GitHub Action
Dependency Eye
Supported project types include:
- Maven
- Gradle
- ...
You can use this tool in GitHub Actions, GitLab CI, or on a local machine.
Add a .dependency.yaml file to the root directory of your project with the following content.
dependency:
  files:
    - pom.xml # If this is a Maven project.
  black-list: # Regular expressions are supported; the priority is groupId > artifactId > version
    - groupId: junit
    - groupId: com.alibaba.*
      artifactId: fastjson
      version:
Then add the following step to your GitHub Actions workflow.
- name: Dependency Eye
  uses: lv-lifeng/eye@latestTag
  # with:
    # log: debug # optional: set the log level. The default value is `info`.
    # config: .dependency.yaml # optional: set the config file. The default value is `.dependency.yaml`.
    # token: # optional: the token that Dependency Eye uses when it needs to comment on the pull request. Set to empty ("") to disable commenting on the pull request. The default value is ${{ github.token }}
    # mode: # optional: which mode dep-eye should run in. The default value is `check`.
For GitLab CI, the dep-eye command first needs to be configured on the GitLab runner.
dep-check-job: # job name.
  tags: [dep_check] # GitLab runner tag.
  rules:
    # trigger condition.
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'main'
  script:
    - dep-eye d check
Download release
Download the binary archive Assets/eye.zip, add a .dependency.yaml file to the root directory of your project or to another directory of your choice (e.g. /User/other/dependency.yaml), and execute the following command in that directory.
%PATH%/eye/bin/linux/dep-eye dependency -c /User/other/dependency.yaml check
Alternatively, add %PATH%/eye/bin/linux to the PATH environment variable and execute the following command from anywhere.
dep-eye dependency -c /User/other/dependency.yaml check
The dependency subcommand can also be written as d or dep.
If the -c parameter is not specified and the current directory does not contain a .dependency.yaml file, dependency-default.yaml will be used.
git clone git@github.com:lv-lifeng/eye.git
cd eye
make build
The commands are the same as for the downloaded release.
dep-eye d check
INFO Loading configuration from file: .dependency.yaml
INFO Config file .dependency.yaml does not exist, using the default config: eye/dependency-default.yaml
INFO Start checking dependencies, please wait!
Black-List | Path
-------------------- | -------------------------------------------------------------------------------------
com.alibaba:fastjson | org.apache.rocketmq:rocketmq-acl:4.9.2 -> org.apache.rocketmq:rocketmq-remoting:4.9.2
ERROR found 1 dependencies hit the blacklist
Black-List: the dependency that is on the blacklist.
Path: the parent dependency of the blacklisted dependency.
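How a black-list entry could be matched against a resolved dependency tree to produce the Black-List | Path rows shown above. This is an added Go example, not dep-eye's own code; the names Rule, Dep and FindHits, whole-value regex anchoring, empty fields matching anything, and the fastjson version are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors one black-list entry; an empty field matches anything (assumption).
type Rule struct{ GroupID, ArtifactID, Version string }

// Dep is one node of a resolved dependency tree.
type Dep struct {
	GroupID, ArtifactID, Version string
	Children                     []*Dep
}

// fieldMatches anchors the regex to the whole value (assumption); a malformed pattern panics instead of never matching.
func fieldMatches(pattern, value string) bool {
	return pattern == "" || regexp.MustCompile("^(?:"+pattern+")$").MatchString(value)
}

// Matches checks groupId first, then artifactId, then version.
func (r Rule) Matches(d *Dep) bool {
	return fieldMatches(r.GroupID, d.GroupID) && fieldMatches(r.ArtifactID, d.ArtifactID) && fieldMatches(r.Version, d.Version)
}

// FindHits walks the tree and returns "hit | parent path" rows like the report above.
func FindHits(d *Dep, rules []Rule, path []string) []string {
	var hits []string
	for _, r := range rules {
		if r.Matches(d) {
			hits = append(hits, d.GroupID+":"+d.ArtifactID+" | "+strings.Join(path, " -> "))
			break
		}
	}
	here := append(append([]string{}, path...), d.GroupID+":"+d.ArtifactID+":"+d.Version)
	for _, c := range d.Children {
		hits = append(hits, FindHits(c, rules, here)...)
	}
	return hits
}

func main() { // constructed sample tree; the fastjson version is a placeholder
	fj := &Dep{"com.alibaba", "fastjson", "0.0.0", nil}
	rem := &Dep{"org.apache.rocketmq", "rocketmq-remoting", "4.9.2", []*Dep{fj}}
	acl := &Dep{"org.apache.rocketmq", "rocketmq-acl", "4.9.2", []*Dep{rem}}
	rules := []Rule{{GroupID: "junit"}, {GroupID: "com.alibaba.*", ArtifactID: "fastjson"}}
	fmt.Println(strings.Join(FindHits(acl, rules, nil), "\n"))
}
```

Under whole-value matching, a junit rule does not cover the org.junit.jupiter group, while com.alibaba.* also covers groups such as com.alibabacloud, because the unescaped dot matches any character.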
Reference from skywalking-eyes