From abc53b47d0e48fa7d7d6abd02dbed1cfcf3827ff Mon Sep 17 00:00:00 2001
From: Jules Kerssemakers
Date: Fri, 22 Sep 2023 00:43:53 +0200
Subject: [PATCH] submit Gradle's dependency info to Github API, for DependaBot alerts etc.
---
 .github/workflows/android.yml | 5 ++++
 .../workflows/submit-dependency-snapshot.yml | 24 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 .github/workflows/submit-dependency-snapshot.yml
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index f45324a..fca28b1 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -26,6 +26,11 @@ jobs:
 - name: Setup Gradle
 uses: gradle/gradle-build-action@v2
+ with:
+ # configure gradle to track dependency info for GitHub Dependency Graph API
+ # Submission is left to other job, due to (rightfully!) missing write permissions if branch is contributed
+ # from "foreign" repo, see submit-dependency-snapshot.yml
+ dependency-graph: generate
 - name: Gradle check
 run: ./gradlew check --no-daemon
diff --git a/.github/workflows/submit-dependency-snapshot.yml b/.github/workflows/submit-dependency-snapshot.yml
new file mode 100644
index 0000000..61f7c20
--- /dev/null
+++ b/.github/workflows/submit-dependency-snapshot.yml
@@ -0,0 +1,24 @@
+# Submits dependency graph info generated by other jobs to GitHub API
+# This requires content-write permission, which is by default disabled if the PR-branch is from a "foreign" repo,
+# https://github.com/gradle/gradle-build-action#enable-dependency-graph-generation-for-a-workflow
+
+name: submit-dependency-snapshot
+
+on:
+ workflow_run:
+ workflows: ['Build and test app']
+ types: [completed]
+
+
+# be explicit about the write permission for the API call.
+permissions:
+ contents: write
+
+jobs:
+ submit-snapshots:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Retrieve dependency graph artifact and submit
+ uses: gradle/gradle-build-action@v2
+ with:
+ dependency-graph: download-and-submit
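Review bot: The new comment above `dependency-graph: generate` says submission is left to another job, but it does not record that the submitting workflow finds this one by its display name (`workflows: ['Build and test app']` in submit-dependency-snapshot.yml). This workflow's `name:` is outside the hunk, so presumably it is 'Build and test app'; a later rename would stop snapshot submission without any failing check. I would add a line such as `# submit-dependency-snapshot.yml triggers on this workflow's name; keep the two in sync`. The steps list continues outside the hunk.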
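Review bot: The `uses: gradle/gradle-build-action@v2` step in `submit-snapshots` is a mutable tag running with `contents: write` under `workflow_run`, which executes with the base repository's token even when the triggering run came from a fork. Pinning it to a full commit SHA (`uses: gradle/gradle-build-action@<full-commit-sha>  # v2`) keeps a moved tag from running with write access. The artifact it downloads was produced by the unprivileged run, so its contents should be treated as untrusted input to the dependency graph. Because `types: [completed]` also fires for failed or cancelled runs, the job should carry `if: github.event.workflow_run.conclusion == 'success'`. Moving the `permissions:` block under the job would stop any job added later from inheriting the write scope.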