
Duplicate dependencies in GitHub Dependency Graph when combined with Dependency Review #482

Open
lislei opened this issue Dec 9, 2024 · 3 comments
Labels
cannot reproduce Issue cannot be reproduced

Comments


lislei commented Dec 9, 2024

The project I am working on has been observing duplicate entries in the GitHub Dependency Graph come and go for quite some time.
We have based our workflows on this demo, as it is referenced by the documentation for configuring dependency-review together with dependency-submission based on Gradle manifest files.

With some help from GitHub support, we have been able to reproduce this behaviour in this fork of this demo here
https://github.com/lislei/github-dependency-submission-demo-test

We have no answers yet as to what the issue is, but it seems to involve the different "correlator" values. The one used for the dependency-submission workflow is different from the one used by the dependency-review workflow.

Could someone please look into this?
Thank you for considering this.

@bigdaz bigdaz transferred this issue from gradle/github-dependency-submission-demo Dec 12, 2024
@bigdaz bigdaz changed the title Duplicate dependencies in GitHub Dependency Graph Duplicate dependencies in GitHub Dependency Graph when combined with Dependency Review Dec 12, 2024
@bigdaz bigdaz added the bug Something isn't working label Dec 12, 2024

lislei commented Dec 20, 2024

Relaying the answer from GitHub support:

> Hello,
>
> Thank you for your patience.
>
> Our Engineering team investigated and relayed that the issue here is how the Actions workflows are set up.
>
> Your team currently has the Dependency Submission as a step in the Dependency Review Actions workflow. It's unintuitive, however these should be separate. The current setup will misbehave, as it results in the dependency snapshots submitted by the Dependency Review Actions workflow having a different detector name from the dependency snapshots submitted via the Actions workflow running on the default branch.
>
> We recommend having a single Actions workflow for Dependency Submission that runs both on the default branch and on pull requests, and then a separate Actions workflow for Dependency Review.

My take on this is to factor out the dependency submission part as a reusable workflow.
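For reference, this is what the separation recommended by GitHub support looks like as two workflow files. This is an added illustration, not code from the demo repository or from the gradle/actions project; the action versions, the `main` branch name, the job names, and the use of the `retry-on-snapshot-warnings` input of `actions/dependency-review-action` are assumptions that should be checked against the current documentation for both actions.

```yaml
# .github/workflows/dependency-submission.yml  (assumed file name)
# One workflow, one detector/correlator: submits the Gradle dependency
# snapshot both for the default branch and for pull requests, so the
# snapshots compared by Dependency Review come from the same source.
name: Dependency Submission

on:
  push:
    branches: [ main ]   # assumed default branch name
  pull_request:

permissions:
  contents: write        # required to submit the dependency snapshot

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17   # assumed; match the project's toolchain
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v4   # assumed version

---
# .github/workflows/dependency-review.yml  (assumed file name)
# Separate workflow that only reviews: it no longer contains a submission
# step, so it never produces a snapshot under a second detector name.
name: Dependency Review

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # lets the action comment on the PR (optional)

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Perform dependency review
        uses: actions/dependency-review-action@v4   # assumed version
        with:
          # Wait for the snapshot from the submission workflow on the PR
          # head instead of failing with a "no snapshot" warning.
          retry-on-snapshot-warnings: true          # assumed input name
```

The `---` separator is only there to show both files in one block; each section is its own file. The point of the split is that every snapshot the Dependency Graph compares (base branch and PR head) is produced by the same workflow, so GitHub sees one detector and does not keep two diverging sets of dependencies.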


bigdaz commented Dec 29, 2024

Thanks for your detailed report and reproducer.
However, I am unable to generate duplicate dependencies by following your instructions:

  • Cloned the repo, enabling dependency-graph and actions
  • Created a PR that updates a dependency version. Submitting the PR triggers the dependency-review workflow but not the dependency-submission workflow.
  • When the workflow runs, the expected message appears:
[screenshot of the expected message omitted]

@bigdaz bigdaz added cannot reproduce Issue cannot be reproduced and removed bug Something isn't working labels Dec 29, 2024

lislei commented Jan 6, 2025

Sorry for the messy description.
The action that is missing is to merge the PR bigdaz/github-dependency-submission-demo#1
That should introduce the dependencies.
