mirror of
https://github.com/gradle/gradle-build-action.git
synced 2024-11-22 09:02:50 +00:00
commit
a4cf152f48
10 changed files with 1819 additions and 3690 deletions
|
@ -78,20 +78,18 @@ jobs:
|
|||
uses: ./
|
||||
with:
|
||||
dependency-graph: generate
|
||||
- name: Run assemble
|
||||
- id: gradle-assemble
|
||||
run: ./gradlew assemble
|
||||
working-directory: .github/workflow-samples/groovy-dsl
|
||||
env:
|
||||
GITHUB_JOB_CORRELATOR: job-correlator
|
||||
- name: Run build
|
||||
- id: gradle-build
|
||||
run: ./gradlew build
|
||||
working-directory: .github/workflow-samples/groovy-dsl
|
||||
env:
|
||||
GITHUB_JOB_CORRELATOR: job-correlator
|
||||
- name: Check generated dependency graphs
|
||||
run: |
|
||||
echo "gradle-assemble report file: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}"
|
||||
echo "gradle-build report file: ${{ steps.gradle-build.outputs.dependency-graph-file }}"
|
||||
ls -l dependency-graph-reports
|
||||
if ([ ! -e dependency-graph-reports/job-correlator.json ] || [ ! -e dependency-graph-reports/job-correlator-1.json ])
|
||||
if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ])
|
||||
then
|
||||
echo "Did not find expected dependency graph files"
|
||||
exit 1
|
||||
|
|
49
README.md
49
README.md
|
@ -410,7 +410,6 @@ You can use the `gradle-build-action` on GitHub Enterprise Server, and benefit f
|
|||
- Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step.
|
||||
|
||||
# GitHub Dependency Graph support
|
||||
**EXPERIMENTAL**
|
||||
|
||||
The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).
|
||||
|
||||
|
@ -449,13 +448,59 @@ jobs:
|
|||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Setup Gradle to generate and submit dependency graphs
|
||||
uses: gradle/gradle-build-action@dependency-graph
|
||||
uses: gradle/gradle-build-action@v2
|
||||
with:
|
||||
dependency-graph: generate-and-submit
|
||||
- name: Run a build, generating the dependency graph snapshot which will be submitted
|
||||
run: ./gradlew build
|
||||
```
|
||||
|
||||
### Filtering which Gradle Configurations contribute to the dependency graph
|
||||
|
||||
If you do not want to include every dependency configuration in every project in your build, you can limit the
|
||||
dependency extraction to a subset of these.
|
||||
|
||||
To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
|
||||
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.
|
||||
|
||||
To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
|
||||
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.
|
||||
|
||||
Example of a simple workflow that limits the dependency graph to `RuntimeClasspath` configuration:
|
||||
```yaml
|
||||
name: Submit dependency graph
|
||||
on:
|
||||
push:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Setup Gradle to generate and submit dependency graphs
|
||||
uses: gradle/gradle-build-action@v2
|
||||
with:
|
||||
dependency-graph: generate-and-submit
|
||||
- name: Run a build, generating the dependency graph from 'RuntimeClasspath' configurations
|
||||
run: ./gradlew build -DDEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS=RuntimeClasspath
|
||||
```
|
||||
|
||||
### Gradle version compatibility
|
||||
|
||||
The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against
|
||||
Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.
|
||||
|
||||
The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
|
||||
limited to Gradle "8.1.0" and later:
|
||||
- With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated.
|
||||
- With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled.
|
||||
|
||||
To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
|
||||
configuration-cache disabled.
|
||||
|
||||
### Dependency snapshots generated for pull requests
|
||||
|
||||
This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes.
