actions/gradle
0
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2025-02-03 15:26:42 -05:00
Code Issues Projects Releases Packages Wiki Activity

Save dependency-graph file as workflow artifact

Browse source 
Diagnosing unexpected dependencies in the GitHub Dependency Graph can
be difficult. In order to aid with diagnosis, the `dependency-submission`
action will  now save each dependency-graph file as a workflow artifact.

If this is undesirable, the prior behaviour can be restored by explicitly setting
`dependency-graph: generate-and-submit`.

Fixes #519
This commit is contained in:
daz 2025-01-21 11:41:58 -07:00 committed by Daz DeBoer
parent 28ab4dff3a
commit 245c8a24de
7 changed files with 84 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
.github/workflows/integ-test-dependency-graph.yml vendored
View file

@ -153,3 +153,40 @@ jobs:
ls -l dependency-graph-reports
exit 1
fi
dependency-graph-generate-submit-and-upload:
permissions:
contents: write
runs-on: "ubuntu-latest"
steps:
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Initialize integ-test
uses: ./.github/actions/init-integ-test
- name: Setup Gradle for dependency-graph generate
uses: ./setup-gradle
with:
dependency-graph: generate-submit-and-upload
- name: Run gradle build
id: gradle-build
run: ./gradlew build
working-directory: .github/workflow-samples/groovy-dsl
dependency-graph-generate-submit-and-upload-check:
needs: [dependency-graph-generate-submit-and-upload]
runs-on: "ubuntu-latest"
steps:
- name: Download dependency-graph artifact
uses: actions/download-artifact@v4
with:
path: downloaded-dependency-graphs
pattern: dependency-graph_*dependency-graph-generate-submit-and-upload.json
- name: Check for downloaded dependency graphs
shell: bash
run: |
ls -A "${{ github.workspace }}/downloaded-dependency-graphs"
if [ -z "$(ls -A "${{ github.workspace }}/downloaded-dependency-graphs")" ]; then
echo "No dependency graph files found"
exit 1
fi

12
dependency-submission/action.yml
View file

@ -96,17 +96,20 @@ inputs:
# Dependency Graph configuration
dependency-graph:
description: |
Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
Specifies how the dependency-graph should be handled by this action.
By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
Valid values are:
'generate-and-submit' (default): Generates a dependency graph for the project and submits it in the same Job.
'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact.
'generate-and-submit': Generates a dependency graph for the project and submits it in the same Job.
'generate-submit-and-upload (default)': As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
'download-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.
Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
where the workflow generating the dependency-graph cannot (or should not) be given the `contents: write` permissions
required to submit via the Dependency Submission API.
required: false
default: 'generate-and-submit'
default: 'generate-submit-and-upload'
dependency-graph-report-dir:
description: |
@ -147,7 +150,6 @@ inputs:
artifact-retention-days:
description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
required: false
default: 1
# Build Scan configuration
build-scan-publish:

26
docs/dependency-submission.md
View file

@ -103,6 +103,9 @@ In some cases, the default action configuration will not be sufficient, and addi
# Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
dependency-graph: generate-and-upload
# Change the number of days that workflow artifacts are retained. (Default is 30 days).
artifact-retention-days: 5
# Specify the location where dependency graph files will be generated.
dependency-graph-report-dir: custom-report-dir
@ -118,6 +121,29 @@ The `GitHub Dependency Graph Gradle Plugin` can be further
These will be automatically set by the `dependency-submission` action, but you may override these values
by setting them explicitly in your workflow file.
### Reducing storage costs for saved dependency graph artifacts
By default, the dependency graph that is generated is stored as a workflow artifact.
To reduce storage costs for these artifacts, you can:
1. Set the `artifact-retention-days`:
```yaml
- name: Generate dependency graph but only store workflow artifacts for 1 day
uses: gradle/actions/dependency-submission@v4
with:
artifact-retention-days: 1 # Default is 30 days or as configured for repository
```
2. Disable storing dependency-graph artifacts using `generate-and-submit`
```yaml
- name: Generate and submit dependency graph but do not store as workflow artifact
uses: gradle/actions/dependency-submission@v4
with:
dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
```
# Resolving a dependency vulnerability
## Finding the source of a dependency vulnerability

