A Mill plugin to submit your dependency graph to GitHub via their Dependency Submission API.
The main benifits of doing this are:
- Being able to see your dependency graph on GitHub in your Insights tab. For example you can see this here for this plugin.
- If enabled, Dependabot can send you alerts about security vulnerabilities in your dependencies.
- Make sure in your repo settings the Dependency Graph feature is enabled as well as Dependabot Alerts if you'd like them. (Settings -> Code security and analysis)
The easiest way to use this plugin is with the mill-dependency-submission action. You can add this to a workflow like below:
name: github-dependency-graph
on:
push:
branches:
- main
jobs:
submit-dependency-graph:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: coursier/cache-action@v6
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
- uses: ckipp01/mill-dependency-submission@v1
You can also just run the following command from the root of your workspace which will create the file for you:
curl -o .github/workflows/github-dependency-graph.yml --create-dirs https://raw.githubusercontent.com/ckipp01/mill-github-dependency-graph/main/.github/workflows/github-dependency-graph.yml
After you submit your graph you'll be able to view your dependencies.
The general idea is that the plugin works in a few steps:
- Gather all the modules in your build
- Gather all direct and transitive dependencies of those modules
- Create a tree-like structure of these dependencies. We piggy back off
coursier for this and use its
DependencyTree
functionality. - We map this structure to that of a
DependencySnapshot
, which is what GitHub understands - We post this data to GitHub.
You can use another available task to see what the
Manifest
s
look like locally for your project, which are the main part of the
DependencySnapshot
.
./mill --import ivy:io.chris-kipp::mill-github-dependency-graph::0.1.0 show io.kipp.mill.github.dependency.graph.Graph/generate
You'll notice when using this that a lot of dependencies aren't linked back to the repositories where they are located, some may be wrongly linked, and much of the information the plugin is providing (like direct vs indirect) isn't actually displayed in the UI. Much of this is either bugs or limitations on the GitHub UI side. You can follow some conversation on this here.