{"id":15678215,"url":"https://github.com/ckipp01/mill-github-dependency-graph","last_synced_at":"2025-05-07T02:27:48.114Z","repository":{"id":43928812,"uuid":"511255564","full_name":"ckipp01/mill-github-dependency-graph","owner":"ckipp01","description":"A Mill plugin to submit your dependency graph to the GitHub Dependency Graph API","archived":false,"fork":false,"pushed_at":"2025-04-18T09:53:18.000Z","size":251,"stargazers_count":14,"open_issues_count":6,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-18T23:04:39.292Z","etag":null,"topics":["mill","mill-plugin"],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ckipp01.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"ckipp01"}},"created_at":"2022-07-06T18:46:24.000Z","updated_at":"2025-04-18T09:52:38.000Z","dependencies_parsed_at":"2024-02-20T09:28:36.853Z","dependency_job_id":"fdbef5fe-3b00-45ba-98b2-679dbde728be","html_url":"https://github.com/ckipp01/mill-github-dependency-graph","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckipp01%2Fmill-github-dependency-graph","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckipp01%2Fmill-github-dependency-graph/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckipp01%2Fmill-github-dependency-graph/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckipp01%2Fmill-github-dependency-graph/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ckipp01","download_url":"https://codeload.github.com/ckipp01/mill-github-dependency-graph/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252801011,"owners_count":21806250,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mill","mill-plugin"],"created_at":"2024-10-03T16:19:14.840Z","updated_at":"2025-05-07T02:27:48.094Z","avatar_url":"https://github.com/ckipp01.png","language":"Scala","funding_links":["https://github.com/sponsors/ckipp01"],"categories":[],"sub_categories":[],"readme":"# Mill GitHub Dependency Graph\n\nA [Mill](https://com-lihaoyi.github.io/mill/mill/Intro_to_Mill.html) plugin to\nsubmit your dependency graph to GitHub via their [Dependency Submission\nAPI](https://github.blog/2022-06-17-creating-comprehensive-dependency-graph-build-time-detection/).\n\nThe main benefits of doing this are:\n\n1. Being able to see your dependency graph on GitHub in your [Insights\n   tab](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).\n   For example, you can see this\n   [here](https://github.com/ckipp01/mill-github-dependency-graph/network/dependencies)\n   for this plugin.\n2. 
If enabled, Dependabot can send you\n   [alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts)\n   about security vulnerabilities in your dependencies.\n\n## Requirements\n\n- Make sure in your repo settings the Dependency Graph feature is enabled as\n    well as Dependabot Alerts if you'd like them. (Settings -\u003e Code security and\n    analysis) \n\n## Quick Start\n\nThe easiest way to use this plugin is with the [mill-dependency-submission](https://github.com/ckipp01/mill-dependency-submission) action. You can add this to a workflow like below:\n\n```yml\nname: github-dependency-graph\n\non:\n  push:\n    branches:\n      - main\n\njobs:\n  submit-dependency-graph:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v3\n    - uses: coursier/cache-action@v6\n    - uses: actions/setup-java@v3\n      with:\n        distribution: 'temurin'\n        java-version: '17'\n    - uses: ckipp01/mill-dependency-submission@v1\n```\n\nYou can also just run the following command from the root of your workspace\nwhich will create the file for you:\n\n```sh\ncurl -o .github/workflows/github-dependency-graph.yml --create-dirs https://raw.githubusercontent.com/ckipp01/mill-github-dependency-graph/main/.github/workflows/github-dependency-graph.yml\n```\nAfter you submit your graph you'll be able to [view your\ndependencies](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph).\n\n## How's this work?\n\nThe general idea is that the plugin works in a few steps:\n\n1. Gather all the modules in your build\n2. Gather all direct and transitive dependencies of those modules\n3. Create a tree-like structure of these dependencies. We piggy back off\n   coursier for this and use its `DependencyTree` functionality.\n4. 
We map this structure to that of a [`DependencySnapshot`](https://github.com/ckipp01/mill-github-dependency-graph/blob/main/domain/src/io/kipp/github/dependency/graph/domain/DependencySnapshot.scala), which is what GitHub understands\n5. We post this data to GitHub.\n\nYou can use another available task to see what the\n[`Manifest`s](https://github.com/ckipp01/mill-github-dependency-graph/blob/main/domain/src/io/kipp/github/dependency/graph/domain/Manifest.scala)\nlook like locally for your project, which are the main part of the\n`DependencySnapshot`.\n\n\n```sh\n./mill --import ivy:io.chris-kipp::mill-github-dependency-graph::0.1.0 show io.kipp.mill.github.dependency.graph.Graph/generate\n```\n\n### Limitation\n\nYou'll notice when using this that a lot of dependencies aren't linked back to\nthe repositories where they are located, some may be wrongly linked, and much of\nthe information the plugin is providing (like direct vs indirect) isn't actually\ndisplayed in the UI. Much of this is either bugs or limitations on the GitHub UI\nside. You can follow some conversation on this [here](https://github.com/orgs/community/discussions/19492).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fckipp01%2Fmill-github-dependency-graph","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fckipp01%2Fmill-github-dependency-graph","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fckipp01%2Fmill-github-dependency-graph/lists"}