14
docs/setup-gradle.md
View file

@ -718,20 +718,6 @@ A known exception to this is that Gradle `7.0`, `7.0.1`, and `7.0.2` are not sup
See [here](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#gradle-compatibility) for complete compatibility information.
### Reducing storage costs for saved dependency graph artifacts
When `generate` or `generate-and-submit` is used with the action, the dependency graph that is generated is stored as a workflow artifact.
By default, these artifacts are retained for 30 days (or as configured for the repository).
To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number.
```yaml
- name: Generate dependency graph, but only retain artifact for one day
uses: gradle/actions/setup-gradle@v4
with:
dependency-graph: generate
artifact-retention-days: 1
```
# Develocity Build Scan® integration
Publishing a Develocity Build Scan can be very helpful for Gradle builds run on GitHub Actions. Each Build Scan provides a

2
setup-gradle/action.yml
View file

@ -80,7 +80,7 @@ inputs:
dependency-graph:
description: |
Specifies if a GitHub dependency snapshot should be generated for each Gradle build, and if so, how.
Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-and-upload', and 'download-and-submit'.
Valid values are 'disabled' (default), 'generate', 'generate-and-submit', 'generate-submit-and-upload', 'generate-and-upload', and 'download-and-submit'.
required: false
default: 'disabled'

5
sources/src/configuration.ts
View file

@ -20,13 +20,15 @@ export class DependencyGraphConfig {
return DependencyGraphOption.Generate
case 'generate-and-submit':
return DependencyGraphOption.GenerateAndSubmit
case 'generate-submit-and-upload':
return DependencyGraphOption.GenerateSubmitAndUpload
case 'generate-and-upload':
return DependencyGraphOption.GenerateAndUpload
case 'download-and-submit':
return DependencyGraphOption.DownloadAndSubmit
}
throw TypeError(
`The value '${val}' is not valid for 'dependency-graph'. Valid values are: [disabled, generate, generate-and-submit, generate-and-upload, download-and-submit]. The default value is 'disabled'.`
`The value '${val}' is not valid for 'dependency-graph'. Valid values are: [disabled, generate, generate-and-submit, generate-submit-and-upload, generate-and-upload, download-and-submit].`
)
}
@ -96,6 +98,7 @@ export enum DependencyGraphOption {
Disabled = 'disabled',
Generate = 'generate',
GenerateAndSubmit = 'generate-and-submit',
GenerateSubmitAndUpload = 'generate-submit-and-upload',
GenerateAndUpload = 'generate-and-upload',
DownloadAndSubmit = 'download-and-submit'
}

11
sources/src/dependency-graph.ts
View file

@ -60,7 +60,10 @@ export async function complete(config: DependencyGraphConfig): Promise<void> {
case DependencyGraphOption.DownloadAndSubmit: // Performed in setup
return
case DependencyGraphOption.GenerateAndSubmit:
await findAndSubmitDependencyGraphs(config)
await findAndSubmitDependencyGraphs(config, false)
return
case DependencyGraphOption.GenerateSubmitAndUpload:
await findAndSubmitDependencyGraphs(config, true)
return
case DependencyGraphOption.GenerateAndUpload:
await findAndUploadDependencyGraphs(config)
@ -83,7 +86,7 @@ async function downloadAndSubmitDependencyGraphs(config: DependencyGraphConfig):
}
}
async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig): Promise<void> {
async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig, uploadAfterSubmit: boolean): Promise<void> {
if (isRunningInActEnvironment()) {
core.info('Dependency graph not supported in the ACT environment.')
return
@ -100,6 +103,10 @@ async function findAndSubmitDependencyGraphs(config: DependencyGraphConfig): Pro
}
throw e
}
if (uploadAfterSubmit) {
await uploadDependencyGraphs(dependencyGraphFiles, config)
}
}
async function findAndUploadDependencyGraphs(config: DependencyGraphConfig): Promise<void> {