A Mill plugin to submit your dependency graph to GitHub via their Dependency Submission API.
This is a derivative work of ckipp01/mill-github-dependency-graph, updated to support Mill 1.x and maintained by Eleven19.
The main benefits of doing this are:
- Being able to see your dependency graph on GitHub in your Insights tab.
- If enabled, Dependabot can send you alerts about security vulnerabilities in your dependencies.
Requirements:
- Mill 1.x (1.1.5+)
- The Dependency Graph feature must be enabled in your repository settings, along with Dependabot Alerts if you'd like them (Settings -> Code security and analysis). Without it the submission is accepted but nothing is shown.
Add the plugin as a build dependency in your build.mill.yaml (the `::` separator is Mill's cross-Scala-version dependency syntax, which resolves to the `_3` artifact listed below):

```yaml
mill-build:
  mvnDeps:
    - "io.eleven19.mill-github-dependency-graph::mill-github-dependency-graph:0.0.1"
```

| Module | Group ID | Artifact ID | Version |
|---|---|---|---|
| Plugin | io.eleven19.mill-github-dependency-graph | mill-github-dependency-graph_3 | 0.0.1 |
| Domain | io.eleven19.mill-github-dependency-graph | github-dependency-graph-domain_3 | 0.0.1 |
Browse on Sonatype Central: mill-github-dependency-graph | github-dependency-graph-domain
To preview the dependency manifests for your project without submitting anything:

```shell
./mill io.eleven19.mill.github.dependency.graph.Graph/generate
```

To automatically submit your dependency graph on every push to main, add this workflow to your project:

```yaml
name: github-dependency-graph
on:
  push:
    branches:
      - main
jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    # The Dependency Submission API requires a token with write access to
    # repository contents. Grant it to this job only rather than widening the
    # workflow-level default.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '21'
      - name: Submit dependency graph
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./mill io.eleven19.mill.github.dependency.graph.Graph/submit
```

The `submit` task reads the token from the `GITHUB_TOKEN` environment variable. The Dependency Submission API needs `contents: write`; if your repository's default `GITHUB_TOKEN` permissions are read-only (the default for newer repositories), the submission is rejected unless the job grants the permission as shown. Because this job runs with a write-capable token, consider pinning the actions it uses to a full commit SHA instead of a mutable tag.

After you submit your graph you'll be able to view your dependencies in the repository's Insights tab.
The plugin works in a few steps:
- Gather all the `JavaModule`s in your build
- Gather all direct and transitive dependencies of those modules
- Create a tree-like structure of these dependencies using coursier's `DependencyTree` functionality
- Map this structure to a `DependencySnapshot`, which is what the GitHub API expects
- POST the snapshot to GitHub's Dependency Submission API
You'll notice when using this that many dependencies aren't linked back to the repositories where they live, some are linked to the wrong repository, and much of the information the plugin submits (such as direct vs. indirect) isn't actually displayed in the UI. Most of this is due to bugs or limitations on the GitHub UI side rather than in the submitted snapshot; running the `generate` task is the easiest way to confirm what the plugin actually sent. You can follow some conversation on this here.
This project is based on mill-github-dependency-graph by Chris Kipp, licensed under the Apache License 2.0. See the NOTICE file for details.