Skip to content

Commit

Permalink
Merge pull request #817 from gradle/dd/270
Browse files Browse the repository at this point in the history
Prepare for 2.7.0 release
  • Loading branch information
bigdaz authored Jul 24, 2023
2 parents ced6859 + a8aac05 commit a4cf152
Show file tree
Hide file tree
Showing 10 changed files with 1,771 additions and 3,642 deletions.
16 changes: 7 additions & 9 deletions .github/workflows/integ-test-dependency-graph.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,21 +78,19 @@ jobs:
uses: ./
with:
dependency-graph: generate
- name: Run assemble
- id: gradle-assemble
run: ./gradlew assemble
working-directory: .github/workflow-samples/groovy-dsl
env:
GITHUB_JOB_CORRELATOR: job-correlator
- name: Run build
- id: gradle-build
run: ./gradlew build
working-directory: .github/workflow-samples/groovy-dsl
env:
GITHUB_JOB_CORRELATOR: job-correlator
working-directory: .github/workflow-samples/groovy-dsl
- name: Check generated dependency graphs
run: |
echo "gradle-assemble report file: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}"
echo "gradle-build report file: ${{ steps.gradle-build.outputs.dependency-graph-file }}"
ls -l dependency-graph-reports
if ([ ! -e dependency-graph-reports/job-correlator.json ] || [ ! -e dependency-graph-reports/job-correlator-1.json ])
if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ])
then
echo "Did not find expected dependency graph files"
exit 1
fi
fi
49 changes: 47 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -410,7 +410,6 @@ You can use the `gradle-build-action` on GitHub Enterprise Server, and benefit f
- Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step.

# GitHub Dependency Graph support
**EXPERIMENTAL**

The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28).

Expand Down Expand Up @@ -449,13 +448,59 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Setup Gradle to generate and submit dependency graphs
uses: gradle/gradle-build-action@dependency-graph
uses: gradle/gradle-build-action@v2
with:
dependency-graph: generate-and-submit
- name: Run a build, generating the dependency graph snapshot which will be submitted
run: ./gradlew build
```

### Filtering which Gradle Configurations contribute to the dependency graph

If you do not want to include every dependency configuration in every project in your build, you can limit the
dependency extraction to a subset of these.

To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.

To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.

Example of a simple workflow that limits the dependency graph to `RuntimeClasspath` configuration:
```yaml
name: Submit dependency graph
on:
push:
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Gradle to generate and submit dependency graphs
uses: gradle/gradle-build-action@v2
with:
dependency-graph: generate-and-submit
- name: Run a build, generating the dependency graph from 'RuntimeClasspath' configurations
run: ./gradlew build -DDEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS=RuntimeClasspath
```

### Gradle version compatibility

The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against
Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release.

The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is
limited to Gradle "8.1.0" and later:
- With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated.
- With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled.

To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the
configuration-cache disabled.

### Dependency snapshots generated for pull requests

This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes.
Expand Down
4 changes: 3 additions & 1 deletion action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,9 @@ inputs:

outputs:
build-scan-url:
description: Link to the Build Scan® if any
description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.
dependency-graph-file:
description: Path to the GitHub Dependency Graph snapshot file generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself.

runs:
using: 'node16'
Expand Down
Loading

0 comments on commit a4cf152

Please sign in to comment.