Add GitHub workflow to compare dependencies with customizable package… (#451)

Linesmerrill · web-flow · commit 0722609cb74b · 2026-01-05T11:51:24.000-07:00
* Add GitHub workflow to compare dependencies with customizable package and version

- Add workflow_dispatch workflow that accepts package and version inputs
- Run Maven versions:compare-dependencies command
- Parse output to identify downgrades and upgrades
- Display downgrades first (most important)
- Show notable upgrades (Spring, Hibernate, Jackson, etc.)
- Generate markdown summary with collapsible full upgrade list
- Upload summary as artifact and display in job summary

* Add explicit permissions to workflow for security

- Add permissions block to restrict GITHUB_TOKEN access
- Set contents: read for repository access
- Set issues: write for PR comment functionality
- Follows security best practices for GitHub Actions

* test with push branch

* test with push branch

* Update workflow to use default inputs on push and fix step summary size limit

- Add push trigger to run workflow automatically on branch pushes
- Use default inputs (Spring Boot 3.5.9) when triggered by push
- Create truncated step summary to stay under GitHub's 1024k limit
- Keep full summary in artifact for complete details
- Step summary now shows downgrades and first 50 notable upgrades only

* Add push trigger to workflow

- Add push trigger for feature branch to automatically run workflow
- Uses default inputs (Spring Boot 3.5.9) when triggered by push
- Workflow is now PR-ready

* ready for review

* Categorize upgrades into Major and Minor, ignore patch upgrades

- Replace 'notable upgrades' with Major (x.0.0) and Minor (0.x.0) categories
- Ignore patch-level upgrades (0.0.x) to reduce noise
- Summary now shows: Downgrades → Major Upgrades → Minor Upgrades
- Both full summary and step summary use the new categorization

* Fix default value syntax in workflow expressions

- Add quotes around default values in logical OR expressions
- Ensures proper syntax for GitHub Actions expressions
- Defaults work correctly when triggered by push event

