
Bug: Error "fetch failed" when fetching v3.1.1 #609

Closed
lindeberg opened this issue Nov 6, 2023 · 23 comments
Assignees
Labels
bug Something isn't working

Comments

@lindeberg

We are getting error "fetch failed" when targeting the brand new patch v3.1.1:
[screenshot of the "fetch failed" error]

Targeting v3.1.0 works fine.

@febuiles
Contributor

febuiles commented Nov 6, 2023

@lindeberg thanks for the report, we recently updated our HTTP libraries and I was expecting something like this to show up! Can you share the YAML file you're using for the Action (please obscure any private info) so we can reproduce?

@lindeberg
Author

name: Dependency Review
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    name: Dependency review
    runs-on: [self-hosted, linux]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: low
          license-check: false

@lindeberg
Author

Why release something where there is an expected issue?

@febuiles
Contributor

febuiles commented Nov 6, 2023

@lindeberg Thanks for providing additional details for the reproduction. I apologize for using such loose language in my previous comment. Rephrased: I am not surprised to see this error given the number of packages upgraded. I will provide an update once I can debug this issue.

@febuiles
Contributor

febuiles commented Nov 6, 2023

@lindeberg I have not been able to reproduce this issue on github.com. I used the https://github.com/future-funk/glowing-computing-machine/ repo with two pull requests:

  1. PR with vulnerability: https://github.com/future-funk/glowing-computing-machine/actions/runs/6773235611?pr=2
  2. PR fixing vulnerability: https://github.com/future-funk/glowing-computing-machine/actions/runs/6773258235?pr=2

Are you able to reproduce? The only difference is the self-hosted runners part. A few questions:

  • What platform are you using? (GitHub Enterprise Cloud, GitHub Enterprise Server (on-prem)..., etc)
  • Are your self hosted runners running at the repo, org or enterprise level?

@muscionig

Not sure if related, but since the new version we have been having the following problem on self-hosted runners:
[screenshot of the error on the self-hosted runner]

Runner version: v2.311-ubuntu-20.04

Pinning to the previous version solves the problem: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034

@febuiles happy to log this on a different issue

@mirimbi

mirimbi commented Nov 6, 2023

Hello, I am also receiving this error! Tried with 3.1.1 with no difference!
[screenshot of the error]

@mirimbi

mirimbi commented Nov 6, 2023

It is executed on GitHub Enterprise with Advanced security enabled.
Code of the action is:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4
      - name: 'Dependency Review'
        uses: internal-marketplace/dependency-review-action@v3
        with:
          fail-on-severity: high
          comment-summary-in-pr: on-failure

Added bold lines hoping to get some additional info.

@febuiles febuiles added the bug Something isn't working label Nov 7, 2023
@febuiles febuiles self-assigned this Nov 7, 2023
@lindeberg
Author

We are using self hosted runners on organization level in Enterprise Cloud.

@febuiles
Contributor

febuiles commented Nov 7, 2023

I have not been able to reproduce this in GitHub Enterprise Cloud with a self-hosted runner, log here: https://github.com/future-funk/glowing-computing-machine/actions/runs/6784453748/job/18440780341. Relevant lines:

Current runner version: '2.311.0'
Runner name: 'nekrasov'
Runner group name: 'Default'
Machine name: 'nekrasov'
...
Run actions/dependency-review-action@v3
  with:
    fail-on-severity: low
    license-check: false
    repo-token: ***
    retry-on-snapshot-warnings: false
    retry-on-snapshot-warnings-timeout: 120
Dependency review did not detect any denied packages
Vulnerabilities
  package.json » loader-utils@1.2.3 – Prototype pollution in webpack loader-utils (critical severity)
    ↪ https://github.com/advisories/GHSA-76p3-8jx3-jpfq

A reproduction repo, or a scrubbed log of a run, would be appreciated to get an idea of where we're failing. I'll commission a GitHub Enterprise Server to test self-hosted runners there.

@lindeberg
Author

Not sure what logs you mean. Logs with debug on:

##[debug]Evaluating condition for step: 'Dependency Review'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Dependency Review
##[debug]Loading inputs
##[debug]Evaluating: github.token
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run actions/dependency-review-action@v3.1.1
  with:
    fail-on-severity: low
    license-check: false
    repo-token: ***
    retry-on-snapshot-warnings: false
    retry-on-snapshot-warnings-timeout: 120
Error: fetch failed
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Dependency Review

Could you elaborate on how we can help?

Note that we are running behind proxy server. That sounds like a potential culprit as you mentioned http libraries.

@febuiles
Contributor

febuiles commented Nov 7, 2023

I was not able to reproduce this in GHES 3.10 either, so I guess proxies are the ones getting disrupted by this, thanks for bringing that up @lindeberg.

To get the full logs for a run you can click the cogwheel item in the failed run and then "View raw logs":

[screenshot of the cogwheel menu with "View raw logs"]

It'd be useful to get the full output (with private data scrubbed) to see at which step of the run things are failing.

@febuiles
Contributor

febuiles commented Nov 7, 2023

I've pushed a temporary tag to see if we can fix this issue by downgrading a couple of libraries.

Can you test with this custom version and see if the error still appears?

 uses: actions/dependency-review-action@downgrade-actions-github

@muscionig

muscionig commented Nov 7, 2023

@febuiles I just tried the tag you posted and I am getting the same error I posted before while getting credentials.

Some additional info:

  1. GHES: 3.8.5
  2. ARC: actions-runner-controller-0.23.3 (chart), 0.27.4 (app version)
  3. We do patch custom certs in our runner images

Runner set up:

Current runner version: '2.311.0'
Runner name: 'xxxx'
Runner group name: 'Default'
Machine name: 'xxxx'
GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@v3' (SHA:93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8)
Download action repository 'actions/dependency-review-action@downgrade-actions-github' (SHA: a7302e6bbe4bbfebae5b9252e31176bf32afe179)
Complete job name: dependency-review

@lindeberg
Author

Same error with version "downgrade-actions-github".

Full log:

2023-11-08T03:19:33.8099068Z Requested labels: self-hosted, linux
2023-11-08T03:19:33.8099316Z Job defined at: company/repo/.github/workflows/dependency-review.yml@refs/pull/255/merge
2023-11-08T03:19:33.8099404Z Waiting for a runner to pick up this job...
2023-11-08T03:19:34.3619552Z Job is about to start running on the runner: company-runner-s59vw-7t59s (organization)
2023-11-08T03:19:39.4870942Z Current runner version: '2.311.0'
2023-11-08T03:19:39.4878687Z Runner name: 'company-runner-s59vw-7t59s'
2023-11-08T03:19:39.4879653Z Runner group name: 'company runners'
2023-11-08T03:19:39.4880619Z Machine name: 'company-runner-s59vw-7t59s'
2023-11-08T03:19:39.4883695Z ##[group]GITHUB_TOKEN Permissions
2023-11-08T03:19:39.4886191Z Contents: read
2023-11-08T03:19:39.4886546Z Metadata: read
2023-11-08T03:19:39.4886843Z ##[endgroup]
2023-11-08T03:19:39.4890074Z Secret source: Dependabot
2023-11-08T03:19:39.4891346Z Runner is running behind proxy server 'http://proxy.company.net:8080' for all HTTP requests.
2023-11-08T03:19:39.4892809Z Runner is running behind proxy server 'http://proxy.company.net:8080' for all HTTPS requests.
2023-11-08T03:19:39.4893677Z Prepare workflow directory
2023-11-08T03:19:39.5554514Z Prepare all required actions
2023-11-08T03:19:39.5729375Z Getting action download info
2023-11-08T03:19:39.8544704Z Download action repository 'actions/checkout@v4' (SHA:b4ffde65f46336ab88eb53be808477a3936bae11)
2023-11-08T03:19:40.7002773Z Download action repository 'actions/dependency-review-action@v3' (SHA:9f45b2463b475767b61721ccfef113fef513e6aa)
2023-11-08T03:19:41.6662394Z Complete job name: Dependency review
2023-11-08T03:19:41.7139255Z A job started hook has been configured by the self-hosted runner administrator
2023-11-08T03:19:41.7309545Z ##[group]Run '/etc/arc/hooks/job-started.sh'
2023-11-08T03:19:41.7334999Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2023-11-08T03:19:41.7335817Z ##[endgroup]
2023-11-08T03:19:41.7733049Z 2023-11-08 03:19:41.769  DEBUG --- Running ARC Job Started Hooks
2023-11-08T03:19:41.7747411Z 2023-11-08 03:19:41.773  DEBUG --- Running hook: /etc/arc/hooks/job-started.d/update-status
2023-11-08T03:19:41.8266349Z ##[group]Run actions/checkout@v4
2023-11-08T03:19:41.8266864Z with:
2023-11-08T03:19:41.8267117Z   repository: company/repo
2023-11-08T03:19:41.8267801Z   token: ***
2023-11-08T03:19:41.8268061Z   ssh-strict: true
2023-11-08T03:19:41.8268461Z   persist-credentials: true
2023-11-08T03:19:41.8268864Z   clean: true
2023-11-08T03:19:41.8269145Z   sparse-checkout-cone-mode: true
2023-11-08T03:19:41.8269465Z   fetch-depth: 1
2023-11-08T03:19:41.8269725Z   fetch-tags: false
2023-11-08T03:19:41.8269988Z   show-progress: true
2023-11-08T03:19:41.8270238Z   lfs: false
2023-11-08T03:19:41.8270473Z   submodules: false
2023-11-08T03:19:41.8270749Z   set-safe-directory: true
2023-11-08T03:19:41.8271033Z ##[endgroup]
2023-11-08T03:19:41.9726356Z Syncing repository: company/repo
2023-11-08T03:19:41.9728129Z ##[group]Getting Git version info
2023-11-08T03:19:41.9728749Z Working directory is '/runner/_work/repo/repo'
2023-11-08T03:19:41.9729529Z [command]/usr/bin/git version
2023-11-08T03:19:41.9729861Z git version 2.42.0
2023-11-08T03:19:41.9730945Z ##[endgroup]
2023-11-08T03:19:41.9741963Z Temporarily overriding HOME='/runner/_work/_temp/3f211264-d443-4bb6-a161-bec21cefd0f1' before making global git config changes
2023-11-08T03:19:41.9743057Z Adding repository directory to the temporary git global config as a safe directory
2023-11-08T03:19:41.9743982Z [command]/usr/bin/git config --global --add safe.directory /runner/_work/repo/repo
2023-11-08T03:19:41.9745232Z Deleting the contents of '/runner/_work/repo/repo'
2023-11-08T03:19:41.9745976Z ##[group]Initializing the repository
2023-11-08T03:19:41.9746507Z [command]/usr/bin/git init /runner/_work/repo/repo
2023-11-08T03:19:41.9779092Z hint: Using 'master' as the name for the initial branch. This default branch name
2023-11-08T03:19:41.9779849Z hint: is subject to change. To configure the initial branch name to use in all
2023-11-08T03:19:41.9780531Z hint: of your new repositories, which will suppress this warning, call:
2023-11-08T03:19:41.9781015Z hint: 
2023-11-08T03:19:41.9781667Z hint: 	git config --global init.defaultBranch <name>
2023-11-08T03:19:41.9782071Z hint: 
2023-11-08T03:19:41.9782538Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2023-11-08T03:19:41.9783593Z hint: 'development'. The just-created branch can be renamed via this command:
2023-11-08T03:19:41.9784092Z hint: 
2023-11-08T03:19:41.9784351Z hint: 	git branch -m <name>
2023-11-08T03:19:41.9801004Z Initialized empty Git repository in /runner/_work/repo/repo/.git/
2023-11-08T03:19:41.9813662Z [command]/usr/bin/git remote add origin https://github.com/company/repo
2023-11-08T03:19:41.9888688Z ##[endgroup]
2023-11-08T03:19:41.9890237Z ##[group]Disabling automatic garbage collection
2023-11-08T03:19:41.9891713Z [command]/usr/bin/git config --local gc.auto 0
2023-11-08T03:19:41.9925505Z ##[endgroup]
2023-11-08T03:19:41.9926860Z ##[group]Setting up auth
2023-11-08T03:19:41.9939711Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2023-11-08T03:19:42.0001230Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2023-11-08T03:19:42.0595221Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2023-11-08T03:19:42.0681931Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2023-11-08T03:19:42.1184429Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2023-11-08T03:19:42.1245085Z ##[endgroup]
2023-11-08T03:19:42.1245586Z ##[group]Fetching the repository
2023-11-08T03:19:42.1263018Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +649d2c42dd93c5a27d08cb9b602133615e502188:refs/remotes/pull/255/merge
2023-11-08T03:19:42.9638314Z From https://github.com/company/repo
2023-11-08T03:19:42.9639211Z  * [new ref]         649d2c42dd93c5a27d08cb9b602133615e502188 -> pull/255/merge
2023-11-08T03:19:42.9677806Z ##[endgroup]
2023-11-08T03:19:42.9678611Z ##[group]Determining the checkout info
2023-11-08T03:19:42.9682018Z ##[endgroup]
2023-11-08T03:19:42.9683635Z ##[group]Checking out the ref
2023-11-08T03:19:42.9688783Z [command]/usr/bin/git checkout --progress --force refs/remotes/pull/255/merge
2023-11-08T03:19:42.9992197Z Note: switching to 'refs/remotes/pull/255/merge'.
2023-11-08T03:19:42.9993673Z 
2023-11-08T03:19:42.9997376Z You are in 'detached HEAD' state. You can look around, make experimental
2023-11-08T03:19:42.9999146Z changes and commit them, and you can discard any commits you make in this
2023-11-08T03:19:43.0000453Z state without impacting any branches by switching back to a branch.
2023-11-08T03:19:43.0001194Z 
2023-11-08T03:19:43.0001630Z If you want to create a new branch to retain commits you create, you may
2023-11-08T03:19:43.0002416Z do so (now or later) by using -c with the switch command. Example:
2023-11-08T03:19:43.0002836Z 
2023-11-08T03:19:43.0003002Z   git switch -c <new-branch-name>
2023-11-08T03:19:43.0003231Z 
2023-11-08T03:19:43.0003357Z Or undo this operation with:
2023-11-08T03:19:43.0003565Z 
2023-11-08T03:19:43.0003660Z   git switch -
2023-11-08T03:19:43.0008573Z 
2023-11-08T03:19:43.0011007Z Turn off this advice by setting config variable advice.detachedHead to false
2023-11-08T03:19:43.0014096Z 
2023-11-08T03:19:43.0016966Z HEAD is now at 649d2c4 Merge 768ab17184b4800aa9498763213100fd97619918 into 72750e124c054d202e489eb2f491224810a05a62
2023-11-08T03:19:43.0021871Z ##[endgroup]
2023-11-08T03:19:43.0056614Z [command]/usr/bin/git log -1 --format='%H'
2023-11-08T03:19:43.0087975Z '649d2c42dd93c5a27d08cb9b602133615e502188'
2023-11-08T03:19:43.0393155Z ##[group]Run actions/dependency-review-action@v3
2023-11-08T03:19:43.0393583Z with:
2023-11-08T03:19:43.0393803Z   fail-on-severity: low
2023-11-08T03:19:43.0394092Z   license-check: false
2023-11-08T03:19:43.0394595Z   repo-token: ***
2023-11-08T03:19:43.0394873Z   retry-on-snapshot-warnings: false
2023-11-08T03:19:43.0395457Z   retry-on-snapshot-warnings-timeout: 120
2023-11-08T03:19:43.0395822Z ##[endgroup]
2023-11-08T03:20:37.4560030Z ##[error]fetch failed
2023-11-08T03:20:37.4827090Z Post job cleanup.
2023-11-08T03:20:37.5855729Z [command]/usr/bin/git version
2023-11-08T03:20:37.5892623Z git version 2.42.0
2023-11-08T03:20:37.5943136Z Temporarily overriding HOME='/runner/_work/_temp/5f21b3ab-600a-4fdd-b619-c6ee28cc7e57' before making global git config changes
2023-11-08T03:20:37.5945517Z Adding repository directory to the temporary git global config as a safe directory
2023-11-08T03:20:37.5949403Z [command]/usr/bin/git config --global --add safe.directory /runner/_work/repo/repo
2023-11-08T03:20:37.5994176Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2023-11-08T03:20:37.6036526Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2023-11-08T03:20:37.6579275Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2023-11-08T03:20:37.6631824Z http.https://github.com/.extraheader
2023-11-08T03:20:37.6665174Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2023-11-08T03:20:37.6742297Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2023-11-08T03:20:37.7261229Z A job completed hook has been configured by the self-hosted runner administrator
2023-11-08T03:20:37.7360183Z ##[group]Run '/etc/arc/hooks/job-completed.sh'
2023-11-08T03:20:37.7371474Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2023-11-08T03:20:37.7372125Z ##[endgroup]
2023-11-08T03:20:37.7484790Z 2023-11-08 03:20:37.746  DEBUG --- Running ARC Job Completed Hooks
2023-11-08T03:20:37.7537414Z 2023-11-08 03:20:37.752  DEBUG --- Running hook: /etc/arc/hooks/job-completed.d/update-status
2023-11-08T03:20:37.7920228Z Cleaning up orphan processes

@febuiles
Contributor

febuiles commented Nov 8, 2023

I have a new branch for testing the fix [1], I would appreciate testing from folks whose setup is working in 3.1.0:

    uses: actions/dependency-review-action@fix-https-proxy

If you see failures in, or prior to, 3.1.0 please open a new issue!

Footnotes

  1. The Node 16->Node 20 upgrade introduced the fetch API, which is not playing along well with octokit and its plugins (particularly the retry one, which is needed for snapshot fetching). I'm opting for releasing a new version that works here, and then focusing on creating a test harness where we can experiment more with these changes before performing the upgrade.

@febuiles
Contributor

febuiles commented Nov 8, 2023

@lindeberg thanks for sharing the output of your run. We posted almost at the same time, but I hope the new branch mentioned in the last comment fixes the issue. Your patience is much appreciated, I will make sure that HTTPS-proxy testing is done for future releases.

@lindeberg
Author

@febuiles version "fix-https-proxy" works! 👍

@febuiles
Contributor

febuiles commented Nov 8, 2023

Thanks for the confirmation that it's working 🙇

I cut a new release, 3.1.2, to address the bug. I added a bit more context to the original PR. With this I'm closing this issue.

If you are still running into problems with 3.1.2 please re-open this issue or create a new one.

@febuiles febuiles closed this as completed Nov 8, 2023
@mirimbi

mirimbi commented Nov 10, 2023

Hello, I also can confirm it is working now - sorry for the timeout!

@lindeberg
Author

lindeberg commented Aug 15, 2024

Hi @febuiles! We are having this issue again (some (most) of the time). Now using v4.3.4. On self-hosted runners with least-privilege external network access. So we figured these domains should be allowed by the proxy:

  • api.deps.dev
  • api.securityscorecards.dev

Anything else that needs to be allowed?

2024-08-15T11:29:36.3809270Z Dependency review did not detect any denied packages
2024-08-15T11:29:36.3810601Z ##[debug]Getting deps.dev data for github.com/beorn7/perks 1.0.1
2024-08-15T11:29:46.3821020Z ##[error]fetch failed

@febuiles
Contributor

@lindeberg I'm not up to date with the latest changes, but it makes sense that now that the action reaches out to external providers some additional configuration is needed.

I think @jonjanego can provide further guidance with this, good luck!

@jonjanego
Collaborator

Hi @lindeberg these are probably from the OpenSSF scorecards option being enabled. URLs that option uses are defined here:

const apiRoot = 'https://api.securityscorecards.dev'

const depsDevAPIRoot = 'https://api.deps.dev'

https://api.securityscorecards.dev
https://api.deps.dev

If you're still encountering trouble after allowlisting those could you please open up a new issue with similar troubleshooting logs as you provided above?
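As an added example (not code from this thread, the action, or its maintainers), a small Python triage script for runner admins: it pulls the proxy setting, action ref, last deps.dev lookup and error out of a raw runner log like the two posted above, and checks a proxy egress allowlist against the hosts named in this thread. The inclusion of api.github.com in the required-host list is an assumption for github.com-hosted repositories, and the sample log excerpts are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Egress this action needs from a self-hosted runner, per the thread: the two external providers
# named above plus the GitHub API (api.github.com is assumed here; GHES uses its own API host).
REQUIRED_EGRESS = ("api.github.com", "api.deps.dev", "api.securityscorecards.dev")

_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z ")  # runner log timestamp prefix
_PROXY = re.compile(r"behind proxy server '([^']+)' for all (HTTPS?) requests")
_RUN = re.compile(r"##\[group\]Run (actions/dependency-review-action@\S+)")
_DEPS = re.compile(r"##\[debug\]Getting deps\.dev data for (.+)$")
_ERR = re.compile(r"##\[error\](.+)$")

@dataclass
class Triage:
    action_ref: str | None = None
    proxies: dict[str, str] = field(default_factory=dict)  # "HTTP"/"HTTPS" -> proxy URL
    last_external_lookup: str | None = None                 # last deps.dev package looked up
    error: str | None = None

    def verdict(self, allowed_hosts: set[str] | None = None) -> str:
        # allowed_hosts is the proxy's egress allowlist, when the runner admin knows it
        if self.error is None:
            return "no error in the dependency-review step"
        if self.error.strip() != "fetch failed":
            return f"step failed with: {self.error.strip()}"
        missing = [h for h in REQUIRED_EGRESS if allowed_hosts is not None and h not in allowed_hosts]
        if missing:
            return "fetch failed: proxy allowlist is missing " + ", ".join(missing)
        if self.last_external_lookup:
            return (f"fetch failed during deps.dev lookup for {self.last_external_lookup}: "
                    "check egress to api.deps.dev")
        proxy = self.proxies.get("HTTPS")
        if proxy:
            return (f"fetch failed in {self.action_ref} behind proxy {proxy}: the action's HTTP "
                    "client may ignore HTTPS_PROXY (the 3.1.1 regression fixed in 3.1.2)")
        return "fetch failed with no proxy configured: check DNS and egress on the runner"

def triage(log: str) -> Triage:
    # Walk a raw runner log and keep only what matters for a 'fetch failed' report
    t, in_step = Triage(), False
    for raw in log.splitlines():
        line = _TS.sub("", raw)
        if m := _PROXY.search(line):
            t.proxies[m.group(2)] = m.group(1)
        elif m := _RUN.search(line):
            t.action_ref, in_step = m.group(1), True
        elif line.startswith("Post job cleanup"):
            in_step = False
        elif in_step and (m := _DEPS.search(line)):
            t.last_external_lookup = m.group(1).strip()
        elif in_step and (m := _ERR.search(line)):
            t.error = m.group(1)
    return t

# Constructed excerpts modelled on the two logs posted in this thread (timestamps are made up).
SAMPLE_V3 = """\
2023-11-08T03:19:39.4892809Z Runner is running behind proxy server 'http://proxy.company.net:8080' for all HTTPS requests.
2023-11-08T03:19:43.0393155Z ##[group]Run actions/dependency-review-action@v3
2023-11-08T03:20:37.4560030Z ##[error]fetch failed
"""
SAMPLE_V4 = """\
2024-08-15T11:29:31.0000000Z ##[group]Run actions/dependency-review-action@v4.3.4
2024-08-15T11:29:36.3810601Z ##[debug]Getting deps.dev data for github.com/beorn7/perks 1.0.1
2024-08-15T11:29:46.3821020Z ##[error]fetch failed
"""
```

Run `triage(open("raw.log").read()).verdict({"api.github.com", ...})` with the hosts your proxy actually permits to get a one-line verdict before opening an issue.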
