diff --git a/.github/workflows/integ-test-detect-java-toolchains.yml b/.github/workflows/integ-test-detect-java-toolchains.yml
index d72698d..c8f214e 100644
--- a/.github/workflows/integ-test-detect-java-toolchains.yml
+++ b/.github/workflows/integ-test-detect-java-toolchains.yml
@@ -62,12 +62,12 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'temurin'
- java-version: '20'
+ java-version: 20
 - name: Setup Java 16
 uses: actions/setup-java@v4
 with:
 distribution: 'temurin'
- java-version: '16'
+ java-version: 16
 - name: Setup Gradle
 uses: ./setup-gradle
 - name: List detected toolchains
diff --git a/.github/workflows/integ-test-restore-configuration-cache.yml b/.github/workflows/integ-test-restore-configuration-cache.yml
index 98e6e59..d75bd76 100644
--- a/.github/workflows/integ-test-restore-configuration-cache.yml
+++ b/.github/workflows/integ-test-restore-configuration-cache.yml
@@ -36,7 +36,7 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'liberica'
- java-version: '21'
+ java-version: 17
 - name: Setup Gradle
 uses: ./setup-gradle
 with:
@@ -64,7 +64,7 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'liberica'
- java-version: '21'
+ java-version: 17
 - name: Setup Gradle
 uses: ./setup-gradle
 with:
@@ -102,7 +102,7 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'liberica'
- java-version: '21'
+ java-version: 17
 - name: Setup Gradle with no extracted cache entries restored
 uses: ./setup-gradle
 env:
@@ -131,7 +131,7 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'liberica'
- java-version: '21'
+ java-version: 17
 - name: Setup Gradle
 uses: ./setup-gradle
 with:
@@ -159,7 +159,7 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'liberica'
- java-version: '21'
+ java-version: 17
 - name: Setup Gradle
 uses: ./setup-gradle
 with:
@@ -188,7 +188,7 @@ jobs:
 uses: actions/setup-java@v4
 with:
 distribution: 'liberica'
- java-version: '21'
+ java-version: 17
 - name: Setup Gradle
 uses: ./setup-gradle
 with:
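Review bot: The new `java-version` values in integ-test-detect-java-toolchains.yml are written unquoted (`java-version: 20`, `java-version: 16`) while the neighbouring `distribution: 'temurin'` keeps its quotes, so YAML now types them as integers rather than strings. That is harmless for whole major versions, but a later edit to a dotted value would be read as a float and can lose digits (the way `3.10` becomes `3.1`), so I would keep `java-version: '20'` and `java-version: '16'`. The same applies to the six `java-version: 17` lines in integ-test-restore-configuration-cache.yml, which also move those jobs from JDK 21 to 17 without a comment; a one-line `# JDK 17: <reason for the pin>` above the first of them would record that the downgrade is deliberate. Each of these steps begins outside its hunk, so the step names are not visible here.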
diff --git a/README.md b/README.md
index 7aa1d07..fbf352d 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,11 @@ jobs:
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 17
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@v3
 - name: Build with Gradle
@@ -54,6 +59,11 @@ jobs:
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 17
 - name: Generate and submit dependency graph
 uses: gradle/actions/dependency-submission@v3
 ```
diff --git a/dependency-submission/README.md b/dependency-submission/README.md
index d991c11..8c93877 100644
--- a/dependency-submission/README.md
+++ b/dependency-submission/README.md
@@ -21,6 +21,11 @@ jobs:
 steps:
 - name: Checkout sources
 uses: actions/checkout@v4
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 17
 - name: Generate and submit dependency graph
 uses: gradle/actions/dependency-submission@v3
 ```
diff --git a/docs/dependency-submission.md b/docs/dependency-submission.md
index 70b4620..5282e74 100644
--- a/docs/dependency-submission.md
+++ b/docs/dependency-submission.md
@@ -34,11 +34,31 @@ jobs: dependency-submission: runs-on: ubuntu-latest steps: - - name: Checkout sources - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@v3 ``` +### Publishing a Develocity Build Scan® from your dependency submission workflow + +You can automatically publish a free Develocity Build Scan on every run of `gradle/actions/dependency-submission`. +Three input parameters are required, one to enable publishing and two more to accept the +[Develocity terms of use](https://gradle.com/help/legal-terms-of-use). + +```yaml + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@v3 + with: + build-scan-publish: true + build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use" + build-scan-terms-of-use-agree: "yes" +``` + +A Build Scan makes it easy to determine the source of any dependency vulnerabilities in your project. ### Configuration parameters @@ -47,19 +67,6 @@ In some cases, the default action configuration will not be sufficient, and addi See the example below for a summary, and the [Action Metadata file](action.yml) for a more detailed description of each input parameter. ```yaml -name: Dependency Submission with advanced config - -on: [ push ] - -permissions: - contents: read - -jobs: - dependency-submission: - runs-on: ubuntu-latest - steps: - - name: Checkout sources - uses: actions/checkout@v4 - name: Generate and save dependency graph uses: gradle/actions/dependency-submission@v3 with: 
@@ -96,20 +103,6 @@ Knowing the source of the dependency can help determine how to deal with the Dep Note that you may need to look at both the _Dependencies_ and the _Build Dependencies_ of your project to find the offending dependency. -### Publishing a Develocity Build Scan® from your dependency submission workflow - -You can automatically publish a Build Scan on every run of `gradle/actions/dependency-submission`. Three input parameters are -required, one to enable publishing and two more to accept the [Develocity terms of use](https://gradle.com/help/legal-terms-of-use). - -```yaml - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@v3 - with: - build-scan-publish: true - build-scan-terms-of-use-url: "https://gradle.com/terms-of-service" - build-scan-terms-of-use-agree: "yes" -``` - ### When you cannot publish a Build Scan® If publishing a free Build Scan to https://scans.gradle.com isn't an option, and you don't have access to a private [Develocity @@ -244,12 +237,6 @@ a Java project, that dependency will be resolved in `compileClasspath`, `runtime For example, if you want to exclude dependencies in the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration: ```yaml -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout sources - uses: actions/checkout@v4 - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@v3 env: 
@@ -269,21 +256,9 @@ has other filtering options that may be useful. ## Using a custom plugin repository -By default, the action downloads the `github-dependency-graph-gradle-plugin` from the Gradle Plugin Portal (https://plugins.gradle.org). If your GitHub Actions environment does not have access to this URL, you can specify a custom plugin repository to use. -Do so by setting the `GRADLE_PLUGIN_REPOSITORY_URL` environment variable. +By default, the action downloads the `github-dependency-graph-gradle-plugin` from the Gradle Plugin Portal (https://plugins.gradle.org). If your GitHub Actions environment does not have access to this URL, you can specify a custom plugin repository to use with an environment variable. -```yaml -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout sources - uses: actions/checkout@v4 - - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@v3 - env: - GRADLE_PLUGIN_REPOSITORY_URL: "https://gradle-plugins-proxy.mycorp.com" -``` +See [the setup-gradle docs](setup-gradle.md#using-a-custom-plugin-repository) for details. ## Integrating the `dependency-review-action` @@ -305,8 +280,12 @@ jobs: dependency-submission: runs-on: ubuntu-latest steps: - - name: Checkout sources - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@v3 @@ -343,8 +322,12 @@ jobs: dependency-submission: runs-on: ubuntu-latest steps: - - name: Checkout sources - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Generate and save dependency graph uses: gradle/actions/dependency-submission@v3 with: diff --git a/docs/setup-gradle.md b/docs/setup-gradle.md index c4009fd..5be21b2 100644 --- a/docs/setup-gradle.md +++ b/docs/setup-gradle.md 
@@ -27,7 +27,9 @@ The recommended way to execute any Gradle build is with the help of the [Gradle ```yaml name: Run Gradle on every push + on: push + jobs: gradle: strategy: @@ -39,8 +41,8 @@ jobs: - uses: actions/setup-java@v4 with: distribution: temurin - java-version: 11 - + java-version: 17 + - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 @@ -91,7 +93,8 @@ jobs: - uses: actions/setup-java@v4 with: distribution: temurin - java-version: 11 + java-version: 17 + - uses: gradle/actions/setup-gradle@v3 id: setup-gradle with: @@ -181,6 +184,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - uses: gradle/actions/setup-gradle@v3 with: gradle-version: 8.6 @@ -414,12 +422,17 @@ jobs: run-gradle-build: runs-on: ubuntu-latest steps: - - name: Checkout project sources - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 with: add-job-summary-as-pr-comment: on-failure # Valid values are 'never' (default), 'always', and 'on-failure' + - run: ./gradlew build --scan ``` @@ -446,12 +459,18 @@ jobs: gradle: runs-on: ubuntu-latest steps: - - name: Checkout project sources - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 + - name: Run build with Gradle wrapper run: ./gradlew build --scan + - name: Upload build reports uses: actions/upload-artifact@v3 if: always() @@ -518,6 +537,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Setup Gradle to generate and submit dependency graphs uses: gradle/actions/setup-gradle@v3 with: 
@@ -565,6 +589,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Setup Gradle to generate and submit dependency graphs uses: gradle/actions/setup-gradle@v3 with: @@ -590,6 +619,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 17 + - name: Setup Gradle to generate and submit dependency graphs uses: gradle/actions/setup-gradle@v3 with: @@ -626,7 +660,6 @@ By default, these artifacts are retained for 30 days (or as configured for the r To reduce storage costs for these artifacts, you can set the `artifact-retention-days` value to a lower number. ```yaml - steps: - name: Generate dependency graph, but only retain artifact for one day uses: gradle/actions/setup-gradle@v3 with: @@ -648,22 +681,15 @@ To enable Develocity injection for your build, you must provide the required con Here's a minimal example: ```yaml -name: Run build with Develocity injection - -env: - DEVELOCITY_INJECTION_ENABLED: true - DEVELOCITY_URL: https://develocity.your-server.com - DEVELOCITY_PLUGIN_VERSION: 3.17 - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 + - name: Run a Gradle build with Develocity injection enabled run: ./gradlew build + env: + DEVELOCITY_INJECTION_ENABLED: true + DEVELOCITY_URL: https://develocity.your-server.com + DEVELOCITY_PLUGIN_VERSION: 3.17 ``` This configuration will automatically apply `v3.17` of the [Develocity Gradle plugin](https://docs.gradle.com/develocity/gradle-plugin/), and publish build scans to https://develocity.your-server.com. 
@@ -697,13 +723,6 @@ but is also useful for publishing to the public Build Scans instance (https://sc To publish to https://scans.gradle.com, you must specify in your workflow that you accept the [Gradle Terms of Use](https://gradle.com/help/legal-terms-of-use). ```yaml -name: Run build and publish Build Scan - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - name: Setup Gradle to publish build scans uses: gradle/actions/setup-gradle@v3 with: diff --git a/setup-gradle/README.md b/setup-gradle/README.md index b24a593..4087e60 100644 --- a/setup-gradle/README.md +++ b/setup-gradle/README.md @@ -19,6 +19,11 @@ jobs: steps: - name: Checkout sources uses: actions/checkout@v4 + - name: Setup Java + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 17 - name: Setup Gradle uses: gradle/actions/setup-gradle@v3 - name: Build with Gradle