actions/gradle
1
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2025-11-26 17:09:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Save dependency-graph file as workflow artifact

Browse Source 
Diagnosing unexpected dependencies in the GitHub Dependency Graph can
be difficult. In order to aid with diagnosis, the `dependency-submission`
action will  now save each dependency-graph file as a workflow artifact.

If this is undesirable, the prior behaviour can be restored by explicitly setting
`dependency-graph: generate-and-submit`.

Fixes #519
This commit is contained in:
daz
2025-01-21 11:41:58 -07:00
committed by Daz DeBoer
parent 28ab4dff3a
commit 245c8a24de
7 changed files with 84 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
docs/dependency-submission.md
View File

@@ -103,6 +103,9 @@ In some cases, the default action configuration will not be sufficient, and addi
# Do not attempt to submit the dependency-graph. Save it as a workflow artifact.
dependency-graph: generate-and-upload
# Change the number of days that workflow artifacts are retained. (Default is 30 days).
artifact-retention-days: 5
# Specify the location where dependency graph files will be generated.
dependency-graph-report-dir: custom-report-dir
@@ -118,6 +121,29 @@ The `GitHub Dependency Graph Gradle Plugin` can be further
These will be automatically set by the `dependency-submission` action, but you may override these values
by setting them explicitly in your workflow file.
### Reducing storage costs for saved dependency graph artifacts
By default, the dependency graph that is generated is stored as a workflow artifact.
To reduce storage costs for these artifacts, you can:
1. Set the `artifact-retention-days`:
```yaml
- name: Generate dependency graph but only store workflow artifacts for 1 day
uses: gradle/actions/dependency-submission@v4
with:
artifact-retention-days: 1 # Default is 30 days or as configured for repository
```
2. Disable storing dependency-graph artifacts using `generate-and-submit`
```yaml
- name: Generate and submit dependency graph but do not store as workflow artifact
uses: gradle/actions/dependency-submission@v4
with:
dependency-graph: 'generate-and-submit' # Default value is 'generate-submit-and-upload'
```
# Resolving a dependency vulnerability
## Finding the source of a dependency vulnerability