lhotari opened a new pull request, #25748: URL: https://github.com/apache/pulsar/pull/25748
### Motivation

GitHub Dependabot can only raise vulnerability alerts for dependencies it is aware of. For Gradle projects, Dependabot parses the `build.gradle` files statically and therefore only sees the dependencies declared directly there; it does not see the transitive dependencies pulled in during resolution. As a result, CVEs in transitive dependencies are not surfaced as Dependabot alerts on this repository.

The [`gradle/actions/dependency-submission`](https://github.com/gradle/actions/blob/main/docs/dependency-submission.md) action resolves the full Gradle dependency graph and submits it to GitHub via the Dependency Submission API. Once submitted, the complete (direct + transitive) graph is visible to Dependabot, which can then raise alerts and updates for vulnerabilities anywhere in the graph.

### Modifications

- Added a new workflow `.github/workflows/ci-gradle-dependency-submission.yaml` that runs on each push to `master`. It checks out the repo, sets up JDK 21 and Gradle (with the existing `setup-gradle` composite action), and runs `gradle/actions/dependency-submission@v6` to generate and submit the dependency graph to GitHub.
- The workflow uses `permissions: contents: write` as required by the dependency submission action to upload the graph.
- Concurrency is configured so that overlapping runs on the same ref cancel earlier ones.

### Verifying this change

- [x] Make sure that the change passes the CI checks.

This change is a trivial CI configuration change without any test coverage. It will be exercised by the new scheduled workflow on `master` after merge; the produced dependency graph will be visible under the repository's *Insights → Dependency graph* view, and Dependabot alerts for transitive dependencies will start appearing from that point on.
### Does this pull request potentially affect one of the following parts:

- [ ] Dependencies (add or upgrade a dependency)
- [ ] The public API
- [ ] The schema
- [ ] The default values of configurations
- [ ] The threading model
- [ ] The binary protocol
- [ ] The REST endpoints
- [ ] The admin CLI options
- [ ] The metrics
- [ ] Anything that affects deployment

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
