Merge pull request #911 - Improve dependency review support

A common issue when submitting a dependency graph is that the required
'contents: write' permission is not set.
We now catch any dependency submission failure and inform the user to check
that the required permissions are available.

.github/workflows/ci-init-script-check.yml

@@ -20,7 +20,7 @@ jobs:
         distribution: temurin
         java-version: 8
     - name: Setup Gradle
-      uses: gradle/gradle-build-action@v2.8.0 # Use a released version to avoid breakages
+      uses: gradle/gradle-build-action@v2.8.1 # Use a released version to avoid breakages
     - name: Run integration tests
       working-directory: test/init-scripts
       run: ./gradlew check

README.md

@@ -8,11 +8,11 @@ It is possible to directly invoke Gradle in your workflow, and the `actions/setu
 
 However, the `gradle-build-action` offers a number of advantages over this approach:
 
-- Easily [configure your workflow to use a specific version of Gradle](#use-a-specific-gradle-version) using the `gradle-version` parameter. Gradle distributions are automatically downloaded and cached. 
-- More sophisticated and more efficient caching of Gradle User Home between invocations, compared to `setup-java` and most custom configurations using `actions/cache`. [More details below](#caching).
+- Easily [configure your workflow to use a specific version of Gradle](#choose-a-specific-gradle-version) using the `gradle-version` parameter. Gradle distributions are automatically downloaded and cached. 
+- More sophisticated and more efficient caching of Gradle User Home between invocations, compared to `setup-java` and most custom configurations using `actions/cache`. [More details below](#caching-build-state-between-jobs).
 - Detailed reporting of cache usage and cache configuration options allow you to [optimize the use of the GitHub actions cache](#optimizing-cache-effectiveness).
 - [Generate and Submit a GitHub Dependency Graph](#github-dependency-graph-support) for your project, enabling Dependabot security alerts.
-- [Automatic capture of Build Scan® links](#build-scans) from the build, making these easier to locate for workflow run.
+- [Automatic capture of Build Scan® links](#build-reporting) from the build, making these easier to locate for workflow run.
 
 The `gradle-build-action` is designed to provide these benefits with minimal configuration. 
 These features work both when Gradle is executed via the `gradle-build-action` and for any Gradle execution in subsequent steps.
@@ -546,8 +546,6 @@ You enable GitHub Dependency Graph support by setting the `dependency-graph` act
 | `generate-and-submit` | As per `generate`, but any generated dependency graph snapshots will be submitted at the end of the job. |
 | `download-and-submit` | Download any previously saved dependency graph snapshots, submitting them via the Dependency Submission API. This can be useful to collect all snapshots in a matrix of builds and submit them in one step. |
 
-Dependency Graph _submission_ (but not generation) requires the `contents: write` permission, which may need to be explicitly enabled in the workflow file.
-
 Example of a simple workflow that generates and submits a dependency graph:
 ```yaml
 name: Submit dependency graph
@@ -566,14 +564,62 @@ jobs:
       uses: gradle/gradle-build-action@v2
       with:
         dependency-graph: generate-and-submit
-    - name: Run a build, generating the dependency graph snapshot which will be submitted
+    - name: Run a build and generate the dependency graph which will be submitted post-job
       run: ./gradlew build
 ```
 
-The `contents: write` permission is not required to generate the dependency graph, but is required in order to submit the graph via the GitHub API.
+The `contents: write` permission is not required to generate the dependency graph, but is required in order to submit the graph via the GitHub API. This permission will need to be explicitly enabled in the workflow file for dependency graph submission to succeed.
 
-The above configuration will work for workflows that run as a result of commits to a repository branch, but not when a workflow is triggered by a PR from a repository fork.
-For a configuration that supports this setup, see [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows).
+> [!IMPORTANT]
+> The above configuration will work for workflows that run as a result of commits to a repository branch, 
+> but not when a workflow is triggered by a PR from a repository fork.
+> This is because the `contents: write` permission is not available when executing a workflow 
+> for a PR submitted from a forked repository.
+> For a configuration that supports this setup, see [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows).
+
+### Integrating the `dependency-review-action`
+
+The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
+understand dependency changes (and the security impact of these changes) for a pull request.
+For the `dependency-review-action` to succeed, it must run _after_ the dependency graph has been submitted for a PR.
+
+When using `generate-and-submit`, dependency graph files are submitted at the end of the job, after all steps have been
+executed. For this reason, the `dependency-review-action` must be executed in a dependent job,
+and not as a subsequent step in the job that generates the dependency graph.
+
+Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`:
+
+```yaml
+name: PR check
+
+on:
+  pull_request:
+  
+permissions:
+  contents: write
+  # Note that this permission will not be available if the PR is from a forked repository
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Gradle to generate and submit dependency graphs
+      uses: gradle/gradle-build-action@v2
+      with:
+        dependency-graph: generate-and-submit
+    - name: Run a build and generate the dependency graph which will be submitted post-job
+      run: ./gradlew build
+
+  dependency-review:
+    needs: build
+    runs-on: ubuntu-latest
+    - name: Perform dependency review
+      uses: actions/dependency-review-action@v3
+```
+
+See [Dependency Graphs for pull request workflows](#dependency-graphs-for-pull-request-workflows) for a more complex
+(and less functional) example that will work for pull requests submitted from forked repositories.
 
