A Mill plugin to submit your dependency graph to the GitHub Dependency Graph API

Mill GitHub Dependency Graph

A Mill plugin to submit your dependency graph to GitHub via their Dependency Submission API.

The main benifits of doing this are:

  1. Being able to see your dependency graph on GitHub in your Insights tab. For example you can see this here for this plugin.
  2. If enabled, Dependabot can send you alerts about security vulnerabilities in your dependencies.

Requirements

  • Right now this plugin only supports the Mill 0.10.x series.
  • Make sure in your repo settings the Dependency Graph feature is enabled as well as Dependabot Alerts if you'd like them. (Settings -> Code security and analysis)

Quick Start

The easiest way to use this plugin is with the mill-dependency-submission action. You can add this to a workflow like below:

name: github-dependency-graph

on:
  push:
    branches:
      - main

jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: coursier/cache-action@v6
    - uses: actions/setup-java@v3
      with:
        distribution: 'temurin'
        java-version: '17'
    - uses: ckipp01/mill-dependency-submission@v1

You can also just run the following command from the root of your workspace which will create the file for you:

curl -o .github/workflows/github-dependency-graph.yml --create-dirs https://raw.githubusercontent.com/ckipp01/mill-github-dependency-graph/main/.github/workflows/github-dependency-graph.yml

After you submit your graph you'll be able to view your dependencies.

How's this work?

The general idea is that the plugin works in a few steps:

  1. Gather all the modules in your build
  2. Gather all direct and transitive dependencies of those modules
  3. Create a tree-like structure of these dependencies. We piggy back off coursier for this and use its DependencyTree functionality.
  4. We map this structure to that of a DependencySnapshot, which is what GitHub understands
  5. We post this data to GitHub.

You can use another available task to see what the Manifests look like locally for your project, which are the main part of the DependencySnapshot.

./mill --import ivy:io.chris-kipp::mill-github-dependency-graph::0.1.0 show io.kipp.mill.github.dependency.graph.Graph/generate

Limitation

You'll notice when using this that a lot of dependencies aren't linked back to the repositories where they are located, some may be wrongly linked, and much of the information the plugin is providing (like direct vs indirect) isn't actually displayed in the UI. Much of this is either bugs or limitations on the GitHub UI side. You can follow some conversation on this here.