REST API endpoints for dependency submission doesn't explain how to enable dependencies #36123
Comments
Hi @jsoref, and thanks for raising an issue for this—I'll get this triaged now 👍
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀
hi @jsoref - PM for dependency graph here 👋 I see that there was a successful run of this action so I think the error you saw was a transient problem.
The docs url will be updated to point to this doc instead but it's weird that you would see that error in the first place. Thanks for the report, we'll get to the bottom of this!
@ahpook: no, it wasn't a transient failure, it failed because I hadn't enabled the required feature (dependencies). Once I enabled them, a rerun worked. But the problem is that the error path should take me to a page that clearly explains how to enable the feature. It doesn't matter that I've done it a dozen times over the past half dozen years or whatever, I don't do it every day. For a random repository, ![]() There's no way for me to disable this feature, so it's a one-way taint. I do have an infinite number of additional repositories I can use to play with it (but you can too, repositories are cheap). There are half a dozen knobs for github repositories to enable features, and this one is the furthest out of the way of all of them. Almost all knobs are within ![]() In general, as a user, when I read an error that says I need to do something, I try to follow the instructions, or if it says I need to enable something, I go to settings and look, or maybe I go to the docs. None of those paths work for this product area.
Ah, gotcha sorry - I thought that dependency graph was enabled, but you still got the error. There is also an enable button in Settings, under "Code Security" - I take your point though.
The documentation https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository is misleading, it talks about enabling/disabling the graph for private repositories, but as noted, it applies to public repositories.
GitHub's settings are sufficiently complicated at this point that they should have search, just like browser settings have search.
Good point @jsoref - there is an inconsistency in the docs - the correct answer is that Dependency Graph is automatically on for new public repos, but needs to be enabled specifically for both private repos and forks of upstream projects. This one is correct: But the 'configuring the dependency graph' doc is wrong. We'll get that cleaned up.
Many thanks for reporting this, @jsoref! We'll fix this internally, and add you as a co-committer.
Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue.
What article on docs.github.com is affected?
https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
What part(s) of the article would you like to see updated?
Something should explain how to resolve:
Additional information
There's an action, it triggers this API call, which yielded the above error. The link is to a document that doesn't explain how to do the thing
Yes, this has to be copied to the internal repository.