Merge pull request #817 from gradle/dd/270

Prepare for 2.7.0 release
2024-11-22 09:02:50 +00:00 · 2023-07-24 17:04:07 +02:00 · 2023-07-24 17:04:07 +02:00 · a4cf152f48
commit a4cf152f48
parent ced6859e9c a8aac055e2
10 changed files with 1819 additions and 3690 deletions
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@ -78,20 +78,18 @@ jobs:
      uses: ./
      with:
        dependency-graph: generate
-    - name: Run assemble
+    - id: gradle-assemble
      run: ./gradlew assemble
      working-directory: .github/workflow-samples/groovy-dsl
-      env:
-        GITHUB_JOB_CORRELATOR: job-correlator
-    - name: Run build
+    - id: gradle-build
      run: ./gradlew build
      working-directory: .github/workflow-samples/groovy-dsl
-      env:
-        GITHUB_JOB_CORRELATOR: job-correlator
    - name: Check generated dependency graphs
      run: |
+        echo "gradle-assemble report file: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}"
+        echo "gradle-build report file: ${{ steps.gradle-build.outputs.dependency-graph-file }}"
        ls -l dependency-graph-reports
-        if ([ ! -e dependency-graph-reports/job-correlator.json ] || [ ! -e dependency-graph-reports/job-correlator-1.json ])
+        if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ])
        then
            echo "Did not find expected dependency graph files"
            exit 1
--- a/README.md
+++ b/README.md
@ -410,7 +410,6 @@ You can use the `gradle-build-action` on GitHub Enterprise Server, and benefit f
 - Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step.

 # GitHub Dependency Graph support
-**EXPERIMENTAL**

 The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).

