finish.

So to get the review action to include those results, I'll need to make sure its job is triggered after all of the Gradle jobs, correct?

@febuiles

Hi @timothyfroehlich. This is not overcomplicating the issue at all. Being able to create a workflow out of Dependency Review and Dependency Snapshots is not possible at the moment due to the way snapshots are created.

My understanding is that a fix for this is coming soon, and it'll be transparent for the users. I'm leaving this issue open and will update it once the Action has native support for snapshots.

@timothyfroehlich
Author

Thank you, that's really good to know.

@febuiles

febuiles commented Sep 9, 2023

@hfhbd can you take a look at the latest release (3.1.0), released a couple of days ago? It includes a couple of options that allow the Action to wait for builds to finish before running Dependency Review. @juxtin added some documentation in https://github.com/actions/dependency-review-action/blob/main/docs/examples.md#waiting-for-dependency-submission-jobs-to-complete explaining how this works. Please let us know if this solution works for your current use case.

@hfhbd

hfhbd commented Sep 9, 2023

@febuiles I tried it in this project/PR: https://github.com/hfhbd/ComposeTodo/pull/792/files, but the snapshot was not found: https://github.com/hfhbd/ComposeTodo/actions/runs/6131147436/job/16641072136?pr=792 The snapshot was uploaded with the previous step: https://github.com/hfhbd/ComposeTodo/actions/runs/6131147436/job/16640863093?pr=792 using https://github.com/gradle/gradle-build-action, which uploads the dependencies during the Post action phase.

I used the default timeout of 2 minutes.

Do I/you really need to wait a specific time? Ideally, there would be some event when the dependency submission finished its processing.

@juxtin
Contributor

juxtin commented Sep 9, 2023

@hfhbd would you mind re-running the dependency review step to see if it picks it up the second time?

@hfhbd

hfhbd commented Sep 10, 2023

@juxtin Nope, running it another time didn't work either: https://github.com/hfhbd/ComposeTodo/actions/runs/6136268714/job/16651217350?pr=792
The build step took 25m. The first attempt of reviewDepenencies did run directly after the build step, but failed. I reran it 10m later, but the action/API is still unable to find a snapshot in the second attempt.
These are the submitted dependencies: https://github.com/hfhbd/ComposeTodo/suites/16004626460/artifacts/913624762

@juxtin
Contributor

juxtin commented Sep 11, 2023

@hfhbd Sorry about that! At a glance, it looks like you've got everything configured correctly and I would certainly expect it to work. I'm going to try to reproduce this myself today and I'll see if I can get it fixed.

@juxtin
Contributor

juxtin commented Sep 11, 2023

@hfhbd I believe I found the issue, so I've opened a PR here: hfhbd/ComposeTodo#797

@juxtin
Contributor

juxtin commented Sep 12, 2023

We've officially shipped this feature so I'm going to close this issue now.

@hfhbd, the issue you're having with gradle/gradle-build-action is now in their hands and tracked here. For what it's worth, mikepenz/gradle-dependency-submission does appear to work already.
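
The setup discussed in this thread, as an added example that is not part of the original conversation or the project's own documentation: a workflow where the review job runs after the dependency submission job and retries while the snapshot is still missing. The job names, branch name, Gradle task and timeout value are assumptions; the submission step uses `gradle/gradle-build-action`, and the thread notes that `mikepenz/gradle-dependency-submission` can be substituted.

```yaml
# Added example (assumed names and values), not taken from the thread.
name: dependency-review
on:
  pull_request:
    branches: [main]        # assumption: default branch is "main"

jobs:
  build:                    # hypothetical job name
    runs-on: ubuntu-latest
    permissions:
      contents: write       # required to submit a dependency snapshot
    steps:
      - uses: actions/checkout@v4
      - name: Set up Gradle and submit the dependency graph
        uses: gradle/gradle-build-action@v2
        with:
          # The graph is submitted in the action's post phase,
          # i.e. only after every step in this job has finished.
          dependency-graph: generate-and-submit
      - name: Build
        run: ./gradlew build   # assumption: project uses the Gradle wrapper

  review:                   # hypothetical job name
    runs-on: ubuntu-latest
    needs: build            # do not start before the snapshot was submitted
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v3   # 3.1.0 or later
        with:
          # Keep retrying while the API reports that a snapshot is missing,
          # instead of reviewing a graph without the new dependencies.
          retry-on-snapshot-warnings: true
          # Seconds to keep retrying; 300 is an assumed value
          # (the default is 120, the "2 minutes" mentioned above).
          retry-on-snapshot-warnings-timeout: 300
          fail-on-severity: moderate   # assumption: block on moderate and above
```

If the review job passes without ever seeing the snapshot, newly added dependencies are not evaluated, so treat a snapshot warning in the job log as a failed check rather than a clean result.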
