Github action broken with 4.0.1 #65

Closed
ydaveluy opened this issue Feb 15, 2024 · 10 comments

@ydaveluy

The release 4.0.1 raises this error in the GitHub action:

ReferenceError: require is not defined in ES module scope, you can use import instead
This file is being treated as an ES module because it has a '.js' file extension and '/home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/dist/package.json' contains "type": "module". To treat it as a CommonJS script, rename it to use the '.cjs' file extension.
    at eval (eval at 5178 (file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/node_modules/@vercel/ncc/dist/ncc/@@notfound.js:1:1), <anonymous>:1:1)
    at Object.5178 (file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/node_modules/@vercel/ncc/dist/ncc/@@notfound.js:1:1)
    at __nccwpck_require__ (file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/webpack/bootstrap:21:1)
    at file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/dist/index.js:30938:35
    at file:///home/runner/work/_actions/advanced-security/maven-dependency-submission-action/v4/dist/index.js:30986:3
    at ModuleJob.run (node:internal/modules/esm/module_job:217:25)
    at ModuleLoader.import (node:internal/modules/esm/loader:316:24)
    at loadESM (node:internal/process/esm_loader:34:7)
    at handleMainPromise (node:internal/modules/run_main:66:12)

My project pipeline is available here :
https://github.com/ThalesGroup/xsmp-modeler-core/actions/runs/7920338388/job/21629031180

@jorsmatthys

Same, we upgraded our workflows to use 'v4' yesterday (when v4.0.0 was still the latest), tested, and everything was working, then this morning we got reports of workflows failing with the message above.

@scordio

scordio commented Feb 16, 2024

@wdittmer-jumbo

wdittmer-jumbo commented Feb 16, 2024

Pinning it to 4.0.0 seems to work:

    uses: advanced-security/maven-dependency-submission-action@v4.0.0

But hopefully it is fixed soon instead of going over all pipelines and setting it to 4.0.0.

@fugerit79

fugerit79 commented Feb 17, 2024

Same here.

Using it on many workflows

Tag v4.0.0 is working :
https://github.com/fugerit-org/query-export-tool/actions/runs/7942612673

Tag v4 is broken :
https://github.com/fugerit-org/query-export-tool/actions/runs/7942591428

Any plan for a quick fix?

Thanks in advance.

fugerit79 added a commit to fugerit-org/query-export-tool that referenced this issue Feb 17, 2024
Upgraded build_maven_package workflow to version 1.0.1

As a fix to :

advanced-security/maven-dependency-submission-action#65

As 'advanced-security/maven-dependency-submission-action' is an optional step, now it is possible to skip it with a variable (I set it on account level, so all my workflows are affected)

@fugerit79

While waiting for a fix, I'm adding this condition on my workflows :

https://github.com/fugerit-org/query-export-tool/blob/main/.github/workflows/build_maven_package.yml

      # Optional: Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
      - name: Update dependency graph
        # if DISABLE_MAVEN_DEPENDENCY_SUBMISSION is set to true, skip this step
        if: ${{ vars.DISABLE_MAVEN_DEPENDENCY_SUBMISSION != 'true' }}
        uses: advanced-security/maven-dependency-submission-action@main

By setting the GitHub variable DISABLE_MAVEN_DEPENDENCY_SUBMISSION to true at account level, the step will be disabled.
(I decided to do it as this is an optional step; basically, skipping it does not completely compromise the result.)

ascopes added a commit to ascopes/java-compiler-testing that referenced this issue Feb 17, 2024
See advanced-security/maven-dependency-submission-action#65

Signed-off-by: Ashley <73482956+ascopes@users.noreply.github.com>

@wjglerum

Experiencing the same errors on multiple repositories now, which are blocking the PR merges right now. Will probably disable it for now.

@wjglerum

@peter-murray any feedback? Seems like this PR broke things for everyone #62

@ecki

ecki commented Feb 23, 2024

Dependabot will upgrade to the 4.0.1 hash and in the process break builds - what's worse, most config does not submit and therefore detect the problem in the PR builds.

@ianrobrien

I'm having this issue in my private and public repos. Also in all of my organization's repos.

For now I've just pinned to version v4.0.0 and told Dependabot to ignore this minor version.

Any idea what the fix is? I thought it could be due to permissions but adding contents write hasn't helped.

@felickz

felickz commented Mar 5, 2024

While we wait for a fix - the @v4 floating version should be back to old behavior. The change in 4.0.1 was rolled back with 4.0.2.

See #70
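
Added example, not part of the original thread or the action's own code: the comments above reference the same action as `@v4`, `@v4.0.0`, `@main` and by hash, and workflows on the floating `@v4` tag received 4.0.1 with no change to the calling repository. This Python script classifies the `uses:` refs in a workflow file so floating ones can be listed; the sample workflow is constructed and the commit SHA in it is a placeholder.

```python
import re

# Constructed sample: the ref styles seen in this thread (@v4, @v4.0.0, @main)
# plus a full commit SHA. The SHA is a placeholder, not a real commit.
ACTION = "advanced-security/maven-dependency-submission-action"
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: {ACTION}@v4
  - uses: {ACTION}@v4.0.0
  - uses: {ACTION}@main
  - uses: {ACTION}@0123456789abcdef0123456789abcdef01234567  # v4.0.0
  - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)


def classify_ref(ref):
    """Return how tightly a `uses:` ref is pinned."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"           # immutable: changes only when the workflow is edited
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact-tag"     # one release, although a tag can still be moved
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "floating-tag"  # e.g. v4: follows each new release automatically
    return "branch"            # e.g. main: follows every push


def audit(workflow_text):
    """Return (line_no, action, ref, kind) for every remote action reference."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        target = m.group(1)
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue  # local actions and container images carry no git ref
        action, ref = target.rsplit("@", 1)
        line_no = workflow_text.count("\n", 0, m.start(1)) + 1
        findings.append((line_no, action, ref, classify_ref(ref)))
    return findings


def unpinned(workflow_text):
    """Refs whose code can change without a commit to the calling repository."""
    return [f for f in audit(workflow_text) if f[3] in ("floating-tag", "branch")]


if __name__ == "__main__":
    for line_no, action, ref, kind in audit(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {kind}")
```
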
