We updated all gradle workflows to the supported 5.0.2 setup-gradle version and hash:
uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
However, we also use their dependency-submission action from the same repository/hash/version, which is no longer allowed (maybe the patterns became more strict?):
uses: gradle/actions/dependency-submission@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
workflow: https://github.com/apache/lucene/blob/main/.github/workflows/dependency-submission.yml
Without the explicit dependency-submission, transitive Java dependencies (Maven ecosystem) aren't tracked in the GitHub dependency graph, and we won't receive vulnerability notifications for them: we'll only see direct dependencies.
Just opening the issue to see if there is any concern. I can try to follow the docs and open a PR.
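As an added example (not code from the issue or from the Lucene project), a small checker that mimics the kind of rule the reporter appears to have hit: every `uses:` reference in a workflow must name an allowed action path and be pinned to a full 40-hex commit SHA rather than a mutable tag. The allowlist, the `some-org/unreviewed-action` step and the sample workflow are constructed for illustration; the gradle/actions hash is the one quoted above.

```python
import re

# Constructed sample workflow steps. The gradle/actions pins are the ones quoted in
# the issue; actions/checkout@v4 and some-org/unreviewed-action are made-up examples.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
  - uses: gradle/actions/dependency-submission@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
  - uses: some-org/unreviewed-action@0123456789abcdef0123456789abcdef01234567
"""

# Hypothetical allowlist of action paths. It deliberately omits
# gradle/actions/dependency-submission to reproduce the rejection described in the issue.
ALLOWED_ACTIONS = {
    "actions/checkout",
    "gradle/actions/setup-gradle",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
# A full commit SHA is immutable; a tag such as v4 can be moved to different code later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(workflow_text):
    """Return a list of (ref, verdict) for every uses: line in the workflow text.

    verdict is "ok", "not-allowed" (action path is not on the allowlist) or
    "not-pinned" (ref is not a full 40-hex SHA). If both apply, not-allowed wins.
    """
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        action, _, version = ref.partition("@")
        if action not in ALLOWED_ACTIONS:
            verdict = "not-allowed"
        elif not SHA_RE.match(version):
            verdict = "not-pinned"
        else:
            verdict = "ok"
        results.append((ref, verdict))
    return results


if __name__ == "__main__":
    for ref, verdict in check_uses(SAMPLE_WORKFLOW):
        print(f"{verdict:12} {ref}")
```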