Drop-in GitHub Actions integration for KMP-IMPACT. This directory contains the two files that make the analyzer run automatically on every Dependabot pull request that touches gradle/libs.versions.toml.
examples/github-action/
├── impact-analysis.yml # the pipeline workflow
└── dependabot.yml # Dependabot configuration biased toward minor/patch bumps
-
Copy both files into the target repo:
mkdir -p .github/workflows cp /path/to/kmp-impact/examples/github-action/impact-analysis.yml .github/workflows/ cp /path/to/kmp-impact/examples/github-action/dependabot.yml .github/
-
Vendor the analyzer under
tools/kmp-impact-analyzer/(the workflow expects it at this path):git clone --depth 1 https://github.com/EstebanCastel/KMP-IMPACT-Reviewing-Dependency-Updates-in-Kotlin-Multiplatform.git \ tools/kmp-impact-analyzer rm -rf tools/kmp-impact-analyzer/.git
Alternatively keep it as a Git submodule for easier upgrades.
-
Enable GitHub Pages with
Source: GitHub Actions:gh api -X PUT "repos/<owner>/<repo>/pages" -f "build_type=workflow"
-
Verify Actions permissions on the repo:
contents: read,pull-requests: write,pages: write,id-token: write. -
Commit and push. The next time Dependabot opens a PR, the workflow runs end-to-end.
The workflow has five jobs that mirror the pipeline phases:
detect— parses the PR diff againstgradle/libs.versions.tomland decides whether to continue.static-pipeline— runs the static phase against the BEFORE (merge-base) and AFTER (PR head) shadow copies.droidbot— boots an Android emulator onubuntu-latest, builds the BEFORE and AFTER APKs, and runs DroidBot against each.merge— combines the static and dynamic artifacts and produces the final consolidated JSON.deploy-pages— bundles the HTML report and publishes it viaactions/deploy-pages@v4. Comments on the PR with the URL.
If any step legitimately blocks (no APK produced, no UTG generated, version catalog not touched), the workflow surfaces the reason rather than masking it as skipped. See the pipeline reference in docs/architecture/ and the data contracts in docs/reference/contracts/.
-
Android module name. The workflow probes the following module names in order:
shared, composeApp, androidApp, app, common, kmm-shared, kmpShared. If none match, it falls back to:app. Expose your real module under one of these aliases, or edit theDetect Android app modulestep in the workflow itself. -
JDK / Gradle / Kotlin versions. The workflow defaults to JDK 21 and uses the project's Gradle wrapper. If the wrapper is older than the AGP requires (8.7 for AGP 8.x, 9.0 for AGP 9.x), the workflow upgrades it in-place for the duration of the run.
-
DroidBot exploration budget. Defaults are
count = 100,timeout = 90,policy = dfs_greedy. Increase for larger applications; the runtime cost scales roughly linearly. -
Dependabot biasing. Edit
dependabot.ymlto match your project's policy. The shipped defaults block major bumps of Kotlin, Compose, Coroutines, Serialization, Ktor, AGP, and KSP — major bumps of these tend to introduce ABI breaks that prevent the AFTER APK from building.
When a run does not produce the report you expect, walk the diagnosis flow in docs/troubleshooting.md. The most common cases:
| Symptom | First check |
|---|---|
Workflow says no Gradle catalog change found |
The PR does not touch gradle/libs.versions.toml. L1 — direct build.gradle.kts edits are not detected. |
Build BEFORE APK fails |
Gradle wrapper version vs. AGP version. L4 triage. |
DroidBot produced no UTG artifact |
Emulator boot, APK install, or adb permissions. L4 triage. |
deploy-pages cancelled |
Concurrent deploys across PRs. L6. |
UI shows many red checks but impact-analysis.yml is green |
Upstream workflows requiring missing secrets. Disable them in bulk (see the Troubleshooting page). |