 ## Limiting the scope of the dependency graph
 
@@ -583,7 +629,7 @@ For example, a vulnerability in the tool you use to generate documentation is un
 There are a number of techniques you can employ to limit the scope of the generated dependency graph:
 - [Don't generate a dependency graph for all Gradle executions](#choosing-which-gradle-invocations-will-generate-a-dependency-graph)
 - [For a Gradle execution, filter which Gradle projects and configurations will contribute dependencies](#filtering-which-gradle-configurations-contribute-to-the-dependency-graph)
-- [Use a separate workflow that only resolves the required dependencies]()
+- [Use a separate workflow that only resolves the required dependencies](#use-a-dedicated-workflow-for-dependency-graph-generation)
 
 > [!NOTE]
 > Ideally, all dependencies involved in building and testing a project will be extracted and reported in a dependency graph. 
@@ -682,6 +728,9 @@ Note: when `download-and-submit` is used in a workflow triggered via [workflow_r
 ```yaml
 name: run-build-and-generate-dependency-snapshot
 
+on:
+  pull_request:
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -693,6 +742,13 @@ jobs:
         dependency-graph: generate # Only generate in this job
     - name: Run a build, generating the dependency graph snapshot which will be submitted
       run: ./gradlew build
+
+  dependency-review:
+    needs: build
+    runs-on: ubuntu-latest
+    - name: Perform dependency review
+      uses: actions/dependency-review-action@v3
+      
 ```
 
