Merge pull request #817 from gradle/dd/270

Prepare for 2.7.0 release
Daz DeBoer 2023-07-24 17:04:07 +02:00 committed by GitHub
commit a4cf152f48
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 1819 additions and 3690 deletions


@ -78,20 +78,18 @@ jobs:
uses: ./ uses: ./
with: with:
dependency-graph: generate dependency-graph: generate
- name: Run assemble - id: gradle-assemble
run: ./gradlew assemble run: ./gradlew assemble
working-directory: .github/workflow-samples/groovy-dsl working-directory: .github/workflow-samples/groovy-dsl
env: - id: gradle-build
GITHUB_JOB_CORRELATOR: job-correlator
- name: Run build
run: ./gradlew build run: ./gradlew build
working-directory: .github/workflow-samples/groovy-dsl working-directory: .github/workflow-samples/groovy-dsl
env:
GITHUB_JOB_CORRELATOR: job-correlator
- name: Check generated dependency graphs - name: Check generated dependency graphs
run: | run: |
echo "gradle-assemble report file: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}"
echo "gradle-build report file: ${{ steps.gradle-build.outputs.dependency-graph-file }}"
ls -l dependency-graph-reports ls -l dependency-graph-reports
if ([ ! -e dependency-graph-reports/job-correlator.json ] || [ ! -e dependency-graph-reports/job-correlator-1.json ]) if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ])
then then
echo "Did not find expected dependency graph files" echo "Did not find expected dependency graph files"
exit 1 exit 1
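Review bot: The existence check on the `if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ])` line expands both step outputs unquoted inside `[ ]`, so when an output is unset (the init script only writes it when GITHUB_OUTPUT is set and a unique report file was found) the test degenerates to `[ ! -e ]`, which is false, and the step passes instead of reporting the missing file. Quote the expansions, `[ ! -e "${{ steps.gradle-assemble.outputs.dependency-graph-file }}" ]`, so an empty output makes the check fail, or better pass the two outputs in through `env:` and test `"$ASSEMBLE_FILE"` / `"$BUILD_FILE"` so a path is never spliced into the shell script by the expression evaluator. The `fi` that closes this block lies outside the hunk.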


@ -410,7 +410,6 @@ You can use the `gradle-build-action` on GitHub Enterprise Server, and benefit f
- Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step. - Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step.
# GitHub Dependency Graph support # GitHub Dependency Graph support
**EXPERIMENTAL**
The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28). The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).
@ -449,13 +448,59 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Setup Gradle to generate and submit dependency graphs - name: Setup Gradle to generate and submit dependency graphs
uses: gradle/gradle-build-action@dependency-graph uses: gradle/gradle-build-action@v2
with: with:
dependency-graph: generate-and-submit dependency-graph: generate-and-submit
- name: Run a build, generating the dependency graph snapshot which will be submitted - name: Run a build, generating the dependency graph snapshot which will be submitted
run: ./gradlew build run: ./gradlew build
``` ```
### Filtering which Gradle Configurations contribute to the dependency graph
If you do not want to include every dependency configuration in every project in your build, you can limit the
dependency extraction to a subset of these.
To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.
To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.
Example of a simple workflow that limits the dependency graph to `RuntimeClasspath` configuration:
```yaml
name: Submit dependency graph
on:
push:
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Gradle to generate and submit dependency graphs
uses: gradle/gradle-build-action@v2
with:
dependency-graph: generate-and-submit
- name: Run a build, generating the dependency graph from 'RuntimeClasspath' configurations
run: ./gradlew build -DDEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS=RuntimeClasspath
```
### Gradle version compatibility
The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against
Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.
The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
limited to Gradle "8.1.0" and later:
- With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated.
- With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled.
To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
configuration-cache disabled.
### Dependency snapshots generated for pull requests ### Dependency snapshots generated for pull requests
This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes. This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes.


@ -87,7 +87,9 @@ inputs:
outputs: outputs:
build-scan-url: build-scan-url:
description: Link to the Build Scan® if any description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
dependency-graph-file:
description: Path to the GitHub Dependency Graph snapshot file generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
runs: runs:
using: 'node16' using: 'node16'

dist/main/index.js vendored



dist/post/index.js vendored




@ -3,7 +3,7 @@ buildscript {
maven { url "https://plugins.gradle.org/m2/" } maven { url "https://plugins.gradle.org/m2/" }
} }
dependencies { dependencies {
classpath "org.gradle:github-dependency-graph-gradle-plugin:0.1.0" classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0"
} }
} }
apply plugin: org.gradle.github.GitHubDependencyGraphPlugin apply plugin: org.gradle.github.GitHubDependencyGraphPlugin


@ -15,14 +15,20 @@ if (GradleVersion.current().baseVersion < GradleVersion.version("5.0")) {
// This is only required for top-level builds // This is only required for top-level builds
def isTopLevelBuild = gradle.getParent() == null def isTopLevelBuild = gradle.getParent() == null
if (isTopLevelBuild) { if (isTopLevelBuild) {
def jobCorrelator = ensureUniqueJobCorrelator(System.env.GITHUB_JOB_CORRELATOR) def reportFile = getUniqueReportFile(System.env.GITHUB_JOB_CORRELATOR)
if (jobCorrelator == null) { if (reportFile == null) {
println "::warning::No dependency snapshot generated for step: report file for '${jobCorrelator}' created in earlier step. Each build invocation requires a unique job correlator: specify GITHUB_JOB_CORRELATOR var for this step." println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_JOB_CORRELATOR var for this step."
return return
} }
println "Generating dependency graph for '${jobCorrelator}'" def githubOutput = System.getenv("GITHUB_OUTPUT")
if (githubOutput) {
new File(githubOutput) << "dependency-graph-file=${reportFile.absolutePath}\n"
}
println "Generating dependency graph into '${reportFile}'"
} }
apply from: 'github-dependency-graph-gradle-plugin-apply.groovy' apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
@ -33,10 +39,10 @@ apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
* - If so, tries to find a unique value that does not yet have a corresponding report file. * - If so, tries to find a unique value that does not yet have a corresponding report file.
* - When found, this value is set as a System property override. * - When found, this value is set as a System property override.
*/ */
String ensureUniqueJobCorrelator(String jobCorrelator) { File getUniqueReportFile(String jobCorrelator) {
def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR
def reportFile = new File(reportDir, jobCorrelator + ".json") def reportFile = new File(reportDir, jobCorrelator + ".json")
if (!reportFile.exists()) return jobCorrelator if (!reportFile.exists()) return reportFile
// Try at most 100 suffixes // Try at most 100 suffixes
for (int i = 1; i < 100; i++) { for (int i = 1; i < 100; i++) {
@ -44,7 +50,7 @@ String ensureUniqueJobCorrelator(String jobCorrelator) {
def candidateFile = new File(reportDir, candidateCorrelator + ".json") def candidateFile = new File(reportDir, candidateCorrelator + ".json")
if (!candidateFile.exists()) { if (!candidateFile.exists()) {
System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator
return candidateCorrelator return candidateFile
} }
} }
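Review bot: The GITHUB_OUTPUT write `new File(githubOutput) << "dependency-graph-file=${reportFile.absolutePath}\n"` in the first hunk emits the path as a single `key=value` line, and that path is built from two environment variables (`DEPENDENCY_GRAPH_REPORT_DIR` and `GITHUB_JOB_CORRELATOR`) rather than from values the script controls; a line break in either would terminate the value early and let the remainder be parsed as a further output. Use GitHub's delimiter form for values that are not guaranteed to be single-line, e.g. `"dependency-graph-file<<DEPGRAPH_EOF\n${reportFile.absolutePath}\nDEPGRAPH_EOF\n"` (ideally with a generated delimiter), or reject a correlator containing `\r` or `\n` before using it. The header comment above `getUniqueReportFile` (its first lines are outside the second hunk) still describes the old correlator-returning contract; now that the method returns a `File`, it should state that the result is the first candidate report file that does not yet exist and that the caller's `if (reportFile == null)` branch handles the case where no candidate is found. The method's final return after the loop is outside the third hunk.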


@ -29,9 +29,10 @@ class TestDependencyGraph extends BaseInitScriptTest {
then: then:
assert reportFile.exists() assert reportFile.exists()
assert gitHubOutputFile.text == "dependency-graph-file=${reportFile.absolutePath}\n"
where: where:
testGradleVersion << DEPENDENCY_GRAPH_VERSIONS testGradleVersion << GRADLE_8_X
} }
// Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle // Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle
@ -114,7 +115,8 @@ class TestDependencyGraph extends BaseInitScriptTest {
GITHUB_REF: "main", GITHUB_REF: "main",
GITHUB_SHA: "123456", GITHUB_SHA: "123456",
GITHUB_WORKSPACE: testProjectDir.absolutePath, GITHUB_WORKSPACE: testProjectDir.absolutePath,
DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath,
GITHUB_OUTPUT: gitHubOutputFile.absolutePath
] ]
} }
@ -125,4 +127,8 @@ class TestDependencyGraph extends BaseInitScriptTest {
def getReportFile() { def getReportFile() {
return new File(reportsDir, "CORRELATOR.json") return new File(reportsDir, "CORRELATOR.json")
} }
def getGitHubOutputFile() {
return new File(testProjectDir, "GITHUB_OUTPUT")
}
} }
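Review bot: The version matrix in the first hunk is narrowed from `DEPENDENCY_GRAPH_VERSIONS` to `GRADLE_8_X` in the same change that adds the `assert gitHubOutputFile.text == "dependency-graph-file=${reportFile.absolutePath}\n"` check, so the new GITHUB_OUTPUT write in the init script is only exercised on Gradle 8.x even though the init script runs on every Gradle version the action supports. If the narrowing is deliberate, a one-line comment at the `where:` block such as `// GITHUB_OUTPUT handling is version-independent; run on 8.x only to keep the suite fast` would record that; otherwise keep the wider matrix for this case. The enclosing feature method begins before the first hunk.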