submit Gradle's dependency info to Github API, for DependaBot alerts …

…etc.
nicolasbrailo · Sep 21, 2023 · a602e2c · a602e2c
1 parent 0eea8dc
commit a602e2c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -26,6 +26,11 @@ jobs:
 
     - name: Setup Gradle
       uses: gradle/gradle-build-action@v2
+      with:
+        # configure gradle to track dependency info for GitHub Dependency Graph API
+        # Submission is left to other job, due to (rightfully!) missing write permissions if branch is contributed
+        # from "foreign" repo, see submit-dependency-snapshot.yml
+        dependency-graph: generate
 
     - name: Gradle check
       run: ./gradlew check --no-daemon

diff --git a/.github/workflows/submit-dependency-snapshot.yml b/.github/workflows/submit-dependency-snapshot.yml
@@ -0,0 +1,24 @@
+# Submits dependency graph info generated by other jobs to GitHub API
+# This requires content-write permission, which is by default disabled if the PR-branch is from a "foreign" repo,
+# https://github.com/gradle/gradle-build-action#enable-dependency-graph-generation-for-a-workflow
+
+name: submit-dependency-snapshot
+
+on:
+  workflow_run:
+    workflows: ['build-and-check']
+    types: [completed]
+
+
+# be explicit about the write permission for the API call.
+permissions:
+  contents: write
+
+jobs:
+  submit-snapshots:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Retrieve dependency graph artifact and submit
+        uses: gradle/gradle-build-action@v2
+        with:
+          dependency-graph: download-and-submit