actions/maven-dependency-submission-action
1
0
Fork 0
mirror of https://github.com/actions/maven-dependency-submission-action synced 2026-04-05 18:24:59 +00:00
Code Issues Projects Releases Packages Wiki Activity
No description
183 commits 9 branches 0 tags 32 MiB
  • TypeScript 98.1%
  • Shell 1.9%
Find a file
Exact
Lewis Jones 600bc1c22b
 Merge pull request #15 from actions/weekly-sync-branch-15812379965 
Sync Fork with Upstream
2025-06-23 09:58:40 +01:00
.devcontainer Updating devcontainer base image for Node.js 20 support 2024-04-29 10:00:45 +00:00
.github Fix CODEOWNERS 2025-05-22 16:45:01 -04:00
.vscode Adding support for maven multi module projects 2022-10-26 15:19:31 +00:00
dist Update version to 5.0.0 since this has breaking changes 2025-05-14 22:58:01 +00:00
src Update wording in error message 2025-05-15 09:09:03 -07:00
test-data Simplify test data and refactor 2025-04-03 16:59:49 +00:00
.gitignore Revert "Modifications to support conversion from ESM in to CJS for the executables" 2024-03-05 10:20:56 -06:00
action.yml Do not aggregate manifest files in multi-module projects 2025-05-14 22:46:16 +00:00
CODE_OF_CONDUCT.md Preparing for new location 2022-08-30 13:39:05 +00:00
CONTRIBUTING.md Bump the tag mentioned in the contrib doc to v5 2025-05-21 14:04:55 -04:00
LICENSE.txt Updating CLI to include the same inputs that the action supports 2023-12-18 07:41:27 +00:00
package-lock.json Bump tar-fs in the npm_and_yarn group across 1 directory 2025-06-03 09:26:27 +00:00
package.json Merge branch 'main' into juxtin/file-centric-manifests 2025-05-21 12:37:29 -04:00
README.md README updates for v5.0.0 2025-05-21 12:35:36 -04:00
SECURITY.md Preparing for new location 2022-08-30 13:39:05 +00:00
tsconfig.json CLI generation fixes to support ESM backed libraries 2024-04-29 09:28:27 +00:00
vitest.config.ts Removing jest and replacing with vitest 2024-01-23 15:58:26 +00:00

README.md

maven-dependency-submission-action

This is a GitHub Action that will generate a complete dependency graph for a Maven project and submit the graph to the GitHub repository so that the graph is complete and includes all the transitive dependencies.

The action will invoke maven using the com.github.ferstl:depgraph-maven-plugin:4.0.3 plugin to generate JSON output of the complete dependency graph, which is then processed and submitted using the Dependency Submission Toolkit to the GitHub repository.

Usage

As of version 3.0.0 this action now supports Maven multi-module projects as well as additional Maven configuration parameters. As of version 5.0.0, multi-module projects report dependencies as coming from their respective pom.xml files.

Pre-requisites

For this action to work properly, you must have the Maven available on PATH (mvn) or using a mvnw Maven wrapper in your maven project directory. Maven will need to be configured to be able to access and pull your dependencies from whatever sources you have defined (i.e. a properly configured settings.xml or all details provided in the POM).

Custom maven settings.xml can now be specified as an input parameter to the action.

This action writes information in the repository dependency graph, so if you are using the default token, you need to set the contents: write permission to the workflow or job. If you are using a personal access token, this token must have the repo scope. (API used by this action)

Inputs

  • directory - The directory that contains the pom.xml that will be used to generate the dependency graph from. Defaults to the github.workspace which is where the source will check out to by default when using actions/checkout .

  • token - The GitHub token that will be used to submit the generated dependency snapshot to the repository. Defaults to the github.token from the actions environment.

  • settings-file - An optional path to a Maven settings.xml file that you want to use to provide additional configuration to Maven.

  • ignore-maven-wrapper - An optional true/false flag parameter to ignore the Maven wrapper (if present) in the maven project directory and instead use the version of Maven from the PATH. This is set to false by default to use the wrapper if one is present.

  • maven-args - An optional string value (space separated) options to pass to the maven command line when generating the dependency snapshot. This is empty by default.

  • correlator: An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the job_id of the current job.

Examples

Generating and submitting a dependency snapshot using the defaults:

- name: Submit Dependency Snapshot
  uses: advanced-security/maven-dependency-submission-action@v5

Upon success it will generate a snapshot captured from Maven POM like; Screenshot 2022-08-15 at 09 33 47

Configuring for Matrix-Based Workflows

To ensure that the job parameter of the submission remains unique when the action is being called from a workflow that has a matrix, you can pass a correlator to the action. This identifier will be appended to the default correlator propterty of a job, ensuring uniqueness across matrix-based workflows. When dealing with Maven-based Java projects that utilize different pom.xml files across matrix jobs, you can specify the directory relevant to each matrix job. This ensures that the dependency snapshot accurately reflects the dependencies for each specific configuration.

Example of specifying pom.xml files for different matrix jobs:

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - java-version: 8
            directory: project1
          - java-version: 11
            directory: project2
    steps:
    - uses: actions/checkout@v2
    - name: Set up JDK ${{ matrix.java-version }}
      uses: actions/setup-java@v2
      with:
        java-version: ${{ matrix.java-version }}
    - name: Submit Dependency Snapshot
      uses: advanced-security/maven-dependency-submission-action@v3
       with:
        directory: ${{ matrix.directory }}
        correlator: ${{ github.job }}-${{ matrix.directory }}

In this example, the action is configured to use different working directories based on the Java version specified in the matrix. This ensures that the dependency snapshot is accurate for each Java version being tested.

Command Line Usage

There are experimental command line clients, Linux only for now that will provide the same functionality as the GitHub Action but can be embedded into your existing CI tooling and invoked from the commandline to upload a dependency snapshot.

You can obtain the executables from the latest actions workflow run https://github.com/advanced-security/maven-dependency-submission-action/actions/workflows/publish_executables.yml.

Parameters

Run the command line tool with the --help option to display all the possible configuration options;

Usage: maven-dependency-submission [options]

Options:
  -V, --version                             output the version number
  -t, --token <token>                       GitHub access token
  -r --repository <repository>              GitHub repository, owner/repo_name format
  -b --branch-ref <ref>                     GitHub repository branch reference
  -s --sha <commitSha>                      GitHub repository commit SHA
  -d --directory <maven-project-directory>  the directory containing the Maven POM file (default: ".")
  --github-api-url <url>                    GitHub API URL (default: "https://api.github.com")
  -j --job-name <jobName>                   Optional name for the activity creating and submitting the graph (default: "maven-dependency-submission-cli")
  -i --run-id <jobName>                     Optional Run ID number for the activity that is providing the graph
  -h, --help                                display help for command

Development

To develop on this project, a Codespace has been provided that will provide all the necessary tools and installation of a JDK and Maven for the test suite to pass. Just open a Codespace and you can start to develop in the quickest possible timeframe.

The codebase is in TypeScript to make it easier for maintenance.

The source code lives under src and the Action is provided in the src/index.ts file.

To build the software npm has been configured with scripts for test and build script to validate any work before publishing the action code.