 ***Dependent workflow file***
@@ -705,15 +761,48 @@ on:
     types: [completed]
 
 jobs:
-  submit-snapshots:
+  submit-dependency-graph:
     runs-on: ubuntu-latest
     steps:
-      - name: Retrieve dependency graph artifact and submit
-        uses: gradle/gradle-build-action@v2
+    - name: Retrieve dependency graph artifact and submit
+      uses: gradle/gradle-build-action@v2
       with:
         dependency-graph: download-and-submit
 ```
 
+### Integrating `dependency-review-action` for pull request workflows
+
+The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you 
+understand dependency changes (and the security impact of these changes) for a pull request.
+
+To integrate the `dependency-review-action` into the pull request workflows above, a separate workflow should be added.
+This workflow will be triggered directly on `pull_request`, but will need to wait until the dependency graph results are
+submitted before the dependency review can complete. How long to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
+
+Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the PR check workflow to complete.
+
+```yaml
+name: dependency-review
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+    - name: 'Dependency Review'
+      uses: actions/dependency-review-action@v3
+      with:
+        retry-on-snapshot-warnings: true
+        retry-on-snapshot-warnings-timeout: 600
+```
+
+The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `run-build-and-generate-dependency-snapshot` and `submit-dependency-snapshot` workflows (above) to complete.
+
 ## Gradle version compatibility
 
 The GitHub Dependency Graph plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against 

dist/main/index.js

@@ -69620,7 +69620,8 @@ class CacheCleaner {
             fs_1.default.mkdirSync(cleanupProjectDir, { recursive: true });
             fs_1.default.writeFileSync(path_1.default.resolve(cleanupProjectDir, 'settings.gradle'), 'rootProject.name = "dummy-cleanup-project"');
             fs_1.default.writeFileSync(path_1.default.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}');
-            yield exec.exec(`gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet noop`, [], {
+            const gradleCommand = `gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet -DGITHUB_DEPENDENCY_GRAPH_ENABLED=false noop`;
+            yield exec.exec(gradleCommand, [], {
                 cwd: cleanupProjectDir
             });
         });
@@ -70667,33 +70668,43 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.constructJobCorrelator = exports.getJobCorrelator = exports.complete = exports.setup = void 0;
+exports.constructJobCorrelator = exports.complete = exports.setup = void 0;
 const core = __importStar(__nccwpck_require__(2186));
 const artifact = __importStar(__nccwpck_require__(2605));
 const github = __importStar(__nccwpck_require__(5438));
 const glob = __importStar(__nccwpck_require__(8090));
 const toolCache = __importStar(__nccwpck_require__(7784));
+const request_error_1 = __nccwpck_require__(537);
 const path = __importStar(__nccwpck_require__(1017));
 const fs_1 = __importDefault(__nccwpck_require__(7147));
 const layout = __importStar(__nccwpck_require__(8182));
 const input_params_1 = __nccwpck_require__(3885);
 const DEPENDENCY_GRAPH_ARTIFACT = 'dependency-graph';
 function setup(option) {
-    if (option === input_params_1.DependencyGraphOption.Disabled || option === input_params_1.DependencyGraphOption.DownloadAndSubmit) {
-        return;
-    }
-    core.info('Enabling dependency graph generation');
-    const jobCorrelator = getJobCorrelator();
-    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true');
-    core.exportVariable('GITHUB_JOB_CORRELATOR', jobCorrelator);
-    core.exportVariable('GITHUB_JOB_ID', github.context.runId);
-    core.exportVariable('DEPENDENCY_GRAPH_REPORT_DIR', path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports'));
+    return __awaiter(this, void 0, void 0, function* () {
+        if (option === input_params_1.DependencyGraphOption.Disabled) {
+            return;
+        }
+        if (option === input_params_1.DependencyGraphOption.DownloadAndSubmit) {
+            yield downloadAndSubmitDependencyGraphs();
+            return;
+        }
+        core.info('Enabling dependency graph generation');
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true');
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', getJobCorrelator());
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId);
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_REF', github.context.ref);
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', getShaFromContext());
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_WORKSPACE', layout.workspaceDirectory());
+        core.exportVariable('DEPENDENCY_GRAPH_REPORT_DIR', path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports'));
+    });
 }
 exports.setup = setup;
 function complete(option) {
     return __awaiter(this, void 0, void 0, function* () {
         switch (option) {
             case input_params_1.DependencyGraphOption.Disabled:
+            case input_params_1.DependencyGraphOption.DownloadAndSubmit:
                 return;
             case input_params_1.DependencyGraphOption.Generate:
                 yield uploadDependencyGraphs();
@@ -70701,8 +70712,6 @@ function complete(option) {
             case input_params_1.DependencyGraphOption.GenerateAndSubmit:
                 yield submitDependencyGraphs(yield uploadDependencyGraphs());
                 return;
-            case input_params_1.DependencyGraphOption.DownloadAndSubmit:
-                yield downloadAndSubmitDependencyGraphs();
         }
     });
 }
@@ -70726,18 +70735,36 @@ function downloadAndSubmitDependencyGraphs() {
 }
 function submitDependencyGraphs(dependencyGraphFiles) {
     return __awaiter(this, void 0, void 0, function* () {
-        const octokit = getOctokit();
         for (const jsonFile of dependencyGraphFiles) {
-            const jsonContent = fs_1.default.readFileSync(jsonFile, 'utf8');
-            const jsonObject = JSON.parse(jsonContent);
-            jsonObject.owner = github.context.repo.owner;
-            jsonObject.repo = github.context.repo.repo;
-            const response = yield octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject);
-            const relativeJsonFile = getRelativePathFromWorkspace(jsonFile);
-            core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`);
+            try {
+                yield submitDependencyGraphFile(jsonFile);
+            }
+            catch (error) {
+                if (error instanceof request_error_1.RequestError) {
+                    const relativeJsonFile = getRelativePathFromWorkspace(jsonFile);
+                    core.warning(`Failed to submit dependency graph ${relativeJsonFile}.\n` +
