marc-adaptive · marc-adaptive · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024 · Jul 15, 2024
diff --git a/.github/workflows/dependency-review-generate.yml b/.github/workflows/dependency-review-generate.yml
@@ -0,0 +1,21 @@
+name: Dependency Review (generate)
+
+on:
+  pull_request:
+
+permissions:
+  contents: read # 'write' permission is not available
+
+jobs:
+  dependency-submission:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: zulu
+          java-version: 8
+      - name: Generate and save dependency graph
+        uses: gradle/actions/dependency-submission@v3
+        with:
+          dependency-graph: generate-and-upload
diff --git a/.github/workflows/dependency-review-upload.yml b/.github/workflows/dependency-review-upload.yml
@@ -0,0 +1,19 @@
+name: Dependency Review (upload)
+
+on:
+  workflow_run:
+    workflows: ['Dependency Review (generate)']
+    types: [completed]
+
+permissions:
+  actions: read
+  contents: write
+
+jobs:
+  submit-dependency-graph:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download and submit dependency graph
+        uses: gradle/actions/dependency-submission@v3
+        with:
+          dependency-graph: download-and-submit
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,35 +1,17 @@
-# Submits a dependency graph and performs dependency review on every pull request
-name: Dependency review for pull requests
+name: Dependency Review (review)
 
 on:
   pull_request:
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
-  dependency-submission:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout sources
-      uses: actions/checkout@v4
-
-    - name: Set up the JDK used to run Gradle
-      uses: actions/setup-java@v4
-      with:
-        distribution: 'temurin'
-        java-version: '17'
-
-    - name: Generate and submit dependency graph for the PR
-      uses: gradle/actions/dependency-submission@v3
-      with:
-        build-scan-publish: true
-        build-scan-terms-of-service-url: "https://gradle.com/terms-of-service"
-        build-scan-terms-of-service-agree: "yes"
-
   dependency-review:
-    needs: dependency-submission
     runs-on: ubuntu-latest
     steps:
-    - name: Perform dependency review
-      uses: actions/dependency-review-action@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v3
+        with:
+          retry-on-snapshot-warnings: true
+          retry-on-snapshot-warnings-timeout: 600
diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml
@@ -15,13 +15,11 @@ jobs:
     steps:
     - name: Checkout sources
       uses: actions/checkout@v4
-
     - name: Set up the JDK used to run Gradle
       uses: actions/setup-java@v4
       with:
-        distribution: 'temurin'
-        java-version: '17'
-
+        distribution: 'zulu'
+        java-version: '8'
     - name: Generate and submit dependency graph
       uses: gradle/actions/dependency-submission@v3
       with:

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,3 +1,15 @@
+// Constrain 'com.squareup.okio:okio' to avoid https://github.com/advisories/GHSA-w33c-445m-f8w7
+buildscript {
+    repositories {
+        gradlePluginPortal()
+    }
+    dependencies {
+        constraints {
+            classpath(libs.okio)
+        }
+    }
+}
+
 plugins {
     alias(libs.plugins.versions)
 }
diff --git a/file.txt b/file.txt
@@ -0,0 +1 @@
+Hi
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -2,9 +2,13 @@
 # https://docs.gradle.org/current/userguide/platforms.html#sub::toml-dependencies-format
 
 [libraries]
+commons-compress = { module = "org.apache.commons:commons-compress", version = "1.26.1" }
 commons-text = { module = "org.apache.commons:commons-text", version = "1.9" }
-minio = { module = "io.minio:minio", version = "8.5.8" }
+minio = { module = "io.minio:minio", version = "8.5.11" }
 junit-jupiter = { module = "org.junit.jupiter:junit-jupiter", version = "5.10.2" }
+okio = { module = "com.squareup.okio:okio", version = "3.4.0" }
+jackson = { module = "com.fasterxml.jackson.core:jackson-databind", version = "2.9.9" }
+spring = { module = "org.springframework.boot:spring-boot-starter-web", version = "2.5.11" }
 
 [plugins]
 versions = { id = "com.github.ben-manes.versions", version = "0.51.0" }
diff --git a/lib/build.gradle.kts b/lib/build.gradle.kts
@@ -1,3 +1,4 @@
+
 plugins {
     `java-library`
 }
@@ -9,6 +10,13 @@ repositories {
 dependencies {
     implementation(libs.commons.text)
     implementation(libs.minio)
+    implementation(libs.jackson)
+    implementation(libs.spring)
+
+    constraints {
+        // Force a newer version of commons-compress in transitive resolution
+        implementation(libs.commons.compress)
+    }
 
     testImplementation(libs.junit.jupiter)
     testRuntimeOnly("org.junit.platform:junit-platform-launcher")