From 682cf4bfe6ffe00d11e2fc24abcfd5ed70bcc22e Mon Sep 17 00:00:00 2001 From: Aosen Xiong Date: Wed, 7 Aug 2024 11:04:42 -0400 Subject: [PATCH 1/4] Disables the dependency submission job when in a fork --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f46712b2646..cc6d2515ff1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,6 +159,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + if: github.event.pull_request.head.repo.fork == false steps: - uses: actions/checkout@v4 - name: Set up JDK 21 From 99c560366e89a0aff37209b623b1c729bb5d032c Mon Sep 17 00:00:00 2001 From: Aosen Xiong Date: Wed, 7 Aug 2024 11:07:56 -0400 Subject: [PATCH 2/4] Comment the reason for disable the check --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc6d2515ff1..30d7252a6c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -159,6 +159,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + # Only run on the main repository because forks do not have write access to the main repository. if: github.event.pull_request.head.repo.fork == false steps: - uses: actions/checkout@v4 From 832afc32d94fd74f436a5820e2c86e1164e75e2c Mon Sep 17 00:00:00 2001 
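Review bot: The gate `if: github.event.pull_request.head.repo.fork == false` on the `dependency-submission` job is right for pull requests from forks, but for any other event that reaches this job `github.event.pull_request` is absent, so the left side is null, which GitHub's documented expression coercion compares equal to `false` and the job runs anyway; that is presumably intended (the fork token lacks write access, the default-branch token has it), but it depends on a coercion rule most readers will not know, so state it next to the line, e.g. `# Skip PRs from forks; on non-PR events pull_request is null, which compares equal to false, so the job still runs.` The job's `steps:` and the workflow's `on:` triggers are outside this hunk, so which non-PR events actually reach it cannot be confirmed here.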
From: Aosen Xiong Date: Wed, 7 Aug 2024 12:37:33 -0400 Subject: [PATCH 3/4] Use three stage dependency generate, submission and review Github action --- .github/workflows/ci.yml | 20 ---------------- .../dependency-download-and-submit.yml | 19 +++++++++++++++ .../dependency-generate-and-upload.yml | 23 +++++++++++++++++++ .github/workflows/dependency-review.yml | 17 ++++++++++++++ 4 files changed, 59 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/dependency-download-and-submit.yml create mode 100644 .github/workflows/dependency-generate-and-upload.yml create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30d7252a6c3..d80cf54d35d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -154,23 +154,3 @@ jobs: - name: Run test script checker/bin-devel/test-${{ matrix.script }} shell: bash run: ./checker/bin-devel/test-${{ matrix.script }}.sh - - dependency-submission: - runs-on: ubuntu-latest - permissions: - contents: write - # Only run on the main repository because forks do not have write access to the main repository. - if: github.event.pull_request.head.repo.fork == false - steps: - - uses: actions/checkout@v4 - - name: Set up JDK 21 - uses: actions/setup-java@v4 - with: - java-version: '21' - distribution: 'temurin' - - # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. - # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@v3.5.0 - diff --git a/.github/workflows/dependency-download-and-submit.yml b/.github/workflows/dependency-download-and-submit.yml new file mode 100644 index 00000000000..6298fcd8419 --- /dev/null +++ b/.github/workflows/dependency-download-and-submit.yml 
@@ -0,0 +1,19 @@
+name: Download and submit dependency graph
+
+on:
+ workflow_run:
+ workflows: ['Generate and save dependency graph']
+ types: [completed]
+
+permissions:
+ actions: read
+ contents: write
+
+jobs:
+ submit-dependency-graph:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download and submit dependency graph
+ uses: gradle/actions/dependency-submission@v4
+ with:
+ dependency-graph: download-and-submit # Download saved dependency-graph and submit
diff --git a/.github/workflows/dependency-generate-and-upload.yml b/.github/workflows/dependency-generate-and-upload.yml
new file mode 100644
index 00000000000..65004ec91e7
--- /dev/null
+++ b/.github/workflows/dependency-generate-and-upload.yml
@@ -0,0 +1,23 @@
+name: Generate and save dependency graph
+
+on:
+ pull_request:
+
+permissions:
+ contents: read # 'write' permission is not available
+
+jobs:
+ dependency-submission:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 21
+ uses: actions/setup-java@v4
+ with:
+ java-version: '21'
+ distribution: 'temurin'
+
+ - name: Generate and save dependency graph
+ uses: gradle/actions/dependency-submission@v4
+ with:
+ dependency-graph: generate-and-upload
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000000..3d1bd6b5f17
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,17 @@
+name: dependency-review
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ retry-on-snapshot-warnings: true
+ retry-on-snapshot-warnings-timeout: 600
From f7643933f0c8089858c0b427ce918f631c7247f2 Mon Sep 17 00:00:00 2001
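Review bot: The `submit-dependency-graph` job in dependency-download-and-submit.yml has no condition on the outcome of the run that triggered it, so `types: [completed]` also fires it when the 'Generate and save dependency graph' run failed or was cancelled, and the job then fails looking for an artifact that was never uploaded; a job-level `if: github.event.workflow_run.conclusion == 'success'` keeps those runs out. This workflow is the privileged half of the split: it runs in the base repository with `contents: write` and consumes an artifact produced from pull-request code, so it is also the place where pinning `gradle/actions/dependency-submission` to a full commit SHA rather than the mutable `v4` tag matters most, and that should be said in a comment above `permissions:` so nobody later widens the scopes or adds steps that act on the artifact's contents. Note that `workflows:` matches the other workflow by its display `name:`, so the two strings must be kept in sync if either is renamed.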
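Review bot: dependency-generate-and-upload.yml triggers on `pull_request:` only, so after this series nothing in these three workflows submits a dependency snapshot for the default branch, which is the snapshot Dependabot alerts are computed from; the removed ci.yml job was gated only on the fork check, so it presumably also covered whatever non-PR events ci.yml subscribes to (its `on:` is outside this hunk). If no other workflow submits on push to the default branch, add one with a `push:` trigger for that branch, `contents: write`, and `dependency-graph: generate-and-submit`, where the token has the write scope this workflow cannot get. The comment `# 'write' permission is not available` also understates why the two-stage pattern exists; `# 'write' is not granted to the token for pull requests from forks, hence generate-and-upload here and the separate submit workflow` says what a reader needs.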
From: Aosen Xiong Date: Wed, 7 Aug 2024 15:23:36 -0400 Subject: [PATCH 4/4] Add blogpost link the yml file and use consistent words --- .github/workflows/dependency-download-and-submit.yml | 1 + .github/workflows/dependency-generate-and-upload.yml | 1 + .github/workflows/dependency-review.yml | 5 +++-- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-download-and-submit.yml b/.github/workflows/dependency-download-and-submit.yml index 6298fcd8419..422643ac428 100644 --- a/.github/workflows/dependency-download-and-submit.yml +++ b/.github/workflows/dependency-download-and-submit.yml @@ -1,3 +1,4 @@ +# See: https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#usage-with-pull-requests-from-public-forked-repositories name: Download and submit dependency graph on: diff --git a/.github/workflows/dependency-generate-and-upload.yml b/.github/workflows/dependency-generate-and-upload.yml index 65004ec91e7..f746d23e0fc 100644 --- a/.github/workflows/dependency-generate-and-upload.yml +++ b/.github/workflows/dependency-generate-and-upload.yml @@ -1,3 +1,4 @@ +# See: https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#usage-with-pull-requests-from-public-forked-repositories name: Generate and save dependency graph on: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3d1bd6b5f17..1c3553d96b5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,4 +1,5 @@ -name: dependency-review +# See: https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#usage-with-pull-requests-from-public-forked-repositories +name: Dependency review on: pull_request: @@ -10,7 +11,7 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: 'Dependency Review' + - name: 'Dependency review' uses: actions/dependency-review-action@v4 with: retry-on-snapshot-warnings: true