* Remove patch-level upgrade exclusion note

* Add 'No Major Upgrades Found' message when no major upgrades exist

* Add 'No Minor Upgrades Found' message when no minor upgrades exist

* ready for review
diff --git a/.github/workflows/compare-dependencies.yml b/.github/workflows/compare-dependencies.yml
@@ -0,0 +1,238 @@
+name: Compare Dependencies
+
+on:
+  workflow_dispatch:
+    inputs:
+      package:
+        description: 'Maven package (e.g., org.springframework.boot:spring-boot-dependencies)'
+        required: true
+        default: 'org.springframework.boot:spring-boot-dependencies'
+        type: string
+      version:
+        description: 'Version to compare against (e.g., 3.5.9)'
+        required: true
+        default: '3.5.9'
+        type: string
+
+jobs:
+  compare:
+    permissions:
+      contents: read
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'zulu'
+
+      - name: Cache Maven dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Run Maven versions:compare-dependencies
+        id: compare
+        run: |
+          mvn versions:compare-dependencies -DremotePom=${{ inputs.package }}:${{ inputs.version }} > compare-output.txt 2>&1 || true
+          cat compare-output.txt
+
+      - name: Parse and generate summary
+        id: summary
+        env:
+          PACKAGE: ${{ inputs.package }}
+          VERSION: ${{ inputs.version }}
+        run: |
+          python3 << 'EOF'
+          import re
+          import os
+          
+          downgrades = set()
+          major_upgrades = []
+          minor_upgrades = []
+          
+          def get_version_type(old_ver, new_ver):
+              """
+              Compare two version strings.
+              Returns: 'downgrade', 'major', 'minor', 'patch', or 'same'
+              """
+              old_parts = re.findall(r'\d+', old_ver)
+              new_parts = re.findall(r'\d+', new_ver)
+              
+              if not old_parts or not new_parts:
+                  return 'same'
+              
+              # Compare major version (first number)
+              old_major = int(old_parts[0])
+              new_major = int(new_parts[0])
+              
+              if new_major < old_major:
+                  return 'downgrade'
+              elif new_major > old_major:
+                  return 'major'
+              
+              # Major versions are equal, check minor version
+              if len(old_parts) >= 2 and len(new_parts) >= 2:
+                  old_minor = int(old_parts[1])
+                  new_minor = int(new_parts[1])
+                  
+                  if new_minor < old_minor:
+                      return 'downgrade'
+                  elif new_minor > old_minor:
+                      return 'minor'
+              
+              # Major and minor are equal - this is a patch upgrade (we ignore these)
+              return 'patch'
+          
+          with open('compare-output.txt', 'r') as f:
+              for line in f:
+                  if '[INFO]   ' in line and ' -> ' in line:
+                      match = re.search(r'\[INFO\]\s+([^\s].*?)\s+\.+\s+([0-9.]+[^\s]*)\s+->\s+([0-9.]+[^\s]*)', line)
+                      if match:
+                          dep = match.group(1).strip()
+                          old_ver = match.group(2).strip()
+                          new_ver = match.group(3).strip()
+                          
+                          version_type = get_version_type(old_ver, new_ver)
+                          entry = f'{dep}: {old_ver} -> {new_ver}'
+                          
+                          if version_type == 'downgrade':
+                              downgrades.add(entry)
+                          elif version_type == 'major':
+                              major_upgrades.append(entry)
+                          elif version_type == 'minor':
+                              minor_upgrades.append(entry)
+                          # Ignore patch upgrades
+          
+          # Generate summary
+          package = os.environ.get('PACKAGE', 'unknown')
+          version = os.environ.get('VERSION', 'unknown')
+          
+          summary_lines = []
+          summary_lines.append("# Dependency Comparison Summary")
+          summary_lines.append(f"\n**Comparing against:** `{package}:{version}`\n")
+          
+          if downgrades:
+              summary_lines.append("## ⚠️ DOWNGRADES (Most Important)")
+              summary_lines.append("")
+              for d in sorted(downgrades):
+                  summary_lines.append(f"- `{d}`")
+              summary_lines.append(f"\n**Total downgrades:** {len(downgrades)}\n")
+          else:
+              summary_lines.append("## ✅ No Downgrades Found\n")
+          
+          if major_upgrades:
+              summary_lines.append("## 🔴 Major Upgrades (x.0.0)")
+              summary_lines.append("")
+              for u in sorted(set(major_upgrades)):
+                  summary_lines.append(f"- `{u}`")
+              summary_lines.append(f"\n**Total major upgrades:** {len(set(major_upgrades))}\n")
+          else:
+              summary_lines.append("## ✅ No Major Upgrades Found\n")
+          
+          if minor_upgrades:
+              summary_lines.append("## 🟡 Minor Upgrades (0.x.0)")
+              summary_lines.append("")
+              for u in sorted(set(minor_upgrades)):
+                  summary_lines.append(f"- `{u}`")
+              summary_lines.append(f"\n**Total minor upgrades:** {len(set(minor_upgrades))}\n")
+          else:
+              summary_lines.append("## ✅ No Minor Upgrades Found\n")
+          
+          summary = "\n".join(summary_lines)
+          
+          # Write full summary to file
+          with open('summary.md', 'w') as f:
+              f.write(summary)
+          
+          # Create truncated summary for step summary (GitHub limit: 1024k)
+          # Include downgrades and limited major/minor upgrades
+          step_summary_lines = []
+          step_summary_lines.append("# Dependency Comparison Summary")
+          step_summary_lines.append(f"\n**Comparing against:** `{package}:{version}`\n")
+          
+          if downgrades:
+              step_summary_lines.append("## ⚠️ DOWNGRADES (Most Important)")
+              step_summary_lines.append("")
+              for d in sorted(downgrades):
+                  step_summary_lines.append(f"- `{d}`")
+              step_summary_lines.append(f"\n**Total downgrades:** {len(downgrades)}\n")
+          else:
+              step_summary_lines.append("## ✅ No Downgrades Found\n")
+          
+          if major_upgrades:
+              unique_major = sorted(set(major_upgrades))
+              step_summary_lines.append("## 🔴 Major Upgrades (x.0.0)")
+              step_summary_lines.append("")
+              # Show first 50 major upgrades
+              for u in unique_major[:50]:
+                  step_summary_lines.append(f"- `{u}`")
+              if len(unique_major) > 50:
+                  step_summary_lines.append(f"\n... and {len(unique_major) - 50} more major upgrades")
+              step_summary_lines.append(f"\n**Total major upgrades:** {len(unique_major)}\n")
+          else:
+              step_summary_lines.append("## ✅ No Major Upgrades Found\n")
+          
+          if minor_upgrades:
+              unique_minor = sorted(set(minor_upgrades))
+              step_summary_lines.append("## 🟡 Minor Upgrades (0.x.0)")
+              step_summary_lines.append("")
+              # Show first 50 minor upgrades
+              for u in unique_minor[:50]:
+                  step_summary_lines.append(f"- `{u}`")
+              if len(unique_minor) > 50:
+                  step_summary_lines.append(f"\n... and {len(unique_minor) - 50} more minor upgrades")
+              step_summary_lines.append(f"\n**Total minor upgrades:** {len(unique_minor)}\n")
+          else:
+              step_summary_lines.append("## ✅ No Minor Upgrades Found\n")
+          
+          step_summary_lines.append("---\n")
+          step_summary_lines.append("📦 **Full details available in the workflow artifact:** `dependency-comparison-summary`")
+          
+          step_summary = "\n".join(step_summary_lines)
+          
+          # Write truncated summary for step summary
+          with open('step-summary.md', 'w') as f:
+              f.write(step_summary)
+          
+          # Also print to console
+          print("\n" + "="*80)
+          print(summary)
+          print("="*80)
+          EOF
+
+      - name: Display summary
+        run: |
+          cat summary.md
+
+      - name: Add job summary
+        run: |
+          cat step-summary.md >> $GITHUB_STEP_SUMMARY
+
+      - name: Comment on workflow (if PR)
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const summary = fs.readFileSync('summary.md', 'utf8');
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: summary
+            });
+
+      - name: Upload summary as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-comparison-summary
+          path: summary.md
+          retention-days: 30
+
