From e1021a799ea192c8f6272bb7c545741b42fe458b Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Sat, 16 May 2026 10:52:47 -0700 Subject: [PATCH] Build: Add Gradle dependency-submission workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a workflow that runs gradle/actions/dependency-submission against the full multi-project build (-DallModules) to populate GitHub's dependency graph and enable Dependabot alerts for transitive Gradle dependencies across all subprojects. Complements cve-scan.yml (Trivy on shipped jars) by surfacing the declared Gradle dependency graph across every known Spark/Flink/Kafka versioned module. Triggers / safety: - push: main only — GitHub only consumes the default branch's graph for Dependabot, and limiting writes here keeps 'contents: write' off fork PRs. - schedule: daily at 06:17 UTC so newly-disclosed CVEs surface on quiet days; off-peak minute to avoid the top-of-hour GHA scheduler stampede. - workflow_dispatch for manual reruns. - if: github.repository_owner == 'apache' (matches stale.yml, publish-snapshot.yml, recurring-jmh-benchmarks.yml) so the job no-ops on forks where the Submission API rejects writes. - timeout-minutes: 30 caps the daily cron so a stalled metadata download cannot tie up the runner / contents:write slot indefinitely. Graph scope: - additional-arguments: -DallModules expands all Spark/Flink/Kafka versioned subprojects in settings.gradle. - dependency-graph-exclude-configurations: skip *TestCompile/*TestRuntime classpaths so JUnit, AssertJ, Mockito, TestContainers, etc. don't generate Dependabot noise for non-shipped deps. - dependency-graph-exclude-projects: ':buildSrc' — pure build-time tooling, never ships. - dependency-graph: generate-and-submit — skip the redundant 30-day workflow-artifact upload (snapshot is already persisted via the API). Other: - cache-read-only: true — java-ci's build-checks remains the canonical cache writer. - persist-credentials: false on checkout. - concurrency without cancel-in-progress so cron runs are never killed by overlapping pushes. - All actions pinned to SHAs matching java-ci.yml. --- .github/workflows/dependency-submission.yml | 77 +++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/dependency-submission.yml diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml new file mode 100644 index 000000000000..b63bca4d9785 --- /dev/null +++ b/.github/workflows/dependency-submission.yml @@ -0,0 +1,77 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# Submits the resolved Gradle dependency graph to GitHub's Dependency +# Submission API, populating the repo Dependency graph and Dependabot alerts. +# +# Push trigger is limited to the default branch so 'contents: write' is never +# granted to fork PRs; Dependabot only consumes the default branch's graph +# anyway. + +name: "Gradle Dependency Submission" + +on: + push: + branches: + - 'main' + schedule: + # Daily refresh so newly-disclosed CVEs surface even when main is quiet. + # Off-peak minute to avoid the top-of-hour GHA scheduler stampede. + - cron: '17 6 * * *' + workflow_dispatch: + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false + +jobs: + dependency-submission: + # Skip on forks: Submission API rejects writes from non-canonical repos. + if: github.repository_owner == 'apache' + runs-on: ubuntu-24.04 + # Safety net for the daily cron; full graph normally completes well under 30m. + timeout-minutes: 30 + permissions: + # Required to upload the snapshot via the Dependency Submission API. + contents: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 + with: + distribution: zulu + java-version: 17 + - name: Generate and submit Gradle dependency graph + uses: gradle/actions/dependency-submission@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2 + with: + # Read-only: java-ci's build-checks is the canonical cache writer. + cache-read-only: true + # Submit only; skip the redundant 30-day workflow-artifact upload. + dependency-graph: generate-and-submit + # buildSrc is build-time tooling, never shipped. + dependency-graph-exclude-projects: ':buildSrc' + # Test classpaths aren't shipped; excluding them trims Dependabot noise. + dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath' + # '-DallModules' expands to all known Spark/Flink/Kafka versions + # in settings.gradle. + additional-arguments: "-DallModules"