Support GitHub dependencies review action/api
hfhbd opened this issue · 7 comments
Currently, the dependency submission is called in the Post step, not directly after the execution of Gradle. This is incompatible with the https://github.com/actions/dependency-review-action, which validates the submitted dependencies (from a PR) and will fail your build, e.g. if you submit vulnerabilities in the PR. The review action needs to be run after Gradle and after the submission of dependencies.
Hm, don't know if this is a GitHub issue, but the workaround to run the review action in another job didn't work:
```yaml
reviewDependencies:
  runs-on: ubuntu-latest
  needs:
    - build
  if: github.event_name == 'pull_request'
  steps:
    - uses: actions/dependency-review-action@v3
      with:
        retry-on-snapshot-warnings: true
```
Update: This feature isn't yet implemented according to the issue tracker: actions/dependency-review-action#545, but the docs already mention it: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together
Alternative: gradle-build-action could call the GitHub review REST API too (or via opt-in).
Thanks for trying this out. The action was never tested with the dependency-review-action, since it wasn't compatible with Dependency Submission at the time.
It looks like #882 will address the underlying issue. I'll leave this open until we can confirm that things are working.
@hfhbd A fix for this issue has been added to the main branch. It would be helpful if you could test it out: you can do this by referencing gradle/gradle-build-action@main in your workflow.
Thanks for checking. I'll release v2.9.0 shortly with this fix.
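The two-job layout the reporter describes, written out as a complete workflow so the ordering is explicit: the snapshot is submitted in the build job, and the review job only starts once that job has finished. This is an added example, not a workflow from the issue or from the gradle-build-action project; it assumes gradle-build-action v2.9.0 or later with the `dependency-graph: generate-and-submit` input, and a dependency-review-action release that honours `retry-on-snapshot-warnings` (see actions/dependency-review-action#545 above).

```yaml
name: dependency-submission-and-review

on:
  pull_request:
  push:
    branches: [ main ]

permissions:
  contents: write        # required to submit a dependency snapshot

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: gradle/gradle-build-action@v2.9.0
        with:
          # assumption: this input submits the resolved graph to the
          # Dependency Submission API after the Gradle invocation
          dependency-graph: generate-and-submit
      - run: ./gradlew build

  review:
    runs-on: ubuntu-latest
    needs: build                         # wait until the snapshot has been submitted
    if: github.event_name == 'pull_request'
    permissions:
      contents: read                     # the review step only reads the graph
    steps:
      - uses: actions/dependency-review-action@v3
        with:
          retry-on-snapshot-warnings: true   # retry while the snapshot is still being indexed
          fail-on-severity: moderate          # assumption: threshold chosen for this example
```

Without the `needs: build` edge, the review job can start before the snapshot exists and will diff against a stale or empty graph, which is the failure mode this issue describes.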