Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support GitHub dependencies review action/api #879

Closed
hfhbd opened this issue Sep 9, 2023 · 7 comments
Closed

Support GitHub dependencies review action/api #879

hfhbd opened this issue Sep 9, 2023 · 7 comments
Assignees
@bigdaz
Labels
enhancement New feature or request
Milestone
2.9.0

Comments

@hfhbd
Copy link

hfhbd commented Sep 9, 2023

Currently, the dependency submission is called in the Post step, not directly after the execution of Gradle. This is incompatible with the https://github.com/actions/dependency-review-action, which validates the submitted dependencies (from a PR) and will fail your build, eg if you submit vulnerabilities in the PR. The review action needs to be run after Gradle and after the submission of dependencies.
@hfhbd
Copy link
Author

hfhbd commented Sep 9, 2023
edited
Loading

Hm, don't know if this is a GitHub issue, but the workaround to run the review action in another job didn't work:

  reviewDependencies:
    runs-on: ubuntu-latest
    needs:
      - build
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/dependency-review-action@v3
        with:
          retry-on-snapshot-warnings: true

https://github.com/hfhbd/ComposeTodo/blob/603a57e66752a8f2f7602a32f2fd657053a77437/.github/workflows/CI.yml

Update: This feature isn't yet implemented according to the issue tracker: actions/dependency-review-action#545, but the docs already mention it: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together

Alternative: gradle-build-action could call the GitHub review REST api too (or via opt-in).

@hfhbd hfhbd changed the title Upload dependency submission after Gradle run Support GitHub dependencies review action/api Sep 9, 2023
@bigdaz
Copy link
Member

bigdaz commented Sep 11, 2023

Thanks for trying this out. The action was never tested with the dependency-review-action, since it wasn't compatible with Dependency Submission at the time.

It looks like #882 will address the underlying issue. I'll leave this open until we can confirm that things are working.

@felickz
Copy link

felickz commented Sep 13, 2023

relevant announcement: https://github.blog/changelog/2023-09-08-dependency-review-support-for-dependency-submission-results/

@bigdaz bigdaz modified the milestones: 2.8.1, 2.9.0 Sep 21, 2023
@bigdaz bigdaz added the enhancement New feature or request label Sep 25, 2023
@bigdaz bigdaz self-assigned this Sep 25, 2023
@bigdaz
Copy link
Member

bigdaz commented Sep 26, 2023

@hfhbd A fix for this issue has been added to the main branch. It would be helpful if you could test it out: you can do this by referencing gradle/gradle-build-action@main in your workflow.

@hfhbd hfhbd mentioned this issue Sep 27, 2023
Merged
@hfhbd
Copy link
Author

hfhbd commented Sep 27, 2023

@bigdaz This fix works 🎉 https://github.com/hfhbd/ComposeTodo/actions/runs/6326657590/job/17181840284

@bigdaz
Copy link
Member

bigdaz commented Sep 29, 2023

Thanks for checking. I'll release v2.9.0 shortly with this fix.

@bigdaz bigdaz closed this as completed Sep 29, 2023
@bigdaz
Copy link
Member

bigdaz commented Oct 1, 2023

@hfhbd You should be able to switch back to v2, since v2.9.0 now includes this fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bigdaz bigdaz

Labels
enhancement New feature or request
Projects
None yet
Milestone
2.9.0
Development

No branches or pull requests
3 participants
@bigdaz @felickz @hfhbd