
APACHE-2.0 License


Mill GitHub Dependency Graph

A Mill plugin to submit your dependency graph to GitHub via their Dependency Submission API.

The main benefits of doing this are:

  1. Being able to see your dependency graph on GitHub in your Insights tab.
     For example, you can see this here for this plugin.
  2. If enabled, Dependabot can send you alerts about security
     vulnerabilities in your dependencies.

Requirements

  • Make sure the Dependency Graph feature is enabled in your repo settings,
    as well as Dependabot Alerts if you'd like them (Settings -> Code security
    and analysis).

Quick Start

The easiest way to use this plugin is with the mill-dependency-submission action. You can add it to a workflow like the one below:

name: github-dependency-graph

on:
  push:
    branches:
      - main

jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: coursier/cache-action@v6
    - uses: actions/setup-java@v3
      with:
        distribution: 'temurin'
        java-version: '17'
    - uses: ckipp01/mill-dependency-submission@v1

You can also just run the following command from the root of your workspace, which will create the workflow file for you:

curl -o .github/workflows/github-dependency-graph.yml --create-dirs https://raw.githubusercontent.com/ckipp01/mill-github-dependency-graph/main/.github/workflows/github-dependency-graph.yml

After you submit your graph you'll be able to view your dependencies.

How does this work?

The general idea is that the plugin works in a few steps:

  1. Gather all the modules in your build
  2. Gather all direct and transitive dependencies of those modules
  3. Create a tree-like structure of these dependencies. We piggyback on
     coursier for this and use its DependencyTree functionality.
  4. We map this structure to that of a DependencySnapshot, which is what
     GitHub understands.
  5. We post this data to GitHub.

Another available task lets you see locally what the Manifests, the main part of the DependencySnapshot, look like for your project:

./mill --import ivy:io.chris-kipp::mill-github-dependency-graph::0.1.0 show io.kipp.mill.github.dependency.graph.Graph/generate
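To make steps 3 to 5 concrete, here is an added example (not the plugin's own code, and not Scala) that takes a small, constructed coursier-style dependency tree, flattens it into a manifest with "direct"/"indirect" relationships and Package URLs, wraps it in a DependencySnapshot document, and shows the POST to the Dependency Submission API. The detector name, URL, sample coordinates, sha and job identifiers are all made-up values; the snapshot field names follow the public Dependency Submission API.

```python
"""Added example (not the plugin's own code): map a coursier-style dependency
tree to a GitHub DependencySnapshot and submit it."""
from __future__ import annotations

import json
import os
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Dep:
    """One node of the resolved tree, the shape coursier's DependencyTree gives you."""
    org: str
    name: str
    version: str
    children: list["Dep"] = field(default_factory=list)

    @property
    def purl(self) -> str:
        # Package URL in the Maven form GitHub expects: namespace is the groupId.
        return f"pkg:maven/{self.org}/{self.name}@{self.version}"


def flatten(roots: list[Dep]) -> dict[str, dict]:
    """Walk the tree into the 'resolved' map of a manifest.

    Roots are 'direct', everything below them 'indirect'. A package reached both
    ways keeps 'direct' whatever the visit order, since that is the label the
    Dependabot/Insights UI cares about.
    """
    resolved: dict[str, dict] = {}

    def visit(dep: Dep, relationship: str) -> None:
        seen = dep.purl in resolved
        entry = resolved.setdefault(dep.purl, {
            "package_url": dep.purl,
            "relationship": relationship,
            "scope": "runtime",
            "dependencies": [],
        })
        if relationship == "direct":
            entry["relationship"] = "direct"
        if seen:
            return  # children already recorded on the first visit
        for child in dep.children:
            entry["dependencies"].append(child.purl)
            visit(child, "indirect")

    for root in roots:
        visit(root, "direct")
    return resolved


def build_snapshot(deps_by_module: dict[str, list[Dep]], *, sha: str, ref: str,
                   job_id: str, correlator: str) -> dict:
    """Assemble the DependencySnapshot document, one manifest per Mill module."""
    manifests = {
        module: {
            "name": module,
            "file": {"source_location": "build.sc"},  # assumption: deps live in build.sc
            "resolved": flatten(roots),
        }
        for module, roots in deps_by_module.items()
    }
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"id": job_id, "correlator": correlator},
        # Hypothetical detector identity; the real plugin reports its own name/version.
        "detector": {"name": "example-detector", "version": "0.0.0",
                     "url": "https://example.invalid/detector"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": manifests,
    }


def submit(snapshot: dict, owner: str, repo: str, token: str) -> int:
    """POST the snapshot to the Dependency Submission API and return the HTTP status."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots",
        data=json.dumps(snapshot).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample tree for one module: cats-effect pulls in cats-core, which
# is also declared directly, so cats-core must end up 'direct'.
SAMPLE = {
    "root": [
        Dep("org.typelevel", "cats-effect_3", "3.5.0", [
            Dep("org.typelevel", "cats-core_3", "2.9.0", [
                Dep("org.typelevel", "cats-kernel_3", "2.9.0"),
            ]),
        ]),
        Dep("org.typelevel", "cats-core_3", "2.9.0"),
    ]
}

if __name__ == "__main__":
    snap = build_snapshot(SAMPLE, sha="0" * 40, ref="refs/heads/main",
                          job_id="local-1", correlator="example")
    print(json.dumps(snap, indent=2))
    # Only submit when a token and target repo are provided via the environment.
    if all(os.environ.get(k) for k in ("GITHUB_TOKEN", "OWNER", "REPO")):
        print(submit(snap, os.environ["OWNER"], os.environ["REPO"], os.environ["GITHUB_TOKEN"]))
```

Run it without environment variables to just print the snapshot, which is the same shape the Graph/generate task above lets you inspect for your own build. The token used for submission needs write access to the repository's contents, which is why the workflow above runs as a GitHub Action.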

Limitations

You'll notice when using this that many dependencies aren't linked back to the repositories where they are located, some may be wrongly linked, and much of the information the plugin provides (like direct vs indirect) isn't actually displayed in the UI. Much of this is due to either bugs or limitations on the GitHub UI side. You can follow some conversation on this here.