github-actions[bot] 8525842317 Empty commit to open PR
2025-05-12 15:09:37 +00:00
github-actions[bot] 16baf7d7ba Merge upstream:main 2025-05-12 15:09:37 +00:00
Indigo 477eb3e4cc Merge pull request #7 from actions/indigok-patch-1
Switch sync action to a PR flow
2025-05-12 08:08:53 -07:00
Indigo e7f955d71a Switch to a PR flow 2025-05-09 14:05:25 -07:00
Indigo 0da6b94cc8 Merge pull request #6 from actions/indigok-patch-1
Create action to sync upstream
2025-05-09 11:35:41 -07:00
Indigo cbd81244d8 Keep file ext consistent 2025-05-09 08:34:45 -07:00
Indigo ab28f47bd2 Update sync-fork.yaml 2025-05-09 08:29:40 -07:00
Indigo 99b170e015 Create action to sync upstream 2025-05-09 07:52:18 -07:00
Justin Holguín 4bf8a28b00 Merge pull request #108 from advanced-security/juxtin/release-docs
Update release docs to include release artifacts
2025-04-07 09:32:51 -07:00
Justin Holguín e457a508a1 Update release docs to include release artifacts 2025-04-07 16:25:07 +00:00
Justin Holguín aeab9f8852 Merge pull request #106 from advanced-security/juxtin/prep-412
Update version to 4.1.2 and update release instructions
2025-04-04 13:01:39 -07:00
Justin Holguín bc43a53a41 Update step numbers 2025-04-04 17:52:50 +00:00
Justin Holguín 8ec6a0b12e Add note about running npm build 2025-04-04 17:52:04 +00:00
Justin Holguín 8c8c37cf51 Merge branch 'main' into juxtin/prep-412 2025-04-04 10:49:59 -07:00
Justin Holguín 4ccf7bf0a3 Update version to 4.1.2 and update release instructions 2025-04-04 17:45:46 +00:00
Justin Holguín 973a8cf442 Merge pull request #104 from advanced-security/juxtin/prep-412
Prep for next release
2025-04-04 08:32:05 -07:00
Justin Holguín 48f232b0d1 Update dist files 2025-04-03 22:03:26 +00:00
Justin Holguín 769e1e8558 Prepare for 4.1.2 release 2025-04-03 18:34:20 +00:00
Justin Holguín 298a804769 Upgrade version of Maven plugin
See https://github.com/ferstl/depgraph-maven-plugin
2025-04-03 18:33:47 +00:00
Justin Holguín 29fd39885e Merge pull request #103 from advanced-security/juxtin/handle-cycles
Add cycle safety for transitive dependencies
2025-04-03 11:29:17 -07:00
Justin Holguín 595d586c88 Simplify test data and refactor 2025-04-03 16:59:49 +00:00
Justin Holguín 9e875aadac Add cycle safety for transitive dependencies 2025-04-02 22:45:08 +00:00
Kevin Dangoor 17ef6767ae Merge pull request #102 from advanced-security/GeekMasher-patch-1
Create CODEOWNERS
2025-04-02 14:01:23 -04:00
Mathew Payne 266293e200 feat: Create CODEOWNERS 2025-04-01 16:00:01 +01:00
Mathew Payne 499642b4a1 Merge pull request #94 from advanced-security/dependabot/npm_and_yarn/vitest-1.6.1
Bump vitest from 1.5.2 to 1.6.1
2025-04-01 15:46:33 +01:00
dependabot[bot] e8e224050e Bump vitest from 1.5.2 to 1.6.1
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 1.5.2 to 1.6.1.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v1.6.1/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-01 14:42:10 +00:00
Jon Janego 49866fead7 Merge pull request #90 from advanced-security/jonjanego-patch-2
Update README.md
2024-09-24 16:58:59 -05:00
Jon Janego f5f71df9a0 Update README.md
Dependency submission is no longer in beta
2024-09-23 17:21:52 -05:00
github-actions 4f64ddab9d chore: Updating release files 2024-08-07 14:33:45 +00:00
github-actions dba3dacedd 4.1.1 2024-08-07 14:33:28 +00:00
Henri Maurer 4883574ccf Merge pull request #89 from david-wiggs/hotfix/fix-test
Remove reference to undefined function
2024-08-07 15:31:23 +01:00
David Wiggs 33e1d3d801 Remove reference to undefined function 2024-08-07 14:29:22 +00:00
Henri Maurer 4b85c77703 Merge pull request #88 from david-wiggs/unique-job-matrix
Distinguish between multiple dependency snapshots of the same type
2024-08-07 15:10:49 +01:00
David Wiggs 73d9d97f9f Update src/snapshot-generator.test.ts
Co-authored-by: Mitchell Rysavy <mitchell.rysavy@gmail.com>
2024-07-29 10:08:09 -05:00
David Wiggs 967455e178 No need to import getMavenSettingsFile when testing 2024-07-24 12:59:25 +00:00
David Wiggs 7592e88109 Use supplied correlator without concatenation 2024-07-23 22:33:11 +00:00
David Wiggs 2ba839e04b Add some tests 2024-07-22 23:27:03 +00:00
David Wiggs 5275a08fb4 Address merge conflicts 2024-07-21 20:31:04 +00:00
Peter Murray f97a4078d8 Updating actions versions 2024-07-03 10:10:28 +00:00
github-actions bb3f7338b5 chore: Updating release files 2024-07-03 10:01:22 +00:00
github-actions 747e676a5b 4.1.0 2024-07-03 10:01:04 +00:00
Peter Murray 09cc6cfdaa Merge pull request #82 from mario-campos/patch-1
Update README example to use v4
2024-07-03 10:56:55 +01:00
Peter Murray 930cebc310 Adding detector settings into the CLI executables 2024-07-03 09:52:52 +00:00
Peter Murray 828a337135 Fixing audit warnings on dependencies 2024-07-03 09:52:29 +00:00
Peter Murray 2219818c44 Merge pull request #86 from advanced-security/detector-input
Allow customising detector name
2024-07-03 10:31:02 +01:00
Henri Maurer 97fd7ee78d Input to set detector information 2024-07-03 09:57:16 +01:00
Henri Maurer 1203a182b5 Merge pull request #85 from advanced-security/hmaurer-patch-1
Delete .github/workflows/sync-fork.yml
2024-06-18 16:26:52 +01:00
Henri Maurer cf49e89c64 Delete .github/workflows/sync-fork.yml 2024-06-18 16:24:07 +01:00
Henri Maurer 5a174b166e Update sync-fork.yml 2024-06-18 16:22:37 +01:00
Henri Maurer 899f6fb168 Merge pull request #83 from actions/hm/sync-fork
Sync fork daily at midnight
2024-06-18 16:19:21 +01:00
Mario Campos da97c2a80f Update README example to use v4 2024-06-03 14:05:29 -05:00
17 changed files with 705 additions and 400 deletions
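--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,123 +0,0 @@
-name: Release
-run-name: Release ${{ inputs.version }}
-on:
-workflow_dispatch:
-inputs:
-version:
-type: string
-required: true
-jobs:
-build_and_test:
-name: Build and test
-runs-on: ubuntu-22.04
-steps:
-- name: Checkout
-uses: actions/checkout@v4
-- name: Setup Node.js
-uses: actions/setup-node@v4
-with:
-node-version: 20
-cache: npm
-- name: Build and Test
-run: |
-npm ci
-npm run test --if-present
-npm run build --if-present
-npm run build-exe --if-present
-validate_version:
-name: Validate version number
-runs-on: ubuntu-22.04
-steps:
-- name: Process version number as SemVer
-id: semver
-uses: peter-murray/semver-data-action@v1
-with:
-version: ${{ inputs.version }}
-release:
-name: Release
-needs:
-- validate_version
-- build_and_test
-runs-on: ubuntu-22.04
-steps:
-- name: Process version number as SemVer
-id: semver
-uses: peter-murray/semver-data-action@v1
-with:
-version: ${{ inputs.version }}
-- name: Checkout
-uses: actions/checkout@v4
-- name: Set git user
-run: |
-git config user.name github-actions
-git config user.email github-actions@github.com
-- name: Setup Node.js
-uses: actions/setup-node@v4
-with:
-node-version: 20
-cache: npm
-- name: Version application
-run: |
-npm version ${{ steps.semver.outputs.semver }}
-- name: Build
-run: |
-npm ci
-npm run build --if-present
-npm run build-exe --if-present
-- name: Check that build is clean
-id: clean_build
-continue-on-error: true
-run: |
-git diff --exit-code
-- name: Update release
-if: steps.clean_build.outcome == 'failure'
-run: |
-git add .
-git commit -m "chore: Updating release files"
-- name: Update tags
-if: steps.semver.outputs.isPreRelease == 'false'
-run: |
-git tag "v${{ steps.semver.outputs.semver }}" --force
-git tag "v${{ steps.semver.outputs.major }}" --force
-git tag "v${{ steps.semver.outputs.major }}.${{ steps.semver.outputs.minor }}" --force
-git tag "v${{ steps.semver.outputs.major }}.${{ steps.semver.outputs.minor }}.${{ steps.semver.outputs.patch }}" --force
-git push origin ${{ github.ref_name }}
-git push origin --tags --force
-- name: Attach CLI artifacts
-uses: actions/upload-artifact@v3
-with:
-name: cli
-path: cli
-- name: Create release
-uses: ncipollo/release-action@v1.13.0
-with:
-artifacts: cli/*
-prerelease: ${{ steps.semver.outputs.isPreRelease }}
-tag: v${{ steps.semver.outputs.semver }}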
+1 -1
@@ -113,7 +113,7 @@ jobs:
git push origin --tags --force
- name: Attach CLI artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: cli
path: cli
+36 -7
@@ -1,15 +1,44 @@
name: Sync fork
name: Sync Fork with Upstream
on:
schedule:
# Daily at 4:24am
- cron: "24 4 * * *"
workflow_dispatch: {}
- cron: '0 0 * * 1' # Runs at midnight UTC every Monday
workflow_dispatch:
permissions:
contents: write
jobs:
sync:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- run: gh repo sync actions/maven-dependency-submission-action -b main
- name: Checkout Repository
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
- name: Fetch Upstream Remote
run: |
git remote add upstream https://github.com/advanced-security/maven-dependency-submission-action.git
git fetch upstream
- name: Set Git Config
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Create and Push Branch
run: |
git checkout -b weekly-sync-branch-${{ github.run_id }}
git merge upstream/main --no-commit
git reset -- ./.github
git commit -m "Merge upstream:main"
git commit --allow-empty -m "Empty commit to open PR"
git push --set-upstream origin weekly-sync-branch-${{ github.run_id }}
- name: Open Pull Request
run: |
gh repo set-default actions/maven-dependency-submission-action
gh pr create -B main -H weekly-sync-branch-${{ github.run_id }} --title 'Sync Fork with Upstream' --body 'Weekly Cron. Created by GitHub Actions.'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
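Review bot: The `Open Pull Request` step runs `gh pr create` with `GITHUB_TOKEN`, but the workflow only grants `contents: write` (declared twice, at L231 and again at the job level at L236 — one of them is redundant); once any `permissions` block is present every other scope defaults to none, so the token has no `pull-requests: write` and the create call should be rejected. Add `pull-requests: write` next to `contents: write` and drop the duplicate block. Two further points, hedged because the run history is not visible here: `git merge upstream/main --no-commit` does not stop on a fast-forward, so `--no-ff` is needed for the following `git reset -- ./.github` and `git commit` to behave the same on every run; and a PR opened with `GITHUB_TOKEN` does not trigger `pull_request` workflows, so upstream changes arrive in this fork's sync PR without its CI having run on them — worth stating in the PR body, or using an app or PAT token if CI on the sync PR is wanted.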
+41
@@ -24,6 +24,47 @@ Here are a few things you can do that will increase the likelihood of your pull
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
## Cutting a new release
<details>
_Note: these instructions are for maintainers_
1. Update the version number in [package.json](https://github.com/advanced-security/maven-dependency-submission-action/blob/main/package.json) and run `npm i` to update the lockfile. This is also a good time to make sure that the `dist/index.js` file is up to date by running `npm run build`.
2. Go to [Draft a new
release](https://github.com/advanced-security/maven-dependency-submission-action/releases/new)
in the Releases page.
3. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
4. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v4.1.2`).
5. Use a version number for the release title (e.g. "4.1.2").
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
6. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
7. Build the release executables by manually triggering [this action](https://github.com/advanced-security/maven-dependency-submission-action/actions/workflows/publish_executables.yml). The output of this action will be a zip file that you should download, extract, and drag into the binaries section. There should be three files there: ending in `-linux`, `-macos`, and `-win.exe`.
8. Click "Publish Release".
You now have a tag and release using the semver version you used
above. The last remaining thing to do is to move the dynamic version
identifier to match the current SHA. This allows users to adopt a
major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v4 -m "Updating v4 to 4.1.2"
git push origin v4 --force
```
</details>
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+32 -3
@@ -4,8 +4,6 @@ This is a GitHub Action that will generate a complete dependency graph for a Mav
The action will invoke maven using the `com.github.ferstl:depgraph-maven-plugin:4.0.2` plugin to generate JSON output of the complete dependency graph, which is then processed and submitted using the [Dependency Submission Toolkit](https://github.com/github/dependency-submission-toolkit) to the GitHub repository.
> **Warning** The dependency submission APIs and toolkit are still currently in beta and as such subject to changes in future releases.
## Usage
@@ -35,6 +33,7 @@ This action writes informations in the repository dependency graph, so if you ar
* `snapshot-dependency-file-name`: An optional user control file path to the POM file, requires `snapshot-include-file-name` to be `true` for the value to be submitted.
* `correlator`: An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the [job_id](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job.
## Examples
@@ -42,13 +41,43 @@ Generating and submitting a dependency snapshot using the defaults:
```
- name: Submit Dependency Snapshot
uses: advanced-security/maven-dependency-submission-action@v3
uses: advanced-security/maven-dependency-submission-action@v4
```
Upon success it will generate a snapshot captured from Maven POM like;
![Screenshot 2022-08-15 at 09 33 47](https://user-images.githubusercontent.com/681306/184603264-3cd69fda-75ff-4a46-b014-630acab60fab.png)
### Configuring for Matrix-Based Workflows
To ensure that the job parameter of the submission remains unique when the action is being called from a workflow that has a matrix, you can pass a `correlator` to the action. This identifier will be appended to the default correlator propterty of a job, ensuring uniqueness across matrix-based workflows. When dealing with Maven-based Java projects that utilize different `pom.xml` files across matrix jobs, you can specify the `directory` relevant to each matrix job. This ensures that the dependency snapshot accurately reflects the dependencies for each specific configuration.
Example of specifying `pom.xml` files for different matrix jobs:
```yaml
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- java-version: 8
directory: project1
- java-version: 11
directory: project2
steps:
- uses: actions/checkout@v2
- name: Set up JDK ${{ matrix.java-version }}
uses: actions/setup-java@v2
with:
java-version: ${{ matrix.java-version }}
- name: Submit Dependency Snapshot
uses: advanced-security/maven-dependency-submission-action@v3
with:
directory: ${{ matrix.directory }}
correlator: ${{ github.job }}-${{ matrix.directory }}
```
In this example, the action is configured to use different working directories based on the Java version specified in the matrix. This ensures that the dependency snapshot is accurate for each Java version being tested.
## Command Line Usage
+17
@@ -52,6 +52,23 @@ inputs:
required: false
default: ''
detector-name:
description: The name of the detector that generated the dependency snapshot
type: string
detector-version:
description: The version of the detector that generated the dependency snapshot
type: string
detector-url:
description: The URL to the detector that generated the dependency snapshot
type: string
correlator:
description: An optional identifier to distinguish between multiple dependency snapshots of the same type
type: string
required: false
default: ''
runs:
using: node20
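Review bot: The new `detector-url` and `detector-version` descriptions read as free-standing optional inputs, but the action entry point in this same change (the `run()` hunk at L584-L590) reads them with `{ required: true }` as soon as `detector-name` is set, so a user who supplies only `detector-name` gets a runtime failure the action metadata never warned about. Mirror the wording the CLI help text uses at L540: `description: The URL of the detector that generated the dependency snapshot; required when detector-name is set` (and the equivalent for `detector-version`), and add `required: false` to the three detector inputs so they read like the neighbouring `correlator` entry. The `inputs:` mapping starts outside the hunk.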
+32 -9
@@ -47,13 +47,19 @@ class MavenDependencyGraph {
const artifact = this.packageUrlToArtifact[depPackage.packageURL.toString()];
let scope = getDependencyScopeForMavenScope(artifact.scopes);
manifest.addDirectDependency(depPackage, scope);
function addTransitiveDeps(dependencies) {
function addTransitiveDeps(dependencies, seen = new Set()) {
if (dependencies) {
dependencies.forEach(transitiveDep => {
const transitiveDepArtifact = packageUrlToArtifact[transitiveDep.packageURL.toString()];
let purl = transitiveDep.packageURL.toString();
if (seen.has(purl)) {
// we're in a cycle! skip this one.
return;
}
const transitiveDepArtifact = packageUrlToArtifact[purl];
const transitiveDepScope = getDependencyScopeForMavenScope(transitiveDepArtifact.scopes);
manifest.addIndirectDependency(transitiveDep, transitiveDepScope);
addTransitiveDeps(transitiveDep.dependencies);
seen.add(purl);
addTransitiveDeps(transitiveDep.dependencies, seen);
});
}
}
@@ -251,6 +257,18 @@ function run() {
sha: core.getInput('snapshot-sha'),
ref: core.getInput('snapshot-ref'),
};
const correlator = core.getInput('correlator');
if (correlator) {
snapshotConfig.correlator = correlator;
}
const detectorName = core.getInput('detector-name');
if (detectorName !== '') {
snapshotConfig.detector = {
name: detectorName,
url: core.getInput('detector-url', { required: true }),
version: core.getInput('detector-version', { required: true }),
};
}
snapshot = yield (0, snapshot_generator_1.generateSnapshot)(directory, mavenConfig, snapshotConfig);
}
catch (err) {
@@ -472,9 +490,10 @@ const depgraph_1 = __nccwpck_require__(8047);
const maven_runner_1 = __nccwpck_require__(7433);
const file_utils_1 = __nccwpck_require__(799);
const packageData = __nccwpck_require__(2876);
const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.2';
const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.3';
function generateSnapshot(directory, mvnConfig, snapshotConfig) {
return __awaiter(this, void 0, void 0, function* () {
var _a, _b;
const depgraph = yield generateDependencyGraph(directory, mvnConfig);
try {
const mavenDependencies = new depgraph_1.MavenDependencyGraph(depgraph);
@@ -493,13 +512,17 @@ function generateSnapshot(directory, mvnConfig, snapshotConfig) {
else {
manifest = mavenDependencies.createManifest();
}
const snapshot = new dependency_submission_toolkit_1.Snapshot(getDetector(), snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.context, snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.job);
const detector = (_a = snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.detector) !== null && _a !== void 0 ? _a : getDetector();
const snapshot = new dependency_submission_toolkit_1.Snapshot(detector, snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.context, snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.job);
snapshot.addManifest(manifest);
const specifiedRef = getNonEmtptyValue(snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.ref);
snapshot.job.correlator = (snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.correlator)
? snapshotConfig.correlator
: (_b = snapshot.job) === null || _b === void 0 ? void 0 : _b.correlator;
const specifiedRef = getNonEmptyValue(snapshotConfig === null || snapshotConfig === void 0 ? void 0 : snapshotConfig.ref);
if (specifiedRef) {
snapshot.ref = specifiedRef;
}
const specifiedSha = getNonEmtptyValue(snapshot === null || snapshot === void 0 ? void 0 : snapshot.sha);
const specifiedSha = getNonEmptyValue(snapshot === null || snapshot === void 0 ? void 0 : snapshot.sha);
if (specifiedSha) {
snapshot.sha = specifiedSha;
}
@@ -599,7 +622,7 @@ function getRepositoryRelativePath(file) {
core.debug(`Snapshot relative file = ${result}`);
return result;
}
function getNonEmtptyValue(str) {
function getNonEmptyValue(str) {
if (str) {
const trimmed = str.trim();
if (trimmed.length > 0) {
@@ -33278,7 +33301,7 @@ exports.submitSnapshot = L;
/***/ ((module) => {
"use strict";
module.exports = JSON.parse('{"name":"maven-dependency-submission-action","version":"4.0.3","description":"Submit Maven dependencies to GitHub dependency submission API","main":"index.js","scripts":{"base-build":"npm ci && tsc","build":"npm run base-build && npm exec -- @vercel/ncc build --source-map lib/src/index.js","build-exe":"npm run build && pkg package.json --compress Gzip","test":"vitest --run"},"repository":{"type":"git","url":"git+https://github.com/advanced-security/maven-dependency-submission-action.git"},"keywords":[],"author":"GitHub, Inc","license":"MIT","bugs":{"url":"https://github.com/advanced-security/maven-dependency-submission-action/issues"},"homepage":"https://github.com/advanced-security/maven-dependency-submission-action","dependencies":{"@actions/core":"^1.10.1","@actions/exec":"^1.1.1","@github/dependency-submission-toolkit":"^2.0.0","commander":"^12.0.0","packageurl-js":"^1.2.0"},"devDependencies":{"@types/chai":"^4.3.1","@vercel/ncc":"^0.38.1","chai":"^4.3.6","@yao-pkg/pkg":"^5.11.5","ts-node":"^10.9.2","typescript":"^5.3.3","vitest":"^1.2.1"},"bin":{"cli":"lib/src/executable/cli.js"},"pkg":{"targets":["node20-linux-x64","node20-win-x64","node20-macos-x64"],"assets":["package.json"],"publicPackages":"*","outputPath":"cli"}}');
module.exports = JSON.parse('{"name":"maven-dependency-submission-action","version":"4.1.2","description":"Submit Maven dependencies to GitHub dependency submission API","main":"index.js","scripts":{"base-build":"npm ci && tsc","build":"npm run base-build && npm exec -- @vercel/ncc build --source-map lib/src/index.js","build-exe":"npm run build && pkg package.json --compress Gzip","test":"vitest --run"},"repository":{"type":"git","url":"git+https://github.com/advanced-security/maven-dependency-submission-action.git"},"keywords":[],"author":"GitHub, Inc","license":"MIT","bugs":{"url":"https://github.com/advanced-security/maven-dependency-submission-action/issues"},"homepage":"https://github.com/advanced-security/maven-dependency-submission-action","dependencies":{"@actions/core":"^1.10.1","@actions/exec":"^1.1.1","@github/dependency-submission-toolkit":"^2.0.0","commander":"^12.0.0","packageurl-js":"^1.2.0"},"devDependencies":{"@types/chai":"^4.3.1","@vercel/ncc":"^0.38.1","chai":"^4.3.6","@yao-pkg/pkg":"^5.11.5","ts-node":"^10.9.2","typescript":"^5.3.3","vitest":"^1.6.1"},"bin":{"cli":"lib/src/executable/cli.js"},"pkg":{"targets":["node20-linux-x64","node20-win-x64","node20-macos-x64"],"assets":["package.json"],"publicPackages":"*","outputPath":"cli"}}');
/***/ })
+1 -1
+376 -244
+2 -2
@@ -1,6 +1,6 @@
{
"name": "maven-dependency-submission-action",
"version": "4.0.3",
"version": "4.1.2",
"description": "Submit Maven dependencies to GitHub dependency submission API",
"main": "index.js",
"scripts": {
@@ -34,7 +34,7 @@
"@yao-pkg/pkg": "^5.11.5",
"ts-node": "^10.9.2",
"typescript": "^5.3.3",
"vitest": "^1.2.1"
"vitest": "^1.6.1"
},
"bin": {
"cli": "lib/src/executable/cli.js"
+19
@@ -116,6 +116,25 @@ describe('depgraph', () => {
});
});
describe('cycle-tree', () => {
let depGraph;
beforeAll(() => {
depGraph = parseDependencyJson(getTestDataFile("cycle-tree"));
});
it('should parse out the top level dependencies', () => {
const mavenDependencies = new MavenDependencyGraph(depGraph);
expect(mavenDependencies.getPackageCount()).to.equal(3);
});
it('should be able to generate a manifest despite having a cycle', () => {
const mavenDependencies = new MavenDependencyGraph(depGraph);
const manifest = mavenDependencies.createManifest();
expect(manifest.name).to.equal('hadoop-main');
expect(manifest.countDependencies()).to.equal(2);
})
});
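Review bot: The second `it` block at L502-L507 closes with `})` while its sibling at L501 closes with `});`; make them consistent. The `countDependencies()` expectation of 2 is the assertion that actually proves the traversal stops, but nothing in the test says which cycle the fixture contains, so a one-line comment above L502 such as `// cycle-tree has jdiff <-> hadoop-project-dist (see the fixture's last two edges); each must be recorded once` would tell the next reader why 2 rather than 3 is expected. The surrounding `describe('depgraph', ...)` starts and ends outside the hunk.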
describe('bs-parent-dep-tree', () => {
+9 -3
@@ -85,13 +85,19 @@ export class MavenDependencyGraph {
let scope = getDependencyScopeForMavenScope(artifact.scopes);
manifest.addDirectDependency(depPackage, scope);
function addTransitiveDeps(dependencies) {
function addTransitiveDeps(dependencies, seen: Set<string> = new Set()) {
if (dependencies) {
dependencies.forEach(transitiveDep => {
const transitiveDepArtifact = packageUrlToArtifact[transitiveDep.packageURL.toString()];
let purl = transitiveDep.packageURL.toString();
if (seen.has(purl)) {
// we're in a cycle! skip this one.
return;
}
const transitiveDepArtifact = packageUrlToArtifact[purl];
const transitiveDepScope = getDependencyScopeForMavenScope(transitiveDepArtifact.scopes);
manifest.addIndirectDependency(transitiveDep, transitiveDepScope);
addTransitiveDeps(transitiveDep.dependencies);
seen.add(purl);
addTransitiveDeps(transitiveDep.dependencies, seen);
});
}
}
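Review bot: The comment at L522, "we're in a cycle! skip this one.", overstates what the check detects: `seen` is a single visited set threaded through every branch of the traversal (L516, L530), so a package reached a second time through a different parent — a shared subtree, not a cycle — is skipped as well. That is harmless for the manifest, because the indirect dependency was already recorded on the first visit, but the comment should say so: `// already visited (cycle or shared subtree): its indirect entry and subtree were recorded on the first visit`. `purl` at L520 is never reassigned, so `const purl = transitiveDep.packageURL.toString();` matches the `const` used on the next line. The same change is mirrored in the bundled copy at L371-L395. The enclosing method starts and ends outside the hunk.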
+27
@@ -20,6 +20,10 @@ program.option('-i --run-id <jobName>', 'Optional Run ID number for the activity
program.option('--snapshot-exclude-file-name', 'exclude the file name in the dependency snapshot report. If false the name of the artifactor from the POM will be used, but any links in GitHub will not work.');
program.option('--snapshot-dependency-file-name <fileName>', 'optional override to specificy the path to the file that the snapshot will be associated with in the repository');
program.option('--detector-name <detectorName>', 'optional name of the detector that generated the snapshot');
program.option('--detector-url <detectorUrl>', 'optional URL of the detector that generated the snapshot, but not optional if you specify an detector-name');
program.option('--detector-version <detectorVersion>', 'optional version of the detector that generated the snapshot, but not optional if you specify an detector-name');
program.parse(process.argv);
const opts = program.opts();
@@ -44,6 +48,25 @@ async function execute() {
process.exit(1);
}
// If the detector-name is provided, then the other detector options become mandatory, check these early
let detector;
if (opts.detectorName) {
if (!opts.detectorUrl) {
console.error(`Error: detector-url is required when detector-name is provided\n`);
program.help({ error: true });
}
if (!opts.detectorVersion) {
console.error(`Error: detector-version is required when detector-name is provided\n`);
program.help({ error: true });
}
detector = {
name: opts.detectorName,
url: opts.detectorUrl,
version: opts.detectorVersion,
}
}
try {
// Build a fake GitHub Actions context so that values for the submission APIs can be retrieved
const context = {
@@ -71,8 +94,12 @@ async function execute() {
manifestFile: opts.snapshotDependencyFileName,
includeManifestFile: !opts.snapshotExcludeFileName,
detector: detector
}
snapshot = await generateSnapshot(opts.directory, mvnConfig, snapshotConfig);
} catch (err: any) {
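Review bot: The two new option descriptions at L540 and L541 read "an detector-name"; it should be "a detector-name". In the validation block the `detector = {...}` assignment is only safe because `program.help({ error: true })` exits the process, which is commander's default behaviour but is not obvious from the code; a short comment on L552 such as `// help() exits the process, so detector is never built with a missing field` would make that explicit. The object literal at L562 lacks the terminating semicolon the surrounding statements have. Note also that `--detector-url` or `--detector-version` given without `--detector-name` is silently ignored; a `console.warn` there would surface the misconfiguration. `execute()` starts and ends outside the hunk.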
+13 -1
@@ -18,6 +18,18 @@ async function run() {
sha: core.getInput('snapshot-sha'),
ref: core.getInput('snapshot-ref'),
}
const correlator = core.getInput('correlator');
if (correlator) {
snapshotConfig.correlator = correlator;
}
const detectorName = core.getInput('detector-name');
if (detectorName !== '') {
snapshotConfig.detector = {
name: detectorName,
url: core.getInput('detector-url', { required: true }),
version: core.getInput('detector-version', { required: true }),
};
}
snapshot = await generateSnapshot(directory, mavenConfig, snapshotConfig);
} catch (err: any) {
@@ -36,4 +48,4 @@ async function run() {
}
}
run();
run();
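Review bot: The two presence checks in the new block use different idioms for the same condition — `if (correlator)` at L581 and `if (detectorName !== '')` at L585; `core.getInput` returns `''` for an unset input in both cases, so choose one form (`!== ''` is the explicit one) so a reader does not wonder whether the difference is deliberate. As in the CLI hunk, a `detector-url` or `detector-version` supplied without `detector-name` is dropped without a message; a `core.warning(...)` in an `else` branch would put the misconfiguration in the job log. The enclosing `run()` begins outside the hunk.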
+25
@@ -68,5 +68,30 @@ describe('snapshot-generator', () => {
expect(snapshot.detector.version).toBe(version);
expect(snapshot.manifests['problem-dependency-graph-2602'].countDependencies()).toBe(230);
}, 40000);
it('should use correlator from snapshotConfig if it exists', async() => {
const projectDir = getMavenProjectDirectory('simple');
const snapshotConfig = {
correlator: 'configCorrelator',
job: {
correlator: 'jobCorrelator'
}
};
const snapshot = await generateSnapshot(projectDir, undefined, snapshotConfig);
expect(snapshot.job.correlator).toBe('configCorrelator');
}, 20000);
it('should use a default job correlator when not specified', async() => {
const projectDir = getMavenProjectDirectory('simple');
const snapshotConfig = {
job: {
correlator: 'jobCorrelator'
}
};
const snapshot = await generateSnapshot(projectDir, undefined, snapshotConfig);
expect(snapshot.job.correlator).toBe('jobCorrelator');
}, 20000);
});
});
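Review bot: The second test's title at L616, "should use a default job correlator when not specified", does not describe what it exercises: it sets `job.correlator` to `'jobCorrelator'` explicitly, so it checks that an explicit job correlator survives when `snapshotConfig.correlator` is absent, not that a default is produced. Rename it, e.g. `it('should keep the job correlator when snapshotConfig.correlator is not set', async() => {`, or omit `job` and assert on whatever the toolkit fills in if the default path is the intent. Neither test covers an empty or whitespace-only `correlator`, which the implementation in the `generateSnapshot` hunk handles by plain truthiness rather than the trimming used for ref and sha.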
+17 -6
@@ -7,7 +7,7 @@ import { MavenRunner } from './maven-runner';
import { loadFileContents } from './utils/file-utils';
const packageData = require('../package.json');
const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.2';
const DEPGRAPH_MAVEN_PLUGIN_VERSION = '4.0.3';
export type MavenConfiguration = {
ignoreMavenWrapper?: boolean;
@@ -22,6 +22,12 @@ export type SnapshotConfig = {
job?: any;
sha?: any;
ref?: any;
detector?: {
name: string;
url: string;
version: string;
};
correlator?: string;
};
export async function generateSnapshot(directory: string, mvnConfig?: MavenConfiguration, snapshotConfig?: SnapshotConfig) {
@@ -44,15 +50,20 @@ export async function generateSnapshot(directory: string, mvnConfig?: MavenConfi
manifest = mavenDependencies.createManifest();
}
const snapshot = new Snapshot(getDetector(), snapshotConfig?.context, snapshotConfig?.job);
const detector = snapshotConfig?.detector ?? getDetector();
const snapshot = new Snapshot(detector, snapshotConfig?.context, snapshotConfig?.job);
snapshot.addManifest(manifest);
const specifiedRef = getNonEmtptyValue(snapshotConfig?.ref);
snapshot.job.correlator = snapshotConfig?.correlator
? snapshotConfig.correlator
: snapshot.job?.correlator;
const specifiedRef = getNonEmptyValue(snapshotConfig?.ref);
if (specifiedRef) {
snapshot.ref = specifiedRef;
}
const specifiedSha = getNonEmtptyValue(snapshot?.sha);
const specifiedSha = getNonEmptyValue(snapshot?.sha);
if (specifiedSha) {
snapshot.sha = specifiedSha;
}
@@ -162,7 +173,7 @@ function getRepositoryRelativePath(file) {
return result;
}
function getNonEmtptyValue(str?: string) {
function getNonEmptyValue(str?: string) {
if (str) {
const trimmed = str.trim();
if (trimmed.length > 0) {
@@ -170,4 +181,4 @@ function getNonEmtptyValue(str?: string) {
}
}
return undefined;
}
}
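Review bot: The correlator assignment added at L657-L659 tests `snapshotConfig?.correlator` by truthiness while the ref and sha immediately below go through `getNonEmptyValue` (trim, then length check), so a whitespace-only correlator overrides the job's correlator instead of falling back; the read side also uses `snapshot.job?.correlator` while the write side assumes `snapshot.job` exists, which is inconsistent. Use the existing helper so all three inputs share one rule: `snapshot.job.correlator = getNonEmptyValue(snapshotConfig?.correlator) ?? snapshot.job?.correlator;`. Separately, `snapshotConfig?.detector ?? getDetector()` at L653 accepts a caller-supplied detector unvalidated; the action and CLI check name/url/version, but direct library callers of `generateSnapshot` do not pass through those checks, so a comment on the `detector?` field at L641 stating that all three fields must be non-empty would document the contract. `generateSnapshot` starts and ends outside the hunk.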
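--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,57 @@
+{
+"graphName" : "hadoop-main",
+"artifacts" : [ {
+"id" : "org.apache.hadoop:hadoop-annotations:jar:compile",
+"numericId" : 1,
+"groupId" : "org.apache.hadoop",
+"artifactId" : "hadoop-annotations",
+"version" : "3.5.0-SNAPSHOT",
+"optional" : false,
+"scopes" : [ "compile" ],
+"types" : [ "jar" ]
+}, {
+"id" : "jdiff:jdiff:jar:provided",
+"numericId" : 2,
+"groupId" : "jdiff",
+"artifactId" : "jdiff",
+"version" : "1.0.9",
+"optional" : false,
+"scopes" : [ "provided" ],
+"types" : [ "jar" ]
+}, {
+"id" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
+"numericId" : 3,
+"groupId" : "org.apache.hadoop",
+"artifactId" : "hadoop-project-dist",
+"version" : "3.5.0-SNAPSHOT",
+"optional" : false,
+"scopes" : [ "compile" ],
+"types" : [ "pom" ]
+} ],
+"dependencies" : [ {
+"from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
+"to" : "jdiff:jdiff:jar:provided",
+"numericFrom" : 1,
+"numericTo" : 2,
+"resolution" : "INCLUDED"
+}, {
+"from" : "org.apache.hadoop:hadoop-annotations:jar:compile",
+"to" : "jdiff:jdiff:jar:provided",
+"numericFrom" : 1,
+"numericTo" : 3,
+"resolution" : "INCLUDED"
+}, {
+"from" : "jdiff:jdiff:jar:provided",
+"to" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
+"numericFrom" : 2,
+"numericTo" : 3,
+"resolution" : "INCLUDED"
+}, {
+"from" : "org.apache.hadoop:hadoop-project-dist:pom:compile",
+"to" : "jdiff:jdiff:jar:provided",
+"numericFrom" : 3,
+"numericTo" : 2,
+"resolution" : "INCLUDED"
+}
+]
+}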
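Review bot: The second edge in the `dependencies` array (L720-L725) is internally inconsistent: `to` names `jdiff:jdiff:jar:provided`, whose `numericId` is 2, while `numericTo` is 3, the id of `hadoop-project-dist`. The first edge already records 1→2, so this one was presumably meant to read `"to" : "org.apache.hadoop:hadoop-project-dist:pom:compile"`. Which of the two fields the parser honours is not visible on this page; if it is `to`, the graph carries a duplicated 1→2 edge and no 1→3 edge, and the `cycle-tree` test's expectation of 2 dependencies may be satisfied for a reason other than the jdiff ↔ hadoop-project-dist cycle it is meant to cover.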