|
||||
|
|
|
@ -87,7 +87,9 @@ inputs:
|
|||
|
||||
outputs:
|
||||
build-scan-url:
|
||||
description: Link to the Build Scan® if any
|
||||
description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
|
||||
dependency-graph-file:
|
||||
description: Path to the GitHub Dependency Graph snapshot file generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
|
||||
|
||||
runs:
|
||||
using: 'node16'
|
||||
|
|
2624
dist/main/index.js
vendored
2624
dist/main/index.js
vendored
File diff suppressed because it is too large
Load diff
2
dist/main/index.js.map
vendored
2
dist/main/index.js.map
vendored
File diff suppressed because one or more lines are too long
2624
dist/post/index.js
vendored
2624
dist/post/index.js
vendored
File diff suppressed because it is too large
Load diff
2
dist/post/index.js.map
vendored
2
dist/post/index.js.map
vendored
File diff suppressed because one or more lines are too long
|
@ -3,7 +3,7 @@ buildscript {
|
|||
maven { url "https://plugins.gradle.org/m2/" }
|
||||
}
|
||||
dependencies {
|
||||
classpath "org.gradle:github-dependency-graph-gradle-plugin:0.1.0"
|
||||
classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0"
|
||||
}
|
||||
}
|
||||
apply plugin: org.gradle.github.GitHubDependencyGraphPlugin
|
||||
|
|
|
@ -15,14 +15,20 @@ if (GradleVersion.current().baseVersion < GradleVersion.version("5.0")) {
|
|||
// This is only required for top-level builds
|
||||
def isTopLevelBuild = gradle.getParent() == null
|
||||
if (isTopLevelBuild) {
|
||||
def jobCorrelator = ensureUniqueJobCorrelator(System.env.GITHUB_JOB_CORRELATOR)
|
||||
def reportFile = getUniqueReportFile(System.env.GITHUB_JOB_CORRELATOR)
|
||||
|
||||
if (jobCorrelator == null) {
|
||||
println "::warning::No dependency snapshot generated for step: report file for '${jobCorrelator}' created in earlier step. Each build invocation requires a unique job correlator: specify GITHUB_JOB_CORRELATOR var for this step."
|
||||
if (reportFile == null) {
|
||||
println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_JOB_CORRELATOR var for this step."
|
||||
return
|
||||
}
|
||||
|
||||
println "Generating dependency graph for '${jobCorrelator}'"
|
||||
def githubOutput = System.getenv("GITHUB_OUTPUT")
|
||||
if (githubOutput) {
|
||||
new File(githubOutput) << "dependency-graph-file=${reportFile.absolutePath}\n"
|
||||
}
|
||||
|
||||
|
||||
println "Generating dependency graph into '${reportFile}'"
|
||||
}
|
||||
|
||||
apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
|
||||
|
@ -33,10 +39,10 @@ apply from: 'github-dependency-graph-gradle-plugin-apply.groovy'
|
|||
* - If so, tries to find a unique value that does not yet have a corresponding report file.
|
||||
* - When found, this value is set as a System property override.
|
||||
*/
|
||||
String ensureUniqueJobCorrelator(String jobCorrelator) {
|
||||
File getUniqueReportFile(String jobCorrelator) {
|
||||
def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR
|
||||
def reportFile = new File(reportDir, jobCorrelator + ".json")
|
||||
if (!reportFile.exists()) return jobCorrelator
|
||||
if (!reportFile.exists()) return reportFile
|
||||
|
||||
// Try at most 100 suffixes
|
||||
for (int i = 1; i < 100; i++) {
|
||||
|
@ -44,7 +50,7 @@ String ensureUniqueJobCorrelator(String jobCorrelator) {
|
|||
def candidateFile = new File(reportDir, candidateCorrelator + ".json")
|
||||
if (!candidateFile.exists()) {
|
||||
System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator
|
||||
return candidateCorrelator
|
||||
return candidateFile
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -29,9 +29,10 @@ class TestDependencyGraph extends BaseInitScriptTest {
|
|||
|
||||
then:
|
||||
assert reportFile.exists()
|
||||
assert gitHubOutputFile.text == "dependency-graph-file=${reportFile.absolutePath}\n"
|
||||
|
||||
where:
|
||||
testGradleVersion << DEPENDENCY_GRAPH_VERSIONS
|
||||
testGradleVersion << GRADLE_8_X
|
||||
}
|
||||
|
||||
// Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle
|
||||
|
@ -114,7 +115,8 @@ class TestDependencyGraph extends BaseInitScriptTest {
|
|||
GITHUB_REF: "main",
|
||||
GITHUB_SHA: "123456",
|
||||
GITHUB_WORKSPACE: testProjectDir.absolutePath,
|
||||
DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath
|
||||
DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath,
|
||||
GITHUB_OUTPUT: gitHubOutputFile.absolutePath
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -125,4 +127,8 @@ class TestDependencyGraph extends BaseInitScriptTest {
|
|||
def getReportFile() {
|
||||
return new File(reportsDir, "CORRELATOR.json")
|
||||
}
|
||||
|
||||
def getGitHubOutputFile() {
|
||||
return new File(testProjectDir, "GITHUB_OUTPUT")
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue