Incorrect endpoint used to submit Dependency Graph on GitHub Enterprise

[n0rdy]

Hello there!

Thanks for the development of this plugin, and especially for the recent Dependency Graph Submission feature - it's pretty useful to make Dependabot work with Gradle.

While configuring the workflow, I experienced the issue that happens in the post-action stage:

Warning: Unhandled error in Gradle post-action - job will continue: HttpError: Not Found
HttpError: Not Found
    at /runner/_work/_actions/gradle/gradle-build-action/v2/dist/post/index.js:50[98]
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

Some context:

• it happens for the GitHub Enterprise Server (we using v.3.8.1)
• our workflow setup looks like this:

name: Gradle Dependency Submission
on:
  push:
    branches:
         - main

jobs:
  gradle-action-detection:
    runs-on: [ ubuntu-latest ]
    permissions:
      contents: write
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4

      - name: Setup Java 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: corretto

      - name: Setup Gradle to generate and submit dependency graphs
        uses: gradle/gradle-build-action@v2
        with:
          dependency-graph: generate-and-submit

      - name: Run a build, generating the dependency graph snapshot which will be submitted
        run: ./gradlew build

The provided error happens for the Post Setup Gradle to generate and submit dependency graphs step.

Based on the logs, I can see that the error is originated here:

await submitDependencyGraphs(await uploadDependencyGraphs())

when the submitDependencyGraphs method is called.

I noticed that there is the exact endpoint hardcoded, so I wonder whether that could be somehow related to the differences between the regular GitHub and GitHub Enterprise: according to the GitHub Docs, there is a slight diff:

• regular GitHub: https://api.github.com/repos/OWNER/REPO/dependency-graph/snapshots
• GitHub Enterprise: http(s)://HOSTNAME/api/v3/repos/OWNER/REPO/dependency-graph/snapshots

Maybe, it seems like this might be somehow resolved by the Octokit library you are using under the hood. However, I didn't manage to find the answer while browsing the codebase.

Also, I double-checked that:

• the Dependency Submission endpoint is available within our GitHub server
• tried calling it with different scenarios via curl (without a token, without /api/v3, with the wrong token), and I can't get a Not found response from it - so it doesn't seem to be some permissions-related issue.

Question:
Is it me doing something wrong, or is it something that is not supported by this action?

Any help here is appreciated.
Thanks a lot!

[bigdaz]

Thanks for your detailed report. I'm not able to test this action on GitHub Enterprise, so it's quite possible you've discovered a genuine issue.

It looks like we'll need to initialize Oktokit with your GitHub Enterprise server URL: https://github.com/octokit/octokit.js#constructor-options.
The value should be available in the [GITHUB_SERVER_URL](https://docs.github.com/en/enterprise-cloud@latest/actions/learn-github-actions/variables#default-environment-variables) environment variable.

If you could fork the action, try this out, and submit a PR, that would really help.

[n0rdy]

Thanks for your detailed report. I'm not able to test this action on GitHub Enterprise, so it's quite possible you've discovered a genuine issue.

It looks like we'll need to initialize Oktokit with your GitHub Enterprise server URL: https://github.com/octokit/octokit.js#constructor-options. The value should be available in the [GITHUB_SERVER_URL](https://docs.github.com/en/enterprise-cloud@latest/actions/learn-github-actions/variables#default-environment-variables) environment variable.

If you could fork the action, try this out, and submit a PR, that would really help.

Hey! Thanks for the reply. I'll try to do the suggested fork approach, but it will take some time due to the security processes.

[bigdaz]

No problem. This should already be fixed on the main branch, and I plan to release a 2.8.1 with the fix shortly.

[bigdaz]

@n0rdy I've released v2.8.1 (aliased to v2) with the fix. It would be helpful if you could test and confirm that Dependency Submission now works for you on GitHub Enterprise.

[n0rdy]

@n0rdy I've released v2.8.1 (aliased to v2) with the fix. It would be helpful if you could test and confirm that Dependency Submission now works for you on GitHub Enterprise.

I gave it a try: the error is gone and the dependency graph was submitted - thanks a lot!

The Dependabot security update failed with the same error as I described within the issue report to another dependency submission action library, but I guess it's the issue on the Dependabot end.

Thanks again for the fix!