Open xenoterracide opened 1 month ago
Submitted dependency-graph-reports/release-release.json: The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.
This message comes from GitHub. It's surprising that it doesn't resolve the tag to determine which commit/branch it belongs to.
Can you share the content of the uploaded dependency graph file?
Do you know how to get at it? I don't really want to make a workflow that cats or attaches the file just to do this... but I suppose I could if we need that.
https://github.com/xenoterracide/gradle-semver/actions/runs/9405701870
If you pass a dependency-graph: generate-and-upload
parameter to gradle/actions/dependency-submission
, the file will be saved rather than submitted.
https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#configuration-parameters
@xenoterracide the submitted GitHub Dependency Graph file contains a ref
attribute as well as a sha
value: the action sets these from the github context.
Ideally, these values would be processed on submission: if a Git SHA belongs to the default branch it could then apply to the default branch, irrespective of the Git Ref that it was created from. This doesn't happen, so we'll need to do something in the action.
Here's a workaround you could employ, assuming that this workflow will only be run for tags on the main
branch.
env:
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/heads/main'
A more sophisticated solution would involve checking if the ref was for a tag, then checking if the tag points to a commit on the default branch. But I'd first like confirmation that the simple solution works.
But I'd first like confirmation that the simple solution works.
I'm not the issue author or in any way affiliated with him, but I can confirm that this is working: https://github.com/orgs/community/discussions/130713#discussioncomment-9933836
finally got around to generating the json, which would have been really easy to do yourselves as this really requires a very simple workflow and I don't want to create a ton of tags for the sake o seeing what it does.
Might be worth it to have a feature, or the default be submit and attach instead of submit or attach.
this is what it looks like if I submit that env var
Submitted dependency-graph-reports/release-release.json: Dependency results for the repo have been successfully updated.
dependency-graph_full-full.json (2).zip
https://github.com/xenoterracide/gradle-semver/actions/runs/9799510946
Current Behavior
A release is likely to be built of a tag which points to a commit on main
minimal details of workflow,
Expected Behavior
submission to a ref that points to a commit in the default branch should work.
Context (optional)
No response
Steps to Reproduce
obviously you'll have to add some actual gradle build steps, but it's not significant in this issue I think.
Gradle version
8.7
Build scan URL (optional)
No response
Your Environment (optional)
checkout peformed differently than normal due to https://github.com/actions/checkout/issues/882
I'm not certain whether or not the dependency report should really be used on every build of the default branch vs an actual release. I guess for now it'll have to be every build of the default branch