actions/gradle
0
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2025-02-03 15:26:42 -05:00
Code Issues Projects Releases Packages Wiki Activity

Update docs for dependency review (#540)

Browse source 
Due to an issue with dependency-review-action (https://github.com/gradle/actions/issues/482),
the setup described in the documentation can result in duplicate 
dependencies being added to the dependency graph.

To avoid this, we now recommend using a common `dependency-submission`
workflow for both pushes to `main` and pull requests. 
The `dependency-review` workflow runs on any `pull_request` but will wait
for the `dependency-submission` to complete.

This setup works for both the standard setup, and for the advanced setup for 
pull requests from repository forks.
This commit is contained in:
Daz DeBoer 2025-01-30 08:35:10 -07:00 committed by GitHub
parent 65a3beb941
commit 986922f6a6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 38 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
docs/dependency-submission.md
View file

@ -321,12 +321,19 @@ The GitHub [dependency-review-action](https://github.com/actions/dependency-revi
understand dependency changes (and the security impact of these changes) for a pull request, understand dependency changes (and the security impact of these changes) for a pull request,
by comparing the dependency graph for the pull-request with that of the HEAD commit. by comparing the dependency graph for the pull-request with that of the HEAD commit.
Example of a pull request workflow that executes a build for a pull request and runs the `dependency-review-action`: Integrating the Dependency Review Action requires 2 changes to your workflows:
#### 1. Add a `pull_request` trigger to your existing Dependency Submission workflow.
In order to perform Dependency Review on a pull request, the dependency graph must be submitted for the pull request.
To do this, simply add a `pull_request` trigger to your existing dependency submission workflow.
```yaml ```yaml
name: Dependency review for pull requests name: Dependency Submission
on: on:
push:
branches: [ 'main' ]
pull_request: pull_request:
permissions: permissions:
@ -344,11 +351,37 @@ jobs:
- name: Generate and submit dependency graph - name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v4 uses: gradle/actions/dependency-submission@v4
- name: Perform dependency review
uses: actions/dependency-review-action@v4
``` ```
#### 2. Add a dedicated Dependency Review workflow
The Dependency Review workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
Here's an example of a separate "Dependency Review" workflow that will wait up to 10 minutes for dependency submission to complete.
```yaml
name: Dependency Review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
```
The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the modified dependency-submission workflow to complete.
## Usage with pull requests from public forked repositories ## Usage with pull requests from public forked repositories
This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). This `contents: write` permission is [not available for any workflow that is triggered by a pull request submitted from a public forked repository](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
@ -407,36 +440,6 @@ jobs:
dependency-graph: download-and-submit # Download saved dependency-graph and submit dependency-graph: download-and-submit # Download saved dependency-graph and submit
``` ```
### Integrating `dependency-review-action` for pull requests from public forked repositories
To integrate the `dependency-review-action` into the pull request workflows above, a third workflow file is required.
This workflow will be triggered directly on `pull_request`, but will wait until the dependency graph results are
submitted before the dependency review can complete. The period to wait is controlled by the `retry-on-snapshot-warnings` input parameters.
Here's an example of a separate "Dependency Review" workflow that will wait for 10 minutes for the above PR check workflow to complete.
```yaml
name: dependency-review
on:
pull_request:
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
```
The `retry-on-snapshot-warnings-timeout` (in seconds) needs to be long enough to allow the entire `Generate and save dependency graph` and `Download and submit dependency graph` workflows (above) to complete.
# Gradle version compatibility # Gradle version compatibility
Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against Dependency-graph generation is compatible with most versions of Gradle >= `5.2`, and is tested regularly against