Dependency Management
We use Sonatype Lifecycle to ensure our Community Projects use only the best open-source dependencies.
Each project should include Sonatype Lifecycle analysis scans during each Pull Request and upon each Release.
You can check out the real-world implementation for this handbook: here for Continuous Integration and here for Release.
When implementing your scans, refer to the official Sonatype Lifecycle documentation for the languages and ecosystems used in the project.
Example GitHub Action for Continuous Integration
env:
  LC_APPLICATION_ID: community-handbook.sonatype.com # <-- Our standard is to use the GitHub Repository Name
jobs:
  release:
    ...
    steps:
      ...
      - name: Sonatype Lifecycle Evaluation
        id: evaluate
        uses: sonatype/actions/evaluate@v1.0.1
        with:
          iq-server-url: ${{ vars.SONATYPE_PLATFORM_URL }}
          username: ${{ secrets.SONATYPE_LIFECYCLE_USERNAME }}
          password: ${{ secrets.SONATYPE_LIFECYCLE_PASSWORD }}
          application-id: ${{ env.LC_APPLICATION_ID }}
          scan-targets: '.'
          stage: build # <-- Set to 'build' for Continuous Integration
      ...
Example GitHub Action for Release
env:
  LC_APPLICATION_ID: community-handbook.sonatype.com # <-- Our standard is to use the GitHub Repository Name
jobs:
  release:
    ...
    steps:
      ...
      - name: Sonatype Lifecycle Evaluation
        id: evaluate
        uses: sonatype/actions/evaluate@v1.0.1
        with:
          iq-server-url: ${{ vars.SONATYPE_PLATFORM_URL }}
          username: ${{ secrets.SONATYPE_LIFECYCLE_USERNAME }}
          password: ${{ secrets.SONATYPE_LIFECYCLE_PASSWORD }}
          application-id: ${{ env.LC_APPLICATION_ID }}
          scan-targets: '.'
          stage: release # <-- Set to 'release' for the Release Workflow
      ...
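The two workflows above differ only in the `stage` value, and it is easy for a copied workflow to drift (wrong stage, an unpinned action ref, or a credential typed in as a literal). The following is an added example, not part of the handbook or of Sonatype's tooling: a small stdlib-only lint that checks a workflow file's text against the rules the examples embody. The sample workflow text is constructed here to mirror the CI example; the job name `build` and the function name `lint_lifecycle_step` are this example's own.

```python
"""Lint a GitHub Actions workflow for the handbook's Sonatype Lifecycle conventions."""
import re

# Constructed sample workflow text mirroring the CI example above (not a real repo file).
SAMPLE_CI_WORKFLOW = """\
env:
  LC_APPLICATION_ID: community-handbook.sonatype.com
jobs:
  build:
    steps:
      - name: Sonatype Lifecycle Evaluation
        uses: sonatype/actions/evaluate@v1.0.1
        with:
          iq-server-url: ${{ vars.SONATYPE_PLATFORM_URL }}
          username: ${{ secrets.SONATYPE_LIFECYCLE_USERNAME }}
          password: ${{ secrets.SONATYPE_LIFECYCLE_PASSWORD }}
          application-id: ${{ env.LC_APPLICATION_ID }}
          scan-targets: '.'
          stage: build
"""


def lint_lifecycle_step(workflow_text: str, expected_stage: str) -> list[str]:
    """Return a list of findings for the evaluate step; an empty list means it complies.

    expected_stage is 'build' for a Pull Request workflow and 'release' for a Release workflow.
    """
    findings = []
    m = re.search(r"uses:\s*sonatype/actions/evaluate@(\S+)", workflow_text)
    if not m:
        return ["no sonatype/actions/evaluate step found"]
    ref = m.group(1)
    # Require a release tag (vX.Y.Z) or a full commit SHA; a branch name is a mutable ref.
    if not re.fullmatch(r"v\d+\.\d+\.\d+|[0-9a-f]{40}", ref):
        findings.append(f"evaluate action is not pinned to a release tag or SHA: @{ref}")
    # Credentials must be sourced from GitHub secrets, never literals or plain variables.
    for key in ("username", "password"):
        km = re.search(rf"^\s*{key}:\s*(.+)$", workflow_text, re.MULTILINE)
        value = km.group(1).strip() if km else ""
        if not re.fullmatch(r"\$\{\{\s*secrets\.[A-Z0-9_]+\s*\}\}", value):
            findings.append(f"{key} is not sourced from ${{{{ secrets.* }}}}")
    # The stage must match the workflow's purpose (build for CI, release for Release).
    sm = re.search(r"^\s*stage:\s*(\S+)", workflow_text, re.MULTILINE)
    stage = sm.group(1) if sm else None
    if stage != expected_stage:
        findings.append(f"stage is {stage!r}, expected {expected_stage!r}")
    if not re.search(r"^\s*application-id:\s*\S", workflow_text, re.MULTILINE):
        findings.append("application-id is not set")
    return findings
```

Run it over each repository's `.github/workflows/*.yml` with the stage the workflow is meant to use, and fail the check when any findings are returned.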