Follow https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#usage-with-pull-requests-from-public-forked-repositories

Pil0tXia · Pil0tXia · commit d4bc876aced9 · 2024-04-23T16:51:28.000+08:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -56,6 +56,12 @@ jobs:
           java-version: 11
         if: matrix.language == 'java'
 
+      # Submit dependency graph Step 1
+      - name: Generate and save dependency graph
+        uses: gradle/actions/dependency-submission@v3
+        with:
+          dependency-graph: generate-and-upload
+
       # https://docs.gradle.org/current/userguide/performance.html
       - name: Build
         run: ./gradlew clean assemble compileTestJava --no-build-cache --parallel --daemon
diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml
@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# https://github.com/gradle/actions/blob/main/docs/dependency-submission.md#usage-with-pull-requests-from-public-forked-repositories
+name: Submit dependency graph
+
+on:
+  workflow_run:
+    workflows: [ 'CodeQL' ]
+    types: [ completed ]
+
+permissions:
+  contents: write
+
+jobs:
+  submit-dependency-graph:
+    runs-on: ubuntu-latest
+    steps:
+      # Submit dependency graph Step 2
+      - name: Download and submit dependency graph
+        uses: gradle/actions/dependency-submission@v3
+        with:
+          dependency-graph: download-and-submit # Download saved dependency-graph and submit
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -19,21 +19,24 @@ name: 'License Check'
 on: [ pull_request ]
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
+
       - name: 'Check license header'
         uses: apache/skywalking-eyes@main
-      - name: 'Generate and submit dependency graph'
-        uses: gradle/actions/dependency-submission@v3
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
         with:
+          # Post 'Submit dependency graph'
+          retry-on-snapshot-warnings: true
+          retry-on-snapshot-warnings-timeout: 600
           vulnerability-check: false
           license-check: true
           # Incompatible licenses addressed here: https://www.apache.org/legal/resolved.html
