gradle / actions

A collection of GitHub Actions to accelerate your Gradle Builds on GitHub
https://github.com/marketplace/actions/build-with-gradle
MIT License
129 stars 28 forks

dependency-submission triggered by tag on default branch does not update dependency results for repository #242

Open xenoterracide opened 1 month ago

xenoterracide commented 1 month ago

Current Behavior

A release is likely to be built off a tag which points to a commit on main

Submitted dependency-graph-reports/release-release.json: The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.

minimal details of workflow,

Expected Behavior

submission to a ref that points to a commit in the default branch should work.

Context (optional)

No response

Steps to Reproduce

obviously you'll have to add some actual gradle build steps, but it's not significant in this issue I think.

on:
  push:
    tags:
      - "v*.*.*"
jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - ...
      - uses: gradle/actions/dependency-submission@v3

Gradle version

8.7

Build scan URL (optional)

No response

Your Environment (optional)

checkout performed differently than normal due to https://github.com/actions/checkout/issues/882

I'm not certain whether or not the dependency report should really be used on every build of the default branch vs an actual release. I guess for now it'll have to be every build of the default branch

bigdaz commented 3 weeks ago

Submitted dependency-graph-reports/release-release.json: The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.

This message comes from GitHub. It's surprising that it doesn't resolve the tag to determine which commit/branch it belongs to.

Can you share the content of the uploaded dependency graph file?

xenoterracide commented 3 weeks ago

Do you know how to get at it? I don't really want to make a workflow that cats or attaches the file just to do this... but I suppose I could if we need that.

https://github.com/xenoterracide/gradle-semver/actions/runs/9405701870

bigdaz commented 3 weeks ago

If you pass a dependency-graph: generate-and-upload parameter to gradle/actions/dependency-submission, the file will be saved rather than submitted.

https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#configuration-parameters

bigdaz commented 5 days ago

@xenoterracide the submitted GitHub Dependency Graph file contains a ref attribute as well as a sha value: the action sets these from the github context.

Ideally, these values would be processed on submission: if a Git SHA belongs to the default branch it could then apply to the default branch, irrespective of the Git Ref that it was created from. This doesn't happen, so we'll need to do something in the action.

Here's a workaround you could employ, assuming that this workflow will only be run for tags on the main branch.

env:
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/heads/main'

A more sophisticated solution would involve checking if the ref was for a tag, then checking if the tag points to a commit on the default branch. But I'd first like confirmation that the simple solution works.
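
Added example, not part of the original thread and not code from gradle/actions: a sketch of the "more sophisticated" check described in the comment above, written as a shell step that would run before dependency-submission. It assumes a full-history checkout (actions/checkout with fetch-depth: 0) so that origin/<default branch> exists locally; the function names and the DEFAULT_BRANCH variable are hypothetical.

```sh
#!/bin/sh
# Added example (not from gradle/actions). Decide which ref the dependency
# snapshot should be attributed to before dependency-submission runs.
# Assumption: full-history checkout, so origin/<default branch> is present.

# Hypothetical helper: succeeds when commit $1 is reachable from origin/$2.
commit_on_branch() {
  git merge-base --is-ancestor "$1^{commit}" "refs/remotes/origin/$2" 2>/dev/null
}

# Hypothetical helper: prints the ref to submit.
#   $1 = git ref, $2 = commit sha, $3 = default branch name
resolve_graph_ref() {
  case "$1" in
    refs/tags/*)
      # Re-attribute a tag only when its commit really is on the default
      # branch. A tag on an unmerged commit keeps its own ref, so it cannot
      # overwrite the repository's dependency results.
      if commit_on_branch "$2" "$3"; then
        printf 'refs/heads/%s\n' "$3"
      else
        printf '%s\n' "$1"
      fi
      ;;
    *)
      # Branch and pull request refs are left untouched.
      printf '%s\n' "$1"
      ;;
  esac
}

# Inside a workflow step: export the override for the steps that follow.
# DEFAULT_BRANCH is a hypothetical variable; it falls back to "main".
if [ -n "${GITHUB_ENV:-}" ] && [ -n "${GITHUB_REF:-}" ]; then
  resolved="$(resolve_graph_ref "$GITHUB_REF" "$GITHUB_SHA" "${DEFAULT_BRANCH:-main}")"
  echo "GITHUB_DEPENDENCY_GRAPH_REF=$resolved" >> "$GITHUB_ENV"
fi
```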

joschi commented 5 days ago

But I'd first like confirmation that the simple solution works.

I'm not the issue author or in any way affiliated with him, but I can confirm that this is working: https://github.com/orgs/community/discussions/130713#discussioncomment-9933836

xenoterracide commented 3 days ago

finally got around to generating the json, which would have been really easy to do yourselves as this really requires a very simple workflow and I don't want to create a ton of tags for the sake of seeing what it does.

Might be worth it to have a feature, or the default be submit and attach instead of submit or attach.

dependency-graph_full-full.json.zip

xenoterracide commented 3 days ago

this is what it looks like if I submit that env var

Submitted dependency-graph-reports/release-release.json: Dependency results for the repo have been successfully updated.

dependency-graph_full-full.json (2).zip

https://github.com/xenoterracide/gradle-semver/actions/runs/9799510946