A Gradle plugin for generating a GitHub dependency graph for a Gradle build, which can be uploaded to the GitHub Dependency Submission API.
This plugin is designed to be used in a GitHub Actions workflow, and is tightly integrated into the Gradle Build Action.
For other uses, the core plugin (`org.gradle.github.GitHubDependencyGraphPlugin`) should be applied to the Gradle instance via a Gradle init script as follows:
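```groovy
import org.gradle.github.GitHubDependencyGraphPlugin

initscript {
    repositories {
        // The plugin is resolved from the Gradle Plugin Portal
        maven {
            url = uri("https://plugins.gradle.org/m2/")
        }
    }
    dependencies {
        // "+" is a dynamic version: it resolves to the latest published release
        classpath("org.gradle:github-dependency-graph-gradle-plugin:+")
    }
}

// Apply the core plugin to the Gradle instance
apply plugin: GitHubDependencyGraphPlugin
```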
This causes 2 separate plugins to be applied, that can be used independently:
- `GitHubDependencyExtractorPlugin` collects all dependencies that are resolved during a build execution and writes these to a file. The output file can be found at `<root>/build/reports/github-depenency-graph-snapshots/<job-correlator>.json`.
- `ForceDependencyResolutionPlugin` creates a `ForceDependencyResolutionPlugin_resolveAllDependencies` task that will attempt to resolve all dependencies for a Gradle build, by simply invoking `dependencies` on all projects.
The following environment variables configure the snapshot generated by the `GitHubDependencyExtractorPlugin`. See the GitHub Dependency Submission API docs for details:
- `GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR`: Sets the `job.correlator` value for the dependency submission
- `GITHUB_DEPENDENCY_GRAPH_JOB_ID`: Sets the `job.id` value for the dependency submission
- `GITHUB_DEPENDENCY_GRAPH_REF`: Sets the `ref` value for the commit that generated the dependency graph
- `GITHUB_DEPENDENCY_GRAPH_SHA`: Sets the `sha` value for the commit that generated the dependency graph
- `GITHUB_DEPENDENCY_GRAPH_WORKSPACE`: Sets the root directory of the GitHub repository
- `DEPENDENCY_GRAPH_REPORT_DIR` (optional): Specifies where the dependency graph report will be generated
Each of these values can also be provided via a system property.
For example, the env var `DEPENDENCY_GRAPH_REPORT_DIR` can be set with `-DDEPENDENCY_GRAPH_REPORT_DIR=...` on the command-line.
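
A pre-submission check that ties a generated snapshot back to the variables listed above, as an added example that is not part of the plugin or its documentation. It assumes the snapshot file follows the Dependency Submission API layout (`job`, `sha`, `ref`, and `manifests` with `resolved` entries); `check_snapshot` and all sample values are constructed for illustration.

```python
import re

# Environment variable -> path of the snapshot field it sets (per the list above).
ENV_TO_FIELD = {
    "GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR": ("job", "correlator"),
    "GITHUB_DEPENDENCY_GRAPH_JOB_ID": ("job", "id"),
    "GITHUB_DEPENDENCY_GRAPH_REF": ("ref",),
    "GITHUB_DEPENDENCY_GRAPH_SHA": ("sha",),
}
FULL_SHA = re.compile(r"[0-9a-f]{40}")  # assumption: full SHA-1 commit id


def _lookup(doc, path):
    for key in path:
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc


def check_snapshot(snapshot, env):
    """Return a list of problems; an empty list means snapshot and env agree."""
    problems = []
    for var, path in ENV_TO_FIELD.items():
        expected, actual = env.get(var), _lookup(snapshot, path)
        if expected is None:
            problems.append(f"{var} is not set")
        elif str(actual) != expected:
            problems.append(f"{'.'.join(path)}={actual!r} does not match {var}")
    if not FULL_SHA.fullmatch(str(snapshot.get("sha", ""))):
        problems.append("sha is not a full 40-character commit id")
    if not str(snapshot.get("ref", "")).startswith("refs/"):
        problems.append("ref is not a fully qualified git ref")
    manifests = snapshot.get("manifests", {}).values()
    if sum(len(m.get("resolved", {})) for m in manifests) == 0:
        problems.append("no resolved dependencies recorded")
    return problems


# Constructed sample data, not output from a real build.
SAMPLE_ENV = {
    "GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR": "ci-build",
    "GITHUB_DEPENDENCY_GRAPH_JOB_ID": "1234567890",
    "GITHUB_DEPENDENCY_GRAPH_REF": "refs/heads/main",
    "GITHUB_DEPENDENCY_GRAPH_SHA": "a1b2c3d4" * 5,
}
SAMPLE_SNAPSHOT = {
    "job": {"correlator": "ci-build", "id": "1234567890"},
    "ref": "refs/heads/main", "sha": "a1b2c3d4" * 5,
    "manifests": {"ci-build": {"resolved": {
        "com.example:lib:1.0": {"package_url": "pkg:maven/com.example/lib@1.0"}}}},
}
```

Running this against the JSON file in the report directory before upload catches a snapshot attributed to the wrong commit, ref or job.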
If you do not want to include every dependency configuration in every project in your build, you can limit the dependency extraction to a subset of these.
To restrict which Gradle subprojects contribute to the report, specify which projects to include via a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_PROJECTS` environment variable or system property.
To restrict which Gradle configurations contribute to the report, you can filter configurations by name using a regular expression.
You can provide this value via the `DEPENDENCY_GRAPH_INCLUDE_CONFIGURATIONS` environment variable or system property.
The plugin should be compatible with most versions of Gradle >= 5.2, and has been tested against Gradle versions "5.2.1", "5.6.4", "6.0.1", "6.9.4", "7.1.1" and "7.6.3", as well as all patched versions of Gradle 8.x.
The plugin is compatible with running Gradle with the configuration-cache enabled: this support is limited to Gradle "8.1.0" and later. Earlier Gradle versions will not work with `--configuration-cache`.
Note that no dependency graph will be generated when configuration state is loaded from the configuration-cache.
Gradle version | Compatible | Compatible with configuration-cache |
---|---|---|
1.x - 4.x | ❌ | ❌ |
5.0 - 5.1.1 | ❌ | ❌ |
5.2 - 5.6.4 | ✅ | ❌ |
6.0 - 6.9.4 | ✅ | ❌ |
7.0 - 7.0.2 | ❌ | ❌ |
7.1 - 7.6.3 | ✅ | ❌ |
8.0 - 8.0.2 | ✅ | ❌ |
8.1+ | ✅ | ✅ |
To build and test this plugin, run the following task:
```shell
./gradlew check
```
To self-test this plugin and generate a dependency graph for this repository, run:
```shell
./plugin-self-test-local
```
The generated dependency graph will be submitted to GitHub only if you supply a GitHub API token via the environment variable `GITHUB_TOKEN`.