Yicong-Huang opened a new pull request, #6163:
URL: https://github.com/apache/texera/pull/6163

   ### What changes were proposed in this PR?
   
   Add `.github/workflows/dependency-graph.yml`: on every push to `main`, 
resolve the sbt build and submit the full dependency graph (all modules, 
transitive dependencies included) to GitHub via the Dependency Submission API, 
using 
[scalacenter/sbt-dependency-submission](https://github.com/scalacenter/sbt-dependency-submission).
   
   GitHub cannot parse `build.sbt`, so today Dependabot alerts cover only the 
npm/pip manifests and Scala dependencies are invisible — the jackson-databind 
CVE batch fixed in #6152 never appeared in the security tab and was caught by 
hand. With the graph submitted, Scala dependencies (Jackson, Pekko, …) get 
Dependabot alerts like npm/pip. Alerts only — no automatic PRs (Dependabot 
security updates do not support sbt).
   
   Notes for review:
   
   - The third-party actions are pinned to full commit SHAs per the [ASF GitHub 
Actions policy](https://infra.apache.org/github-actions-policy.html); 
`sbt/setup-sbt` and `coursier/cache-action` reuse the exact pins already used 
elsewhere in this repo. The same submission action (same SHA) is used by 
apache/pekko and 7 other ASF repos.
   - `configs-ignore` drops test/provided/optional/tooling scopes so alerts 
reflect what ships.
   - The job is guarded with `if: github.repository == 'apache/texera'` and 
only triggers on push to `main`, so it never runs on forks or PRs.
   
   ### Any related issues, documentation, discussions?
   
   Closes #6162
   
   ### How was this PR tested?
   
   The workflow itself only runs post-merge on `apache/texera` `main` (see 
guard above), so it cannot be exercised by PR CI. Verified locally by running 
the underlying sbt plugin against this build:
   
   ```
   sbt --addPluginSbtFile=<plugin.sbt> \
     'githubGenerateSnapshot 
{"ignoredConfigs":["provided","optional","test","compile-internal","runtime-internal","scala-tool","scala-doc-tool"]}'
   ```
   
   completes with `[success]` and writes a snapshot containing 577 resolved 
packages across all modules, including 
`com.fasterxml.jackson.core:jackson-databind:2.18.8` and 
`org.apache.pekko:pekko-actor_2.13:1.6.0`. (It also surfaces a stale transitive 
`jackson-databind:2.12.3` in the tree — exactly the kind of finding this graph 
will make visible as an alert.)
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Claude Fable 5)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to