Dependency Review

[MPV]

Does this action work together with GitHub's Dependency Review?

See:

• https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
• https://github.com/actions/dependency-review-action

[adpi2]

There is a note in Dependency review enforcement stating that it should work:

Note: The dependency review API and the dependency submission API work together. This means that the dependency review API will include dependencies submitted via the dependency submission API. This feature is currently in public beta and subject to change.

If anyone knows how to set them up, we could add it as an example in the README.md.

[MPV]

A basic example (in my mind) should be) — would you agree?

name: Dependency Review

on:
  push:
    branches:
      - master
  pull_request:

permissions:
  contents: write # for submitting dependency graph

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: scalacenter/sbt-dependency-submission@v2
      - uses: actions/dependency-review-action@v3
        if: github.event_name == 'pull_request'

[MPV]

Here is my example live:

• Upgrade Scala 2.13.2 to 2.13.3 MPV/github-dependency-review-for-scala#1

However I haven't gotten it to work yet, as actions/dependency-review-action prints things as:

1. No snapshots were found for the head SHA d4763439a5e5d2b08ddc3cf0d01ab3debb988654.
2. Dependency Changes being empty.

...as seen here:

• https://github.com/MPV/github-dependency-review-for-scala/actions/runs/6767526427/job/18390299078?pr=1

---

So while the dependencies are properly uploaded from master and shown here...

• https://github.com/MPV/github-dependency-review-for-scala/network/dependencies

...and they seem to work fine to submit from the PR/branch too, but I don't see actions/dependency-review-action detecting them yet.

[MPV]

I have a theory what makes it not work in PRs, as mentioned in upstream issue (to be confirmed):

Looks to me it’s using the GITHUB_SHA:

• https://github.com/search?q=repo%3Ascalacenter%2Fsbt-dependency-submission%20sha&type=code

Should it be using something like github.event.pull_request.head.sha instead (if called from a PR)?

As per:

• https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request

See:

• Use with scalacenter/sbt-dependency-submission (Dependency Submission API) actions/dependency-review-action#608

[MPV]

Gradle actions have/had the same issue, as described here:

• How to ensure that the review action includes results from newly submitted dependencies using submission API? actions/dependency-review-action#545 (comment)
• Set GITHUB_SHA to correct value for PRs hfhbd/ComposeTodo#797

[adpi2]

If I understand correctly we should use github.event.pull_request.head.sha, when it is available, instead of GITHUB_SHA. @MPV would you like to contribute?

[MPV]

Seems workaround doesn't work:

• GITHUB_SHA correction for PRs MPV/github-dependency-review-for-scala#5

...so some kind of code change here will be needed here, not sure which exact change.

[adpi2]

I am not sure you can override GITHUB_SHA to some custom value. We should better fix sbt-dependency-submission to read the value from a different env var.

[MPV]

Yeah they describe it in the first sentence here too:

• https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together

[MPV]

If I understand correctly we should use github.event.pull_request.head.sha, when it is available, instead of GITHUB_SHA. @MPV would you like to contribute?

I don't have any idea how to change this repo to get it to work. Ideas?

[johnpangalos]

I made a PR for seeing if the event is a pull request and then using the correct sha. See if that works for you @MPV.