+                        "Please ensure that the 'contents: write' permission is available for the workflow job.\n" +
+                        "Note that this permission is never available for a 'pull_request' trigger from a repository fork.");
+                }
+                else {
+                    throw error;
+                }
+            }
         }
     });
 }
+function submitDependencyGraphFile(jsonFile) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const octokit = getOctokit();
+        const jsonContent = fs_1.default.readFileSync(jsonFile, 'utf8');
+        const jsonObject = JSON.parse(jsonContent);
+        jsonObject.owner = github.context.repo.owner;
+        jsonObject.repo = github.context.repo.repo;
+        const response = yield octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject);
+        const relativeJsonFile = getRelativePathFromWorkspace(jsonFile);
+        core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`);
+    });
+}
 function retrieveDependencyGraphs(workspaceDirectory) {
     return __awaiter(this, void 0, void 0, function* () {
         if (github.context.payload.workflow_run) {
@@ -70800,10 +70827,25 @@ function getRelativePathFromWorkspace(file) {
     const workspaceDirectory = layout.workspaceDirectory();
     return path.relative(workspaceDirectory, file);
 }
+function getShaFromContext() {
+    const context = github.context;
+    const pullRequestEvents = [
+        'pull_request',
+        'pull_request_comment',
+        'pull_request_review',
+        'pull_request_review_comment'
+    ];
+    if (pullRequestEvents.includes(context.eventName)) {
+        const pr = context.payload.pull_request;
+        return pr.head.sha;
+    }
+    else {
+        return context.sha;
+    }
+}
 function getJobCorrelator() {
     return constructJobCorrelator(github.context.workflow, github.context.job, (0, input_params_1.getJobMatrix)());
 }
-exports.getJobCorrelator = getJobCorrelator;
 function constructJobCorrelator(workflow, jobId, matrixJson) {
     const matrixString = describeMatrix(matrixJson);
     const label = matrixString ? `${workflow}-${jobId}-${matrixString}` : `${workflow}-${jobId}`;
@@ -71639,7 +71681,7 @@ function setup() {
         const cacheListener = new cache_reporting_1.CacheListener();
         yield caches.restore(gradleUserHome, cacheListener);
         core.saveState(CACHE_LISTENER, cacheListener.stringify());
-        dependencyGraph.setup(params.getDependencyGraphOption());
+        yield dependencyGraph.setup(params.getDependencyGraphOption());
     });
 }
 exports.setup = setup;
@@ -71661,7 +71703,7 @@ function complete() {
         else {
             (0, job_summary_1.logJobSummary)(buildResults, cacheListener);
         }
-        dependencyGraph.complete(params.getDependencyGraphOption());
+        yield dependencyGraph.complete(params.getDependencyGraphOption());
     });
 }
 exports.complete = complete;

dist/post/index.js

@@ -69620,7 +69620,8 @@ class CacheCleaner {
             fs_1.default.mkdirSync(cleanupProjectDir, { recursive: true });
             fs_1.default.writeFileSync(path_1.default.resolve(cleanupProjectDir, 'settings.gradle'), 'rootProject.name = "dummy-cleanup-project"');
             fs_1.default.writeFileSync(path_1.default.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}');
-            yield exec.exec(`gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet noop`, [], {
+            const gradleCommand = `gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet -DGITHUB_DEPENDENCY_GRAPH_ENABLED=false noop`;
+            yield exec.exec(gradleCommand, [], {
                 cwd: cleanupProjectDir
             });
         });
@@ -70667,33 +70668,43 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.constructJobCorrelator = exports.getJobCorrelator = exports.complete = exports.setup = void 0;
+exports.constructJobCorrelator = exports.complete = exports.setup = void 0;
 const core = __importStar(__nccwpck_require__(2186));
 const artifact = __importStar(__nccwpck_require__(2605));
 const github = __importStar(__nccwpck_require__(5438));
 const glob = __importStar(__nccwpck_require__(8090));
 const toolCache = __importStar(__nccwpck_require__(7784));
+const request_error_1 = __nccwpck_require__(537);
 const path = __importStar(__nccwpck_require__(1017));
 const fs_1 = __importDefault(__nccwpck_require__(7147));
 const layout = __importStar(__nccwpck_require__(8182));
 const input_params_1 = __nccwpck_require__(3885);
 const DEPENDENCY_GRAPH_ARTIFACT = 'dependency-graph';
 function setup(option) {
-    if (option === input_params_1.DependencyGraphOption.Disabled || option === input_params_1.DependencyGraphOption.DownloadAndSubmit) {
-        return;
-    }
-    core.info('Enabling dependency graph generation');
-    const jobCorrelator = getJobCorrelator();
-    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true');
-    core.exportVariable('GITHUB_JOB_CORRELATOR', jobCorrelator);
-    core.exportVariable('GITHUB_JOB_ID', github.context.runId);
-    core.exportVariable('DEPENDENCY_GRAPH_REPORT_DIR', path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports'));
+    return __awaiter(this, void 0, void 0, function* () {
+        if (option === input_params_1.DependencyGraphOption.Disabled) {
+            return;
+        }
+        if (option === input_params_1.DependencyGraphOption.DownloadAndSubmit) {
+            yield downloadAndSubmitDependencyGraphs();
+            return;
+        }
+        core.info('Enabling dependency graph generation');
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true');
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', getJobCorrelator());
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId);
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_REF', github.context.ref);
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', getShaFromContext());
+        core.exportVariable('GITHUB_DEPENDENCY_GRAPH_WORKSPACE', layout.workspaceDirectory());
+        core.exportVariable('DEPENDENCY_GRAPH_REPORT_DIR', path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports'));
+    });
 }
 exports.setup = setup;
 function complete(option) {
     return __awaiter(this, void 0, void 0, function* () {
         switch (option) {
             case input_params_1.DependencyGraphOption.Disabled:
+            case input_params_1.DependencyGraphOption.DownloadAndSubmit:
                 return;
             case input_params_1.DependencyGraphOption.Generate:
                 yield uploadDependencyGraphs();
@@ -70701,8 +70712,6 @@ function complete(option) {
             case input_params_1.DependencyGraphOption.GenerateAndSubmit:
                 yield submitDependencyGraphs(yield uploadDependencyGraphs());
                 return;
-            case input_params_1.DependencyGraphOption.DownloadAndSubmit:
