diff --git a/.github/actions/setup-runtime-env/action.yml b/.github/actions/setup-runtime-env/action.yml
index 320e57b..d8c314b 100644
--- a/.github/actions/setup-runtime-env/action.yml
+++ b/.github/actions/setup-runtime-env/action.yml
@@ -18,7 +18,7 @@ runs:
 - name: "Cache Deps / Build"
 uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
- path: >-
+ path: |-
 deps
 _build
 key: "${{ format('{0}-{1}-{2}', inputs.mix-env, hashFiles('.tool-versions'), hashFiles('mix.exs')) }}"
diff --git a/.github/workflows/part_report_deps.yml b/.github/workflows/part_report_deps.yml
index fd8c342..4e187cc 100644
--- a/.github/workflows/part_report_deps.yml
+++ b/.github/workflows/part_report_deps.yml
@@ -8,7 +8,6 @@ permissions:
 jobs: binary: - permissions: contents: write
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 094645a..443af65 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -56,6 +56,8 @@ jobs:
 dependency-review:
 name: "Dependency Review"
+ needs: ['report_deps']
+
 runs-on: ubuntu-latest
 steps:
diff --git a/README.md b/README.md
index 457b104..19d4095 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,32 @@ jobs:
 - uses: erlef/mix-dependency-submission@v1
 ```
+### Example Using `actions/dependency-review-action`
+
+```yaml
+name: "Mix Dependency Submission"
+
+on:
+ push:
+ branches:
+ - "main"
+ pull_request: {}
+
+# The API requires write permission on the repository to submit dependencies
+permissions:
+ contents: write
+
+jobs:
+ report_mix_deps:
+ name: "Report Mix Dependencies"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: erlef/mix-dependency-submission@v1
+ - uses: actions/dependency-review-action@v4
+ if: "${{ github.event_name == 'pull_request' }}"
+```
+
 ## Inputs
 | Name | Description | Default |
diff --git a/lib/mix_dependency_submission/cli.ex b/lib/mix_dependency_submission/cli.ex
index 60084d4..8d0ffdf 100644
--- a/lib/mix_dependency_submission/cli.ex
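Review bot: With `needs: ['report_deps']` on `dependency-review` in pr.yml, a failed or cancelled `report_deps` job makes `dependency-review` skip rather than fail, and a skipped job is commonly treated as passing by required-check rules, so a broken snapshot upload would silently remove the review gate from the PR. If the review is meant to be a hard gate, keep the ordering but run the job unconditionally and fail on the upstream result, e.g. `if: always()` on the job plus a first step that exits non-zero unless `needs.report_deps.result == 'success'`. The `report_deps` job itself is outside this hunk, so whether it can succeed on fork PRs (where the token is read-only) cannot be confirmed here.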
+++ b/lib/mix_dependency_submission/cli.ex
@@ -81,7 +81,7 @@ defmodule MixDependencySubmission.CLI do
 help: "GitHub Actions Workflow Name"
 ),
 sha:
- optimus_options_with_env_default("GITHUB_SHA",
+ sha_option(
 value_name: "SHA",
 long: "--sha",
 help: "Current Git SHA"
@@ -140,4 +140,41 @@ defmodule MixDependencySubmission.CLI do
 :error -> [required: true]
 end ++ details
 end
+
+ @spec sha_option(Keyword.t()) :: Keyword.t()
+ defp sha_option(base_opts) do
+ # If the GitHub event is a pull request, we need to use the head SHA of the PR
+ # instead of the commit SHA of the workflow run.
+ # This is because the workflow run is triggered by the base commit of the PR,
+ # and we want to report the dependencies of the head commit.
+ # See: https://github.com/github/dependency-submission-toolkit/blob/72f5e31325b5e1bcc91f1b12eb7abe68e75b2105/src/snapshot.ts#L36-L61
+ case load_pr_head_sha() do
+ {:ok, sha} ->
+ Keyword.put(base_opts, :default, sha)
+
+ :error ->
+ # If we can't load the PR head SHA, we fall back to the default behavior
+ # of using the GITHUB_SHA environment variable.
+ optimus_options_with_env_default("GITHUB_SHA", base_opts)
+ end
+ end
+
+ # Note that pull_request_target is omitted here.
+ # That event runs in the context of the base commit of the PR,
+ # so the snapshot should not be associated with the head commit.
+
+ @pr_events ~w[pull_request pull_request_comment pull_request_review pull_request_review_comment]
+
+ @spec load_pr_head_sha :: {:ok, <<_::320>>} | :error
+ defp load_pr_head_sha do
+ with {:ok, event} when event in @pr_events <- System.fetch_env("GITHUB_EVENT_NAME"),
+ {:ok, event_path} <- System.fetch_env("GITHUB_EVENT_PATH") do
+ event_details_json = File.read!(event_path)
+
+ %{"pull_request" => %{"head" => %{"sha" => <<_binary::320>> = sha}}} =
+ JSON.decode!(event_details_json)
+
+ {:ok, sha}
+ end
+ end
 end
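Review bot: `load_pr_head_sha/0` does not return `:error` on non-PR events: when `GITHUB_EVENT_NAME` is set but not in `@pr_events` (every `push` run), the guard on the first `with` clause fails and the unmatched `{:ok, "push"}` is returned as-is, which `sha_option/1` then accepts as `{:ok, sha}` and installs `"push"` as the `--sha` default instead of falling back to `GITHUB_SHA`; the `@spec` promising `{:ok, <<_::320>>} | :error` hides this rather than preventing it. Normalise every non-match by replacing the `with`'s closing `end` with `else` / `_ -> :error` / `end`, or narrow the case in `sha_option/1` to `{:ok, <<_::320>> = sha} ->` so a stray value can never become the default. The happy path deliberately lets `File.read!`, `JSON.decode!` and the assertive map match raise on an unexpected payload shape rather than fall back to `GITHUB_SHA`; that is a reasonable choice for a CLI, but say so in the comment above the `with`, since the `:error` branch comment in `sha_option/1` reads as if any failure falls back. The comment `# This is because the workflow run is triggered by the base commit of the PR` is also imprecise: for `pull_request` runs `GITHUB_SHA` is the PR's merge commit, not the base, so `# the run's GITHUB_SHA is the PR merge commit, not the head commit` states the actual reason. `pull_request_comment` in `@pr_events` is not a GitHub event name I recognise (PR comments arrive as `issue_comment`, whose payload carries no head SHA), so that entry appears to be dead; harmless, but worth a comment or removal.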