Merge pull request #817 from gradle/dd/270
	
		
			
	
		
	
	
		
	
		
			Prepare for 2.7.0 release
						commit
						a4cf152f48
					
				| @ -78,20 +78,18 @@ jobs: | |||||||
|       uses: ./ |       uses: ./ | ||||||
|       with: |       with: | ||||||
|         dependency-graph: generate |         dependency-graph: generate | ||||||
|     - name: Run assemble |     - id: gradle-assemble | ||||||
|       run: ./gradlew assemble |       run: ./gradlew assemble | ||||||
|       working-directory: .github/workflow-samples/groovy-dsl |       working-directory: .github/workflow-samples/groovy-dsl | ||||||
|       env: |     - id: gradle-build | ||||||
|         GITHUB_JOB_CORRELATOR: job-correlator |  | ||||||
|     - name: Run build |  | ||||||
|       run: ./gradlew build |       run: ./gradlew build | ||||||
|       working-directory: .github/workflow-samples/groovy-dsl |       working-directory: .github/workflow-samples/groovy-dsl | ||||||
|       env: |  | ||||||
|         GITHUB_JOB_CORRELATOR: job-correlator |  | ||||||
|     - name: Check generated dependency graphs |     - name: Check generated dependency graphs | ||||||
|       run: | |       run: | | ||||||
|  |         echo "gradle-assemble report file: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}" | ||||||
|  |         echo "gradle-build report file: ${{ steps.gradle-build.outputs.dependency-graph-file }}" | ||||||
|         ls -l dependency-graph-reports |         ls -l dependency-graph-reports | ||||||
|         if ([ ! -e dependency-graph-reports/job-correlator.json ] || [ ! -e dependency-graph-reports/job-correlator-1.json ]) |         if ([ ! -e ${{ steps.gradle-assemble.outputs.dependency-graph-file }} ] || [ ! -e ${{ steps.gradle-build.outputs.dependency-graph-file }} ]) | ||||||
|         then |         then | ||||||
|             echo "Did not find expected dependency graph files" |             echo "Did not find expected dependency graph files" | ||||||
|             exit 1 |             exit 1 | ||||||
|  | |||||||
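Review bot: The rewritten `if` on the new side splices both `dependency-graph-file` outputs unquoted into the shell script, so an unset output turns each test into `[ ! -e ]`, which evaluates false and lets the step pass without checking any file. A path containing spaces would also break the test, and expanding `${{ … }}` inside `run:` means the value is parsed as shell text rather than data. Passing the outputs through `env:` and quoting the variables fixes all three; the same applies to the two added `echo` lines. The step's closing `fi` is outside the visible hunk.

```yaml
    - name: Check generated dependency graphs
      env:
        ASSEMBLE_REPORT: ${{ steps.gradle-assemble.outputs.dependency-graph-file }}
        BUILD_REPORT: ${{ steps.gradle-build.outputs.dependency-graph-file }}
      run: |
        # … unchanged: echo of both report paths, ls -l dependency-graph-reports …
        if [ ! -e "$ASSEMBLE_REPORT" ] || [ ! -e "$BUILD_REPORT" ]
        # … unchanged: then / echo / exit 1 …
```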
							
								
								
									
										49
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
							| @ -410,7 +410,6 @@ You can use the `gradle-build-action` on GitHub Enterprise Server, and benefit f | |||||||
| - Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step. | - Support for GitHub Actions Job Summary (requires GHES 3.6+ : GitHub Actions Job Summary support was introduced in GHES 3.6). In earlier versions of GHES the build-results summary and caching report will be written to the workflow log, as part of the post-action step. | ||||||
| 
 | 
 | ||||||
| # GitHub Dependency Graph support | # GitHub Dependency Graph support | ||||||
| **EXPERIMENTAL** |  | ||||||
| 
 | 
 | ||||||
| The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28). | The `gradle-build-action` has experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28). | ||||||
| 
 | 
 | ||||||
| @ -449,13 +448,59 @@ jobs: | |||||||
|     steps: |     steps: | ||||||
|     - uses: actions/checkout@v3 |     - uses: actions/checkout@v3 | ||||||
|     - name: Setup Gradle to generate and submit dependency graphs |     - name: Setup Gradle to generate and submit dependency graphs | ||||||
|       uses: gradle/gradle-build-action@dependency-graph |       uses: gradle/gradle-build-action@v2 | ||||||
|       with: |       with: | ||||||
|         dependency-graph: generate-and-submit |         dependency-graph: generate-and-submit | ||||||
|     - name: Run a build, generating the dependency graph snapshot which will be submitted |     - name: Run a build, generating the dependency graph snapshot which will be submitted | ||||||
|       run: ./gradlew build |       run: ./gradlew build | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | ### Filtering which Gradle Configurations contribute to the dependency graph | ||||||
|  | 
 | ||||||
|  | If you do not want to include every dependency configuration in every project in your build, you can limit the | ||||||
|  | dependency extraction to a subset of these. | ||||||
|  | 
 | ||||||
|  | To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression. | ||||||
|  | You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property. | ||||||
|  | 
 | ||||||
|  | To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression. | ||||||
|  | You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property. | ||||||
|  | 
 | ||||||
|  | Example of a simple workflow that limits the dependency graph to `RuntimeClasspath` configuration: | ||||||
|  | ```yaml | ||||||
|  | name: Submit dependency graph | ||||||
|  | on: | ||||||
|  |   push: | ||||||
|  |    | ||||||
|  | permissions: | ||||||
|  |   contents: write | ||||||
|  | 
 | ||||||
|  | jobs: | ||||||
|  |   build: | ||||||
|  |     runs-on: ubuntu-latest | ||||||
|  |     steps: | ||||||
|  |     - uses: actions/checkout@v3 | ||||||
|  |     - name: Setup Gradle to generate and submit dependency graphs | ||||||
|  |       uses: gradle/gradle-build-action@v2 | ||||||
|  |       with: | ||||||
|  |         dependency-graph: generate-and-submit | ||||||
|  |     - name: Run a build, generating the dependency graph from 'RuntimeClasspath' configurations | ||||||
|  |       run: ./gradlew build -DDEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS=RuntimeClasspath | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | ### Gradle version compatibility | ||||||
|  | 
 | ||||||
|  | The plugin should be compatible with all versions of Gradle >= 5.0, and has been tested against  | ||||||
|  | Gradle versions "5.6.4", "6.9.4", "7.0.2", "7.6.2", "8.0.2" and the current Gradle release. | ||||||
|  | 
 | ||||||
|  | The plugin is compatible with running Gradle with the configuration-cache enabled. However, this support is | ||||||
|  | limited to Gradle "8.1.0" and later: | ||||||
|  | - With Gradle "8.0", the build should run successfully, but an empty dependency graph will be generated. | ||||||
|  | - With Gradle <= "7.6.4", the plugin will cause the build to fail with configuration-cache enabled. | ||||||
|  | 
 | ||||||
|  | To use this plugin with versions of Gradle older than "8.1.0", you'll need to invoke Gradle with the | ||||||
|  | configuration-cache disabled. | ||||||
|  | 
 | ||||||
| ### Dependency snapshots generated for pull requests | ### Dependency snapshots generated for pull requests | ||||||
| 
 | 
 | ||||||
| This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes.  | This `contents: write` permission is not available for any workflow that is triggered by a pull request submitted from a forked repository, since it would permit a malicious pull request to make repository changes.  | ||||||
|  | |||||||
| @ -87,7 +87,9 @@ inputs: | |||||||
| 
 | 
 | ||||||
| outputs: | outputs: | ||||||
|   build-scan-url: |   build-scan-url: | ||||||
|     description: Link to the Build Scan® if any |     description: Link to the Build Scan® generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself. | ||||||
|  |   dependency-graph-file: | ||||||
|  |     description: Path to the GitHub Dependency Graph snapshot file generated by a Gradle build. Note that this output applies to a Step executing Gradle, not to the `gradle-build-action` Step itself. | ||||||
| 
 | 
 | ||||||
| runs: | runs: | ||||||
|   using: 'node16' |   using: 'node16' | ||||||
|  | |||||||
							
								
								
									
										2624
									
								
								dist/main/index.js
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										2
									
								
								dist/main/index.js.map
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							
										
											
												File diff suppressed because one or more lines are too long
											
										
									
								
							
							
								
								
									
										2624
									
								
								dist/post/index.js
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										2
									
								
								dist/post/index.js.map
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							
										
											
												File diff suppressed because one or more lines are too long
											
										
									
								
							| @ -3,7 +3,7 @@ buildscript { | |||||||
|     maven { url "https://plugins.gradle.org/m2/" } |     maven { url "https://plugins.gradle.org/m2/" } | ||||||
|   } |   } | ||||||
|   dependencies { |   dependencies { | ||||||
|     classpath "org.gradle:github-dependency-graph-gradle-plugin:0.1.0" |     classpath "org.gradle:github-dependency-graph-gradle-plugin:0.2.0" | ||||||
|   } |   } | ||||||
| } | } | ||||||
| apply plugin: org.gradle.github.GitHubDependencyGraphPlugin | apply plugin: org.gradle.github.GitHubDependencyGraphPlugin | ||||||
|  | |||||||
| @ -15,14 +15,20 @@ if (GradleVersion.current().baseVersion < GradleVersion.version("5.0")) { | |||||||
| // This is only required for top-level builds | // This is only required for top-level builds | ||||||
| def isTopLevelBuild = gradle.getParent() == null | def isTopLevelBuild = gradle.getParent() == null | ||||||
| if (isTopLevelBuild) { | if (isTopLevelBuild) { | ||||||
|   def jobCorrelator = ensureUniqueJobCorrelator(System.env.GITHUB_JOB_CORRELATOR) |   def reportFile = getUniqueReportFile(System.env.GITHUB_JOB_CORRELATOR) | ||||||
| 
 | 
 | ||||||
|   if (jobCorrelator == null) { |   if (reportFile == null) { | ||||||
|     println "::warning::No dependency snapshot generated for step: report file for '${jobCorrelator}' created in earlier step. Each build invocation requires a unique job correlator: specify GITHUB_JOB_CORRELATOR var for this step." |     println "::warning::No dependency snapshot generated for step. Could not determine unique job correlator - specify GITHUB_JOB_CORRELATOR var for this step." | ||||||
|     return |     return | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   println "Generating dependency graph for '${jobCorrelator}'" |   def githubOutput = System.getenv("GITHUB_OUTPUT") | ||||||
|  |   if (githubOutput) { | ||||||
|  |       new File(githubOutput) << "dependency-graph-file=${reportFile.absolutePath}\n" | ||||||
|  |   } | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  |   println "Generating dependency graph into '${reportFile}'" | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| apply from: 'github-dependency-graph-gradle-plugin-apply.groovy' | apply from: 'github-dependency-graph-gradle-plugin-apply.groovy' | ||||||
| @ -33,10 +39,10 @@ apply from: 'github-dependency-graph-gradle-plugin-apply.groovy' | |||||||
|  * - If so, tries to find a unique value that does not yet have a corresponding report file. |  * - If so, tries to find a unique value that does not yet have a corresponding report file. | ||||||
|  * - When found, this value is set as a System property override. |  * - When found, this value is set as a System property override. | ||||||
|  */ |  */ | ||||||
| String ensureUniqueJobCorrelator(String jobCorrelator) { | File getUniqueReportFile(String jobCorrelator) { | ||||||
|     def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR |     def reportDir = System.env.DEPENDENCY_GRAPH_REPORT_DIR | ||||||
|     def reportFile = new File(reportDir, jobCorrelator + ".json") |     def reportFile = new File(reportDir, jobCorrelator + ".json") | ||||||
|     if (!reportFile.exists()) return jobCorrelator |     if (!reportFile.exists()) return reportFile | ||||||
| 
 | 
 | ||||||
|     // Try at most 100 suffixes |     // Try at most 100 suffixes | ||||||
|     for (int i = 1; i < 100; i++) { |     for (int i = 1; i < 100; i++) { | ||||||
| @ -44,7 +50,7 @@ String ensureUniqueJobCorrelator(String jobCorrelator) { | |||||||
|         def candidateFile = new File(reportDir, candidateCorrelator + ".json") |         def candidateFile = new File(reportDir, candidateCorrelator + ".json") | ||||||
|         if (!candidateFile.exists()) { |         if (!candidateFile.exists()) { | ||||||
|            System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator |            System.properties['GITHUB_JOB_CORRELATOR'] = candidateCorrelator | ||||||
|            return candidateCorrelator |            return candidateFile | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|  | |||||||
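Review bot: The new `GITHUB_OUTPUT` write appends `reportFile.absolutePath` as a single-line `name=value` record without checking it, and that path is built from `DEPENDENCY_GRAPH_REPORT_DIR` and `GITHUB_JOB_CORRELATOR`, both read from the environment. A line break in either value would end the record early and the remainder would be parsed as a further step output; a correlator containing path separators would also place the reported file outside the report directory. Because the workflow check in this commit consumes the output inside a shell script, I would refuse to publish such a path, e.g. `if (githubOutput && !(reportFile.absolutePath =~ /[\r\n]/)) {`, with a comment like `// Single-line GITHUB_OUTPUT record: value must not contain line breaks`. The doc comment above `getUniqueReportFile` still speaks only of finding a unique correlator value and should mention that the report `File` is now returned; that function's body continues outside the hunks shown.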
| @ -29,9 +29,10 @@ class TestDependencyGraph extends BaseInitScriptTest { | |||||||
| 
 | 
 | ||||||
|         then: |         then: | ||||||
|         assert reportFile.exists() |         assert reportFile.exists() | ||||||
|  |         assert gitHubOutputFile.text == "dependency-graph-file=${reportFile.absolutePath}\n" | ||||||
| 
 | 
 | ||||||
|         where: |         where: | ||||||
|         testGradleVersion << DEPENDENCY_GRAPH_VERSIONS |         testGradleVersion << GRADLE_8_X | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     // Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle |     // Dependency-graph plugin doesn't support config-cache for 8.0 of Gradle | ||||||
| @ -114,7 +115,8 @@ class TestDependencyGraph extends BaseInitScriptTest { | |||||||
|             GITHUB_REF: "main", |             GITHUB_REF: "main", | ||||||
|             GITHUB_SHA: "123456", |             GITHUB_SHA: "123456", | ||||||
|             GITHUB_WORKSPACE: testProjectDir.absolutePath, |             GITHUB_WORKSPACE: testProjectDir.absolutePath, | ||||||
|             DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath |             DEPENDENCY_GRAPH_REPORT_DIR: reportsDir.absolutePath, | ||||||
|  |             GITHUB_OUTPUT: gitHubOutputFile.absolutePath | ||||||
|         ] |         ] | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
| @ -125,4 +127,8 @@ class TestDependencyGraph extends BaseInitScriptTest { | |||||||
|     def getReportFile() { |     def getReportFile() { | ||||||
|         return new File(reportsDir, "CORRELATOR.json") |         return new File(reportsDir, "CORRELATOR.json") | ||||||
|     } |     } | ||||||
|  | 
 | ||||||
|  |     def getGitHubOutputFile() { | ||||||
|  |         return new File(testProjectDir, "GITHUB_OUTPUT") | ||||||
|  |     } | ||||||
| } | } | ||||||
|  | |||||||
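Review bot: The `where:` clause now iterates `GRADLE_8_X` instead of `DEPENDENCY_GRAPH_VERSIONS`, so this feature method, including the new `GITHUB_OUTPUT` assertion, no longer runs on the older Gradle versions the plugin claims to support. If the narrowing is not intentional, restore `testGradleVersion << DEPENDENCY_GRAPH_VERSIONS`; if it is, add a comment saying why. The assertion also compares the whole file text while the init script appends to that file, so it presumably relies on `testProjectDir` being fresh for each iteration, which deserves a comment such as `// GITHUB_OUTPUT is appended to; the file must start empty for each iteration`. The feature method begins outside the hunk.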