Labels: enhancement (New feature or request)
Description
Is your feature request related to a problem? Please describe.
In some repositories the cost of calculating the dependencies is high enough that they're only calculated on a material change, which means that not every commit has a snapshot. This causes an issue with this action.
Describe the solution you'd like
I'd like this action to support looking up the most recent snapshot for the base ref.
Describe alternatives you've considered
I'm currently using this Actions pattern to look up a valid snapshot before calling this action. This whole process would be easier if there was a REST endpoint to look up the snapshots rather than having to compare and check for errors.

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    with:
      fetch-depth: 0 # full history is needed to walk back through parent commits
  - name: Lookup snapshot
    id: snapshot
    env:
      GH_TOKEN: ${{ github.token }}
    run: |
      set -euo pipefail
      base_sha="${{ github.event.pull_request.base.sha }}"
      head_sha="${{ github.event.pull_request.head.sha }}"
      counter="0"
      # Walk back at most 10 commits from the PR base until the compare endpoint
      # answers without a snapshot-warnings header (i.e. the base has a snapshot).
      while ((counter < 10)); do
        if [[ -z "$(gh api --header "Accept: application/vnd.github+json" --header "X-GitHub-Api-Version: 2022-11-28" --include "/repos/${{ github.repository }}/dependency-graph/compare/${base_sha}...${head_sha}" | grep -E 'X-Github-Dependency-Graph-Snapshot-Warnings:\s*[a-zA-Z0-9]+' || true)" ]]; then
          echo "::notice::Snapshot found on SHA ${base_sha}"
          {
            echo "base_sha=${base_sha}"
            echo "head_sha=${head_sha}"
          } >> "${GITHUB_OUTPUT}"
          exit 0
        fi
        base_sha="$(git rev-parse "${base_sha}~1")"
        counter=$((counter+1))
      done
      echo "::error::Snapshot not found"
      exit 1
  - name: Dependency Review
    uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
    with:
      base-ref: ${{ steps.snapshot.outputs.base_sha }}
      head-ref: ${{ steps.snapshot.outputs.head_sha }}
      fail-on-severity: high
      comment-summary-in-pr: always
```
Additional context
N/A
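The lookup loop in the workflow above, written out as an added Python example (not code from the issue or from dependency-review-action) so the search can be exercised offline. It generalises the loop slightly: the compare call and the parent lookup are injected, the walk is bounded by a step limit, it stops cleanly at a root commit, and the header name is matched case-insensitively, as HTTP header names are. The `gh_compare` and `git_parent` wrappers reproduce the `gh api` and `git rev-parse` commands from the issue but are not run here; the commit ids `c1`..`c5`, `root`, `h1` and the warning header text are constructed test data.

```python
"""Added example, not code from the issue or from dependency-review-action.

Walk back from the PR base commit, parent by parent, until the
dependency-graph compare endpoint answers without a snapshot-warnings
header, bounded by a maximum number of steps. The API and git calls are
injected so the search can be exercised offline on a constructed history.
"""
import subprocess
from typing import Callable, Dict, Optional, Set

# Header GitHub sets on the compare response when a commit lacks a snapshot.
# Header names are case-insensitive, so they are compared lower-cased.
WARNING_HEADER = "x-github-dependency-graph-snapshot-warnings"


def snapshot_warning(raw_response: str) -> Optional[str]:
    """Return the snapshot-warnings header value from a `gh api --include`
    style response (status line, headers, blank line, body), or None."""
    text = raw_response.replace("\r\n", "\n")
    header_block, _, _body = text.partition("\n\n")
    for line in header_block.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == WARNING_HEADER and value.strip():
            return value.strip()
    return None


def find_snapshot_base(base_sha: str, head_sha: str,
                       compare: Callable[[str, str], str],
                       parent_of: Callable[[str], Optional[str]],
                       max_steps: int = 10) -> Optional[str]:
    """Nearest ancestor of base_sha (base_sha itself included) for which
    compare(ancestor, head_sha) reports no snapshot warning; None when no
    such commit is found within max_steps checks or history runs out."""
    sha: Optional[str] = base_sha
    for _ in range(max_steps):
        if sha is None:  # walked past a root commit
            return None
        if snapshot_warning(compare(sha, head_sha)) is None:
            return sha
        sha = parent_of(sha)
    return None


# Real wrappers, equivalent to the workflow step in the issue (not run here).
def gh_compare(repo: str, base: str, head: str) -> str:
    """Call the compare endpoint through gh; return headers plus body."""
    return subprocess.run(
        ["gh", "api", "--header", "Accept: application/vnd.github+json",
         "--header", "X-GitHub-Api-Version: 2022-11-28", "--include",
         f"/repos/{repo}/dependency-graph/compare/{base}...{head}"],
        check=False, capture_output=True, text=True).stdout


def git_parent(sha: str) -> Optional[str]:
    """First parent of sha via `git rev-parse sha~1`; None at a root commit."""
    proc = subprocess.run(["git", "rev-parse", f"{sha}~1"],
                          check=False, capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


# Constructed test double: linear history c5 -> c4 -> c3 -> c2 -> c1 -> root
# (hypothetical commit ids) in which only c2 and root have a snapshot.
FAKE_PARENTS: Dict[str, Optional[str]] = {
    "c5": "c4", "c4": "c3", "c3": "c2", "c2": "c1", "c1": "root", "root": None,
}
FAKE_SNAPSHOTS: Set[str] = {"c2", "root"}


def fake_compare(base: str, head: str) -> str:
    """Mimic `gh api --include` output: CRLF headers, blank line, JSON body."""
    headers = ["HTTP/2.0 200 OK",
               "content-type: application/json; charset=utf-8"]
    if base not in FAKE_SNAPSHOTS:
        headers.append("X-Github-Dependency-Graph-Snapshot-Warnings: "
                       f"constructed warning for {base}")
    return "\r\n".join(headers) + "\r\n\r\n" + '{"changes": []}'


def fake_parent(sha: str) -> Optional[str]:
    """Parent lookup over the constructed history."""
    return FAKE_PARENTS.get(sha)


if __name__ == "__main__":
    found = find_snapshot_base("c5", "h1", fake_compare, fake_parent)
    print(f"nearest base with a snapshot: {found}")  # c2
```

In a workflow the call would be `find_snapshot_base(base, head, lambda b, h: gh_compare(repo, b, h), git_parent)`; the step limit keeps the job from scanning unbounded history on a repository whose snapshots are sparse, and a `None` result is the case the issue's step reports with `::error::`.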