Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add separate dependency-submission workflow for GitHub actions #3668

Merged
merged 1 commit into from
Apr 16, 2024

Conversation

bigdaz
Copy link
Contributor

@bigdaz bigdaz commented Jan 30, 2024

With the introduction of gradle/actions/dependency-submission, it is now simpler (and recommended) to use a separate workflow for generation and submission of GitHub Dependency Graph.

This workflow attempts to detect and submit all dependencies that would be resolved during build execution, without requiring the execution of any particular task. In basic testing it appears that the generated dependency graph contains the same dependencies as before.

A few things to note:
The new workflow will submit a dependency graph with a different "correlator" to the previous one. This means that duplicate dependencies (and alerts) may appear until the older graph ages out and is automatically purged. (Period of days).

Manually dismissed Dependabot Alerts may need to be re-dismissed after switching to the new workflow.


I hereby agree to the terms of the JUnit Contributor License Agreement.


Definition of Done

With the introduction of `gradle/actions/dependency-submission`, it is now
simpler (and recommended) to use a separate workflow for generation and
submission of GitHub Dependency Graph.

This workflow attempts to detect and submit all dependencies that would
be resolved during build execution, without requiring the execution of any
particular task. In basic testing it appears that the generated dependency
graph contains the same dependencies as before.

A few things to note:
The new workflow will submit a dependency graph with a different "correlator" to
the previous one. This means that duplicate dependencies (and alerts) may appear
until the older graph ages out and is automatically purged. (Period of hours to days).

Manually dismissed Dependabot Alerts may need to be re-dismissed after
switching to the new workflow.
@sormuras sormuras requested a review from marcphilipp January 31, 2024 09:52
@sbrannen sbrannen changed the title Add separate dependency-submission workflow Add separate dependency-submission workflow for GitHub actions Jan 31, 2024
@bigdaz bigdaz closed this Apr 7, 2024
@marcphilipp
Copy link
Member

@bigdaz Why did you close the PR?

@marcphilipp marcphilipp reopened this Apr 8, 2024
@bigdaz
Copy link
Contributor Author

bigdaz commented Apr 8, 2024

@bigdaz Why did you close the PR?

I was just cleaning up open PRs of mine that hadn't got any traction. It's still valid as far as I know.

@marcphilipp marcphilipp merged commit 062214f into junit-team:main Apr 16, 2024
25 checks passed
@marcphilipp
Copy link
Member

Thanks, Daz! Sorry it took so long to get this merged!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants