From c3bdce8205a605900ae79f6a0718ab0ebecc55af Mon Sep 17 00:00:00 2001
From: daz
Date: Sat, 30 Sep 2023 08:37:51 -0600
Subject: [PATCH] Warn on dependency-graph-submit failure

A common issue when submitting a dependency graph is that the required 'contents: write' permission is not set. We now catch any dependency submission failure and inform the user to check that the required permissions are available.
---
 src/dependency-graph.ts | 39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/src/dependency-graph.ts b/src/dependency-graph.ts
index 6aa8305..ef5815d 100644
--- a/src/dependency-graph.ts
+++ b/src/dependency-graph.ts
@@ -4,6 +4,7 @@ import * as github from '@actions/github'
 import * as glob from '@actions/glob'
 import * as toolCache from '@actions/tool-cache'
 import {GitHub} from '@actions/github/lib/utils'
+import {RequestError} from '@octokit/request-error'
 import type {PullRequestEvent} from '@octokit/webhooks-types'
 import * as path from 'path'
@@ -70,21 +71,37 @@ async function downloadAndSubmitDependencyGraphs(): Promise {
 }
 
 async function submitDependencyGraphs(dependencyGraphFiles: string[]): Promise {
- const octokit = getOctokit()
-
 for (const jsonFile of dependencyGraphFiles) {
- const jsonContent = fs.readFileSync(jsonFile, 'utf8')
-
- const jsonObject = JSON.parse(jsonContent)
- jsonObject.owner = github.context.repo.owner
- jsonObject.repo = github.context.repo.repo
- const response = await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject)
-
- const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
- core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
+ try {
+ await submitDependencyGraphFile(jsonFile)
+ } catch (error) {
+ if (error instanceof RequestError) {
+ const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+ core.warning( `Failed to submit dependency graph ${relativeJsonFile}.\n` + "Please ensure that the 'contents: write' permission is available for the workflow job.\n" + "Note that this permission is never available for a 'pull_request' trigger from a repository fork."
+ )
+ } else {
+ throw error
+ }
+ }
 }
 }
 
+async function submitDependencyGraphFile(jsonFile: string): Promise {
+ const octokit = getOctokit()
+ const jsonContent = fs.readFileSync(jsonFile, 'utf8')
+
+ const jsonObject = JSON.parse(jsonContent)
+ jsonObject.owner = github.context.repo.owner
+ jsonObject.repo = github.context.repo.repo
+ const response = await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject)
+
+ const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+ core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
+}
+
 async function retrieveDependencyGraphs(workspaceDirectory: string): Promise {
 if (github.context.payload.workflow_run) {
 return await retrieveDependencyGraphsForWorkflowRun(github.context.payload.workflow_run.id, workspaceDirectory)
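Review bot: The `catch` in submitDependencyGraphs treats every `RequestError` as a missing 'contents: write' permission, but only a 403 points at the token scope; a 404, 422, 429 or 5xx response from the snapshot endpoint would get the same misleading hint, and the API's own message is never logged. Narrow the hint to `error.status === 403` and include `error.status` and `error.message` in the warning so the real cause is visible in the job log. Since the failure is downgraded to a warning, the step still succeeds with no graph submitted, which appears to be the intent of the commit, but the log then needs the response detail to tell a permissions problem from a rejected snapshot. retrieveDependencyGraphs starts in the hunk and its body continues outside it.
```typescript
        } catch (error) {
            if (!(error instanceof RequestError)) {
                throw error
            }
            const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
            // Only an authorization failure points at the token scope; any other status is
            // reported with the API's own message so the real cause is visible in the log.
            const hint =
                error.status === 403
                    ? "\nPlease ensure that the 'contents: write' permission is available for the workflow job.\n" +
                      "Note that this permission is never available for a 'pull_request' trigger from a repository fork."
                    : ''
            core.warning(`Failed to submit dependency graph ${relativeJsonFile}: HTTP ${error.status} ${error.message}${hint}`)
        }
        // … unchanged: end of the for loop and submitDependencyGraphFile …
```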