Unclear error message when GitHub dependency graph is disabled #164
I also get this error on one repo where security graph is enabled. Just a bunch of mysterious 403: Forbidden with no way to debug.

@WillDaSilva Thanks for bringing this up 🙇. Are you seeing this in public repos? private? both? I have yet to try and reproduce, but I'm not surprised to see this given our lack of awareness of forks.

Here's an example run where it occurred: https://github.com/WillDaSilva/meltano/actions/runs/2713985191. Please ignore the debugging print statements. That repository was/is public, and is a fork of https://github.com/meltano/meltano/. When that workflow was run the security graph was disabled. After enabling the security graph I ran the workflow again, and it behaved properly.

@febuiles This also happens if the repo is not public and GHAS is not enabled on the repo.
@febuiles as @WillDaSilva mentioned the returned exception from
@tspascoal thank you for the snippet, I hope folks find it useful while we find a longer term solution. The story behind forks is not great atm (e.g. you can enable Dependency Graph but you can't disable it, package mapping does not work 100% of the time), and I'd like to take some time to see if there's fixes that can be made over there instead of moving this logic to handle faulty cases to the action.
Getting the same error (namely

Here's the config we use:

# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: 'Dependency Review'
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v2
        with:
          # Possible values: "critical", "high", "moderate", "low"
          fail-on-severity: high
          # Complete list of configuration options:
          # https://github.com/actions/dependency-review-action#configuration-options

And here's the log with debug enabled:
@Snailedlt is the organization where you're running this part of GitHub Advanced Security? I think that's the only requirement we have for private repos.

@febuiles I'm not sure. How do I check that? If that's the issue, I would hope there was a better error message though.

@Snailedlt Advanced Security is a paid product, if you're not sure you can talk to the organization/enterprise owner. Another way to find out if Advanced Security is enabled for the repo is to see if you have the rich diff enabled for manifests in private repos. Can you see a rich diff of the PR where the Action run is failing?

@febuiles Thanks for the details. I'm not an organization owner, so I can't check if we have Advanced Security in an easy way. However it seems like it's disabled, since we don't have a rich diff as far as I can tell:

@Snailedlt thanks for the extra details. I think we can use @tspascoal's code snippet from above to fix the, but we need to confirm if 403s can also come from invalid
Keeping this as an enhancement issue open until someone can contribute a PR, if not I hope we can get to this by the next major release.
When a GitHub repository is newly forked, it has the dependency graph feature disabled by default. If dependency-review-action is used on one of these freshly cloned repositories, it errors with the following message:

The error handling code that produces this unclear message is:

Specifically, it's the core.setFailed(error.message) fallback that is responsible.

Printing out the error message using core.debug(JSON.stringify(error, Object.getOwnPropertyNames(error))) results in the following:

It's clear that this ought to result in the "Dependency review is not supported on this repository [...]" error message, but for some reason isn't.
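The snippets quoted in the report (the error message, the catch block and the debug output) did not survive on this page, so the following is an added JavaScript example. It is not code from dependency-review-action and not the snippet @tspascoal posted. It demonstrates the two points the report makes: why JSON.stringify(error) hides an Error's message and stack unless Object.getOwnPropertyNames(error) is passed as the replacer (and the caveat that this whitelist also strips keys from nested objects), and how a bare 403 can be mapped to the clearer "not supported on this repository" message before it reaches a core.setFailed(error.message) style fallback. The field names error.status and error.request.url, the sample error and its URL, the wording of NOT_SUPPORTED_MESSAGE, and the injected setFailed callback standing in for @actions/core are all assumptions made for the example.

```javascript
'use strict';

// Added example (not code from dependency-review-action or from this thread).
// Field names such as error.status and error.request.url, the sample error and
// the message wording are constructed assumptions modelled on what an Octokit
// request error typically carries.

// Assumed wording; the thread only quotes the start of the real message.
const NOT_SUPPORTED_MESSAGE =
  'Dependency review is not supported on this repository. ' +
  'Check that Dependency graph is enabled (it is off by default on fresh forks) ' +
  'and that private repositories have GitHub Advanced Security.';

// JSON.stringify(error) serialises only enumerable own properties, so an
// Error's message and stack are dropped. Passing every own property name as
// the replacer keeps them. Caveat: a replacer array is a whitelist at every
// nesting level, so nested objects (error.request here) lose any keys that are
// not in the list and come out as {}.
function serializeError(error) {
  return JSON.stringify(error, Object.getOwnPropertyNames(error));
}

// Map a failure to the message that should be reported. Only an HTTP 403 is
// translated; every other error keeps its own message so unrelated failures
// are not hidden behind the "not supported" text.
function describeFailure(error) {
  const status = error && typeof error.status === 'number' ? error.status : undefined;
  if (status === 403) {
    return { status, message: NOT_SUPPORTED_MESSAGE };
  }
  const message = error && typeof error.message === 'string' ? error.message : String(error);
  return { status, message };
}

// Replacement for a catch block that ends in core.setFailed(error.message):
// classify first, then hand the clearer text to setFailed. setFailed is
// injected so the function runs without @actions/core.
function failWithClearerMessage(error, setFailed) {
  const described = describeFailure(error);
  setFailed(described.message);
  return described;
}

// Constructed sample of a forbidden response; the URL is an illustrative
// placeholder, not one captured from a real run.
function makeSampleForbiddenError() {
  const err = new Error('Forbidden');
  err.name = 'HttpError';
  err.status = 403;
  err.request = {
    method: 'GET',
    url: 'https://api.github.com/repos/OWNER/REPO/dependency-graph/compare/BASE...HEAD',
  };
  return err;
}

// Stand-alone demonstration: compare the two serialisations and show the
// message that would reach the workflow log.
function demo() {
  const err = makeSampleForbiddenError();
  const plain = JSON.stringify(err);
  const full = serializeError(err);
  const result = failWithClearerMessage(err, (msg) => console.log('setFailed:', msg));
  console.log('JSON.stringify(error):', plain);
  console.log('with getOwnPropertyNames:', full);
  return { plain, full, result };
}

demo();
```

Running the block prints the plain serialisation (name, status and request, but no message or stack), the fuller one (message and stack present, request reduced to {} by the whitelist), and the clearer text handed to setFailed. Keeping the 403 check narrow, and leaving every other error's message untouched, is what stops the friendlier message from masking unrelated failures such as a bad token.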