Support Dependency Review Action

Author: maennchen

.github/actions/setup-runtime-env/action.yml

@@ -18,7 +18,7 @@ runs:
     - name: "Cache Deps / Build"
       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
-        path: >-
+        path: |-
           deps
           _build
         key: "${{ format('{0}-{1}-{2}', inputs.mix-env, hashFiles('.tool-versions'), hashFiles('mix.exs')) }}"

.github/workflows/part_report_deps.yml

@@ -8,18 +8,18 @@ permissions:
 
 jobs:
   binary:
-
     permissions:
       contents: write
 
     strategy:
       matrix:
         runner:
           - ubuntu-24.04 # X64
-          - ubuntu-24.04-arm # ARM64
-          - macos-13 # ARM64
-          - macos-15 # X64
-          - windows-2025 # X64
+          # TODO: Re-enable
+          # - ubuntu-24.04-arm # ARM64
+          # - macos-13 # ARM64
+          # - macos-15 # X64
+          # - windows-2025 # X64
           # Not currently supported by Burrito
           # - windows-11-arm # ARM64
 

.github/workflows/pr.yml

@@ -56,6 +56,8 @@ jobs:
   dependency-review:
     name: "Dependency Review"
 
+    needs: ['report_deps']
+
     runs-on: ubuntu-latest
 
     steps:

README.md

@@ -54,6 +54,32 @@ jobs:
       - uses: erlef/mix-dependency-submission@v1
 ```
 
+### Example Using `actions/dependency-review-action`
+
+```yaml
+name: "Mix Dependency Submission"
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request: {}
+
+# The API requires write permission on the repository to submit dependencies
+permissions:
+  contents: write
+
+jobs:
+  report_mix_deps:
+    name: "Report Mix Dependencies"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: erlef/mix-dependency-submission@v1
+      - uses: actions/dependency-review-action@v4
+        if: "${{ github.event_name == 'pull_request' }}"
+```
+
 ## Inputs
 
 | Name           | Description                                                                                 | Default                     |

lib/mix_dependency_submission/cli.ex

@@ -18,7 +18,7 @@ defmodule MixDependencySubmission.CLI do
 
       iex> argv =
       ...>   ~w[--github-repository org/repo --github-job-id 123 --github-workflow build --sha sha --ref refs/heads/main --github-token ghp_xxx]
-      ...> 
+      ...>
       ...> result = MixDependencySubmission.CLI.parse!(argv)
       ...> result.options.github_repository
       "org/repo"
@@ -81,7 +81,7 @@ defmodule MixDependencySubmission.CLI do
             help: "GitHub Actions Workflow Name"
           ),
         sha:
-          optimus_options_with_env_default("GITHUB_SHA",
+          sha_option(
             value_name: "SHA",
             long: "--sha",
             help: "Current Git SHA"
@@ -140,4 +140,41 @@ defmodule MixDependencySubmission.CLI do
       :error -> [required: true]
     end ++ details
   end
+
+  @spec sha_option(Keyword.t()) :: Keyword.t()
+  defp sha_option(base_opts) do
+    # If the GitHub event is a pull request, we need to use the head SHA of the PR
+    # instead of the commit SHA of the workflow run.
+    # This is because the workflow run is triggered by the base commit of the PR,
+    # and we want to report the dependencies of the head commit.
+    # See: https://github.com/github/dependency-submission-toolkit/blob/72f5e31325b5e1bcc91f1b12eb7abe68e75b2105/src/snapshot.ts#L36-L61
+    case load_pr_head_sha() do
+      {:ok, sha} ->
+        Keyword.put(base_opts, :sha, sha)
+
+      :error ->
+        # If we can't load the PR head SHA, we fall back to the default behavior
+        # of using the GITHUB_SHA environment variable.
+        optimus_options_with_env_default("GITHUB_SHA", base_opts)
+    end
+  end
+
+  # Note that pull_request_target is omitted here.
+  # That event runs in the context of the base commit of the PR,
+  # so the snapshot should not be associated with the head commit.
+
+  @pr_events ~w[pull_request pull_request_comment pull_request_review pull_request_review_comment]
+
+  @spec load_pr_head_sha :: {:ok, <<_::320>>} | :error
+  defp load_pr_head_sha do
+    with {:ok, event} when event in @pr_events <- System.fetch_env("GITHUB_EVENT_NAME"),
+         {:ok, event_path} <- System.fetch_env("GITHUB_EVENT_PATH") do
+      event_details_json = File.read!(event_path)
+
+      IO.puts(event_details_json)
+
+      %{"pull_request" => %{"head" => %{"sha" => sha}}} = JSON.decode!(event_details_json)
+      {:ok, sha}
+    end
+  end
 end

mix.exs

@@ -48,11 +48,13 @@ defmodule MixDependencySubmission.MixProject do
         steps: [:assemble, &Burrito.wrap/1],
         burrito: [
           targets: [
-            Linux_X64: [os: :linux, cpu: :x86_64],
-            Linux_ARM64: [os: :linux, cpu: :aarch64],
-            macOS_X64: [os: :darwin, cpu: :x86_64],
-            macOS_ARM64: [os: :darwin, cpu: :aarch64],
-            Windows_X64: [os: :windows, cpu: :x86_64]
+            Linux_X64: [os: :linux, cpu: :x86_64]#,
+            # TODO: Re-enable
+            # Linux_ARM64: [os: :linux, cpu: :aarch64],
+            # macOS_X64: [os: :darwin, cpu: :x86_64],
+            # macOS_ARM64: [os: :darwin, cpu: :aarch64],
+            # Windows_X64: [os: :windows, cpu: :x86_64]
+
             # Not currently supported by Burrito
             # Windows_ARM64: [os: :windows, cpu: :aarch64]
           ]