-                yield downloadAndSubmitDependencyGraphs();
         }
     });
 }
@@ -70726,18 +70735,36 @@ function downloadAndSubmitDependencyGraphs() {
 }
 function submitDependencyGraphs(dependencyGraphFiles) {
     return __awaiter(this, void 0, void 0, function* () {
-        const octokit = getOctokit();
         for (const jsonFile of dependencyGraphFiles) {
-            const jsonContent = fs_1.default.readFileSync(jsonFile, 'utf8');
-            const jsonObject = JSON.parse(jsonContent);
-            jsonObject.owner = github.context.repo.owner;
-            jsonObject.repo = github.context.repo.repo;
-            const response = yield octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject);
-            const relativeJsonFile = getRelativePathFromWorkspace(jsonFile);
-            core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`);
+            try {
+                yield submitDependencyGraphFile(jsonFile);
+            }
+            catch (error) {
+                if (error instanceof request_error_1.RequestError) {
+                    const relativeJsonFile = getRelativePathFromWorkspace(jsonFile);
+                    core.warning(`Failed to submit dependency graph ${relativeJsonFile}.\n` +
+                        "Please ensure that the 'contents: write' permission is available for the workflow job.\n" +
+                        "Note that this permission is never available for a 'pull_request' trigger from a repository fork.");
+                }
+                else {
+                    throw error;
+                }
+            }
         }
     });
 }
+function submitDependencyGraphFile(jsonFile) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const octokit = getOctokit();
+        const jsonContent = fs_1.default.readFileSync(jsonFile, 'utf8');
+        const jsonObject = JSON.parse(jsonContent);
+        jsonObject.owner = github.context.repo.owner;
+        jsonObject.repo = github.context.repo.repo;
+        const response = yield octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject);
+        const relativeJsonFile = getRelativePathFromWorkspace(jsonFile);
+        core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`);
+    });
+}
 function retrieveDependencyGraphs(workspaceDirectory) {
     return __awaiter(this, void 0, void 0, function* () {
         if (github.context.payload.workflow_run) {
@@ -70800,10 +70827,25 @@ function getRelativePathFromWorkspace(file) {
     const workspaceDirectory = layout.workspaceDirectory();
     return path.relative(workspaceDirectory, file);
 }
+function getShaFromContext() {
+    const context = github.context;
+    const pullRequestEvents = [
+        'pull_request',
+        'pull_request_comment',
+        'pull_request_review',
+        'pull_request_review_comment'
+    ];
+    if (pullRequestEvents.includes(context.eventName)) {
+        const pr = context.payload.pull_request;
+        return pr.head.sha;
+    }
+    else {
+        return context.sha;
+    }
+}
 function getJobCorrelator() {
     return constructJobCorrelator(github.context.workflow, github.context.job, (0, input_params_1.getJobMatrix)());
 }
-exports.getJobCorrelator = getJobCorrelator;
 function constructJobCorrelator(workflow, jobId, matrixJson) {
     const matrixString = describeMatrix(matrixJson);
     const label = matrixString ? `${workflow}-${jobId}-${matrixString}` : `${workflow}-${jobId}`;
@@ -71271,7 +71313,7 @@ function setup() {
         const cacheListener = new cache_reporting_1.CacheListener();
         yield caches.restore(gradleUserHome, cacheListener);
         core.saveState(CACHE_LISTENER, cacheListener.stringify());
-        dependencyGraph.setup(params.getDependencyGraphOption());
+        yield dependencyGraph.setup(params.getDependencyGraphOption());
     });
 }
 exports.setup = setup;
@@ -71293,7 +71335,7 @@ function complete() {
         else {
             (0, job_summary_1.logJobSummary)(buildResults, cacheListener);
         }
-        dependencyGraph.complete(params.getDependencyGraphOption());
+        yield dependencyGraph.complete(params.getDependencyGraphOption());
     });
 }
 exports.complete = complete;

package-lock.json

@@ -19,15 +19,16 @@
         "@actions/http-client": "2.1.1",
         "@actions/tool-cache": "2.0.1",
         "@octokit/rest": "19.0.13",
+        "@octokit/webhooks-types": "7.3.1",
         "string-argv": "0.3.2"
       },
       "devDependencies": {
         "@types/jest": "29.5.5",
         "@types/node": "16.18.38",
         "@types/unzipper": "0.10.7",
-        "@typescript-eslint/parser": "6.7.2",
+        "@typescript-eslint/parser": "6.7.3",
         "@vercel/ncc": "0.38.0",
-        "eslint": "8.49.0",
+        "eslint": "8.50.0",
         "eslint-plugin-github": "4.10.0",
         "eslint-plugin-jest": "27.4.0",
         "eslint-plugin-prettier": "5.0.0",
@@ -995,9 +996,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "8.49.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.49.0.tgz",
-      "integrity": "sha512-1S8uAY/MTJqVx0SC4epBq+N2yhuwtNwLbJYNZyhL2pO1ZVKn5HFXav5T41Ryzy9K9V7ZId2JB2oy/W4aCd9/2w==",
+      "version": "8.50.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.50.0.tgz",
+      "integrity": "sha512-NCC3zz2+nvYd+Ckfh87rA47zfu2QsQpvc6k1yzTk+b9KzRj0wkGa8LSoGOXN6Zv4lRf/EIoZ80biDh9HOI+RNQ==",
       "dev": true,
       "engines": {
         "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -1817,6 +1818,11 @@
         "@octokit/openapi-types": "^12.11.0"
       }
     },
+    "node_modules/@octokit/webhooks-types": {
+      "version": "7.3.1",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.3.1.tgz",
+      "integrity": "sha512-u6355ZsZnHwmxen30SrqnYb1pXieBFkYgkNzt+Ed4Ao5tupN1OErHfzwiV6hq6duGkDAYASbq7/uVJQ69PjLEg=="
+    },
     "node_modules/@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -2223,15 +2229,15 @@
       "dev": true
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.7.2.tgz",
-      "integrity": "sha512-KA3E4ox0ws+SPyxQf9iSI25R6b4Ne78ORhNHeVKrPQnoYsb9UhieoiRoJgrzgEeKGOXhcY1i8YtOeCHHTDa6Fw==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.7.3.tgz",
+      "integrity": "sha512-TlutE+iep2o7R8Lf+yoer3zU6/0EAUc8QIBB3GYBc1KGz4c4TRm83xwXUZVPlZ6YCLss4r77jbu6j3sendJoiQ==",
       "dev": true,
       "dependencies": {
-        "@typescript-eslint/scope-manager": "6.7.2",
-        "@typescript-eslint/types": "6.7.2",
-        "@typescript-eslint/typescript-estree": "6.7.2",
-        "@typescript-eslint/visitor-keys": "6.7.2",
+        "@typescript-eslint/scope-manager": "6.7.3",
+        "@typescript-eslint/types": "6.7.3",
+        "@typescript-eslint/typescript-estree": "6.7.3",
+        "@typescript-eslint/visitor-keys": "6.7.3",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2251,13 +2257,13 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/scope-manager": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.2.tgz",
