gradle / gradle-build-action

Execute your Gradle build and trigger dependency submission
https://github.com/marketplace/actions/gradle-build-action
MIT License

Allow specifying the configurations to use with the dependency graph #803

Closed eygraber closed 1 year ago

eygraber commented 1 year ago

A lot of the vulnerabilities being reported from my dependency graph are for libraries used by compile-time tools, and a lot, if not most, of those vulnerabilities would only affect a server using them.

I'm only really interested in the runtime classpath configurations.

bigdaz commented 1 year ago

You can now do this with today's v2.6.1 release. It's not documented directly in the gradle-build-action, but there are some details in the GitHub Dependency Graph Gradle Plugin docs.

bigdaz commented 1 year ago

Note that you have to supply the environment variable during build execution, which may not be the same as the gradle-build-action step. Something like:

    - name: Setup Gradle
      uses: gradle/gradle-build-action@v2
      with:
        dependency-graph: generate
    - name: Run build, extracting dependencies
      run: ./gradlew assemble
      env:
        DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS: compileClasspath|runtimeClasspath

Let me know if this works! I've only tested with the plugin directly, and not yet with the action.

eygraber commented 1 year ago

That seems to have worked well, thanks!