Use three stage dependency generate, submission and review Github action

eisop · Aug 7, 2024 · 832afc3 · 832afc3
1 parent 99c5603
commit 832afc3
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 20 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -154,23 +154,3 @@ jobs:
     - name: Run test script checker/bin-devel/test-${{ matrix.script }}
       shell: bash
       run: ./checker/bin-devel/test-${{ matrix.script }}.sh
-
-  dependency-submission:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    # Only run on the main repository because forks do not have write access to the main repository.
-    if: github.event.pull_request.head.repo.fork == false
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up JDK 21
-      uses: actions/setup-java@v4
-      with:
-        java-version: '21'
-        distribution: 'temurin'
-
-    # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
-    # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
-    - name: Generate and submit dependency graph
-      uses: gradle/actions/[email protected]
-
diff --git a/.github/workflows/dependency-download-and-submit.yml b/.github/workflows/dependency-download-and-submit.yml
@@ -0,0 +1,19 @@
+name: Download and submit dependency graph
+
+on:
+  workflow_run:
+    workflows: ['Generate and save dependency graph']
+    types: [completed]
+
+permissions:
+  actions: read
+  contents: write
+
+jobs:
+  submit-dependency-graph:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download and submit dependency graph
+        uses: gradle/actions/dependency-submission@v4
+        with:
+          dependency-graph: download-and-submit # Download saved dependency-graph and submit
diff --git a/.github/workflows/dependency-generate-and-upload.yml b/.github/workflows/dependency-generate-and-upload.yml
@@ -0,0 +1,23 @@
+name: Generate and save dependency graph
+
+on:
+  pull_request:
+
+permissions:
+  contents: read # 'write' permission is not available
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+
+      - name: Generate and save dependency graph
+        uses: gradle/actions/dependency-submission@v4
+        with:
+          dependency-graph: generate-and-upload
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,17 @@
+name: dependency-review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        with:
+          retry-on-snapshot-warnings: true
+          retry-on-snapshot-warnings-timeout: 600