
Submit Gradle dependencies to GH dependency graph #27

Merged: 1 commit merged into trunk from submit-all-projects-dependencies-to-gh on Jan 18, 2024

Conversation

@wzieba wzieba commented Jan 18, 2024

Description

This PR adds a GitHub Actions job to send Gradle/Maven dependencies to the GitHub Dependency Graph for each push to the trunk or release/* branch.

By sending those dependencies, we allow Dependabot to scan whether dependencies we use are affected by known vulnerabilities.

Soon, those metrics will be available to visualize on Apps Metrics (link).

More about this project can be found internally at paaHJt-5Tn-p2

I know Gravatar-SDK-Android is a small repository with not many dependencies at this point, but nevertheless I think it's worth collecting data and being informed about any security vulnerabilities as soon as possible.

Testing instructions

This can't really be tested without forking, and forks are disabled for this repository.

This job is used in all other Android projects in Automattic, so it should be safe to merge without testing.
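The job the description refers to, written out as an added example workflow. This is not the PR's own workflow file: the workflow name, job name, JDK setup step and the action version tags are assumptions; the `dependency-graph: generate-and-submit` option and the `./gradlew :gravatar:dependencies` step are the ones the PR shows.

```yaml
# Added example (not the PR's own file): generate the Gradle dependency graph on
# every push to trunk or a release/* branch and submit it to GitHub, so that
# Dependabot can alert on known-vulnerable dependencies.
# Assumed: workflow/job names, the JDK step and the @v3/@v4 action tags.
name: Submit dependency graph

on:
  push:
    branches:
      - trunk
      - 'release/*'

permissions:
  contents: write   # the dependency submission API needs write access to contents

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK          # assumed; use the JDK version the project builds with
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          # Record every dependency resolved by the Gradle invocations in this job
          # and submit the resulting graph when the job finishes.
          dependency-graph: generate-and-submit

      - name: Generate the dependency graph which will be submitted post-job
        # Only configurations resolved here end up in the graph. The PR scopes this
        # to the SDK module; appending ':app:dependencies' would include the demo app.
        run: ./gradlew :gravatar:dependencies
```

The two things worth checking after merging such a job are that the workflow has `contents: write` (without it the post-job submission fails) and that the Dependency graph tab of the repository lists the resolved artifacts, which confirms Dependabot is seeing what the build actually resolves.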

with:
dependency-graph: generate-and-submit
- name: Generate the dependency graph which will be submitted post-job
run: ./gradlew :gravatar:dependencies
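Review bot: the step runs only `./gradlew :gravatar:dependencies`, so the graph submitted post-job will contain just the configurations that task resolves for the `:gravatar` module; if other modules are ever meant to be covered, add their `dependencies` tasks to the same `run:` line and mention the module scope in the step name so the limitation is visible to the next reader.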
Contributor


❓💡 We have two modules in this repo: the SDK itself, and a demo app that we are going to develop in parallel. Should we also add the demoApp dependencies?

./gradlew :app:dependencies

Member Author


Thanks, good question! I think we don't have to add the dependencies of the app module, as this is only the sample app, not released to clients. Security vulnerabilities won't be a threat to the customers; hence I believe it's not worth increasing the overhead of handling security vulnerabilities there 🙂.

Contributor

@hamorillo hamorillo left a comment


🚀 Awesome! Thanks for this!

@wzieba wzieba merged commit 904ff2d into trunk Jan 18, 2024
1 check passed
@wzieba wzieba deleted the submit-all-projects-dependencies-to-gh branch January 18, 2024 15:16