Save dependency-graph file as workflow artifact

Diagnosing unexpected dependencies in the GitHub Dependency Graph can be difficult. In order to aid with diagnosis, the `dependency-submission` action will now save each dependency-graph file as a workflow artifact. If this is undesirable, the prior behaviour can be restored by explicitly setting `dependency-graph: generate-and-submit`. Fixes #519
2025-12-06 07:48:07 +08:00 · 2025-01-21 11:41:58 -07:00
parent 28ab4dff3a
commit 245c8a24de
7 changed files with 84 additions and 23 deletions
--- a/dependency-submission/action.yml
+++ b/dependency-submission/action.yml
@@ -96,17 +96,20 @@ inputs:
  # Dependency Graph configuration
  dependency-graph:
    description: |
-      Specifies how the dependency-graph should be handled by this action. By default a dependency-graph will be generated and submitted.
+      Specifies how the dependency-graph should be handled by this action. 
+      By default a dependency-graph will be generated, submitted to the dependency-submission API, and saved as a workflow artifact.
      Valid values are:
-        'generate-and-submit' (default): Generates a dependency graph for the project and submits it in the same Job.
-        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact.
+        'generate-and-submit': Generates a dependency graph for the project and submits it in the same Job.
+        'generate-submit-and-upload (default)': As per 'generate-and-submit', but also saves the dependency graph as a workflow artifact.
+        'generate-and-upload': Generates a dependency graph for the project and saves it as a workflow artifact. Does not submit it to the repository.
        'download-and-submit': Retrieves a previously saved dependency-graph and submits it to the repository.

+      Use `generate-and-submit` if you prefer not to save the dependency-graph as a workflow artifact.
      The `generate-and-upload` and `download-and-submit` options are designed to be used in an untrusted workflow scenario,
      where the workflow generating the dependency-graph cannot (or should not) be given the `contents: write` permissions
      required to submit via the Dependency Submission API.
    required: false
-    default: 'generate-and-submit'
+    default: 'generate-submit-and-upload'

  dependency-graph-report-dir:
    description: |
@@ -147,7 +150,6 @@ inputs:
  artifact-retention-days:
    description: Specifies the number of days to retain any artifacts generated by the action. If not set, the default retention settings for the repository will apply.
    required: false
-    default: 1

  # Build Scan configuration
  build-scan-publish: