advanced-security / maven-dependency-submission-action

GitHub Action for submitting Maven dependencies
MIT License

Correlator race condition when using matrices #73

Open ebickle opened 7 months ago

ebickle commented 7 months ago

We have many repositories that contain multiple maven "aggregator projects" in a single repository. In other words, there are multiple pom.xml files where two or more are not a sub-module of another.

This means that we need to run maven-dependency-submission-action multiple times for a single commit. One way we do this is by using a matrix in a workflow, a bit like this:

jobs:
  dependency-submission-maven:
    name: Dependency Submission - Maven
    runs-on: ubuntu-latest

    permissions:
      contents: write

    # one job per root project; every entry runs under the same job id
    strategy:
      matrix:
        directory:
          - project-one
          - project-two

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          java-version: 11
          distribution: temurin

      - name: Submit Dependency Snapshot
        uses: advanced-security/maven-dependency-submission-action@v4
        with:
          directory: ${{ matrix.directory }}

However, this causes a race condition where the last dependency submission "wins" and overwrites the manifest of another. We can see this in the job and detector fields of the submission:

{
    "job": {
        "correlator": "dependency-submission-maven",
        "id": "8748150998"
    },
    "detector": {
        "name": "maven-dependency-submission-action",
        "url": "https://github.com/advanced-security/maven-dependency-submission-action",
        "version": "4.0.2"
    }
}

The @github/dependency-submission-toolkit dependency defaults to setting job.correlator to the job id, which is constant when using a matrix or any other technique that submits multiple snapshots in the same workflow. This ends up creating a significant challenge whenever there are multiple "root" projects (of any type) in a repository, a pattern very common with monorepos.

A possible solution would be to add a correlator input field to the action.yml file. When set, the value of inputs.correlator would be used instead of the default. This design mimics the category field of the CodeQL actions but is somewhat non-intuitive.

Alternate solutions are more difficult to implement and have more tradeoffs, but could include:

I'm leaning towards the correlator input field option due to its simplicity and alignment with CodeQL, but wanted to check in first. I'm not quite sure what the long-term direction of this action is, particularly given the GitHub roadmap item relating to Maven scanning.
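To make the collision concrete, here is an added example (not code from the issue, the action, or the toolkit) that models the "last wins" behaviour above and the proposed per-directory correlator. It assumes the dependency graph keys snapshots by (sha, job.correlator) and that a later snapshot with the same key replaces the earlier one; the manifest paths and sha are constructed.

```python
# Added example, not code from the issue or the action. It models the
# "last wins" behaviour described above. ASSUMPTION: the dependency graph
# keys snapshots by (sha, job.correlator) and a later snapshot with the
# same key replaces the earlier one; different correlators coexist.
from typing import Dict, List, Optional

DETECTOR = {  # values as they appear in the issue's submission
    "name": "maven-dependency-submission-action",
    "url": "https://github.com/advanced-security/maven-dependency-submission-action",
    "version": "4.0.2",
}


def build_snapshot(job_name: str, run_id: str, sha: str, directory: str,
                   correlator: Optional[str] = None) -> dict:
    """Snapshot for one matrix entry; correlator defaults to the job name,
    mirroring the toolkit default that causes the collision."""
    manifest = f"{directory}/pom.xml"  # constructed: one root pom per directory
    return {
        "version": 0,
        "sha": sha,
        "job": {"correlator": correlator or job_name, "id": run_id},
        "detector": DETECTOR,
        "manifests": {manifest: {"name": manifest, "file": {"source_location": manifest}}},
    }


def apply_snapshots(snapshots: List[dict]) -> Dict[str, List[str]]:
    """Surviving manifest names per sha after all submissions land,
    replacing any earlier snapshot that shares (sha, correlator)."""
    store: Dict[tuple, dict] = {}
    for snap in snapshots:  # arrive in matrix-job completion order
        store[(snap["sha"], snap["job"]["correlator"])] = snap
    surviving: Dict[str, List[str]] = {}
    for (sha, _), snap in store.items():
        surviving.setdefault(sha, []).extend(snap["manifests"])
    return {sha: sorted(names) for sha, names in surviving.items()}


def submit_matrix(directories: List[str], per_directory_correlator: bool) -> List[str]:
    """Run the issue's matrix job for one commit; True applies the proposed fix."""
    job, run_id, sha = "dependency-submission-maven", "8748150998", "0" * 40  # sha constructed
    snaps = [
        build_snapshot(job, run_id, sha, d, f"{job}-{d}" if per_directory_correlator else None)
        for d in directories
    ]
    return apply_snapshots(snaps).get(sha, [])
```

With the default correlator only project-two's manifest survives; with a correlator derived from the matrix directory both remain.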