REST API endpoints for dependency submission doesn't explain how to enable dependencies #36123
Comments
Hi @jsoref, and thanks for raising an issue for this—I'll get this triaged now 👍
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀
hi @jsoref - PM for dependency graph here 👋 I see that there was a successful run of this action so I think the error you saw was a transient problem.
The docs url will be updated to point to this doc instead but it's weird that you would see that error in the first place. Thanks for the report, we'll get to the bottom of this!
@ahpook: no, it wasn't a transient failure, it failed because I hadn't enabled the required feature (dependencies). Once I enabled them, a rerun worked. But the problem is that the error path should take me to a page that clearly explains how to enable the feature. It doesn't matter that I've done it a dozen times over the past half dozen years or whatever, I don't do it every day. For a random repository,

There's no way for me to disable this feature, so it's a one-way taint. I do have an infinite number of additional repositories I can use to play with it (but you can too, repositories are cheap). There are half a dozen knobs for github repositories to enable features, and this one is the furthest out of the way of all of them. Almost all knobs are within

In general, as a user, when I read an error that says I need to do something, I try to follow the instructions, or if it says I need to enable something, I go to settings and look, or maybe I go to the docs. None of those paths work for this product area.
Ah, gotcha sorry - I thought that dependency graph was enabled, but you still got the error. There is also an enable button in Settings, under "Code Security" - I take your point though.
The documentation https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository is misleading, it talks about enabling/disabling the graph for private repositories, but as noted, it applies to public repositories.
GitHub's settings are sufficiently complicated at this point that they should have search, just like browser settings have search.
Good point @jsoref - there is an inconsistency in the docs - the correct answer is that Dependency Graph is automatically on for new public repos, but needs to be enabled specifically for both private repos and forks of upstream projects. This one is correct: But the 'configuring the dependency graph' doc is wrong. We'll get that cleaned up.
Many thanks for reporting this, @jsoref! We'll fix this internally, and add you as a co-committer.
Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue.
Just following up that the commit has now been synced with this repo fbb550a Many thanks again for your help
Thanks @subatoi ... Line 36 in fbb550a
Shouldn't that say something about forks? (I know it later says you can enable it for forks, but that doesn't make sense if this part doesn't include a qualifier.) I don't know how to fix the wording, it's something like "public source repositories" but, I don't think that terminology makes sense to normal readers. (This note applies to a number of paragraphs in that commit.)
Also, please note that this ticket was originally filed about the REST help which still needs help. HTTP response status codes for "Create a snapshot of dependencies for a repository" lists a single status code:
It doesn't mention 404 nor does it link to the content that you've updated. |
I'm not sure we really have the right terminology to account for that: I know what you mean by "source repository" but that's not something we'd use, and the term "upstream" would only make sense if it had actually been forked. It's a limitation of technical content in general, but since this is an edge case, the idea was to make sure that somebody reading could distinguish between a "repository" and a "fork" in the context. I accept your point that it's not perfect, but the risk is that we'd end up with such contrived language that we'd lose readability overall. On the second point, yes, I didn't make this clear but there's a separate issue to track fixing the error message—that's being tracked internally with its own issue as it's not something we can accept open-source contributions on.
https://github.com/orgs/github/repositories?q=mirror%3Afalse+fork%3Afalse+archived%3Afalse has a

https://docs.github.com/en/search-github/searching-on-github/searching-for-repositories doesn't talk about

It's a problem, and I'd love for someone to fix it. I don't have the resources to, and I understand it's hard since it's terminology.
Thanks, I appreciate that. I'm so used to the docbot making an annotation that it had copied a thing over to work on the REST side. |
I accept your point—let me create an issue to see if there's something we can do about it. Since it'll almost certainly affect more content than just what we've referenced here, it'll need to be done internally, so I can't commit to a timeframe. But to be clear, I do accept your point 👍 |
FWIW we're tracking that docs link in the 404 error separately as a Dependency Graph engineering fix |
What article on docs.github.com is affected?
https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
What part(s) of the article would you like to see updated?
Something should explain how to resolve:
Additional information
There's an action, it triggers this API call, which yielded the above error. The link is to a document that doesn't explain how to do the thing
Yes, this has to be copied to the internal repository.
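The failure described in this issue is a snapshot submission that comes back 404 because the dependency graph is not enabled for the repository. The following is an added example, not GitHub's code and not the action the reporter used: it builds a minimal snapshot body in the shape documented for `POST /repos/{owner}/{repo}/dependency-graph/snapshots` (API version 2022-11-28), submits it, and turns the status code into actionable guidance instead of a bare "Not Found". The detector name, the sample package, and the settings URL `https://github.com/{owner}/{repo}/settings/security_analysis` are assumptions made for the example; the `post` parameter exists so the logic can be exercised offline with a stand-in transport.

```python
"""Submit a dependency snapshot and explain a 404 on the way back.

Added example (not GitHub's code). Assumes the request shape documented
for POST /repos/{owner}/{repo}/dependency-graph/snapshots and that a 404
on that endpoint means the dependency graph is not enabled for the
repository (as reported in this issue) or the token cannot see the repo.
"""
import json
import re
from datetime import datetime, timezone
from urllib import error, request

API = "https://api.github.com"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def build_snapshot(sha, ref, job_id, correlator, manifest_path, packages, scanned=None):
    """Build a minimal snapshot body.

    packages: list of (package_url, relationship) tuples, for example
    ("pkg:pypi/requests@2.31.0", "direct"). Only the required fields are
    filled in; `detector` values are placeholders for this example.
    """
    if not SHA_RE.match(sha):
        raise ValueError("sha must be the full 40-hex commit SHA")
    if not ref.startswith("refs/"):
        raise ValueError("ref must be a full ref such as refs/heads/main")
    resolved = {}
    for purl, relationship in packages:
        # Key each entry by the package name taken from the purl.
        name = purl.rsplit("/", 1)[-1].split("@", 1)[0]
        resolved[name] = {
            "package_url": purl,
            "relationship": relationship,
            "scope": "runtime",
            "dependencies": [],
        }
    return {
        "version": 0,
        "job": {"id": job_id, "correlator": correlator},
        "sha": sha,
        "ref": ref,
        "detector": {  # placeholder detector identity (assumption)
            "name": "example-detector",
            "version": "0.1.0",
            "url": "https://example.invalid/detector",
        },
        "scanned": (scanned or datetime.now(timezone.utc)).isoformat(),
        "manifests": {
            manifest_path: {
                "name": manifest_path,
                "file": {"source_location": manifest_path},
                "resolved": resolved,
            }
        },
    }


def explain_status(status, owner, repo):
    """Map the response status to guidance a CI log can act on."""
    if status == 201:
        return "created"
    if status == 404:
        # Assumed settings path for the repository's code security page.
        return (
            f"dependency graph is not enabled for {owner}/{repo} (or the token "
            f"cannot see the repository); enable it under Settings > Code "
            f"security: https://github.com/{owner}/{repo}/settings/security_analysis"
        )
    if status in (401, 403):
        return "token is missing or lacks write access to the repository"
    return f"unexpected status {status}"


def _http_post(url, headers, body):
    """Real transport: return (status, decoded JSON body)."""
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def submit_snapshot(owner, repo, token, snapshot, post=_http_post):
    """POST the snapshot; returns (status, guidance, response_body)."""
    url = f"{API}/repos/{owner}/{repo}/dependency-graph/snapshots"
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    }
    status, body = post(url, headers, json.dumps(snapshot).encode())
    return status, explain_status(status, owner, repo), body
```

To run it for real, pass a token with `contents: write` on the repository and the commit SHA and ref of the checkout being scanned; in a workflow the `correlator` should be stable across runs (for example the workflow and job name) so GitHub replaces earlier snapshots from the same job rather than accumulating them.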