@ -449,13 +448,59 @@ jobs:
    steps:
    - uses: actions/checkout@v3
    - name: Setup Gradle to generate and submit dependency graphs
-      uses: gradle/gradle-build-action@dependency-graph
+      uses: gradle/gradle-build-action@v2
      with:
        dependency-graph: generate-and-submit
    - name: Run a build, generating the dependency graph snapshot which will be submitted
      run: ./gradlew build
 ```

+### Filtering which Gradle Configurations contribute to the dependency graph
+
+If you do not want to include every dependency configuration in every project in your build, you can limit the
+dependency extraction to a subset of these.
+
+To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
+You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.
+
+To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
+You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.
+
+Example of a simple workflow that limits the dependency graph to `RuntimeClasspath` configuration:
+```yaml
+name: Submit dependency graph
+on:
+  push:
+  
+permissions:
+  contents: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Gradle to generate and submit dependency graphs
+      uses: gradle/gradle-build-action@v2
+      with:
+        dependency-graph: generate-and-submit
+    - name: Run a build, generating the dependency graph from 'RuntimeClasspath' configurations
+      run: ./gradlew build -DDEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS=RuntimeClasspath
+```
+
+### Gradle version compatibility
+
+The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against 
+Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.
+
+The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
+limited to Gradle "8.1.0" and later:
+- With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated.
+- With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled.
+
+To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
+configuration-cache disabled.
+
 ### Dependency snapshots generated for pull requests

 This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes. 
--- a/action.yml
+++ b/action.yml
@ -87,7 +87,9 @@ inputs:

 outputs:
  build-scan-url:
-    description: Link to the Build Scan® if any
+    description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
+  dependency-graph-file:
+    description: Path to the GitHub Dependency Graph snapshot file generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.

 runs:
  using: 'node16'
--- a/dist/main/index.js
+++ b/dist/main/index.js
--- a/dist/main/index.js.map
+++ b/dist/main/index.js.map
--- a/dist/post/index.js
+++ b/dist/post/index.js
--- a/dist/post/index.js.map
+++ b/dist/post/index.js.map
--- a/src/resources/init-scripts/github-dependency-graph-gradle-plugin-apply.groovy
+++ b/src/resources/init-scripts/github-dependency-graph-gradle-plugin-apply.groovy
@ -3,7 +3,7 @@ buildscript {
    maven { url "https://plugins.gradle.org/m2/" }
  }
  dependencies {
-    classpath "org.gradle:github-dependency-graph-gradle-plugin:0.1.0"
+    classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0"
  }
 }
 apply plugin: org.gradle.github.GitHubDependencyGraphPlugin
--- a/src/resources/init-scripts/github-dependency-graph.init.gradle
+++ b/src/resources/init-scripts/github-dependency-graph.init.gradle
@ -15,14 +15,20 @@ if (GradleVersion.current().baseVersion < GradleVersion.version("5.0")) {
 // This is only required for top-level builds
 def isTopLevelBuild = gradle.getParent() == null
 if (isTopLevelBuild) {
-  def jobCorrelator = ensureUniqueJobCorrelator(System.env.GITHUB_JOB_CORRELATOR)
+  def reportFile = getUniqueReportFile(System.env.GITHUB_JOB_CORRELATOR)

-  if (jobCorrelator == null) {
-    println "::warning::No dependency snapshot generated for step: report file for '${jobCorrelator}' created in earlier step. Each build invocation requires a unique job correlator: specify GITHUB_JOB_CORRELATOR var for this step."
+  if (reportFile == null) {
+    println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_JOB_CORRELATOR var for this step."
    return
  }

-  println "Generating dependency graph for '${jobCorrelator}'"
+  def githubOutput = System.getenv("GITHUB_OUTPUT")
+  if (githubOutput) {
+      new File(githubOutput) << "dependency-graph-file=${reportFile.absolutePath}\n"
+  }
+
+
+  println "Generating dependency graph into '${reportFile}'"
 }

 apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
@ -33,10 +39,10 @@ apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
 * - If so, tries to find a unique value that does not yet have a corresponding report file.
 * - When found, this value is set as a System property override.
 */
-String ensureUniqueJobCorrelator(String jobCorrelator) {
+File getUniqueReportFile(String jobCorrelator) {
    def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR
    def reportFile = new File(reportDir, jobCorrelator + ".json")
-    if (!reportFile.exists()) return jobCorrelator
+    if (!reportFile.exists()) return reportFile

    // Try at most 100 suffixes
    for (int i = 1; i < 100; i++) {
@ -44,7 +50,7 @@ String ensureUniqueJobCorrelator(String jobCorrelator) {
        def candidateFile = new File(reportDir, candidateCorrelator + ".json")
        if (!candidateFile.exists()) {
           System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator
-           return candidateCorrelator
+           return candidateFile
        }
    }

--- a/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestDependencyGraph.groovy
+++ b/test/init-scripts/src/test/groovy/com/gradle/gradlebuildaction/TestDependencyGraph.groovy
@ -29,9 +29,10 @@ class TestDependencyGraph extends BaseInitScriptTest {

        then:
        assert reportFile.exists()
+        assert gitHubOutputFile.text == "dependency-graph-file=${reportFile.absolutePath}\n"

        where:
-        testGradleVersion << DEPENDENCY_GRAPH_VERSIONS
+        testGradleVersion << GRADLE_8_X
    }

    // Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle
@ -114,7 +115,8 @@ class TestDependencyGraph extends BaseInitScriptTest {
            GITHUB_REF: "main",
            GITHUB_SHA: "123456",
            GITHUB_WORKSPACE: testProjectDir.absolutePath,
-            DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath
+            DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath,
+            GITHUB_OUTPUT: gitHubOutputFile.absolutePath
        ]
    }

@ -125,4 +127,8 @@ class TestDependencyGraph extends BaseInitScriptTest {
    def getReportFile() {
        return new File(reportsDir, "CORRELATOR.json")
    }
+
+    def getGitHubOutputFile() {
+        return new File(testProjectDir, "GITHUB_OUTPUT")
+    }
 }