erlef · maennchen · Apr 26, 2025 · Apr 26, 2025
diff --git a/.github/actions/setup-runtime-env/action.yml b/.github/actions/setup-runtime-env/action.yml
@@ -18,7 +18,7 @@ runs:
     - name: "Cache Deps / Build"
       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
-        path: >-
+        path: |-
           deps
           _build
         key: "${{ format('{0}-{1}-{2}', inputs.mix-env, hashFiles('.tool-versions'), hashFiles('mix.exs')) }}"

diff --git a/.github/workflows/part_report_deps.yml b/.github/workflows/part_report_deps.yml
@@ -8,7 +8,6 @@ permissions:
 
 jobs:
   binary:
-
     permissions:
       contents: write
 

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -56,6 +56,8 @@ jobs:
   dependency-review:
     name: "Dependency Review"
 
+    needs: ['report_deps']
+
     runs-on: ubuntu-latest
 
     steps:

diff --git a/README.md b/README.md
@@ -54,6 +54,32 @@ jobs:
       - uses: erlef/mix-dependency-submission@v1
 ```
 
+### Example Using `actions/dependency-review-action`
+
+```yaml
+name: "Mix Dependency Submission"
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request: {}
+
+# The API requires write permission on the repository to submit dependencies
+permissions:
+  contents: write
+
+jobs:
+  report_mix_deps:
+    name: "Report Mix Dependencies"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: erlef/mix-dependency-submission@v1
+      - uses: actions/dependency-review-action@v4
+        if: "${{ github.event_name == 'pull_request' }}"
+```
+
 ## Inputs
 
 | Name           | Description                                                                                 | Default                     |

diff --git a/lib/mix_dependency_submission/cli.ex b/lib/mix_dependency_submission/cli.ex
@@ -81,7 +81,7 @@ defmodule MixDependencySubmission.CLI do
             help: "GitHub Actions Workflow Name"
           ),
         sha:
-          optimus_options_with_env_default("GITHUB_SHA",
+          sha_option(
             value_name: "SHA",
             long: "--sha",
             help: "Current Git SHA"
@@ -140,4 +140,41 @@ defmodule MixDependencySubmission.CLI do
       :error -> [required: true]
     end ++ details
   end
+
+  @spec sha_option(Keyword.t()) :: Keyword.t()
+  defp sha_option(base_opts) do
+    # If the GitHub event is a pull request, we need to use the head SHA of the PR
+    # instead of the commit SHA of the workflow run.
+    # This is because the workflow run is triggered by the base commit of the PR,
+    # and we want to report the dependencies of the head commit.
+    # See: https://github.com/github/dependency-submission-toolkit/blob/72f5e31325b5e1bcc91f1b12eb7abe68e75b2105/src/snapshot.ts#L36-L61
+    case load_pr_head_sha() do
+      {:ok, sha} ->
+        Keyword.put(base_opts, :default, sha)
+
+      :error ->
+        # If we can't load the PR head SHA, we fall back to the default behavior
+        # of using the GITHUB_SHA environment variable.
+        optimus_options_with_env_default("GITHUB_SHA", base_opts)
+    end
+  end
+
+  # Note that pull_request_target is omitted here.
+  # That event runs in the context of the base commit of the PR,
+  # so the snapshot should not be associated with the head commit.
+
+  @pr_events ~w[pull_request pull_request_comment pull_request_review pull_request_review_comment]
+
+  @spec load_pr_head_sha :: {:ok, <<_::320>>} | :error
+  defp load_pr_head_sha do
+    with {:ok, event} when event in @pr_events <- System.fetch_env("GITHUB_EVENT_NAME"),
+         {:ok, event_path} <- System.fetch_env("GITHUB_EVENT_PATH") do
+      event_details_json = File.read!(event_path)
+
+      %{"pull_request" => %{"head" => %{"sha" => <<_binary::320>> = sha}}} =
+        JSON.decode!(event_details_json)
+
+      {:ok, sha}
+    end
+  end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,6 @@ permissions: @@
     jobs:
       binary:
         permissions:
           contents: write
@@ Expand Down @@