FOSSA dependency review failing in PRs #841

Closed
edgarrmondragon opened this issue Jul 20, 2022 · 7 comments · Fixed by #849

edgarrmondragon commented Jul 20, 2022

Error:  ----------
  An issue occurred

  >>> Details
    Cannot collect revision data without a valid base directory

  >>> Relevant errors

    Error

      Directory does not exist: /home/runner/work/sdk/sdk/ae234bd118a50480185366e279bd2068bb077230/

      Traceback:
        - Validating configuration

    Error

      Directory does not exist: /home/runner/work/sdk/sdk/ae234bd118a50480185366e279bd2068bb077230/

      Traceback:
        - Validating configuration

(Source: https://github.com/meltano/sdk/runs/7404388245?check_suite_focus=true, step 4)

Re-running the job works, but logging this in case there's something we're missing to make it work the first time.

@edgarrmondragon edgarrmondragon changed the title Dependency review failing in dependabot updates Dependency review failing in PRs Jul 20, 2022
@edgarrmondragon edgarrmondragon changed the title Dependency review failing in PRs FOSSA dependency review failing in PRs Jul 20, 2022
@WillDaSilva WillDaSilva self-assigned this Jul 20, 2022
@WillDaSilva
Member

Re-running the job works

Didn't work when I tried it. Maybe there's some kind of race condition here, or some other non-deterministic behaviour 😬

@edgarrmondragon
Collaborator Author

Didn't work when I tried it. Maybe there's some kind of race condition here, or some other non-deterministic behaviour 😬

@WillDaSilva interesting. It did work for some dependabot PRs, so it certainly could be a race condition:

WillDaSilva commented Jul 20, 2022

What seems to be happening is that when we run fossa <command> --fossa-api-key ${{ secrets.MELTYBOT_FOSSA_API_KEY }} --revision ${{ github.sha }} the secret API key is an empty string. This is caused by us using the pull_request event to trigger the workflow (which doesn't have access to secrets when run from a fork) instead of pull_request_target.

When the secret API key is an empty string, --revision is treated as the API key. This results in fossa using the commit SHA as its optional [DIR] argument, which explains the error messages we've been seeing:

Directory does not exist: /home/runner/work/meltano/meltano/b7bb77d175fa02aba384583152bfb0c197bdafc1/

It should be safe for us to use pull_request_target for the dependency review workflow, though that may not work for dependency-review-action, which might only be usable with pull_request events. If that is the case, they'll have to be separated into different workflows.

As for what happened with Dependabot and fixing it by re-running it: I don't know how to explain that given the problem explained above. Maybe it had access to the secret somehow on the re-run?
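As an added illustration (not code from the meltano/sdk workflow, nor from the FOSSA CLI), the bash script below reproduces the argument shift described in the comment above with a hypothetical stand-in parser, and then shows the guard a practitioner would put in front of the real call: refuse to run when the secret is empty instead of letting the CLI misread `--revision` as the key and the SHA as the `[DIR]` argument. The parser `parse_fossa_args`, the helper functions, and the SHA values are all constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not the meltano/sdk workflow or the FOSSA CLI.
# Reproduces the argument shift discussed in the thread with a hypothetical
# stand-in parser, then shows a fail-fast guard for the real call.

# Hypothetical stand-in for the CLI's option parsing: each flag consumes the
# next word as its value, and any leftover bare word becomes the [DIR] positional.
parse_fossa_args() {
  api_key="" revision="" dir=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --fossa-api-key) api_key="$2"; shift 2 ;;
      --revision)      revision="$2"; shift 2 ;;
      *)               dir="$1"; shift ;;
    esac
  done
  printf 'api_key=%s revision=%s dir=%s\n' "$api_key" "$revision" "$dir"
}

# What the workflow's `run:` step effectively does: the secret is expanded
# unquoted, so an empty secret vanishes and the following words shift left.
# $1 = secret value, $2 = commit SHA
build_unquoted() {
  parse_fossa_args --fossa-api-key $1 --revision "$2"
}

# Guard: refuse to run at all when the secret is empty (the situation on
# `pull_request` runs from forks), rather than letting the CLI misread
# `--revision` as the key and the SHA as a directory.
# $1 = variable name (for the message), $2 = value
require_secret() {
  if [ -z "$2" ]; then
    echo "refusing to run: $1 is empty; secrets are not exposed to pull_request runs from forks" >&2
    return 1
  fi
}

# $1 = secret value, $2 = commit SHA
run_fossa_safely() {
  require_secret FOSSA_API_KEY "$1" || return 1
  parse_fossa_args --fossa-api-key "$1" --revision "$2"
}

# Demo with a constructed SHA:
build_unquoted "" 3f2a9c1             # api_key=--revision revision= dir=3f2a9c1
run_fossa_safely "" 3f2a9c1 || true   # refuses, message on stderr
run_fossa_safely example-key 3f2a9c1  # api_key=example-key revision=3f2a9c1 dir=
```

Two practical notes. First, `${{ secrets.X }}` is substituted into the `run:` script before the shell sees it, so an empty secret leaves the literal text `--fossa-api-key --revision <sha>` on the command line; quoting the expansion in YAML would at least keep an empty string in place, but a guard like `require_secret` is what turns the misleading "Directory does not exist" into a clear failure. Second, `pull_request_target` grants the base repository's secrets to the job, so a workflow using it must not check out and execute anything the pull request can influence (install hooks, build scripts, tool plugins) unless that risk is accepted; this is a general property of the event, not a claim about this repository's workflow.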

@WillDaSilva
Member

actions/dependency-review-action#30

I'm going to open a PR for actions/dependency-review-action to add support for pull_request_target (and others). Should be a matter of removing the check for the triggering event, and then adding error handling that ensures that both a head ref and base ref are provided.

@edgarrmondragon
Collaborator Author

Maybe it had access to the secret somehow on the re-run?

@WillDaSilva Ah yes! That's the same thing that happens with other workflows that use secrets. Triggering them manually (as an admin) fixes them because they then have access to the secrets.

@WillDaSilva
Member

PR for dependency-review-action is up here: actions/dependency-review-action#165

In the meantime we can use my fork.

edgarrmondragon pushed a commit that referenced this issue Jul 21, 2022
Use `pull_request_target` for dependency review workflow

Closes #841