
Comments (5)

Bert-R avatar Bert-R commented on June 29, 2024

Third time is a charm...

  • The action failed on the initial PR created by Dependabot
  • To try and make it pass, I did a @dependabot recreate, but it failed again. Then I logged this issue
  • I committed a change to the workflow to give write permission on PRs. Then it passed.

I faced the same issue on other PRs, where it also disappeared for some reason, so it occurs more often. Please look into it.

from dependency-review-action.

Bert-R avatar Bert-R commented on June 29, 2024

It might have been related to the way the workflow was set up:

  dependency-submission:
    name: Publish dependencies
    needs:
      - build-check-publish
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout src repo
        uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/[email protected]
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Publish Gradle dependencies
        uses: gradle/actions/dependency-submission@v3

  review-dependencies:
    name: Review dependencies
    needs:
      - dependency-submission
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: Review dependencies
        uses: actions/[email protected]
        with:
          comment-summary-in-pr: on-failure

The review-dependencies job defines a needs for the submission job, so the data should be available, but it might be that something went wrong in that area.

I've now combined the two:

  dependency-submission-and-review:
    name: Publish and review dependencies
    needs:
      - build-check-publish
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout src repo
        uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/[email protected]
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Publish Gradle dependencies
        uses: gradle/actions/dependency-submission@v3
      - name: Review dependencies
        uses: actions/[email protected]
        with:
          comment-summary-in-pr: on-failure

Let's see whether it still occasionally fails.


panthony avatar panthony commented on June 29, 2024

I stumbled upon the same issue, sometimes it finds nothing:

The number of snapshots compared for the base SHA (0) and the head SHA (1) do not match. You may see unexpected additions in the diff.

Did not try both steps in the same job but since the documented way works most of the time..


juxtin avatar juxtin commented on June 29, 2024

👋 this is a known quirk of the behavior of Dependency Review—if we don't have the same number of snapshots on each side of the comparison then we can report a lot of misleading additions/removals.

Putting everything in the same job (with dependency-review-action last) is the ideal solution, but you can also set retry-on-snapshot-warnings to true and that should help to prevent this from happening. If you go that route, you may also need to tune retry-on-snapshot-warnings-timeout to be able to accommodate all the related steps.

I'll close this for now, but feel free to let us know again if you see anything unexpected.

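As an added example, not code from the action or from anyone in this thread, here is the retry behaviour juxtin describes written as a small Python poller: it parses the snapshot warning panthony quoted, retries until the base and head snapshot counts agree, and gives up once the timeout elapses. `fetch_warning`, `make_fake_fetcher` and the injected clock/sleep are hypothetical stand-ins so the loop can run offline.

```python
import re
import time
from typing import Callable, Optional, Tuple

# Warning text emitted when the base and head snapshot counts differ
# (wording taken from the message quoted earlier in this thread).
SNAPSHOT_WARNING_RE = re.compile(
    r"The number of snapshots compared for the base SHA \((\d+)\) "
    r"and the head SHA \((\d+)\) do not match"
)


def parse_snapshot_counts(warning: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (base_count, head_count) from a snapshot warning, or None if there is none."""
    if not warning:
        return None
    m = SNAPSHOT_WARNING_RE.search(warning)
    return (int(m.group(1)), int(m.group(2))) if m else None


def compare_with_retry(fetch_warning: Callable[[], Optional[str]],
                       timeout_s: float, interval_s: float,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll the comparison until the snapshot counts agree or the timeout elapses.

    fetch_warning is a hypothetical callable returning the current snapshot warning
    (None once base and head counts match). clock and sleep are injectable so the
    loop can be driven with a fake clock instead of real waiting.
    """
    deadline = clock() + timeout_s
    attempts = 0
    while True:
        attempts += 1
        counts = parse_snapshot_counts(fetch_warning())
        if counts is None:
            return {"ok": True, "attempts": attempts, "counts": None}
        if clock() >= deadline:
            # Timeout shorter than the submission step: the review would compare an
            # incomplete side and report misleading additions or removals.
            return {"ok": False, "attempts": attempts, "counts": counts}
        sleep(interval_s)


def make_fake_fetcher(sequence) -> Callable[[], Optional[str]]:
    """Constructed stand-in for the compare call: returns warnings in order, then None."""
    it = iter(sequence)
    return lambda: next(it, None)
```

The `retry-on-snapshot-warnings-timeout` value corresponds to `timeout_s` here: it must be long enough to cover every step that still has to submit a snapshot, otherwise the loop exits on the failure branch.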

panthony avatar panthony commented on June 29, 2024

Putting everything in the same job (with dependency-review-action last) is the ideal solution

Ok!

For the record I was already using retry-on-snapshot-warnings, retry-on-snapshot-warnings-timeout with a fair timeout I believe (5min, way longer than the time it takes for the submission to run).

I retried the failed workflow 3-4 times to no avail. I recreated a new PR with the same changes and it worked first try (without changing the review workflow).

I guess what's frustrating is that I can't tell what's going on, what is published too late? attached to a wrong sha1? 🤷🏻

If it happens again I'll try the method of having both submission & review in the same job (and might dig in the APIs used by the actions to see if I can understand what happens).
