I wonder if it would be worth adding support for dependency detection and submission to Docker-Coq-Action.
I don't follow. Isn't that just Opam support? Is there something specific about the supply chain of Coq?
Nothing specific, or at least, I don't have it in mind, but in this blog post they provide an example of using this API from a GitHub Action for detecting Go dependencies. So, since we already have a GitHub Action for building / testing Coq projects, it could be a place to implement this dependency detection for Coq projects (reporting about opam dependencies).
I took a look at the docs for dependency graph stuff, and from what I understand this is about exposing dependencies from many lower level tools like opam as part of the GitHub web API. From there, dependencies can be consumed by a variety of tools, for example, one can automatically draw a nice repo dep graph without looking at
right now, our best approximation of the Coq ecosystem dependency graph would have to come from parsing a bunch of .opam files in the Coq opam repo, which is imprecise/outdated
Instead of parsing and getting an approximate result, what about parsing the output of the opam install command from within the Docker-Coq-Action build process?
ah, I meant approximate in the sense of: we can take a snapshot of the packages in the Coq opam archive, and read their dependencies from the .opam files in that snapshot. This won't cover upstream changes.
doing something like parsing output of opam install and submitting to GitHub would be more accurate since it's in-repo, but one could also just parse the actual .opam file that's being processed in the repo in CI
Yes, it depends on whether we want just direct dependencies or transitive dependencies as well.
normally, one would want the direct dependencies, I think
Last updated: Feb 04 2023 at 01:03 UTC