From c8fcdd534437c28af54113d473f0483fe6f53ef7 Mon Sep 17 00:00:00 2001 From: edeleon Date: Tue, 15 Oct 2024 16:21:08 -0700 Subject: [PATCH 1/3] remove snyk scanning workflow --- .github/workflows/snyk_scan.yml | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 .github/workflows/snyk_scan.yml diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml deleted file mode 100644 index f6acdd6..0000000 --- a/.github/workflows/snyk_scan.yml +++ /dev/null @@ -1,29 +0,0 @@ -# This workflow automates the process of identifying potential security vulnerabilities -# using Snyk. Dependency vulnerability scans will be run when a push is made to the main -# branch, on a weekly schedule, and can also be triggered manually. - -name: Snyk Vulnerability Scan -on: - workflow_dispatch: - schedule: - - cron: '00 15 * * 1' - push: - branches: - - main - -jobs: - security: - runs-on: ubuntu-latest - steps: - - name: Checkout Code - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # pin@v4 - with: - ref: 'main' - - - name: Run Snyk To Check For Vulnerabilities - uses: snyk/actions/gradle-jdk11@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # pin@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - command: monitor - args: --all-sub-projects --org=java-agent --configuration-matching='(^compileClasspath$)|(^runtimeClasspath$)' From 5b9b5bfecf72d17e013c2c131d535438a07736c7 Mon Sep 17 00:00:00 2001 From: edeleon Date: Tue, 15 Oct 2024 16:39:46 -0700 Subject: [PATCH 2/3] add dependency-submission workflow --- .github/workflows/dependency-submission.yml | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/dependency-submission.yml diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml new file mode 100644 index 0000000..621291a --- /dev/null +++ b/.github/workflows/dependency-submission.yml @@ -0,0 +1,29 @@ +name: Dependency Submission + +on: + push: + branches: [ 'main' ] + +permissions: + contents: write + +jobs: + dependency-submission: + runs-on: ubuntu-latest + steps: + - name: Checkout sources + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v4 + - name: Setup Java + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # pin@v4 + with: + distribution: 'temurin' + java-version: '11' + - name: Generate and submit dependency graph + uses: gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # pin@v4 + with: + gradle-version: 7.5.1 + dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath' + dependency-graph-continue-on-failure: true + build-scan-publish: true + build-scan-terms-of-use-url: "https://gralde.com/help/legal-terms-of-use" + build-scan-terms-of-use-agree: "yes" From ce901cc2190ba7413194b3d059bf5928b25356ef Mon Sep 17 00:00:00 2001 From: edeleon Date: Wed, 16 Oct 2024 16:44:33 -0700 Subject: [PATCH 3/3] add notes to dependency-submission workflow --- .github/workflows/dependency-submission.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml index 621291a..099f035 100644 --- a/.github/workflows/dependency-submission.yml +++ b/.github/workflows/dependency-submission.yml @@ -1,3 +1,13 @@ +# Workflow: Dependency Graph Submission and Vulnerability Reporting +# +# Trigger: This workflow runs on every merge to the main branch. +# +# Purpose: It generates and submits a dependency graph to the GitHub Dependency Submission API. The graph is used to +# trigger Dependabot Alerts for vulnerable dependencies, and to populate the Dependency Graph insights view in GitHub. +# +# Excludes: +# - Test-only dependencies + name: Dependency Submission on: @@ -21,9 +31,7 @@ jobs: - name: Generate and submit dependency graph uses: gradle/actions/dependency-submission@d156388eb19639ec20ade50009f3d199ce1e2808 # pin@v4 with: - gradle-version: 7.5.1 dependency-graph-exclude-configurations: '.*[Tt]est(Compile|Runtime)Classpath' - dependency-graph-continue-on-failure: true build-scan-publish: true build-scan-terms-of-use-url: "https://gralde.com/help/legal-terms-of-use" build-scan-terms-of-use-agree: "yes"