Warn on dependency-graph-submit failure

A common issue when submitting a dependency graph is that the required 'contents: write' permission is not set. We now catch any dependency submission failure and inform the user to check that the required permissions are available.
2025-11-04 09:58:56 +08:00 · 2023-09-30 08:37:51 -06:00
parent f92e7c3428
commit c3bdce8205
1 changed files with 28 additions and 11 deletions
--- a/src/dependency-graph.ts
+++ b/src/dependency-graph.ts
@@ -4,6 +4,7 @@ import * as github from '@actions/github'
 import * as glob from '@actions/glob'
 import * as toolCache from '@actions/tool-cache'
 import {GitHub} from '@actions/github/lib/utils'
+import {RequestError} from '@octokit/request-error'
 import type {PullRequestEvent} from '@octokit/webhooks-types'

 import * as path from 'path'
@@ -70,21 +71,37 @@ async function downloadAndSubmitDependencyGraphs(): Promise<void> {
 }

 async function submitDependencyGraphs(dependencyGraphFiles: string[]): Promise<void> {
-    const octokit = getOctokit()
-
    for (const jsonFile of dependencyGraphFiles) {
-        const jsonContent = fs.readFileSync(jsonFile, 'utf8')
-
-        const jsonObject = JSON.parse(jsonContent)
-        jsonObject.owner = github.context.repo.owner
-        jsonObject.repo = github.context.repo.repo
-        const response = await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject)
-
-        const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
-        core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
+        try {
+            await submitDependencyGraphFile(jsonFile)
+        } catch (error) {
+            if (error instanceof RequestError) {
+                const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+                core.warning(
+                    `Failed to submit dependency graph ${relativeJsonFile}.\n` +
+                        "Please ensure that the 'contents: write' permission is available for the workflow job.\n" +
+                        "Note that this permission is never available for a 'pull_request' trigger from a repository fork."
+                )
+            } else {
+                throw error
+            }
+        }
    }
 }

+async function submitDependencyGraphFile(jsonFile: string): Promise<void> {
+    const octokit = getOctokit()
+    const jsonContent = fs.readFileSync(jsonFile, 'utf8')
+
+    const jsonObject = JSON.parse(jsonContent)
+    jsonObject.owner = github.context.repo.owner
+    jsonObject.repo = github.context.repo.repo
+    const response = await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject)
+
+    const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+    core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
+}
+
 async function retrieveDependencyGraphs(workspaceDirectory: string): Promise<string[]> {
    if (github.context.payload.workflow_run) {
        return await retrieveDependencyGraphsForWorkflowRun(github.context.payload.workflow_run.id, workspaceDirectory)