-      "integrity": "sha512-bgi6plgyZjEqapr7u2mhxGR6E8WCzKNUFWNh6fkpVe9+yzRZeYtDTbsIBzKbcxI+r1qVWt6VIoMSNZ4r2A+6Yw==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.3.tgz",
+      "integrity": "sha512-wOlo0QnEou9cHO2TdkJmzF7DFGvAKEnB82PuPNHpT8ZKKaZu6Bm63ugOTn9fXNJtvuDPanBc78lGUGGytJoVzQ==",
       "dev": true,
       "dependencies": {
-        "@typescript-eslint/types": "6.7.2",
-        "@typescript-eslint/visitor-keys": "6.7.2"
+        "@typescript-eslint/types": "6.7.3",
+        "@typescript-eslint/visitor-keys": "6.7.3"
       },
       "engines": {
         "node": "^16.0.0 || >=18.0.0"
@@ -2268,9 +2274,9 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/types": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.2.tgz",
-      "integrity": "sha512-flJYwMYgnUNDAN9/GAI3l8+wTmvTYdv64fcH8aoJK76Y+1FCZ08RtI5zDerM/FYT5DMkAc+19E4aLmd5KqdFyg==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.3.tgz",
+      "integrity": "sha512-4g+de6roB2NFcfkZb439tigpAMnvEIg3rIjWQ+EM7IBaYt/CdJt6em9BJ4h4UpdgaBWdmx2iWsafHTrqmgIPNw==",
       "dev": true,
       "engines": {
         "node": "^16.0.0 || >=18.0.0"
@@ -2281,13 +2287,13 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/typescript-estree": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.2.tgz",
-      "integrity": "sha512-kiJKVMLkoSciGyFU0TOY0fRxnp9qq1AzVOHNeN1+B9erKFCJ4Z8WdjAkKQPP+b1pWStGFqezMLltxO+308dJTQ==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.3.tgz",
+      "integrity": "sha512-YLQ3tJoS4VxLFYHTw21oe1/vIZPRqAO91z6Uv0Ss2BKm/Ag7/RVQBcXTGcXhgJMdA4U+HrKuY5gWlJlvoaKZ5g==",
       "dev": true,
       "dependencies": {
-        "@typescript-eslint/types": "6.7.2",
-        "@typescript-eslint/visitor-keys": "6.7.2",
+        "@typescript-eslint/types": "6.7.3",
+        "@typescript-eslint/visitor-keys": "6.7.3",
         "debug": "^4.3.4",
         "globby": "^11.1.0",
         "is-glob": "^4.0.3",
@@ -2308,12 +2314,12 @@
       }
     },
     "node_modules/@typescript-eslint/parser/node_modules/@typescript-eslint/visitor-keys": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.2.tgz",
-      "integrity": "sha512-uVw9VIMFBUTz8rIeaUT3fFe8xIUx8r4ywAdlQv1ifH+6acn/XF8Y6rwJ7XNmkNMDrTW+7+vxFFPIF40nJCVsMQ==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.3.tgz",
+      "integrity": "sha512-HEVXkU9IB+nk9o63CeICMHxFWbHWr3E1mpilIQBe9+7L/lH97rleFLVtYsfnWB+JVMaiFnEaxvknvmIzX+CqVg==",
       "dev": true,
       "dependencies": {
-        "@typescript-eslint/types": "6.7.2",
+        "@typescript-eslint/types": "6.7.3",
         "eslint-visitor-keys": "^3.4.1"
       },
       "engines": {
@@ -3849,15 +3855,15 @@
       }
     },
     "node_modules/eslint": {
-      "version": "8.49.0",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.49.0.tgz",
-      "integrity": "sha512-jw03ENfm6VJI0jA9U+8H5zfl5b+FvuU3YYvZRdZHOlU2ggJkxrlkJH4HcDrZpj6YwD8kuYqvQM8LyesoazrSOQ==",
+      "version": "8.50.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.50.0.tgz",
+      "integrity": "sha512-FOnOGSuFuFLv/Sa+FDVRZl4GGVAAFFi8LecRsI5a1tMO5HIE8nCm4ivAlzt4dT3ol/PaaGC0rJEEXQmHJBGoOg==",
       "dev": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
         "@eslint/eslintrc": "^2.1.2",
-        "@eslint/js": "8.49.0",
+        "@eslint/js": "8.50.0",
         "@humanwhocodes/config-array": "^0.11.11",
         "@humanwhocodes/module-importer": "^1.0.1",
         "@nodelib/fs.walk": "^1.2.8",
@@ -8891,9 +8897,9 @@
       }
     },
     "@eslint/js": {
-      "version": "8.49.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.49.0.tgz",
-      "integrity": "sha512-1S8uAY/MTJqVx0SC4epBq+N2yhuwtNwLbJYNZyhL2pO1ZVKn5HFXav5T41Ryzy9K9V7ZId2JB2oy/W4aCd9/2w==",
+      "version": "8.50.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.50.0.tgz",
+      "integrity": "sha512-NCC3zz2+nvYd+Ckfh87rA47zfu2QsQpvc6k1yzTk+b9KzRj0wkGa8LSoGOXN6Zv4lRf/EIoZ80biDh9HOI+RNQ==",
       "dev": true
     },
     "@github/browserslist-config": {
@@ -9552,6 +9558,11 @@
         "@octokit/openapi-types": "^12.11.0"
       }
     },
+    "@octokit/webhooks-types": {
+      "version": "7.3.1",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.3.1.tgz",
+      "integrity": "sha512-u6355ZsZnHwmxen30SrqnYb1pXieBFkYgkNzt+Ed4Ao5tupN1OErHfzwiV6hq6duGkDAYASbq7/uVJQ69PjLEg=="
+    },
     "@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -9878,42 +9889,42 @@
       }
     },
     "@typescript-eslint/parser": {
-      "version": "6.7.2",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.7.2.tgz",
-      "integrity": "sha512-KA3E4ox0ws+SPyxQf9iSI25R6b4Ne78ORhNHeVKrPQnoYsb9UhieoiRoJgrzgEeKGOXhcY1i8YtOeCHHTDa6Fw==",
+      "version": "6.7.3",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.7.3.tgz",
+      "integrity": "sha512-TlutE+iep2o7R8Lf+yoer3zU6/0EAUc8QIBB3GYBc1KGz4c4TRm83xwXUZVPlZ6YCLss4r77jbu6j3sendJoiQ==",
       "dev": true,
       "requires": {
-        "@typescript-eslint/scope-manager": "6.7.2",
-        "@typescript-eslint/types": "6.7.2",
-        "@typescript-eslint/typescript-estree": "6.7.2",
-        "@typescript-eslint/visitor-keys": "6.7.2",
+        "@typescript-eslint/scope-manager": "6.7.3",
+        "@typescript-eslint/types": "6.7.3",
+        "@typescript-eslint/typescript-estree": "6.7.3",
+        "@typescript-eslint/visitor-keys": "6.7.3",
         "debug": "^4.3.4"
       },
       "dependencies": {
         "@typescript-eslint/scope-manager": {
-          "version": "6.7.2",
-          "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.2.tgz",
-          "integrity": "sha512-bgi6plgyZjEqapr7u2mhxGR6E8WCzKNUFWNh6fkpVe9+yzRZeYtDTbsIBzKbcxI+r1qVWt6VIoMSNZ4r2A+6Yw==",
+          "version": "6.7.3",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.7.3.tgz",
+          "integrity": "sha512-wOlo0QnEou9cHO2TdkJmzF7DFGvAKEnB82PuPNHpT8ZKKaZu6Bm63ugOTn9fXNJtvuDPanBc78lGUGGytJoVzQ==",
           "dev": true,
           "requires": {
-            "@typescript-eslint/types": "6.7.2",
-            "@typescript-eslint/visitor-keys": "6.7.2"
+            "@typescript-eslint/types": "6.7.3",
+            "@typescript-eslint/visitor-keys": "6.7.3"
           }
         },
         "@typescript-eslint/types": {
-          "version": "6.7.2",
-          "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.2.tgz",
-          "integrity": "sha512-flJYwMYgnUNDAN9/GAI3l8+wTmvTYdv64fcH8aoJK76Y+1FCZ08RtI5zDerM/FYT5DMkAc+19E4aLmd5KqdFyg==",
+          "version": "6.7.3",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.7.3.tgz",
+          "integrity": "sha512-4g+de6roB2NFcfkZb439tigpAMnvEIg3rIjWQ+EM7IBaYt/CdJt6em9BJ4h4UpdgaBWdmx2iWsafHTrqmgIPNw==",
           "dev": true
         },
         "@typescript-eslint/typescript-estree": {
-          "version": "6.7.2",
-          "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.2.tgz",
