Update to the latest dependency-graph plugin

- Remove experimental warning
- Update documentation
This commit is contained in:
daz 2023-07-24 08:07:59 -06:00
parent ced6859e9c
commit 632e888003
No known key found for this signature in database
3 changed files with 49 additions and 4 deletions

View file

@ -410,7 +410,6 @@ You can use the `gradle-build-action` on GitHub Enterprise Server, and benefit f
- Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step. - Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step.
# GitHub Dependency Graph support # GitHub Dependency Graph support
**EXPERIMENTAL**
The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28). The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).
@ -449,13 +448,59 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Setup Gradle to generate and submit dependency graphs - name: Setup Gradle to generate and submit dependency graphs
uses: gradle/gradle-build-action@dependency-graph uses: gradle/gradle-build-action@v2
with: with:
dependency-graph: generate-and-submit dependency-graph: generate-and-submit
- name: Run a build, generating the dependency graph snapshot which will be submitted - name: Run a build, generating the dependency graph snapshot which will be submitted
run: ./gradlew build run: ./gradlew build
``` ```
### Filtering which Gradle Configurations contribute to the dependency graph
If you do not want to include every dependency configuration in every project in your build, you can limit the
dependency extraction to a subset of these.
To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.
To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.
Example of a simple workflow that limits the dependency graph to `RuntimeClasspath` configuration:
```yaml
name: Submit dependency graph
on:
push:
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Gradle to generate and submit dependency graphs
uses: gradle/gradle-build-action@v2
with:
dependency-graph: generate-and-submit
- name: Run a build, generating the dependency graph from 'RuntimeClasspath' configurations
run: ./gradlew build -DDEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS=RuntimeClasspath
```
### Gradle version compatibility
The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against
Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.
The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
limited to Gradle "8.1.0" and later:
- With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated.
- With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled.
To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
configuration-cache disabled.
### Dependency snapshots generated for pull requests ### Dependency snapshots generated for pull requests
This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes. This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes.

View file

@ -87,7 +87,7 @@ inputs:
outputs: outputs:
build-scan-url: build-scan-url:
description: Link to the Build Scan® if any description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
runs: runs:
using: 'node16' using: 'node16'

View file

@ -3,7 +3,7 @@ buildscript {
maven { url "https://plugins.gradle.org/m2/" } maven { url "https://plugins.gradle.org/m2/" }
} }
dependencies { dependencies {
classpath "org.gradle:github-dependency-graph-gradle-plugin:0.1.0" classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0"
} }
} }
apply plugin: org.gradle.github.GitHubDependencyGraphPlugin apply plugin: org.gradle.github.GitHubDependencyGraphPlugin