A Github action to submit the dependency graph of an sbt build to the Github Dependency submission API.
Before running the workflow, make sure that the Dependency Graph
feature is enabled in the settings of your repository (Settings
> Code Security and Analysis
).
The graph of your sbt build will be visible in the Dependency Graph page of the Insights
tab.
Enable Dependabot in your project settings to receive alerts for vulnerabilities that affect your sbt project.
Any sbt project whose sbt version is equal to or greater than 1.5.
Create a Github Action file under .github/workflows
containing the following definition.
# .github/workflows/dependency-graph.yml
name: Update Dependency Graph
on:
push:
branches:
- main # default branch of the project
jobs:
dependency-graph:
name: Update Dependency Graph
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: sbt/setup-sbt@v1
- uses: scalacenter/sbt-dependency-submission@v2
The relative path of the working directory of your sbt build.
Default value is .
A list of space-separated names of modules to ignore. The action will not resolve nor submit the dependencies of these modules. The name of a module contains the name of the project and its binary version.
Example: foo_2.13 bar_2.13
A list of space-separated names of configurations to ignore. The action will not submit the dependencies of these configurations.
Example of configurations are compile
, test
, scala-tool
, scala-doc-tool
.
An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the concatenation of the workflow name, the job id and the action id.
Typically you would specify the correlator in a matrix-based job like this:
correlator: ${{ github.job }}-${{ matrix.directory }}
GitHub Personal Access Token (PAT). Defaults to PAT provided by Action runner.
Example: ${{ secrets.USER_TOKEN }}
Once the snapshot of the dependencies has been submitted, GitHub responds with an ID of this snapshot.
The API URL of the submission created by the action. It can be queried to get the submitted snapshot.
Path to the temporary JSON file with the dependency snapshot that has been submitted.
In this example the snapshot will not contain the graphs of foo_2.13
and bar_3
.
## in .github/workflows/dependency-graph.md
...
steps:
- uses: actions/checkout@v3
- uses: scalacenter/sbt-dependency-submission@v2
with:
working-directory: ./my-scala-project
modules-ignore: foo_2.13 bar_3
In this example the snapshot will not contain the dependencies of the scala-doc-tool configuration.
## in .github/workflows/dependency-graph.md
...
steps:
- uses: actions/checkout@v3
- uses: scalacenter/sbt-dependency-submission@v2
with:
working-directory: ./my-scala-project
configs-ignore: scala-doc-tool
For troubleshooting, it can be convenient to generate a snapshot locally.
To do so you need to install the sbt-dependency-submission
plugin in your sbt project.
// In project/plugins.sbt
addSbtPlugin("ch.epfl.scala" % "sbt-github-dependency-submission" % "3.1.0")
After reloading your build, you can run:
sbt:example> githubGenerateSnapshot
...
[info] Dependency snapshot written to /tmp/dependency-snapshot-3080240838874963577.json
Or if you want to exclude some modules or configs:
sbt:example> githubGenerateSnapshot {"ignoredModules":["server_2.13"], "ignoredConfigs":["test"]}
...
[info] Dependency snapshot written to /tmp/dependency-snapshot-14803616116503623758.json
This error happens when the Dependency Graph
feature is disabled.
You can enable it in Settings
> Code Security and Analysis
.
This error happens when the workflow does not have the right permission on the repository.
First you should check that the workflow is not triggered on PR from forked repositories. It should be triggered by push to the default branch.
## in .github/workflows/dependency-graph.md
on:
push:
branches:
- main # default branch of the project
...
Then check that you enabled the read and write permissions for all workflows, at the bottom of the Settings > Actions > General
page.
If you do not want to enable this you can add the write permission on the dependency-graph
workflow only:
## in .github/workflows/dependency-graph.md
...
permissions:
contents: write # this permission is needed to submit the dependency graph
...
This error may happen when you try to access artifacts from private GitHub packages with the default GitHub token. You need to pass personal access token which is allowed to access private packages in the token
input.