
Hide snapshot warning messages if not needed #626

Closed
Tracked by #567
febuiles opened this issue Nov 27, 2023 · 12 comments
Labels
Keep Exempt this from stalebot

Comments

@febuiles
Contributor

Users who are not using dependency snapshots should not be seeing this warning message in their runs:

Image

Triage notes:

  1. This block in main.ts is in charge of printing the warnings.
  2. The warnings themselves are gathered in dependency-graph.ts
  3. In my [very limited] local testing, the server responds with an empty string, which leads to the printing in (1) being skipped (expected behavior).

I can confirm that I'm getting the correct response header (empty):

```
gh api --verbose repos/future-funk/fantastic-invention/dependency-graph/compare/febuiles-patch-1^...febuiles-patch-1 | grep 'X-Github'
< X-Github-Api-Version-Selected: 2022-11-28
# here
< X-Github-Dependency-Graph-Snapshot-Warnings:
< X-Github-Media-Type: github.v3; format=json
< X-Github-Request-Id: E503:F980:E81D500:EB187EE:65644914
```

@louis-bompart @virangdoshi What Dependency-Snapshot-Warning do you receive when running the Action in a problematic PR?

@juxtin
Contributor

juxtin commented Nov 27, 2023

Do we have an example repository where this is happening?

@virangdoshi

@febuiles The "snapshot warning" header field contains the following error: `No snapshots were found for the head SHA <The actual SHA>`. That is the same message that shows up in the Actions run log.

Can the snapshot checks be disabled (or not added to the summary) with a configuration option or some other mechanism?

@febuiles
Contributor Author

febuiles commented Nov 29, 2023

@virangdoshi is this happening on a public repo, or do you have a way to reproduce it and share the result?

I don't mind considering the idea of disabling snapshots with an option, but would like to see if we can't fix this in the first place.

@virangdoshi

@febuiles I am not familiar with snapshots and do not have a way to reproduce this in a public repo.

@lucacome

I just saw this warning for the first time here nginxinc/nginx-gateway-fabric#1581 if it can help fix this.

@febuiles
Contributor Author

febuiles commented Feb 15, 2024

@lucacome that's very useful, thank you!

Here's the API output of running DR on that PR:

```
$ gh api --verbose repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
* Request at 2024-02-15 07:15:27.983708 +0100 CET m=+0.067214959
* Request to https://api.github.com/repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
> GET /repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e HTTP/1.1
> Host: api.github.com
> Accept:
> Authorization: token ...
> Content-Type: application/json; charset=utf-8

< HTTP/2.0 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< Cache-Control: private, max-age=60, s-maxage=60
< Content-Security-Policy: default-src 'none'
< Content-Type: application/json; charset=utf-8
< Date: Thu, 15 Feb 2024 06:15:28 GMT
< Etag: W/"fdd68e99f804c0b800278fd1d2cbc3081625e07df7c8515db7ac36d2dbebb2e9"
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: github.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-Accepted-Oauth-Scopes:
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Api-Version-Selected: 2022-11-28
< X-Github-Dependency-Graph-Snapshot-Warnings: Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==
< X-Github-Media-Type: github.v3; format=json
< X-Github-Request-Id: F047:0FB0:9FFED:A2818:65CDAC00
< X-Oauth-Client-Id: 178c6fc778ccc68e1d6a
< X-Oauth-Scopes: admin:public_key, codespace, gist, read:org, repo
...

[
  {
    "change_type": "added",
    "manifest": ".github/workflows/fossa.yml",
    "ecosystem": "actions",
    "name": "fossas/fossa-action",
    "version": "32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
    "package_url": "pkg:githubactions/fossas/fossa-action@32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
    "license": null,
    "source_repository_url": "https://github.com/fossas/fossa-action",
    "scope": "runtime",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": ".github/workflows/fossa.yml",
    "ecosystem": "actions",
    "name": "fossas/fossa-action",
    "version": "f61a4c0c263690f2ddb54b9822a719c25a7b608f",
    "package_url": "pkg:githubactions/fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f",
    "license": null,
    "source_repository_url": "https://github.com/fossas/fossa-action",
    "scope": "runtime",
    "vulnerabilities": []
  }
]

* Request took 271.863292ms
```

The snapshots warning matches the error being displayed:

```
< X-Github-Dependency-Graph-Snapshot-Warnings: Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==
# decodes to: No snapshots were found for the head SHA bbe5d8e0a4996fe69c3a58b55b160ea959445ca5.
```

@juxtin The repo (nginxinc/nginx-gateway-fabric) contains a single snapshot generated on 2023-03-29: https://gist.github.com/febuiles/b99c8d92ead98029495b4b014cff9f9b. The only "weird" thing I see in the snapshot is that the lockfile referenced in it now lives somewhere else in the repo. Do you see anything that could be generating the warnings?

@lucacome

Sorry to hijack the conversation for a second, but I'm still not sure what this dependency snapshot is and why it was only generated on 2023-03-29. Should it be generated more frequently? Is it something that we're missing in the repo?

@febuiles
Contributor Author

@lucacome I'm sorry you ran into this. You can read more about dependency snapshots here. They provide a way to capture build-time information of projects to complement the static analysis Dependency Graph does.

Looking at the detector name (GitHub Dependabot Push-Time Snapshot) it looks like this came from a GitHub internal tool/experiment. I'll make sure this snapshot is disabled from your repo. Maybe snapshots generated by this tool are the ones causing issues (cc @juxtin).

@febuiles
Contributor Author

@lucacome can you try to re-run the Action? You don't need to merge, but I think the problem has been resolved for your repo. The Github-Dependency-Graph-Snapshot-Warnings header is now empty when calling the API manually:

```
gh api --verbose repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
```

@lucacome

@febuiles the warning is gone, thanks! 🎉

@febuiles febuiles added the Keep Exempt this from stalebot label Feb 20, 2024
@juxtin
Contributor

juxtin commented Mar 15, 2024

Thanks everyone, I've merged a fix for this on the service side, so we shouldn't see any more of these spurious warnings.

@juxtin juxtin closed this as completed Mar 15, 2024
@wjglerum

It seems like we still get this error in our workflow:

```
⚠️: No snapshots were found for the head SHA 1234.
```

If I query the REST API I do get an empty array as a response (which makes sense as no dependencies have changed):

```
gh api --verbose repos/foo/bar/dependency-graph/compare/main...1234
```

which simply returns `[]`.

Shouldn't this action handle this case gracefully instead?

Cause this is quite confusing for our users who see this error on their PRs or as annotation in their checks on their PR.
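The warning path discussed in this thread (the base64 `X-Github-Dependency-Graph-Snapshot-Warnings` header decoded and printed by the Action, and the last comment's point that an empty diff should not produce a warning) as an added example. This is not code from dependency-review-action; `shouldSurfaceWarnings` implements the commenter's suggestion as an assumption, and the newline-separated multi-warning format is also assumed.

```typescript
// Added example, not code from dependency-review-action. It models the path this
// thread describes: the compare API's X-Github-Dependency-Graph-Snapshot-Warnings
// header is base64, and an empty or missing header means there is nothing to print.

interface DependencyChange {
  change_type: 'added' | 'removed'
  name: string
  version: string
}

const WARNINGS_HEADER = 'x-github-dependency-graph-snapshot-warnings'

// Decode the warnings header into a list of messages. Header names are matched
// case-insensitively because gh, Node and fetch differ in how they case them.
// A missing, blank or whitespace-only header yields [] rather than a phantom warning.
function decodeSnapshotWarnings(headers: Record<string, string | undefined>): string[] {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === WARNINGS_HEADER)
  const raw = entry?.[1]?.trim()
  if (!raw) return []
  const decoded = Buffer.from(raw, 'base64').toString('utf8').trim()
  // Assumption: if several warnings are ever sent, they are newline separated.
  return decoded.split('\n').map(line => line.trim()).filter(line => line.length > 0)
}

// Decide whether warnings are worth surfacing on the PR. This is the suggestion from
// the last comment, written as an assumption, not the Action's actual behaviour: a diff
// with no dependency changes has nothing a snapshot could have influenced, so the
// "no snapshots for head SHA" message would only confuse repos that never use snapshots.
function shouldSurfaceWarnings(changes: DependencyChange[], warnings: string[]): boolean {
  return warnings.length > 0 && changes.length > 0
}

// Render warnings in the "⚠️:" form shown in the Actions log, or null when nothing is printed.
function renderWarnings(changes: DependencyChange[], warnings: string[]): string | null {
  if (!shouldSurfaceWarnings(changes, warnings)) return null
  return warnings.map(w => `⚠️: ${w}`).join('\n')
}

// Constructed sample input: the header value quoted above and the two-entry diff from the same API call.
const SAMPLE_HEADER =
  'Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg=='
const SAMPLE_CHANGES: DependencyChange[] = [
  { change_type: 'added', name: 'fossas/fossa-action', version: '32c7979e971182f1e7602ed5d2b9ae0f5a6933d1' },
  { change_type: 'removed', name: 'fossas/fossa-action', version: 'f61a4c0c263690f2ddb54b9822a719c25a7b608f' },
]

console.log(renderWarnings(SAMPLE_CHANGES, decodeSnapshotWarnings({ 'X-Github-Dependency-Graph-Snapshot-Warnings': SAMPLE_HEADER })))
console.log(renderWarnings([], decodeSnapshotWarnings({ 'X-Github-Dependency-Graph-Snapshot-Warnings': SAMPLE_HEADER })))
```

The first call prints the warning seen in the nginx-gateway-fabric run; the second (empty diff, as in the `[]` case above) prints `null`, i.e. nothing is surfaced.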

5 participants