Restore dependency-submission workflow, fixed for consistent runs#1800
Merged
Conversation
…dabot/fork PR guard Signed-off-by: Marvin Froeder <velo.br@gmail.com>
Signed-off-by: Marvin Froeder <velo.br@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Restores the
Dependabot Dependency Submissionworkflow removed in 69d8be1 ("Removing as can't get it working in a consistent manner"), with the inconsistency causes fixed.Why it was flaky in 2024
permissions:block — submission needscontents: write; runs with a read-only default token 403'd on the snapshot POST.pull_request— including Dependabot's PRs, whose runs always get a read-onlyGITHUB_TOKENregardless of the permissions block. With this repo's volume of dependabot PRs, the check showed red constantly while pushes to master worked, i.e. "inconsistent".What changed vs the old version
permissions: contents: writedeclared explicitly.dependabot[bot]and fork PRs (read-only token → guaranteed 403); they show as skipped, not failed.schedule+workflow_dispatchas self-healing/manual triggers.-Pexamplesso example modules (the quarkus one carries real compile-scope netty) are part of the graph.maven-dependency-submission-action@v5.0.0, checkout/setup-java to v4, with maven caching.The workflow name and job id are kept identical to the 2024 version on purpose: the snapshot job correlator (
build) must match so the first run on master supersedes the stale December 2024 snapshot that is the source of ~25 of the 31 open Dependabot alerts (see #1799 for the analysis; the one real vulnerability is patched there).Verification
depgraph-maven-plugin:4.0.3:graph -DgraphFormat=json -Pexamples -Dtoolchain.skip=true) was run locally against this branch: BUILD SUCCESS, 37 module graphs generated.Dependabot Dependency Submission / buildcheck exercises the full path end to end (same-repo human PR → write token → real submission against the PR ref).After merging: the push to master runs the workflow and refreshes the graph; stale alerts should then auto-resolve. It can also be triggered immediately via
workflow_dispatch.🤖 Generated with Claude Code