Skip to content

Skip dependency submission on PR events#451

Merged
vorburger merged 2 commits into
developfrom
copilot/update-dependency-submission-job
Jun 6, 2026
Merged

Skip dependency submission on PR events#451
vorburger merged 2 commits into
developfrom
copilot/update-dependency-submission-job

Conversation

Copilot AI commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

dependency-submission was running on both push and pull_request, causing fork PR runs to fail with Resource not accessible by integration due to unavailable write-scoped token permissions. This change keeps PR build validation intact while restricting dependency graph submission to trusted push events.

  • Workflow behavior change

    • Added a job-level guard on .github/workflows/gradle.yaml so dependency-submission runs only on push.
    • Left build job and workflow triggers unchanged, so PRs to develop still execute normal build checks.
  • Scope

    • Single-line, job-local condition; no changes to build steps, permissions model, or trigger definitions beyond execution gating for dependency submission.
dependency-submission:
  if: github.event_name == 'push'
  runs-on: ubuntu-latest
  permissions:
    contents: write
  steps:
    # unchanged
Original prompt

The GitHub Actions job failed in repository OASIS-learn-study/minecraft-storeys-maker for workflow .github/workflows/gradle.yaml.

Failure details:

  • Workflow run: 26871408612
  • Job ID: 79247391460
  • PR number associated with the failing run: #450
  • The failure is in the dependency-submission job.
  • Logs show: Resource not accessible by integration and note that this permission is never available for a pull_request trigger from a repository fork.

Repository context:

  • Workflow file: .github/workflows/gradle.yaml
  • Current workflow triggers on both push and pull_request to develop.
  • The dependency-submission job requests contents: write and uses gradle/actions/dependency-submission.

Requested change:

  • Update the workflow so that dependency submission does not run on pull_request events from forks where write permissions are unavailable.
  • Keep normal build validation running for pull requests.
  • Preferred fix: restrict the dependency-submission job to trusted events such as push.

Implementation guidance:

  • Modify .github/workflows/gradle.yaml.
  • Add a job-level condition so dependency-submission runs only when github.event_name == 'push'.
  • Do not remove the existing build job.
  • Keep the workflow otherwise minimally changed.

Acceptance criteria:

  • PRs against develop still run the build job.
  • The dependency-submission job is skipped on pull_request events.
  • Pushes to develop still run dependency submission.
  • Open a pull request with the workflow fix.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The failure is in the dependency-submission job, not the Gradle build itself.

Root cause

The logs show:

  • Resource not accessible by integration
  • Please ensure that the 'contents: write' permission is available for the workflow job.
  • Note that this permission is never available for a 'pull_request' trigger from a repository fork.

The workflow confirms that the failing step is the dependency graph upload in .github/workflows/gradle.yaml:

  • pull_request trigger on lines 7–8
  • dependency-submission job on lines 32–47
  • contents: write requested on lines 34–35
  • gradle/actions/dependency-submission used on lines 46–47

Source: https://github.com/OASIS-learn-study/minecraft-storeys-maker/blob/b61dc354c8be6e45d31c03ed8910fc357895eea8/.github/workflows/gradle.yaml

Why it fails

For PRs coming from forks, GitHub does not grant the write-capable token needed to submit the dependency graph, even if the workflow asks for contents: write. So this job is expected to fail on fork-based pull_request runs.

Fix

Do not run the dependency-submission job on pull_request. Run it only on trusted events like push to develop.

A focused fix is:

name: Java CI with Gradle

on:
  push:
    branches: [ "develop" ]
  pull_request:
    branches: [ "develop" ]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
    - uses: actions/checkout@v4
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582
    - name: Build with Gradle Wrapper
      run: ./gradlew build -x test

  dependency-submission:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write

    steps:
    - uses: actions/checkout@v4
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'
    - name: Generate and submit dependency graph
      uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582

Minimal patch

If you want the smallest possible change to .github/workflows/gradle.yaml, add this line under the dependency-submission job:

dependency-submission:
  if: github.event_name == 'push'

Result

This keeps CI validation for PRs, while only running dependency submission where GitHub provides the required permissions.

User: raise a CL to fix this?

Assistant: I’m waiting for your confirmation on the proposed pull request creation, and once you accept it I’ll proceed with the fix.

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Update dependency submission job for pull requests from forks Skip dependency submission on PR events Jun 6, 2026
Copilot AI requested a review from vorburger June 6, 2026 14:14
@vorburger
vorburger marked this pull request as ready for review June 6, 2026 14:21
Copilot AI review requested due to automatic review settings June 6, 2026 14:21

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the GitHub Actions workflow to prevent the dependency-submission job from running on pull_request events (notably fork PRs), where write-scoped permissions are unavailable and cause failures, while keeping normal PR build validation intact.

Changes:

  • Added a job-level if: github.event_name == 'push' guard to the dependency-submission job.
  • Kept existing workflow triggers and the build job unchanged so PRs to develop still run build checks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@vorburger
vorburger enabled auto-merge (rebase) June 6, 2026 14:25
@vorburger
vorburger disabled auto-merge June 6, 2026 14:25
@vorburger
vorburger merged commit 7138dea into develop Jun 6, 2026
3 checks passed
@vorburger
vorburger deleted the copilot/update-dependency-submission-job branch June 6, 2026 14:26
@vorburger vorburger mentioned this pull request Jun 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants