Document auto-publish of build scans

Daz DeBoer 2024-01-31 13:04:12 -07:00 committed by GitHub
parent e4ee7d7f94
commit 7fda81ffd5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -83,7 +83,7 @@ dependencies of your project. In the case of transitive dependencies, it may not
used or what you can do to address the vulnerability alert. used or what you can do to address the vulnerability alert.
The first step to investigating a Dependabot Alert is to determine the source of the dependency. One of the best ways to The first step to investigating a Dependabot Alert is to determine the source of the dependency. One of the best ways to
do so is with a free Gradle Develocity Build Scan®, which makes it easy to explore the dependencies resolved in your build. do so is with a free Develocity Build Scan®, which makes it easy to explore the dependencies resolved in your build.
<img width="1069" alt="image" src="https://github.com/gradle/actions/assets/179734/3a637dfd-396c-4e94-8332-dcc6eb5a35ac"> <img width="1069" alt="image" src="https://github.com/gradle/actions/assets/179734/3a637dfd-396c-4e94-8332-dcc6eb5a35ac">
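Review bot: the screenshot keeps `alt="image"`, which tells a screen-reader user nothing about what the Build Scan view shows; since this hunk is already touching the sentence that introduces the image, give it a descriptive alt such as `alt="Develocity Build Scan dependencies view showing the resolved dependency and its origin"`. The wording change from "Gradle Develocity Build Scan®" to "Develocity Build Scan®" is fine and matches the new heading added later in the file.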
@ -94,7 +94,21 @@ Knowing the source of the dependency can help determine how to deal with the Dep
Note that you may need to look at both the _Dependencies_ and the _Build Dependencies_ of your project to find the Note that you may need to look at both the _Dependencies_ and the _Build Dependencies_ of your project to find the
offending dependency. offending dependency.
### When you cannot use Build Scans ### Publishing a Develocity Build Scan® from your dependency submission workflow
You can automatically publish a Build Scan on every run of `gradle/actions/dependency-submission`. Three input parameters are
required, one to enable publishing and two more to accept the [Develocity terms of service](https://gradle.com/terms-of-service).
```yaml
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v3
with:
build-scan-publish: true
build-scan-terms-of-service-url: "https://gradle.com/terms-of-service"
build-scan-terms-of-service-agree: "yes"
```
### When you cannot use Build Scans®
If publishing a free Build Scan to https://scans.gradle.com isn't an option, and you don't have access to a private [Develocity If publishing a free Build Scan to https://scans.gradle.com isn't an option, and you don't have access to a private [Develocity
server](https://gradle.com/) for your project, you can use the [GitHub Dependency Graph Gradle Plugin to generate a report]([https://github.com/gradle/github-dependency-graph-gradle-plugin/blob/main/README.md#using-the-plugin-in-a-standalone-project](https://github.com/gradle/github-dependency-graph-gradle-plugin/blob/main/README.md#using-the-plugin-to-generate-dependency-reports)) server](https://gradle.com/) for your project, you can use the [GitHub Dependency Graph Gradle Plugin to generate a report]([https://github.com/gradle/github-dependency-graph-gradle-plugin/blob/main/README.md#using-the-plugin-in-a-standalone-project](https://github.com/gradle/github-dependency-graph-gradle-plugin/blob/main/README.md#using-the-plugin-to-generate-dependency-reports))