submit-dependencies.yaml

# Dependency graph doesn't automatically detect all dependencies for ecosystems like Gradle.
# GitHub Actions adds your dependencies using the dependency submission API so you can receive Dependabot alerts for known vulnerabilities.
# https://docs.github.com/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api

name: Submit Gradle dependencies

on:
  workflow_dispatch:
  schedule:
    - cron: '0 5 * * MON' # At 05:00 on Monday.

jobs:
  submit-dependencies:
    name: Dependencies
    runs-on: ubuntu-latest
    permissions:
      contents: write # The Dependency Submission API requires write permission
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 17

      - name: Setup Gradle to generate and submit dependency graphs
        uses: gradle/gradle-build-action@v2.9.0
        with:
          dependency-graph: generate-and-submit

      - name: Run a build, generating the dependency graph snapshot which will be submitted
        run: ./gradlew build