Yicong-Huang opened a new pull request, #6163: URL: https://github.com/apache/texera/pull/6163
### What changes were proposed in this PR? Add `.github/workflows/dependency-graph.yml`: on every push to `main`, resolve the sbt build and submit the full dependency graph (all modules, transitive dependencies included) to GitHub via the Dependency Submission API, using [scalacenter/sbt-dependency-submission](https://github.com/scalacenter/sbt-dependency-submission). GitHub cannot parse `build.sbt`, so today Dependabot alerts cover only the npm/pip manifests and Scala dependencies are invisible — the jackson-databind CVE batch fixed in #6152 never appeared in the security tab and was caught by hand. With the graph submitted, Scala dependencies (Jackson, Pekko, …) get Dependabot alerts like npm/pip. Alerts only — no automatic PRs (Dependabot security updates do not support sbt). Notes for review: - The third-party actions are pinned to full commit SHAs per the [ASF GitHub Actions policy](https://infra.apache.org/github-actions-policy.html); `sbt/setup-sbt` and `coursier/cache-action` reuse the exact pins already used elsewhere in this repo. The same submission action (same SHA) is used by apache/pekko and 7 other ASF repos. - `configs-ignore` drops test/provided/optional/tooling scopes so alerts reflect what ships. - The job is guarded with `if: github.repository == 'apache/texera'` and only triggers on push to `main`, so it never runs on forks or PRs. ### Any related issues, documentation, discussions? Closes #6162 ### How was this PR tested? The workflow itself only runs post-merge on `apache/texera` `main` (see guard above), so it cannot be exercised by PR CI. Verified locally by running the underlying sbt plugin against this build: ``` sbt --addPluginSbtFile=<plugin.sbt> \ 'githubGenerateSnapshot {"ignoredConfigs":["provided","optional","test","compile-internal","runtime-internal","scala-tool","scala-doc-tool"]}' ``` completes with `[success]` and writes a snapshot containing 577 resolved packages across all modules, including `com.fasterxml.jackson.core:jackson-databind:2.18.8` and `org.apache.pekko:pekko-actor_2.13:1.6.0`. (It also surfaces a stale transitive `jackson-databind:2.12.3` in the tree — exactly the kind of finding this graph will make visible as an alert.) ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Code (Claude Fable 5) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
