From ae87e979e82fb59d909a89059d629dc2518459b8 Mon Sep 17 00:00:00 2001
From: daz
Date: Fri, 19 Jul 2024 17:07:41 -0600
Subject: [PATCH] Add more input parameters for dependency-graph generation
- dependency-graph-include-projects
- dependency-graph-exclude-projects
- dependency-graph include-configurations
- dependency-graph-exclude-configurations
---
 .../integ-test-dependency-submission.yml | 34 +++++++++++++++++++
 dependency-submission/action.yml | 24 +++++++++++++
 docs/dependency-submission.md | 32 +++++++----------
 setup-gradle/action.yml | 24 +++++++++++++
 sources/src/configuration.ts | 24 +++++++++++++
 sources/src/dependency-graph.ts | 13 +++++--
 6 files changed, 129 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/integ-test-dependency-submission.yml b/.github/workflows/integ-test-dependency-submission.yml
index 41111c81..d28c2fa4 100644
--- a/.github/workflows/integ-test-dependency-submission.yml
+++ b/.github/workflows/integ-test-dependency-submission.yml
@@ -262,6 +262,40 @@ jobs:
 exit 1
 fi
+ with-includes-and-excludes:
+ runs-on: ubuntu-latest # Test is not compatible with Windows
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v4
+ - name: Initialize integ-test
+ uses: ./.github/actions/init-integ-test
+
+ - name: Generate and submit dependencies
+ id: dependency-submission
+ uses: ./dependency-submission
+ with:
+ build-root-directory: .github/workflow-samples/groovy-dsl
+ dependency-graph-exclude-projects: excluded-project
+ dependency-graph-include-projects: included-project
+ dependency-graph-exclude-configurations: excluded-configuration
+ dependency-graph-include-configurations: included-configuration
+ - name: Check generated dependency graph and env vars
+ shell: bash
+ run: |
+ if [ ! -e "${{ steps.dependency-submission.outputs.dependency-graph-file }}" ]; then
+ echo "Did not find generated dependency graph file"
+ exit 1
+ fi
+
+ if [ "$DEPENDENCY_GRAPH_EXCLUDE_PROJECTS" != "excluded-project" ] ||
+ [ "$DEPENDENCY_GRAPH_INCLUDE_PROJECTS" != "included-project" ] ||
+ [ "$DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS" != "excluded-configuration" ] ||
+ [ "$DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS" != "included-configuration" ]; then
+ echo "Did not set expected environment variables"
+ exit 1
+ fi
+
+
 custom-report-dir-submit:
 strategy:
 fail-fast: false
diff --git a/dependency-submission/action.yml b/dependency-submission/action.yml
index 67a40d6f..1034ed04 100644
--- a/dependency-submission/action.yml
+++ b/dependency-submission/action.yml
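Review bot: The `Check generated dependency graph and env vars` step only proves that the four inputs were re-exported as `DEPENDENCY_GRAPH_*` environment variables; it never checks that the filter reached the plugin, even though `dependency-graph-include-projects: included-project` presumably names a project that does not exist in the `groovy-dsl` sample and should therefore leave the generated graph with no resolved dependencies. Adding an assertion on the contents of `${{ steps.dependency-submission.outputs.dependency-graph-file }}` (for example, that it reports no dependencies) would turn this into a test of the feature rather than of variable plumbing, and it would also have surfaced the variable-name mix-up in the dependency-graph.ts hunk of this same patch. The comment `# Test is not compatible with Windows` would help more if it said why, e.g. `# Test is not compatible with Windows: the env-var check below relies on bash`.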
@@ -120,6 +120,30 @@ inputs:
 required: false
 default: false
+ dependency-graph-exclude-projects:
+ description: |
+ Gradle projects that should be excluded from dependency graph (regular expression).
+ When set, any matching project will be excluded.
+ required: false
+
+ dependency-graph-include-projects:
+ description: |
+ Gradle projects that should be included in dependency graph (regular expression).
+ When set, only matching projects will be included.
+ required: false
+
+ dependency-graph-exclude-configurations:
+ description: |
+ Gradle configurations that should be included in dependency graph (regular expression).
+ When set, anymatching configurations will be excluded.
+ required: false
+
+ dependency-graph-include-configurations:
+ description: |
+ Gradle configurations that should be included in dependency graph (regular expression).
+ When set, only matching configurations will be included.
+ required: false
+
 artifact-retention-days:
 description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
 required: false
diff --git a/docs/dependency-submission.md b/docs/dependency-submission.md
index f4e36416..0502802e 100644
--- a/docs/dependency-submission.md
+++ b/docs/dependency-submission.md
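Review bot: The description of `dependency-graph-exclude-configurations` says "should be included in dependency graph", copied from the include input and contradicting its own second sentence; it should read `Gradle configurations that should be excluded from dependency graph (regular expression).`, and `anymatching` needs a space. Both slips are repeated verbatim in the setup-gradle/action.yml hunk of this patch. The docs/dependency-submission.md example in the same patch spells the input `dependency-graph-exclude-projets`, which does not match the name declared here, so someone copying that example would most likely get only an unexpected-input warning and no project exclusion at all. Because these patterns decide which resolved dependencies are reported to GitHub for vulnerability alerting, an over-broad exclude (or an include that matches nothing) silently narrows alert coverage rather than failing the build; a sentence saying so in each description would help users choose anchored patterns deliberately.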
@@ -242,26 +242,26 @@ contribute to the dependency graph. > These dependencies would be assigned to different scopes (eg development, runtime, testing) and the GitHub UI would make it easy to opt-in to security alerts for different dependency scopes. > However, this functionality does not yet exist. -### Excluding certain Gradle projects from the dependency graph +### Selecting Gradle projects that will contribute to the dependency graph If you do not want the dependency graph to include dependencies from every project in your build, -you can easily exclude certain projects from the dependency extraction process. +you can easily exclude or include certain projects from the dependency extraction process. -To restrict which Gradle subprojects contribute to the report, specify which projects to exclude via a regular expression. -You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_PROJECTS` environment variable or system property. +To restrict which Gradle subprojects contribute to the report, specify which projects to exclude or include via a regular expression. +You can use the `dependency-graph-exclude-projects` and `dependency-graph-include-projects` input parameters for this purpose. Note that excluding a project in this way only removes dependencies that are _resolved_ as part of that project, and may not necessarily remove all dependencies _declared_ in that project. If another project depends on the excluded project then it may transitively resolve dependencies declared in the excluded project: these dependencies will still be included in the generated dependency graph. -### Excluding certain Gradle configurations from the dependency graph +### Selecting Gradle configurations that will contribute to the dependency graph -Similarly to Gradle projects, it is possible to exclude a set of configuration instances from dependency graph generation, -so that dependencies resolved by those configurations are not included. 
+Similarly to Gradle projects, it is possible to exclude or include a set of dependency configurations from dependency graph generation, +so that only dependencies resolved by the included configurations are reported. -To restrict which Gradle configurations contribute to the report, specify which configurations to exclude via a regular expression. -You can provide this value via the `DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS` environment variable or system property. +To restrict which Gradle configurations contribute to the report, specify which configurations to exclude or include via a regular expression. +You can use the `dependency-graph-exclude-configurations` and `dependency-graph-include-configurations` input parameters for this purpose. Note that configuration exclusion applies to the configuration in which the dependency is _resolved_ which is not necessarily the configuration where the dependency is _declared_. For example if you decare a dependency as `implementation` in 
@@ -269,24 +269,18 @@ a Java project, that dependency will be resolved in `compileClasspath`, `runtime ### Example of project and configuration filtering -For example, if you want to exclude dependencies in the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration: +For example, if you want to exclude dependencies resolved by the `buildSrc` project, and exclude dependencies from the `testCompileClasspath` and `testRuntimeClasspath` configurations, you would use the following configuration: ```yaml - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@v3 - env: + with: # Exclude all dependencies that originate solely in the 'buildSrc' project - DEPENDENCY_GRAPH_EXCLUDE_PROJECTS: ':buildSrc' + dependency-graph-exclude-projets: ':buildSrc' # Exclude dependencies that are only resolved in test classpaths - DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS: '.*[Tt]est(Compile|Runtime)Classpath' + dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath' ``` -### Other filtering options - -The [GitHub Dependency Graph Gradle Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin) -has other filtering options that may be useful. - See [the docs](https://github.com/gradle/github-dependency-graph-gradle-plugin?tab=readme-ov-file#filtering-which-gradle-configurations-contribute-to-the-dependency-graph) for details. - # Advance usage scenarios ## Using a custom plugin repository diff --git a/setup-gradle/action.yml b/setup-gradle/action.yml index 6177db13..bac045da 100644 --- a/setup-gradle/action.yml +++ b/setup-gradle/action.yml 
@@ -96,6 +96,30 @@ inputs:
 required: false
 default: true
+ dependency-graph-exclude-projects:
+ description: |
+ Gradle projects that should be excluded from dependency graph (regular expression).
+ When set, any matching project will be excluded.
+ required: false
+
+ dependency-graph-include-projects:
+ description: |
+ Gradle projects that should be included in dependency graph (regular expression).
+ When set, only matching projects will be included.
+ required: false
+
+ dependency-graph-exclude-configurations:
+ description: |
+ Gradle configurations that should be included in dependency graph (regular expression).
+ When set, anymatching configurations will be excluded.
+ required: false
+
+ dependency-graph-include-configurations:
+ description: |
+ Gradle configurations that should be included in dependency graph (regular expression).
+ When set, only matching configurations will be included.
+ required: false
+
 artifact-retention-days:
 description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
 required: false
diff --git a/sources/src/configuration.ts b/sources/src/configuration.ts
index 4bf97e29..10b45aaa 100644
--- a/sources/src/configuration.ts
+++ b/sources/src/configuration.ts
@@ -54,6 +54,22 @@ export class DependencyGraphConfig {
 return process.env['DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME']
 }
+ getExcludeProjects(): string | undefined {
+ return getOptionalInput('dependency-graph-exclude-projects')
+ }
+
+ getIncludeProjects(): string | undefined {
+ return getOptionalInput('dependency-graph-include-projects')
+ }
+
+ getExcludeConfigurations(): string | undefined {
+ return getOptionalInput('dependency-graph-exclude-configurations')
+ }
+
+ getIncludeConfigurations(): string | undefined {
+ return getOptionalInput('dependency-graph-include-configurations')
+ }
+
 static constructJobCorrelator(workflow: string, jobId: string, matrixJson: string): string {
 const matrixString = this.describeMatrix(matrixJson)
 const label = matrixString ? `${workflow}-${jobId}-${matrixString}` : `${workflow}-${jobId}`
@@ -401,6 +417,14 @@ export function parseNumericInput(paramName: string, paramValue: string, paramDe
 return numericValue
 }
+function getOptionalInput(paramName: string): string | undefined {
+ const paramValue = core.getInput(paramName)
+ if (paramValue.length > 0) {
+ return paramValue
+ }
+ return undefined
+}
+
 function getBooleanInput(paramName: string, paramDefault = false): boolean {
 const paramValue = core.getInput(paramName)
 switch (paramValue.toLowerCase().trim()) {
diff --git a/sources/src/dependency-graph.ts b/sources/src/dependency-graph.ts
index 56501584..cfabc1e0 100644
--- a/sources/src/dependency-graph.ts
+++ b/sources/src/dependency-graph.ts
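Review bot: The four new getters carry no documentation, so nothing tells a reader that the returned string is a regular expression forwarded to the Gradle plugin without any validation here, or that `undefined` means "input not provided" rather than "empty pattern". A TSDoc on each along the lines of `/** Regular expression selecting Gradle projects to exclude from the dependency graph, or undefined when the input is unset. Forwarded verbatim via DEPENDENCY_GRAPH_EXCLUDE_PROJECTS; not validated here, so a malformed pattern only fails inside the Gradle build. */` would make the contract and the failure mode explicit. These methods sit inside `DependencyGraphConfig`, whose class body begins and ends outside the hunk.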
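Review bot: `getOptionalInput` spells out a length check and two returns where a single expression says the same thing more directly: `return paramValue.length > 0 ? paramValue : undefined`. It also has no header comment even though the neighbouring `parseNumericInput` and `getBooleanInput` define the file's input-parsing conventions; `/** Reads an action input and maps the empty string (input absent or blank) to undefined. */` would state the one rule it adds.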
@@ -31,12 +31,17 @@ export async function setup(config: DependencyGraphConfig): Promise {
 core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true')
 maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_CONTINUE_ON_FAILURE', config.getDependencyGraphContinueOnFailure())
 maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', config.getJobCorrelator())
- maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId)
+ maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId.toString())
 maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_REF', github.context.ref)
 maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', getShaFromContext())
 maybeExportVariable('GITHUB_DEPENDENCY_GRAPH_WORKSPACE', getWorkspaceDirectory())
 maybeExportVariable('DEPENDENCY_GRAPH_REPORT_DIR', config.getReportDirectory())
+ maybeExportVariable('DEPENDENCY_GRAPH_EXCLUDE_PROJECTS', config.getExcludeProjects())
+ maybeExportVariable('DEPENDENCY_GRAPH_INCLUDE_PROJECTS', config.getIncludeProjects())
+ maybeExportVariable('DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS', config.getExcludeConfigurations())
+ maybeExportVariable('DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS', config.getIncludeConfigurations())
+
 // To clear the dependency graph, we generate an empty graph by excluding all projects and configurations
 if (option === DependencyGraphOption.Clear) {
 core.exportVariable('DEPENDENCY_GRAPH_INCLUDE_PROJECTS', '')
@@ -44,9 +49,11 @@ export async function setup(config: DependencyGraphConfig): Promise {
 }
 }
-function maybeExportVariable(variableName: string, value: unknown): void {
+function maybeExportVariable(variableName: string, value: string | boolean | undefined): void {
 if (!process.env[variableName]) {
- core.exportVariable(variableName, value)
+ if (value !== undefined) {
+ core.exportVariable(variableName, value)
+ }
 }
 }
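Review bot: The fourth new `maybeExportVariable` call exports `config.getIncludeConfigurations()` under `DEPENDENCY_GRAPH_EXCLUDE_CONFIGURATIONS` instead of `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS`. Since `maybeExportVariable` skips a name that is already present in `process.env` (and `core.exportVariable` updates `process.env`, assuming the usual @actions/core behaviour), the include pattern is silently dropped whenever an exclude pattern was also given, and when no exclude pattern was given the include pattern is applied as an exclusion, so exactly the configurations the user asked to report are the ones removed from the graph sent to GitHub, shrinking vulnerability-alert coverage with no error. The fix is the variable name: `maybeExportVariable('DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS', config.getIncludeConfigurations())`. The `with-includes-and-excludes` job added to the integration workflow in this patch asserts on that exact variable, so it should fail until this is corrected; a unit test on `setup` that pins all four variable names would catch it without a Gradle run. `setup` begins before this hunk and ends after it.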
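Review bot: The guard `if (!process.env[variableName])` is pre-existing, but the new `value !== undefined` check inside it does not change the fact that a variable which is present but empty is treated as unset, and the `Clear` branch in the preceding hunk uses the empty string as a meaningful value ("exclude everything"). A user who pre-sets `DEPENDENCY_GRAPH_INCLUDE_PROJECTS=''` in the job environment would therefore have it overwritten by the new input-derived export. If the rule is "never override something the user already set", `if (process.env[variableName] === undefined && value !== undefined)` expresses it; confirm no caller relies on an empty value being replaceable before changing it. Either way a one-line TSDoc, `/** Exports value as variableName unless the variable is already set in the environment or value is undefined. */`, would record which rule applies.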