kevinjqliu opened a new pull request, #16367: URL: https://github.com/apache/iceberg/pull/16367
Runs `gradle/actions/dependency-submission` against the full multi-project build (`-DallModules`) to populate GitHub's dependency graph and enable Dependabot alerts for transitive Gradle deps across all subprojects. Complements `cve-scan.yml` (Trivy on shipped jars).

Once merged, the resolved graph shows up at https://github.com/apache/iceberg/network/dependencies and lights up GitHub's native Dependabot CVE alerts for every transitive Maven coordinate the build pulls in.

**Scope**

- `-DallModules` covers every Spark/Flink/Kafka versioned subproject.
- Excludes `:buildSrc` and `*Test{Compile,Runtime}Classpath` so Dependabot only alerts on shipped deps.

**Safety**

- Triggers: `push: main` + daily cron (06:17 UTC) + `workflow_dispatch`. No `pull_request`, so `contents: write` is never granted to fork PRs.
- `if: github.repository_owner == 'apache'` no-ops on forks.
- `timeout-minutes: 30`, `cache-read-only: true`, `persist-credentials: false`, all actions pinned to SHAs matching `java-ci.yml`.

**Validation**

Tested on my fork: 1,500 unique Maven artifacts resolved in ~1 min, `buildSrc` and test-classpath entries correctly excluded (0 hits each).
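For readers who want to see how the triggers, permission scoping, fork guard and exclusions described above fit together, here is an illustrative workflow written for this note; it is not the file from the PR. The action SHAs are placeholders (the PR pins them to match `java-ci.yml`), the `setup-java` step and Java version are assumed, and the `dependency-graph-exclude-*` input names and regex forms are assumptions about the `gradle/actions` inputs rather than taken from the PR.

```yaml
# Illustrative workflow, not the PR's file. SHAs below are placeholders.
name: dependency-submission

on:
  push:
    branches: [main]       # no pull_request trigger: fork PRs never run with contents: write
  schedule:
    - cron: '17 6 * * *'   # daily at 06:17 UTC
  workflow_dispatch:

permissions:
  contents: write          # the only scope the graph upload needs; nothing else is granted

jobs:
  submit-dependency-graph:
    if: github.repository_owner == 'apache'   # no-op on forks even if the workflow is enabled there
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@<PLACEHOLDER_SHA_MATCHING_java-ci.yml>
        with:
          persist-credentials: false          # don't leave the token in .git/config for later steps

      - uses: actions/setup-java@<PLACEHOLDER_SHA_MATCHING_java-ci.yml>   # assumed step
        with:
          distribution: temurin               # assumed
          java-version: 17                    # assumed

      - uses: gradle/actions/dependency-submission@<PLACEHOLDER_SHA_MATCHING_java-ci.yml>
        with:
          cache-read-only: true               # this job never writes to the shared Gradle cache
          additional-arguments: -DallModules  # resolve every Spark/Flink/Kafka versioned subproject
          # Assumed input names; values are regexes over project paths / configuration names.
          dependency-graph-exclude-projects: ':buildSrc'
          dependency-graph-exclude-configurations: '.*Test(Compile|Runtime)Classpath'
```

After a run, the "0 hits" check from the Validation section amounts to confirming that no `buildSrc` or `*TestCompileClasspath` / `*TestRuntimeClasspath` entries appear in the submitted graph at the network/dependencies URL above.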
