why not enable `dependency-submission` by default? about actions HOT 1 CLOSED

Thanks for your interest and enthusiasm!
There are quite a few reasons that we can't yet (and maybe shouldn't ever) enable this by default for the setup-gradle action:

• Generating a dependency graph is quite a new feature, and we aren't sure that it works in all cases. It should be more well used and tested before it's enabled by default.
• The dependency-submission workflow/job requires contents: write permissions. This might not be desirable for other workflows/jobs that are executing Gradle builds.
• A CI pipeline may execute a large number of Gradle builds, and it may be wasteful if every one of the generated a separate dependency graph.
• It's common to only generate a dependency graph on pushes to main, and not for PRs and pushes to branches.

We recommend that dependency-submission be configured in a workflow separate from your main build:

• The graph will be submitted faster, which can help when combined with the dependency-review-action
• There's less risk of a build failure changing the dependency graph result

Using a separate workflow is much like the way that code-scanning (CodeQL) is configured. We are in talks with GitHub to make it easier to add such a workflow, with an end goal to possibly have a "default" setup that doesn't even require adding a workflow file. This would be similar to enabling the default setup for code scanning.

That said, we are open to see how this functionality evolves and how it proves most useful. If we could find a fairly non-invasive way to have dependency-graph submitted for every repo that uses setup-gradle, then that would be great!

from actions.