👋 from the Dependency Graph team at GitHub!

Last week, we shipped support for submitted dependencies in dependency review.

For the most part, this action seems to already do everything necessary to work properly with dependency review, but there is one tiny exception.

What we're asking

$GITHUB_SHA should be set to the value of github.event.pull_request.head.sha whenever that variable is populated, i.e. when in the context of a pull request.

Why

When submitting a snapshot, https://github.com/gradle/github-dependency-graph-gradle-plugin uses the $GITHUB_SHA environment variable as the SHA of the dependency snapshot. This is perfectly correct for push events, but unfortunately it's not the value we need for pull_request events. In a pull request, GITHUB_SHA is set to the "last merge commit on the GITHUB_REF branch", which is sadly irrelevant to the dependency graph.

Instead, we should submit a snapshot for the head SHA of the PR, which can be extracted from the pull_request object with the equivalent of github.event.pull_request.head.sha.

Actions that use our official JavaScript dependency-submission-toolkit get this fix for free, but that doesn't apply to github-dependency-graph-gradle-plugin. In that case, we're limited to setting the SHA by overriding the $GITHUB_SHA env var as described in the docs.

You can see how we get the right value in the toolkit here for reference.
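As an added illustration (not part of the original issue or of the Gradle project's own docs), this is what the requested override looks like in a workflow that runs on both push and pull_request events. The step that invokes the Gradle plugin is a placeholder; the only point is the job-level env override, which falls back to github.sha when the pull_request context is absent.

```yaml
name: dependency-submission

# Constructed example: the same job serves push and pull_request events.
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: write   # required to submit a dependency snapshot

jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    env:
      # On pull_request, the default GITHUB_SHA is the synthetic merge commit on
      # GITHUB_REF, which the dependency graph cannot associate with the PR.
      # Override it with the PR head SHA; on push the `||` keeps the normal value.
      GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the same commit the snapshot will be attributed to.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      # Placeholder for the step that runs the build with
      # github-dependency-graph-gradle-plugin applied (assumed name, not a real
      # action reference). The plugin reads $GITHUB_SHA from the job env above.
      - name: Generate and submit the dependency snapshot
        run: ./gradlew build   # assumes the plugin is applied in the build
```

Checking the submitted snapshot's sha in the repository's dependency graph against the PR's head commit is the quickest way to confirm the override took effect.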