-
Notifications
You must be signed in to change notification settings - Fork 0
39 lines (33 loc) · 1.32 KB
/
submit-dependencies.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Dependency graph doesn't automatically detect all dependencies for ecosystems like Gradle.
# GitHub Actions adds your dependencies using the dependency submission API so you can receive Dependabot alerts for known vulnerabilities.
# https://docs.github.com/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
# https://github.com/gradle/actions/blob/main/dependency-submission/README.md
name: Submit Gradle dependencies
on:
workflow_dispatch:
schedule:
- cron: '0 5 * * MON' # At 05:00 on Monday.
push: # will only trigger if both conditions are satisfied
branches:
- 'main'
paths:
- 'build.gradle.kts'
permissions:
contents: write # The Dependency Submission API requires write permission
jobs:
submit-dependencies:
name: Dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 21
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v3
env:
# Exclude dependencies that are only resolved in test classpaths
DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS: '.*[Tt]est(Compile|Runtime)Classpath'