Description
Describe the bug
When using dependency-review-action@v4.5.0 inside a reusable workflow invoked from another repository, the action consistently logs:

```
No snapshots were found for the head SHA <commit-hash>.
```
This warning also appears on the comment added to the PR. I'm using this in a reusable workflow, triggered by `workflow_call`, with `head-ref` and `base-ref` being passed to the workflow as inputs (as recommended in the docs for jobs not triggered by `pull_request`).
To troubleshoot this, I've also attempted:

- Checking out the PR ref with `actions/checkout`
- Manually submitting a dependency snapshot for `head-ref` using the Dependency Graph API.
- Confirming the snapshot was accepted in the workflow logs.
- Setting `retry-on-snapshot-warnings: true` and waiting up to about 10 minutes for the dependency graph to update.
Despite that, the action still mostly works, but it adds the warning above that I'd like to fix or suppress.
To Reproduce
Create a reusable workflow, e.g. `my-org/my-gha-repo/.github/workflows/dependency_review.yml`:

```yaml
name: "Dependency Review"
on:
  workflow_call:
    inputs:
      base-ref:
        description: 'Custom git base reference'
        required: false
        default: ''
        type: string
      head-ref:
        description: 'Custom git head reference'
        required: false
        default: ''
        type: string
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          base-ref: ${{ inputs.base-ref }}
          head-ref: ${{ inputs.head-ref }}
          retry-on-snapshot-warnings: true
```
Then call the reusable workflow from a different repository (where dependency-review-action works fine in a standalone workflow), e.g. `my-org/my-other-repo/.github/workflows/dependency_review_pr.yml`:

```yaml
name: 'Dependency Review'
on:
  pull_request:
    branches:
      - main
jobs:
  dependency-review:
    permissions:
      pull-requests: write
      contents: write
    uses: my-org/my-gha-repo/.github/workflows/dependency_review.yml@main
    with:
      base-ref: ${{ github.event.pull_request.base.sha }}
      head-ref: ${{ github.event.pull_request.head.sha }}
```
Expected behavior
Basically, the action should act as it does when used by itself in a standalone repo (no retries required, no head SHA snapshot errors).

- If `dependency-review-action` does not require snapshots for PR branches, it should allow suppressing this warning.
- If a valid snapshot exists for `head-ref`, the action should detect it correctly and not log repeated warnings.
Action version
Using `actions/dependency-review-action@v4` (v4.5.0)
Examples
Example workflows above. I can drop them in a public repo if necessary.
Additional context
As I said, I've also tried adding jobs to this reusable workflow to generate an SBOM/dependency snapshot for the head ref and upload that to the dependency submission API, but that doesn't resolve the problem. I am able to generate and upload the SBOM, and it's `ACCEPTED`, but since it's not for the default branch I'm not sure if Dependency Review can find it:

```
SBOM upload response: 201 {
  id: 12345678,
  created_at: '2025-02-05T02:34:11.184Z',
  result: 'ACCEPTED',
  message: 'The snapshot was accepted, but it is not for the default branch. It will not update dependency results for the repository.'
}
```
And the subsequent DR job can't seem to find the snapshot:

```
Run actions/dependency-review-action@v4
  with:
    base-ref: <base SHA>
    head-ref: <head SHA>
    repo-token: ***
No snapshots were found for the head SHA
[retries for a few times up to 10 mins]
```

...though since generating a snapshot isn't required when using Dependency Review by itself in a repo `on: pull_request`, I wouldn't expect that I'd need to do it manually from within a reusable workflow.
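For anyone reproducing the troubleshooting step above (manually submitting a snapshot for `head-ref` and checking the upload response), the following is an added example that is not part of this issue or of the dependency-review-action project. It builds a Dependency Submission API snapshot payload pinned to the PR head commit and classifies the upload response the way the log excerpt above shows it, so an "accepted but not for the default branch" result is visible to the workflow instead of being mistaken for success. The commit SHA, ref, detector name, manifest contents and `run_id` are constructed placeholders; the HTTP call itself is left as a comment because the script is meant to run offline.

```python
import json
import re
from datetime import datetime, timezone

# Constructed placeholder inputs, standing in for the head-ref / run context a
# reusable workflow would receive (not real values from the issue).
HEAD_SHA = "0123456789abcdef0123456789abcdef01234567"
HEAD_REF = "refs/heads/feature/update-deps"   # assumed PR head branch
RUN_ID = 123456789

# The response body quoted in the issue, reproduced here as test data.
SAMPLE_RESPONSE = {
    "id": 12345678,
    "created_at": "2025-02-05T02:34:11.184Z",
    "result": "ACCEPTED",
    "message": "The snapshot was accepted, but it is not for the default branch. "
               "It will not update dependency results for the repository.",
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def build_snapshot(sha, ref, run_id, correlator, package_urls, scanned=None):
    """Build a snapshot body for POST /repos/{owner}/{repo}/dependency-graph/snapshots.

    Field names follow the documented submission schema (version, sha, ref, job,
    detector, scanned, manifests). The sha is validated as a full commit id and the
    ref as a fully qualified git ref, because a snapshot pinned to the wrong commit
    is exactly what produces "No snapshots were found for the head SHA".
    """
    if not SHA_RE.match(sha):
        raise ValueError(f"sha must be a 40-char lowercase hex commit id, got {sha!r}")
    if not ref.startswith("refs/"):
        raise ValueError(f"ref must be a fully qualified git ref (refs/...), got {ref!r}")

    # One manifest with direct runtime dependencies; the manifest name and the
    # package URLs are constructed for the example.
    resolved = {
        purl: {
            "package_url": purl,
            "relationship": "direct",
            "scope": "runtime",
            "dependencies": [],
        }
        for purl in package_urls
    }
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"id": str(run_id), "correlator": correlator},
        "detector": {  # assumed detector identity for this example
            "name": "example-sbom-detector",
            "version": "0.0.1",
            "url": "https://example.invalid/detector",
        },
        "scanned": (scanned or datetime.now(timezone.utc)).isoformat(),
        "manifests": {
            "package-lock.json": {
                "name": "package-lock.json",
                "file": {"source_location": "package-lock.json"},
                "resolved": resolved,
            }
        },
    }


def classify_response(status, body):
    """Turn the upload response into one of four outcomes so a workflow can fail
    or warn explicitly: 'accepted', 'accepted-non-default-branch', 'rejected',
    'error'. The non-default-branch case is the one from the issue's log."""
    if status != 201:
        return "error"
    if body.get("result") != "ACCEPTED":
        return "rejected"
    if "not for the default branch" in body.get("message", ""):
        return "accepted-non-default-branch"
    return "accepted"


if __name__ == "__main__":
    snapshot = build_snapshot(
        HEAD_SHA, HEAD_REF, RUN_ID,
        correlator="dependency-review / sbom",
        package_urls=["pkg:npm/lodash@4.17.21"],
    )
    # In a workflow this body would be posted with, e.g.:
    #   gh api -X POST repos/$OWNER/$REPO/dependency-graph/snapshots --input snapshot.json
    print(json.dumps(snapshot, indent=2))
    print("upload outcome:", classify_response(201, SAMPLE_RESPONSE))
```

Running the script prints the payload and `upload outcome: accepted-non-default-branch`, which is the state the issue describes: the API stored the snapshot for the head commit but explicitly says it will not update the repository's dependency results.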
I've looked at other Issues and didn't see any related info. E.g. #626 is somewhat related but seems like a different issue. And #30 / release 2.1.0 seems to imply that what I'm trying is possible, but not sure what's going wrong with the snapshot.
Basically, is there a known configuration required for dependency-review-action to work inside a reusable workflow, or an option to suppress this warning when snapshots are not available for PR branches?
Thanks!