Comments (5)
Third time is a charm...
- The action failed on the initial PR created by Dependabot.
- To try and make it pass, I did a `@dependabot recreate`, but it failed again. Then I logged this issue - I committed a change to the workflow to give write permission on PRs. Then it passed.
I faced the same issue on other PRs, where it also disappeared for some reason, so it occurs more often. Please look into it.
from dependency-review-action.
It might have been related to the way the workflow was set up:

```yaml
dependency-submission:
  name: Publish dependencies
  needs:
    - build-check-publish
  runs-on: ubuntu-latest
  permissions:
    contents: write
  steps:
    - name: Checkout src repo
      uses: actions/checkout@v4
    - name: Set up JDK
      uses: actions/[email protected]
      with:
        distribution: 'temurin'
        java-version: 17
    - name: Publish Gradle dependencies
      uses: gradle/actions/dependency-submission@v3
review-dependencies:
  name: Review dependencies
  needs:
    - dependency-submission
  runs-on: ubuntu-latest
  permissions:
    pull-requests: write
  steps:
    - name: Review dependencies
      uses: actions/[email protected]
      with:
        comment-summary-in-pr: on-failure
```

The `review-dependencies` job defines a `needs` for the submission job, so the data should be available, but it might be that something went wrong in that area.
I've now combined the two:

```yaml
dependency-submission-and-review:
  name: Publish and review dependencies
  needs:
    - build-check-publish
  runs-on: ubuntu-latest
  permissions:
    contents: write
    pull-requests: write
  steps:
    - name: Checkout src repo
      uses: actions/checkout@v4
    - name: Set up JDK
      uses: actions/[email protected]
      with:
        distribution: 'temurin'
        java-version: 17
    - name: Publish Gradle dependencies
      uses: gradle/actions/dependency-submission@v3
    - name: Review dependencies
      uses: actions/[email protected]
      with:
        comment-summary-in-pr: on-failure
```

Let's see whether it still occasionally fails.
I stumbled upon the same issue; sometimes it finds nothing:

> The number of snapshots compared for the base SHA (0) and the head SHA (1) do not match. You may see unexpected additions in the diff.

Did not try both steps in the same job, but since the documented way works most of the time..
👋 this is a known quirk of the behavior of Dependency Review—if we don't have the same number of snapshots on each side of the comparison then we can report a lot of misleading additions/removals.
Putting everything in the same job (with dependency-review-action last) is the ideal solution, but you can also set `retry-on-snapshot-warnings` to `true` and that should help to prevent this from happening. If you go that route, you may also need to tune `retry-on-snapshot-warnings-timeout` to be able to accommodate all the related steps.
I'll close this for now, but feel free to let us know again if you see anything unexpected.
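As an added illustration of the retry behaviour the maintainer describes (this is not code from the action or from anyone in the thread), the following models the two inputs `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`: keep re-fetching the base...head comparison while the service reports a snapshot-count mismatch, and give up once the timeout elapses. It assumes the compare endpoint signals the mismatch through a base64-encoded `x-github-dependency-graph-snapshot-warnings` response header (an assumption, not stated in the thread), and the responses it polls are constructed in-line.

```python
import base64
import time
from typing import Callable, Dict, List, Tuple

# Assumption (not from the thread): the dependency-graph compare endpoint reports a
# snapshot-count mismatch through this base64-encoded response header.
SNAPSHOT_WARNING_HEADER = "x-github-dependency-graph-snapshot-warnings"

def decode_snapshot_warning(headers: Dict[str, str]) -> str:
    """Return the decoded warning text, or '' when no warning header is present."""
    raw = headers.get(SNAPSHOT_WARNING_HEADER, "")
    return base64.b64decode(raw).decode("utf-8", "replace") if raw else ""

def compare_with_retry(fetch: Callable[[], Tuple[Dict[str, str], List[dict]]],
                       retry_on_snapshot_warnings: bool, timeout_s: float,
                       poll_s: float = 0.0, clock=time.monotonic, sleep=time.sleep):
    """Model of the action's two retry inputs: re-fetch the comparison while a
    snapshot warning is present, giving up once timeout_s has elapsed. Returns
    (changes, warning_text, attempts); a non-empty warning means the diff is suspect."""
    deadline = clock() + timeout_s
    attempts = 0
    while True:
        attempts += 1
        headers, changes = fetch()
        warning = decode_snapshot_warning(headers)
        if not warning or not retry_on_snapshot_warnings or clock() >= deadline:
            return changes, warning, attempts
        sleep(poll_s)

# Constructed sample: one side of the comparison (the base, as in the warning quoted
# above) has no snapshot until the third poll, so every head dependency looks "added".
MISMATCH = ("The number of snapshots compared for the base SHA (0) and the head SHA (1) "
            "do not match. You may see unexpected additions in the diff.")

def make_fake_compare(ready_after: int) -> Callable[[], Tuple[Dict[str, str], List[dict]]]:
    calls = {"n": 0}
    def fetch():
        calls["n"] += 1
        if calls["n"] < ready_after:
            hdr = {SNAPSHOT_WARNING_HEADER: base64.b64encode(MISMATCH.encode()).decode()}
            return hdr, [{"change_type": "added", "name": "org.slf4j:slf4j-api"},
                         {"change_type": "added", "name": "com.fasterxml.jackson.core:jackson-databind"}]
        # Both snapshots present: only the dependency that really changed is reported.
        return {}, [{"change_type": "added", "name": "com.fasterxml.jackson.core:jackson-databind"}]
    return fetch

if __name__ == "__main__":
    for retry in (False, True):
        changes, warning, n = compare_with_retry(make_fake_compare(3), retry, timeout_s=60)
        print(f"retry={retry}: attempts={n}, changes={len(changes)}, warning={warning!r}")
```

Without the retry the first (misleading) diff is what gets reviewed; with it, the action waits for the missing snapshot, which is why the timeout must cover the whole submission step.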
> Putting everything in the same job (with dependency-review-action last) is the ideal solution

Ok!
For the record, I was already using `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout` with a fair timeout I believe (5min, way longer than the time it takes for the submission to run).
I retried the failed workflow 3-4 times to no avail. I recreated a new PR with the same changes and it worked first try (without changing the review workflow).
I guess what's frustrating is that I can't tell what's going on: what is published too late? attached to a wrong sha1? 🤷🏻
If it happens again I'll try the method of having both submission & review in the same job (and might dig in the APIs used by the actions to see if I can understand what happens).