-          "integrity": "sha512-kiJKVMLkoSciGyFU0TOY0fRxnp9qq1AzVOHNeN1+B9erKFCJ4Z8WdjAkKQPP+b1pWStGFqezMLltxO+308dJTQ==",
+          "version": "6.7.3",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.7.3.tgz",
+          "integrity": "sha512-YLQ3tJoS4VxLFYHTw21oe1/vIZPRqAO91z6Uv0Ss2BKm/Ag7/RVQBcXTGcXhgJMdA4U+HrKuY5gWlJlvoaKZ5g==",
           "dev": true,
           "requires": {
-            "@typescript-eslint/types": "6.7.2",
-            "@typescript-eslint/visitor-keys": "6.7.2",
+            "@typescript-eslint/types": "6.7.3",
+            "@typescript-eslint/visitor-keys": "6.7.3",
             "debug": "^4.3.4",
             "globby": "^11.1.0",
             "is-glob": "^4.0.3",
@@ -9922,12 +9933,12 @@
           }
         },
         "@typescript-eslint/visitor-keys": {
-          "version": "6.7.2",
-          "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.2.tgz",
-          "integrity": "sha512-uVw9VIMFBUTz8rIeaUT3fFe8xIUx8r4ywAdlQv1ifH+6acn/XF8Y6rwJ7XNmkNMDrTW+7+vxFFPIF40nJCVsMQ==",
+          "version": "6.7.3",
+          "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.7.3.tgz",
+          "integrity": "sha512-HEVXkU9IB+nk9o63CeICMHxFWbHWr3E1mpilIQBe9+7L/lH97rleFLVtYsfnWB+JVMaiFnEaxvknvmIzX+CqVg==",
           "dev": true,
           "requires": {
-            "@typescript-eslint/types": "6.7.2",
+            "@typescript-eslint/types": "6.7.3",
             "eslint-visitor-keys": "^3.4.1"
           }
         },
@@ -10995,15 +11006,15 @@
       "dev": true
     },
     "eslint": {
-      "version": "8.49.0",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.49.0.tgz",
-      "integrity": "sha512-jw03ENfm6VJI0jA9U+8H5zfl5b+FvuU3YYvZRdZHOlU2ggJkxrlkJH4HcDrZpj6YwD8kuYqvQM8LyesoazrSOQ==",
+      "version": "8.50.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.50.0.tgz",
+      "integrity": "sha512-FOnOGSuFuFLv/Sa+FDVRZl4GGVAAFFi8LecRsI5a1tMO5HIE8nCm4ivAlzt4dT3ol/PaaGC0rJEEXQmHJBGoOg==",
       "dev": true,
       "requires": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
         "@eslint/eslintrc": "^2.1.2",
-        "@eslint/js": "8.49.0",
+        "@eslint/js": "8.50.0",
         "@humanwhocodes/config-array": "^0.11.11",
         "@humanwhocodes/module-importer": "^1.0.1",
         "@nodelib/fs.walk": "^1.2.8",

package.json

@@ -39,20 +39,21 @@
     "@actions/http-client": "2.1.1",
     "@actions/tool-cache": "2.0.1",
     "@octokit/rest": "19.0.13",
+    "@octokit/webhooks-types": "7.3.1",
     "string-argv": "0.3.2"
   },
   "devDependencies": {
     "@types/node": "16.18.38",
     "@types/jest": "29.5.5",
     "@types/unzipper": "0.10.7",
-    "@typescript-eslint/parser": "6.7.2",
+    "@typescript-eslint/parser": "6.7.3",
     "@vercel/ncc": "0.38.0",
-    "eslint": "8.49.0",
+    "eslint": "8.50.0",
     "eslint-plugin-github": "4.10.0",
     "eslint-plugin-jest": "27.4.0",
     "eslint-plugin-prettier": "5.0.0",
     "jest": "29.7.0",
-    "js-yaml": "4.1.0", 
+    "js-yaml": "4.1.0",
     "patch-package": "8.0.0",
     "prettier": "3.0.3",
     "ts-jest": "29.1.1",

src/cache-cleaner.ts

@@ -42,7 +42,8 @@ export class CacheCleaner {
         )
         fs.writeFileSync(path.resolve(cleanupProjectDir, 'build.gradle'), 'task("noop") {}')
 
-        await exec.exec(`gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet noop`, [], {
+        const gradleCommand = `gradle -g ${this.gradleUserHome} --no-daemon --build-cache --no-scan --quiet -DGITHUB_DEPENDENCY_GRAPH_ENABLED=false noop`
+        await exec.exec(gradleCommand, [], {
             cwd: cleanupProjectDir
         })
     }

src/dependency-graph.ts

@@ -4,6 +4,8 @@ import * as github from '@actions/github'
 import * as glob from '@actions/glob'
 import * as toolCache from '@actions/tool-cache'
 import {GitHub} from '@actions/github/lib/utils'
+import {RequestError} from '@octokit/request-error'
+import type {PullRequestEvent} from '@octokit/webhooks-types'
 
 import * as path from 'path'
 import fs from 'fs'
@@ -13,16 +15,23 @@ import {DependencyGraphOption, getJobMatrix} from './input-params'
 
 const DEPENDENCY_GRAPH_ARTIFACT = 'dependency-graph'
 
-export function setup(option: DependencyGraphOption): void {
-    if (option === DependencyGraphOption.Disabled || option === DependencyGraphOption.DownloadAndSubmit) {
+export async function setup(option: DependencyGraphOption): Promise<void> {
+    if (option === DependencyGraphOption.Disabled) {
+        return
+    }
+    // Download and submit early, for compatability with dependency review.
+    if (option === DependencyGraphOption.DownloadAndSubmit) {
+        await downloadAndSubmitDependencyGraphs()
         return
     }
 
     core.info('Enabling dependency graph generation')
-    const jobCorrelator = getJobCorrelator()
     core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true')
-    core.exportVariable('GITHUB_JOB_CORRELATOR', jobCorrelator)
-    core.exportVariable('GITHUB_JOB_ID', github.context.runId)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', getJobCorrelator())
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_REF', github.context.ref)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', getShaFromContext())
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_WORKSPACE', layout.workspaceDirectory())
     core.exportVariable(
         'DEPENDENCY_GRAPH_REPORT_DIR',
         path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports')
@@ -32,6 +41,7 @@ export function setup(option: DependencyGraphOption): void {
 export async function complete(option: DependencyGraphOption): Promise<void> {
     switch (option) {
         case DependencyGraphOption.Disabled:
+        case DependencyGraphOption.DownloadAndSubmit: // Performed in setup
             return
         case DependencyGraphOption.Generate:
             await uploadDependencyGraphs()
@@ -39,8 +49,6 @@ export async function complete(option: DependencyGraphOption): Promise<void> {
         case DependencyGraphOption.GenerateAndSubmit:
             await submitDependencyGraphs(await uploadDependencyGraphs())
             return
-        case DependencyGraphOption.DownloadAndSubmit:
-            await downloadAndSubmitDependencyGraphs()
     }
 }
 
@@ -63,21 +71,37 @@ async function downloadAndSubmitDependencyGraphs(): Promise<void> {
 }
 
 async function submitDependencyGraphs(dependencyGraphFiles: string[]): Promise<void> {
-    const octokit = getOctokit()
-
     for (const jsonFile of dependencyGraphFiles) {
-        const jsonContent = fs.readFileSync(jsonFile, 'utf8')
-
-        const jsonObject = JSON.parse(jsonContent)
-        jsonObject.owner = github.context.repo.owner
-        jsonObject.repo = github.context.repo.repo
-        const response = await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject)
-
