```yaml
name: Build
on: [ push ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Setup Gradle
      uses: gradle/gradle-build-action@v3
    - name: Build with Gradle
      run: ./gradlew build
```
gradle-build-action
Execute your Gradle build and trigger dependency submission
The workflow above is the minimal setup: check out the sources, configure Gradle with the action, and run the build with the wrapper. Note that `gradle-build-action@v3` is a thin wrapper that delegates to `gradle/actions/setup-gradle@v3`; the remaining sections use the `gradle/actions` repository directly, which is where the dependency-submission and wrapper-validation actions now live.
Beyond building, the same family of actions lets you generate and submit a dependency graph for your project, validate the Gradle wrapper JARs committed to the repository, and combine the dependency graph with `actions/dependency-review-action` to flag the security impact of dependency changes at pull request time. Because workflows triggered by pull requests from public forks only get a read-only `GITHUB_TOKEN`, submitting a dependency graph for such pull requests requires splitting the work into two workflows; that pattern is covered at the end of this page. Keeping this configuration identical across repositories gives you one common setup, which is most useful in restricted environments.
How to Generate and Submit a Dependency Graph for a Gradle Project
The `dependency-submission` action generates and submits a dependency graph for a Gradle project, which lets GitHub (Dependabot alerts) warn you about reported vulnerabilities in your project's dependencies. To set this up, follow the steps below:
Add the following workflow file to your repository (e.g., `.github/workflows/dependency-submission.yml`).
```yaml
name: Dependency Submission
on:
  push:
    branches: [ 'main' ]
permissions:
  contents: write
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
      uses: actions/checkout@v4
    - name: Setup Java
      uses: actions/setup-java@v4
      with:
        distribution: 'temurin'
        java-version: 17
    - name: Generate and submit dependency graph
      uses: gradle/actions/dependency-submission@v3
```
This workflow generates a dependency graph for the Gradle project and submits it to the repository through the Dependency Submission API. The `contents: write` permission is required because submitting a snapshot is a write to the repository; keep the `GITHUB_TOKEN` permissions otherwise as narrow as this. The default configuration should work for most projects; the full action documentation covers more advanced use cases (multi-project builds, custom configurations to include or exclude, and so on).
How to Validate Gradle Wrapper JAR Files
The `wrapper-validation` action validates the SHA-256 checksums of all Gradle Wrapper JAR files in the repository against the checksums Gradle publishes for each release, and fails the job if any unknown Gradle Wrapper JAR file is found. Here is how to set it up:
Add the following workflow file to your repository (e.g., `.github/workflows/validate-gradle-wrapper.yml`).
```yaml
name: "Validate Gradle Wrapper"
on:
  push:
  pull_request:
jobs:
  validation:
    name: "Validation"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: gradle/actions/wrapper-validation@v3
```
This action should be run from the root of the repository, as it walks the whole directory tree looking for any file named `gradle-wrapper.jar` and checks that every one of them matches a known, published checksum. This matters because the wrapper JAR is executable code that every developer and every CI job runs before the build itself starts; a tampered JAR committed to the repository (or smuggled in through a pull request) would execute with the build's privileges. Since the action only needs to read the checkout, it works unchanged for `pull_request` runs from forks, where the token is read-only.
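To make the checksum walk concrete, here is an added Python example (not the `gradle/actions` wrapper-validation code) that finds every `gradle-wrapper.jar` under a root, hashes it with SHA-256 and looks the digest up in an allowlist keyed by Gradle version. The real action downloads the published checksum list from gradle.org at run time; here the jar bytes, the `8.7 (constructed)` label and the allowlist are constructed stand-ins so the script runs offline.

```python
"""Offline check that every gradle-wrapper.jar in a tree has a known SHA-256.

Added example, not the gradle/actions code. The real wrapper-validation
action fetches the official checksum list from gradle.org; the allowlist
and the sample tree below are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile

WRAPPER_JAR = "gradle-wrapper.jar"


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 (wrapper jars are small, but do not
    assume that for arbitrary repositories)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_wrapper_jars(root: str) -> list[str]:
    """Walk the whole tree, as the action does from the repo root, and return
    every file literally named gradle-wrapper.jar (sorted for stable output)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if name == WRAPPER_JAR:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def validate_wrappers(root: str, known: dict[str, str]) -> dict[str, str]:
    """Map each wrapper jar (path relative to root) to the Gradle version whose
    published checksum it matches, or 'UNKNOWN' if no allowlist entry does."""
    by_hash = {digest: version for version, digest in known.items()}
    results = {}
    for path in find_wrapper_jars(root):
        rel = os.path.relpath(path, root)
        results[rel] = by_hash.get(sha256_file(path), "UNKNOWN")
    return results


# Constructed stand-ins: real wrapper jars are zip archives and the real
# allowlist comes from gradle.org; these bytes and the version label are
# placeholders for the offline demo, not real Gradle checksums.
GOOD_JAR = b"PK\x03\x04constructed-good-wrapper"
TAMPERED_JAR = b"PK\x03\x04constructed-tampered-wrapper"
KNOWN_CHECKSUMS = {"8.7 (constructed)": hashlib.sha256(GOOD_JAR).hexdigest()}


def run_demo() -> dict[str, str]:
    """Lay out a two-module repo with one good and one unknown wrapper jar
    and return the verdict for each."""
    with tempfile.TemporaryDirectory() as root:
        layout = (
            ("gradle/wrapper", GOOD_JAR),
            ("legacy-module/gradle/wrapper", TAMPERED_JAR),
        )
        for sub, payload in layout:
            d = os.path.join(root, sub)
            os.makedirs(d)
            with open(os.path.join(d, WRAPPER_JAR), "wb") as f:
                f.write(payload)
        return validate_wrappers(root, KNOWN_CHECKSUMS)


if __name__ == "__main__":
    verdicts = run_demo()
    for rel, verdict in verdicts.items():
        print(f"{rel}: {verdict}")
    # Fail (exit 1) if any jar is unknown, which is what the action does.
    raise SystemExit(1 if "UNKNOWN" in verdicts.values() else 0)
```

Run it as a script to see both verdicts and the non-zero exit status caused by the unknown jar under `legacy-module`; in a real repository you would replace `KNOWN_CHECKSUMS` with the published list and point `validate_wrappers` at the checkout root.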
How to Integrate the dependency-review-action with pull request actions
A workflow that submits the pull request's dependency graph and then runs the dependency-review-action on it:
```yaml
name: Pull Request Dependency Review
on:
  pull_request:
permissions:
  contents: write
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: 17
    - name: Generate and submit Dependency Graph
      uses: gradle/actions/dependency-submission@v3
    - name: Dependency review
      uses: actions/dependency-review-action@v4
```
This gives visibility into dependency changes and their security impact at the pull request level: the review action diffs the dependency graph submitted for the pull request's head commit against the graph of the base commit, and reports added, removed and upgraded packages together with any known vulnerabilities in the additions. Note that this single-workflow form only works for pull requests from branches in the same repository, because the submission step needs `contents: write`.
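The following added Python example (not `actions/dependency-review-action` code) shows what that diff amounts to: it flattens two Dependency Submission snapshots, base and pull request head, to one package-to-version map each, reports what was added, removed or changed, and blocks the change if any new or changed package is on a deny list, the analogue of the action's `deny-packages` input. `BASE`, `HEAD`, the `pkg:maven/com.example/...` purls and the `DENY` entry are constructed for the demo, and the snapshot shape is a simplified form of what the Dependency Submission API accepts.

```python
"""Diff two Dependency Submission snapshots (base vs. PR head) and apply a
deny list, which is the core of what a pull request dependency review does.

Added example, not actions/dependency-review-action code. BASE and HEAD are
constructed snapshots in a simplified form of the Dependency Submission API
shape (manifests -> resolved -> package_url); purls and DENY are invented.
"""


def purl_name_version(purl: str) -> tuple[str, str]:
    """'pkg:maven/com.example/core@1.4.0' -> ('pkg:maven/com.example/core', '1.4.0').
    Qualifiers (?...) and subpaths (#...) are dropped before splitting."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = core.rpartition("@")
    if not sep or "/" in version:  # no version component present
        return core, ""
    return name, version


def flatten(snapshot: dict) -> dict[str, tuple[str, str]]:
    """Collapse all manifests to {name: (version, relationship)}."""
    out: dict[str, tuple[str, str]] = {}
    for manifest in snapshot["manifests"].values():
        for pkg in manifest["resolved"].values():
            name, version = purl_name_version(pkg["package_url"])
            out[name] = (version, pkg.get("relationship", "indirect"))
    return out


def diff_snapshots(base: dict, head: dict) -> dict:
    """Added / removed / version-changed packages between two snapshots."""
    b, h = flatten(base), flatten(head)
    return {
        "added": [(n, h[n][0], h[n][1]) for n in sorted(h) if n not in b],
        "removed": [(n, b[n][0]) for n in sorted(b) if n not in h],
        "changed": [(n, b[n][0], h[n][0]) for n in sorted(h)
                    if n in b and b[n][0] != h[n][0]],
    }


def review(base: dict, head: dict, deny: set[str]) -> dict:
    """Fail the review if any package that is new or changed in HEAD is denied
    (the analogue of dependency-review-action's deny-packages input)."""
    d = diff_snapshots(base, head)
    touched = {n for n, *_ in d["added"]} | {n for n, *_ in d["changed"]}
    d["blocked"] = sorted(touched & deny)
    d["verdict"] = "fail" if d["blocked"] else "pass"
    return d


def _snapshot(sha: str, resolved: dict[str, str]) -> dict:
    """Build a minimal constructed snapshot; `resolved` maps purl -> relationship."""
    return {
        "version": 0,
        "sha": sha,
        "ref": "refs/heads/main",
        "manifests": {
            "build.gradle": {
                "name": "build.gradle",
                "file": {"source_location": "build.gradle"},
                "resolved": {
                    purl: {"package_url": purl, "relationship": rel}
                    for purl, rel in resolved.items()
                },
            }
        },
    }


# Constructed data: the base branch graph and the pull request head graph.
BASE = _snapshot("0" * 40, {
    "pkg:maven/com.example/core@1.4.0": "direct",
    "pkg:maven/com.example/json-util@2.0.0": "indirect",
    "pkg:maven/com.example/legacy-io@1.0.0": "direct",
})
HEAD = _snapshot("1" * 40, {
    "pkg:maven/com.example/core@1.5.0": "direct",
    "pkg:maven/com.example/json-util@2.0.0": "indirect",
    "pkg:maven/com.example/http-client@0.9.1": "direct",
})
DENY = {"pkg:maven/com.example/http-client"}  # invented deny-list entry

if __name__ == "__main__":
    report = review(BASE, HEAD, DENY)
    for key in ("added", "removed", "changed", "blocked"):
        print(f"{key}: {report[key]}")
    raise SystemExit(1 if report["verdict"] == "fail" else 0)
```

Run as a script, the report shows `http-client` added as a direct dependency, `legacy-io` removed, `core` changed from 1.4.0 to 1.5.0, and a failing verdict because the added package is denied. The real action additionally matches the head-side packages against the GitHub Advisory Database and licence rules, but the base-versus-head diff is the same shape.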
How to submit dependency graphs for pull requests from public forked repositories
Workflows triggered by `pull_request` events from public forks run with a read-only `GITHUB_TOKEN`, so they cannot submit a dependency graph through the Dependency Submission API. The work is therefore split in two: the first workflow, running with read-only permissions in the pull request context, generates the graph and uploads it as a workflow artifact; a second workflow, triggered by `workflow_run` in the base repository's context with write permissions, downloads that artifact and submits it. The second workflow never checks out or executes the fork's code; it only relays the generated graph, which is what keeps the write token away from untrusted code.
```yaml
name: Generate and save dependency graph
on:
  pull_request:
permissions:
  contents: read
jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-java@v4
      with:
        distribution: temurin
        java-version: 17
    - name: Generate dependency graph and save it
      uses: gradle/actions/dependency-submission@v3
      with:
        dependency-graph: generate-and-upload
```
```yaml
name: Download and submit dependency graph
on:
  workflow_run:
    workflows: [ 'Generate and save dependency graph' ]
    types: [ completed ]
permissions:
  actions: read
  contents: write
jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    steps:
    - name: Download and submit dependency graph
      uses: gradle/actions/dependency-submission@v3
      with:
        dependency-graph: download-and-submit
```
Together these two workflows make sure dependency graphs are generated and published securely for pull requests from public forks as well. The `workflows:` entry in the second file must match the `name:` of the first exactly, and `actions: read` is needed so the second workflow can download the artifact produced by the first.
How to integrate dependency-review-action to run only on public pull requests from forked repositories
One more workflow is needed to run the dependency review on these pull requests. Because the graph is submitted asynchronously by the `workflow_run` job, the review has to wait until the snapshot for the pull request head is actually available:
```yaml
name: dependency-review
on:
  pull_request:
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
    - name: 'Dependency Review'
      uses: actions/dependency-review-action@v4
      with:
        retry-on-snapshot-warnings: true
        retry-on-snapshot-warnings-timeout: 600
```
With `retry-on-snapshot-warnings` enabled, the review keeps retrying for up to 600 seconds (10 minutes) while GitHub reports that no snapshot is available yet for the pull request's head commit, so it reviews the graph published by the download-and-submit workflow rather than an empty or stale one. This workflow only reads, so `contents: read` is sufficient and it runs safely for fork pull requests.