Generated dependency graphs contain a `job.correlator` field used to differentiate submissions from different workflows.

`"${githubWorkflow()}_${githubJobName()}_${githubAction()}"`

The GitHub dependency submission toolkit for JavaScript sets the value to `context.job`, which is a similar default value originating from the workflow job.

When using a matrix to analyze the dependencies of multiple independent SBT builds in the same repository (e.g. "monorepos") this results in a race condition: since the correlator will be the same for each run of the GitHub workflow matrix, the last submission "wins" and overwrites all of the others.

To solve this, I'd like to propose adding a new `correlator` parameter to the `action.yml` that, when set, will be used as-is for the `job.correlator` value in the resulting dependency graph. When left blank (unset), the behavior would be the same as today.

I've run the solution by GitHub engineering via our GitHub professional services representative and they confirmed it was a reasonable solution. We have a similar draft PR pending for Maven over here: advanced-security/maven-dependency-submission-action#80. Note that in the draft PR the correlator is appended, not replaced. I don't recommend that solution, as there is a strict 255 character internal limit for job correlators and long paths could easily overwhelm that limit and still cause collisions.

We're hoping to set the correlator property in all of our SBT dependency submissions so that we can roll it out as a general solution across all of our Scala repos without worrying about the potential for race conditions. I'll be helping with the Maven PR as well as submitting a similar request over to the Gradle team. The hope is that we can all coordinate on a single pattern (a `correlator` `action.yml` parameter) for dependency submission actions.

Let me know if you have any questions! I'd submit a PR, but my Scala is rusty 😎
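To make the collision argument concrete, here is an added model of the three correlator strategies discussed in the issue (the default workflow/job/action derivation, the "append the path" variant from the Maven draft PR, and the proposed explicit `correlator` input). This is example code written for this page, not code from sbt-dependency-submission, the Maven action or GitHub's dependency submission toolkit. Assumptions, labelled in the comments: the 255-character limit is modelled as truncation (the issue only states that a strict limit exists), and the workflow, job, action and matrix path names are constructed sample data.

```python
"""Model of job.correlator collisions across a GitHub Actions matrix.

Added example for this issue page; not the action's own implementation.
Assumption: the 255-character internal limit behaves as truncation here
(the issue only says the limit is strict). All names below are constructed.
"""
from collections import defaultdict

CORRELATOR_MAX_LEN = 255  # strict internal limit stated in the issue


def default_correlator(workflow: str, job: str, action: str) -> str:
    """Default derivation from the issue: workflow_job_action.
    Every matrix entry of one job yields the same string."""
    return f"{workflow}_{job}_{action}"


def appended_correlator(workflow: str, job: str, action: str, path: str) -> str:
    """The 'append the build path' variant the issue argues against.
    Assumption: anything past the limit is truncated, so a long shared
    prefix can cut off the part that made the paths distinct."""
    full = default_correlator(workflow, job, action) + "_" + path
    return full[:CORRELATOR_MAX_LEN]


def explicit_correlator(value: str) -> str:
    """Proposed `correlator` input: used as-is, but it must fit the limit
    and must not be blank (blank means 'keep today's default behavior')."""
    if not value:
        raise ValueError("correlator must not be blank")
    if len(value) > CORRELATOR_MAX_LEN:
        raise ValueError(f"correlator exceeds {CORRELATOR_MAX_LEN} characters")
    return value


def find_collisions(correlators: dict) -> dict:
    """Map each duplicated correlator to the matrix entries that produced it.
    Entries sharing a correlator race: the last submission overwrites the rest."""
    by_value = defaultdict(list)
    for entry, value in correlators.items():
        by_value[value].append(entry)
    return {v: entries for v, entries in by_value.items() if len(entries) > 1}


# Constructed sample matrix: three independent SBT builds in one monorepo.
MATRIX_PATHS = ["services/auth", "services/billing", "libs/common"]
WORKFLOW, JOB, ACTION = "dependency-graph", "submit", "sbt-dependency-submission"


def plan_default() -> dict:
    """Default correlator: identical for every matrix entry, so all collide."""
    c = {p: default_correlator(WORKFLOW, JOB, ACTION) for p in MATRIX_PATHS}
    return find_collisions(c)


def plan_appended(shared_prefix_len: int) -> dict:
    """Appended-path correlator. With a short shared prefix the paths stay
    distinct; once the prefix pushes the value past the limit, truncation
    removes the distinguishing suffix and the entries collide again."""
    long_paths = [("x" * shared_prefix_len) + "/" + p for p in MATRIX_PATHS]
    c = {p: appended_correlator(WORKFLOW, JOB, ACTION, p) for p in long_paths}
    return find_collisions(c)


def plan_explicit() -> dict:
    """Explicit per-entry correlator used as-is: short, unique, no collisions."""
    c = {
        p: explicit_correlator(f"{WORKFLOW}_{p.replace('/', '-')}")
        for p in MATRIX_PATHS
    }
    return find_collisions(c)


if __name__ == "__main__":
    print("default  :", plan_default())
    print("appended :", plan_appended(300))
    print("explicit :", plan_explicit())
```

`plan_default()` reports one correlator shared by all three matrix entries, which is the race the issue describes; `plan_appended(300)` shows the appended variant collapsing back to a single value once the shared prefix exceeds the limit, while `plan_explicit()` returns no collisions because each entry supplies its own short value.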