-        const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
-        core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
+        try {
+            await submitDependencyGraphFile(jsonFile)
+        } catch (error) {
+            if (error instanceof RequestError) {
+                const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+                core.warning(
+                    `Failed to submit dependency graph ${relativeJsonFile}.\n` +
+                        "Please ensure that the 'contents: write' permission is available for the workflow job.\n" +
+                        "Note that this permission is never available for a 'pull_request' trigger from a repository fork."
+                )
+            } else {
+                throw error
+            }
+        }
     }
 }
 
+async function submitDependencyGraphFile(jsonFile: string): Promise<void> {
+    const octokit = getOctokit()
+    const jsonContent = fs.readFileSync(jsonFile, 'utf8')
+
+    const jsonObject = JSON.parse(jsonContent)
+    jsonObject.owner = github.context.repo.owner
+    jsonObject.repo = github.context.repo.repo
+    const response = await octokit.request('POST /repos/{owner}/{repo}/dependency-graph/snapshots', jsonObject)
+
+    const relativeJsonFile = getRelativePathFromWorkspace(jsonFile)
+    core.notice(`Submitted ${relativeJsonFile}: ${response.data.message}`)
+}
+
 async function retrieveDependencyGraphs(workspaceDirectory: string): Promise<string[]> {
     if (github.context.payload.workflow_run) {
         return await retrieveDependencyGraphsForWorkflowRun(github.context.payload.workflow_run.id, workspaceDirectory)
@@ -149,7 +173,26 @@ function getRelativePathFromWorkspace(file: string): string {
     return path.relative(workspaceDirectory, file)
 }
 
-export function getJobCorrelator(): string {
+function getShaFromContext(): string {
+    const context = github.context
+    const pullRequestEvents = [
+        'pull_request',
+        'pull_request_comment',
+        'pull_request_review',
+        'pull_request_review_comment'
+        // Note that pull_request_target is omitted here.
+        // That event runs in the context of the base commit of the PR,
+        // so the snapshot should not be associated with the head commit.
+    ]
+    if (pullRequestEvents.includes(context.eventName)) {
+        const pr = (context.payload as PullRequestEvent).pull_request
+        return pr.head.sha
+    } else {
+        return context.sha
+    }
+}
+
+function getJobCorrelator(): string {
     return constructJobCorrelator(github.context.workflow, github.context.job, getJobMatrix())
 }
 

src/resources/init-scripts/gradle-build-action.github-dependency-graph-gradle-plugin-apply.groovy

@@ -3,7 +3,7 @@ buildscript {
     maven { url "https://plugins.gradle.org/m2/" }
   }
   dependencies {
-    classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0"
+    classpath "org.gradle:github-dependency-graph-gradle-plugin:0.4.1"
   }
 }
 apply plugin: org.gradle.github.GitHubDependencyGraphPlugin

src/resources/init-scripts/gradle-build-action.github-dependency-graph.init.gradle

@@ -1,7 +1,7 @@
 import org.gradle.util.GradleVersion
 
 // Only run when dependency graph is explicitly enabled
-if (System.env.GITHUB_DEPENDENCY_GRAPH_ENABLED != "true") {
+if (getVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED') != "true") {
   return
 }
 
@@ -15,10 +15,10 @@ if (GradleVersion.current().baseVersion < GradleVersion.version("5.0")) {
 // This is only required for top-level builds
 def isTopLevelBuild = gradle.getParent() == null
 if (isTopLevelBuild) {
-  def reportFile = getUniqueReportFile(System.env.GITHUB_JOB_CORRELATOR)
+  def reportFile = getUniqueReportFile(getVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR'))
 
   if (reportFile == null) {
-    println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_JOB_CORRELATOR var for this step."
+    println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR var for this step."
     return
   }
 
@@ -40,7 +40,7 @@ apply from: 'gradle-build-action.github-dependency-graph-gradle-plugin-apply.gro
  * - When found, this value is set as a System property override.
  */
 File getUniqueReportFile(String jobCorrelator) {
-    def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR
+    def reportDir = getVariable('DEPENDENCY_GRAPH_REPORT_DIR')
     def reportFile = new File(reportDir, jobCorrelator + ".json")
     if (!reportFile.exists()) return reportFile
 
@@ -49,7 +49,7 @@ File getUniqueReportFile(String jobCorrelator) {
         def candidateCorrelator = jobCorrelator + "-" + i
         def candidateFile = new File(reportDir, candidateCorrelator + ".json")
         if (!candidateFile.exists()) {
-           System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator
+           System.properties['GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR'] = candidateCorrelator
            return candidateFile
         }
     }
@@ -57,3 +57,10 @@ File getUniqueReportFile(String jobCorrelator) {
     // Could not determine unique job correlator
     return null
 }
+
+/**
+* Return the environment variable value, or equivalent system property (if set)
+*/
+String getVariable(String name) {
+  return System.properties[name] ?: System.getenv(name)
+}

src/setup-gradle.ts

@@ -38,7 +38,7 @@ export async function setup(): Promise<void> {
 
     core.saveState(CACHE_LISTENER, cacheListener.stringify())
 
-    dependencyGraph.setup(params.getDependencyGraphOption())
+    await dependencyGraph.setup(params.getDependencyGraphOption())
 }
 
 export async function complete(): Promise<void> {
@@ -62,7 +62,7 @@ export async function complete(): Promise<void> {
         logJobSummary(buildResults, cacheListener)
     }
 
-    dependencyGraph.complete(params.getDependencyGraphOption())
+    await dependencyGraph.complete(params.getDependencyGraphOption())
 }
 
 async function determineGradleUserHome(): Promise<string> {

test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestDependencyGraph.groovy

@@ -110,11 +110,11 @@ class TestDependencyGraph extends BaseInitScriptTest {
     def getEnvVars() {
         return [
             GITHUB_DEPENDENCY_GRAPH_ENABLED: "true",
-            GITHUB_JOB_CORRELATOR: "CORRELATOR",
-            GITHUB_JOB_ID: "1",
-            GITHUB_REF: "main",
-            GITHUB_SHA: "123456",
-            GITHUB_WORKSPACE: testProjectDir.absolutePath,
+            GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR: "CORRELATOR",
+            GITHUB_DEPENDENCY_GRAPH_JOB_ID: "1",
+            GITHUB_DEPENDENCY_GRAPH_REF: "main",
+            GITHUB_DEPENDENCY_GRAPH_SHA: "123456",
+            GITHUB_DEPENDENCY_GRAPH_WORKSPACE: testProjectDir.absolutePath,
             DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath,
             GITHUB_OUTPUT: gitHubOutputFile.absolutePath
         ]