
Support for Dependency submission API

Open osiegmar opened this issue 2 years ago • 2 comments

Any plans to add support for Dependency submission API?

I found https://github.com/marketplace/actions/gradle-dependency-submission but I think this functionality should be available directly within gradle-build-action.

See also https://github.com/community/community/discussions/11117.

osiegmar, Oct 02 '22 20:10

Fwiw, Jonathan Leitschuh started https://github.com/gradle/github-dependency-extractor before leaving Gradle, Inc. I'd love it for Gradle to finish it and integrate it into gradle-build-action.

tbroyer, Oct 02 '22 21:10

There are no current plans to support this in gradle-build-action.

My understanding is that https://github.com/gradle/github-dependency-extractor has significant issues and performance overhead, and will require quite some work to finish.

I wasn't aware of https://github.com/mikepenz/gradle-dependency-submission but its reliance on the dependencies task implies that it will only capture a subset of the actual project dependencies (build-time dependencies will not be captured). This is possibly better than nothing, but I know that Jonathan wanted his implementation to capture all development and runtime project dependencies.

bigdaz, Oct 04 '22 04:10

+1 on supporting the new dependency API or something that gives users Dependabot security alerts for Gradle on GitHub.

Personally, I'm only interested in capturing non-test runtime dependencies, as these are what get deployed to production. However, that could just be me.

At the moment, @mikepenz's solution, great though it is, is brittle due to relying on the output of the dependencies task and it also requires users manually listing sub modules. I wonder if there is a way Gradle can be extended to allow a community solution, e.g. @mikepenz's action, to get sub module and dependency information in a supported stable format?

Unfortunately, making use of the Gradle Tooling API isn't an option as GitHub actions can't be written in Java (well, strictly they can via a Docker container, but that's slow and only supported on a subset of runners).

big-andy-coates, Feb 08 '23 09:02

Closing as not directly related to gradle-build-action. However, the Gradle Build Tool team is working on plans to support the GitHub Dependency Submission API: expect to see something on the Gradle Build Tool roadmap soon.

bigdaz, Feb 18 '23 21:02