Feature/dependency check #13587
Merged
Feature/dependency check #13587
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ndencies doesn't match the one on-file in "dependencies.txt" in the root of the project.
…s-platform differences
…orkflow for running the test.
…orkflow for running the test.
…lure after it has proven to work
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added a check to the build, that fails the build if the list of dependencies reported by the sbom project doesn't match the list on file in the "dependencies.json" file in the root of the project. This way PRs changing the dependencies also need to update this file, which makes it more obvious which dependencies have been added or removed from the build in a PR.
As the usage of the maven "-pl" and "-am" have a huge impact on the content the sbom plugin will report, it doesn't really make much sense to have this check active per default, so I've implemented the check to only be active by setting the property
dependencyCheck.skipto true. So by adding `-DdependencyCheck.skip=true" to the commandline.In order to ensure the check is run for a PR, I've added a new github-actions pipeline, which only has the goal to do this check.
Here's an example on what the build output produces with enabled check if I added one dependency (plc4j-spi) to the build without updating the dependencies.json file.