Stop aggregating manifests in multi-module projects

[juxtin]

Currently, when you have a multi-module project all the manifest files are aggregated into a single file—a root-level pom.xml. This has some notable downsides:

1. Manifest deduplication doesn't really work, since the sub-project pom.xmls will all still appear in the Dependency Graph.
2. It's harder to figure out which particular pom.xml file brings in a given dependency, since all dependencies are shown at the root level no matter what.

What this PR does is stop using the aggregate function of depgraph-maven-plugin and instead map dependencies back to the appropriate* pom.xml file.

In practice, this does result in some duplication as each module may now have its own copy of certain dependencies. You can see this by comparing the repo insights views from before and after this change.

Despite the duplicate dependencies, I'm inclined to see this as a net benefit. The duplicates do communicate some extra information, namely that the duplicated dependency is in use in multiple modules.

I've also removed two actions parameters that no longer make sense (if they ever did):

• snapshot-dependency-file-name: the path to the single manifest submitted by the action. Since we no longer submit just one manifest, this is not applicable anymore.
• snapshot-include-file-name: this flag determined whether the manifest object included the file path. Since it should always be available and there's no reason to omit it, I'm just removing this flag.

[Copilot]

Pull Request Overview

This PR updates the Maven snapshot generator to stop aggregating all module manifests into a single root POM and instead produce individual manifests per module. It also removes two obsolete action inputs related to a single manifest file.

• Replace the aggregate reactor flow with per-module graph generation and manifest creation
• Introduce generateDependencyGraphs and getDepgraphFiles for recursive discovery
• Remove snapshot-include-file-name and snapshot-dependency-file-name inputs and bump version to 5.0.0

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/snapshot-generator.ts	Switched from single aggregated graph to multiple graphs; removed old flags; added recursive file discovery
src/depgraph.ts	Added filePath field; removed isMultiModule; improved JSON parsing to include POM path
src/snapshot-generator.test.ts	Updated tests for generateDependencyGraphs and added direct-dependency assertions
src/index.ts	Dropped deprecated includeManifestFile and manifestFile mappings
src/executable/cli.ts	Removed corresponding CLI options for snapshot file name flags
package.json	Bumped action version to 5.0.0
action.yml	Removed obsolete inputs snapshot-include-file-name and snapshot-dependency-file-name

Comments suppressed due to low confidence (2)

src/snapshot-generator.ts:142

• There are no unit tests covering getDepgraphFiles. Consider adding tests for recursive file discovery and error handling to ensure this utility behaves correctly in nested and failure scenarios.

function getDepgraphFiles(directory: string, filename: string): string[] {

src/snapshot-generator.test.ts:8

• The test description references generateDependencyGraph but the function was renamed to generateDependencyGraphs. Update the description to match the new function name.

describe('#generateDependencyGraph()', () => {

[dangoor]

This all makes sense to me. Also agree about bumping the major version, since this eliminates configuration options.

I'm going to "request changes" to update the README to no longer include those removed options (or maybe to even note in the README that those options are gone). I'll make that change tomorrow.

[dangoor]

I cringe a little at reading the directory twice, but I suspect the cost of doing that even on a relatively large repository is small when compared to all of the maven work being done.