GitHub: Add dependency uploading

[colin-foster-in-advantage]

Summary

The gradle components don't automatically get detected upon build. Use the dependency-submission API to enable this dependency tracking.

Documentation explaining this:

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#package-ecosystems-supported-via-dependency-submission-actions

That article links to this action:

https://github.com/marketplace/actions/build-with-gradle#the-dependency-submission-action

Screenshots

The GitHub front end will change 😄 It currently only displays GitHub and Ruby dependencies, not Gradle.

Link to pull request in Documentation repository

N/A

Any other notes

This is only for housekeeping / dependencies. I wasn't able to test the action easily due to app secrets, but it should work.

[home-assistant]

Hi @colin-foster-in-advantage

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

[home-assistant]

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

Stale

[jpelgrom]

Thanks for the suggestion, it looks good to me. Could you explain "This is only for housekeeping" a bit more?

[colin-foster-in-advantage]

Thanks for the suggestion, it looks good to me. Could you explain "This is only for housekeeping" a bit more?

Yep. It'll do two things (as far as I understand).

1. It'll populate the dependencies correctly in the screenshot I included. That'll make "Export SBOM" correctly include Gradle dependencies in the SPDX export. It currently only references Ruby Gems and github actions.
2. It'll (likely?) publish security advisories in the "Security" tab. This one might differ based on how the repository is configured.

[colin-foster-in-advantage]

Thanks. Looks like it worked!