starred/pkl
1
0
Fork 0
mirror of https://github.com/apple/pkl.git synced 2026-05-25 16:19:20 +02:00
Code Issues 198 Packages Projects Releases 10 Wiki Activity
732 Commits 13 Branches 21 Tags
1733a4c6e71620defd3a9a4205bf990515fd7476
Commit Graph

5 Commits

Author SHA1 Message Date
Daniel Chao 4058f391a3 Fix dependabot (#1537) 
Looks like `directory` is a required property; we should also fix our
schema but that's orthogonal to this actual fix.
 2026-04-20 11:17:31 -07:00
Daniel Chao 07c68239b9 Remove lockfiles, manage Gradle dependencies with Dependabot (#1535) 
Dependabot currently does not update lockfiles in multi-module projects
(see https://github.com/dependabot/dependabot-core/issues/14633)

To work around this issue, we will simply remove our lockfiles, and
change our version catalog to use fully specified versions.
The removal of lockfiles introduces two issues:

1. It is less visible what our dependency graph is
2. Our builds are potentially non-reproducible

To work around this, two mitigations are in place:

1. Enable `failOnDynamicVersions()`, which causes Gradle to fail the
build if any dependencies declare a version range
2. Enable GitHub dependency submission, which provides insight into the
project SBOM
 2026-04-20 09:29:33 -07:00
Daniel Chao a8500b6b03 Add dependency submission (#1523) 
This adds jobs to add Gradle dependencies to [GitHub's dependency
submission
API](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/using-the-dependency-submission-api),
and to review when these dependencies change.
 2026-04-15 22:21:17 -07:00
Daniel Chao 2578703081 Bump versions, fix dependabot updates (#1361) 2025-12-10 18:03:32 -08:00
Daniel Chao b170968e9e Bump pkl.impl.ghactions to 1.1.0, add version locking. (#1359) 
This adopts the version locking introduced in pkl.impl.ghactions@1.1.0.
 2025-12-10 16:35:15 -08:00