[feat][ci] Add Gradle dependency submission workflow for Dependabot alerts#25748
Merged
…lerts Submits the resolved Gradle dependency graph to GitHub on each push to master so Dependabot can raise vulnerability alerts for transitive dependencies that are not declared directly in the build scripts. See https://github.com/gradle/actions/blob/main/docs/dependency-submission.md
nodece
approved these changes
May 12, 2026
### Motivation

GitHub Dependabot can only raise vulnerability alerts for dependencies it is aware of. For Gradle projects, Dependabot parses the `build.gradle` files statically and therefore only sees the dependencies declared directly there; it does not see the transitive dependencies pulled in during resolution. As a result, CVEs in transitive dependencies are not surfaced as Dependabot alerts on this repository.

The `gradle/actions/dependency-submission` action resolves the full Gradle dependency graph and submits it to GitHub via the Dependency Submission API. Once submitted, the complete (direct + transitive) graph is visible to Dependabot, which can then raise alerts and updates for vulnerabilities anywhere in the graph.

### Modifications

- `.github/workflows/ci-gradle-dependency-submission.yaml`, which runs on each push to `master`. It checks out the repo, sets up JDK 21 and Gradle (with the existing `setup-gradle` composite action), and runs `gradle/actions/dependency-submission@v6` to generate and submit the dependency graph to GitHub.
- `permissions: contents: write`, as required by the dependency submission action to upload the graph.

### Verifying this change

This change is a trivial CI configuration change without any test coverage. It will be exercised by the new scheduled workflow on `master` after merge; the produced dependency graph will be visible under the repository's Insights → Dependency graph view, and Dependabot alerts for transitive dependencies will start appearing from that point on.

### Does this pull request potentially affect one of the following parts:
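The workflow the Modifications section describes, written out here as an added example rather than the file merged in this pull request. The action references (`actions/checkout`, `actions/setup-java`, `gradle/actions/dependency-submission@v6`), JDK 21, the `master` push trigger and the `contents: write` permission come from the PR description; the step names, the `temurin` distribution and the `./.github/actions/setup-gradle` path for the repository's composite action are assumptions.

```yaml
# Added example of a Gradle dependency submission workflow, modelled on the
# PR description above; this is not the file from the pull request itself.
name: CI - Gradle dependency submission

on:
  push:
    branches:
      - master

# Scope the GITHUB_TOKEN to what the Dependency Submission API needs:
# contents: write lets the action upload the graph snapshot, nothing more.
permissions:
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumed; any supported distribution works
          java-version: '21'

      # Assumed path of the repository's existing composite action that the
      # PR description says is reused for Gradle setup.
      - name: Set up Gradle
        uses: ./.github/actions/setup-gradle

      # Resolves the project's configurations, builds the full direct plus
      # transitive dependency graph and submits it to GitHub for this commit.
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v6
```

Dependabot alerts are computed from the default branch's dependency graph, which is why a push trigger on `master` is enough; each run submits a snapshot tied to the pushed commit, so the view under Insights → Dependency graph always reflects the latest resolved graph. After the first run, checking that tab lists artifacts that are not declared in any `build.gradle` file is the quickest confirmation that transitive dependencies are now being reported.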