Closed hfhbd closed 1 year ago
Hm, don't know if this is a GitHub issue, but the workaround to run the review action in another job didn't work:
```yaml
reviewDependencies:
  runs-on: ubuntu-latest
  needs:
    - build
  if: github.event_name == 'pull_request'
  steps:
    - uses: actions/dependency-review-action@v3
      with:
        retry-on-snapshot-warnings: true
```
Update: This feature isn't yet implemented according to the issue tracker: https://github.com/actions/dependency-review-action/issues/545, but the docs already mention it: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together
Alternative: gradle-build-action could call the GitHub review REST api too (or via opt-in).
Thanks for trying this out. The action was never tested with the dependency-review-action, since it wasn't compatible with Dependency Submission at the time.
It looks like #882 will address the underlying issue. I'll leave this open until we can confirm that things are working.
@hfhbd A fix for this issue has been added to the `main` branch. It would be helpful if you could test it out: you can do this by referencing `gradle/gradle-build-action@main` in your workflow.
@bigdaz This fix works 🎉 https://github.com/hfhbd/ComposeTodo/actions/runs/6326657590/job/17181840284
Thanks for checking. I'll release v2.9.0 shortly with this fix.
@hfhbd You should be able to switch back to `v2`, since `v2.9.0` now includes this fix.
Currently, the dependency submission is called in the Post step, not directly after the execution of Gradle. This is incompatible with the https://github.com/actions/dependency-review-action, which validates the submitted dependencies (from a PR) and will fail your build, e.g. if you submit vulnerabilities in the PR. The review action needs to be run after Gradle and after the submission of dependencies.
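As an added illustration of the two-job layout the thread converges on (this is not a workflow from the issue, the reporter's repository or the gradle-build-action project), the workflow below submits the dependency graph from a `build` job and runs the review in a second job that `needs` it, so the review only starts after the build job, including its Post step, has finished. It uses `gradle/gradle-build-action@v2`, which per the thread includes the v2.9.0 fix; the `dependency-graph: generate-and-submit` input is the action's documented way to submit the graph. The checkout and setup-java versions, the Java distribution and version, and the `permissions` blocks are assumptions for this example, not values from the page.

```yaml
name: dependency-review

on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # assumption: submitting the dependency graph needs write on contents
    steps:
      - uses: actions/checkout@v4          # assumed version
      - uses: actions/setup-java@v4        # assumed version
        with:
          distribution: temurin            # constructed sample values
          java-version: 17
      - uses: gradle/gradle-build-action@v2
        with:
          dependency-graph: generate-and-submit
      - run: ./gradlew build

  # Runs only after the build job has completed, so the submitted graph is
  # already present when the review action queries it.
  reviewDependencies:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read    # assumption: read access is enough for the review
    steps:
      - uses: actions/dependency-review-action@v3
```

The `needs: build` edge is what enforces the ordering the issue asks for; putting the review step at the end of the `build` job itself would still run it before that job's Post step, which is exactly the problem described above.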