A GitHub Action that scans your repository's workflow files and submits action dependencies to GitHub's Dependency Graph with fork traversal support.

• 🔍 Automatic Workflow Scanning: Scans .github/workflows directory for GitHub Actions dependencies
• 📦 Composite Actions: Recursively scans local composite actions for nested dependencies
• 🔄 Callable Workflows: Detects and processes callable workflows referenced from workflows
• 🎯 Additional Paths: Supports scanning custom directories for composite actions and callable workflows
• 🔀 Fork Traversal: Detects forked actions and submits both the fork and original repository as dependencies
• 🔗 GitHub API Integration: Uses GitHub's fork relationship to find original repositories
• 🎯 Regex Pattern Matching: Supports custom regex patterns for repositories without fork relationships (e.g., EMU or GitHub-DR)
• 📊 Dependency Graph Integration: Submits dependencies to GitHub's Dependency Graph for security advisory tracking

name: Submit Dependencieson: push: branches: [main]schedule: - cron: '0 0 * * 0'# Weeklyjobs: submit-dependencies: runs-on: ubuntu-latestpermissions: contents: write # Required to read workflow filesid-token: write # Required for dependency submissionsteps: - uses: actions/checkout@v4 - uses: jessehouwing/actions-dependency-submission@v1with: token: ${{secrets.GITHUB_TOKEN }}

If your enterprise uses forked actions (e.g., myenterprise/actions-checkout as a fork of actions/checkout):

- uses: jessehouwing/actions-dependency-submission@v1with: token: ${{secrets.GITHUB_TOKEN }}fork-organizations: 'myenterprise,myorg'

This will submit both myenterprise/actions-checkout and the original actions/checkout as dependencies, ensuring security advisories for the original repository also apply to your fork.

For cases where fork relationships don't exist (e.g., EMU or GitHub-DR environments):

- uses: jessehouwing/actions-dependency-submission@v1with: token: ${{secrets.GITHUB_TOKEN }}fork-organizations: 'myenterprise'fork-regex: '^myenterprise/(?<org>[^_]+)_(?<repo>.+)'

The regex must contain named captures org and repo to identify the original repository. In this example:

• myenterprise/actions_checkout would resolve to actions/checkout
• This is useful when forks follow a naming convention but don't have GitHub fork relationships

If you store composite actions or callable workflows in custom directories:

- uses: jessehouwing/actions-dependency-submission@v1with: token: ${{secrets.GITHUB_TOKEN }}additional-paths: | .github/actions custom/workflows shared/actions

This will:

• Scan the specified directories for composite actions (identified by runs.using: composite)
• Recursively extract dependencies from those composite actions
• Include dependencies from callable workflows (identified by on.workflow_call)
• Process local action references (e.g., uses: ./local-action) in workflows

1. Workflow Scanning: The action scans all .yml and .yaml files in the specified workflow directory
2. Dependency Extraction: Parses each workflow file to extract uses: statements that reference GitHub Actions
3. Local Action Processing: Detects local action references (e.g., uses: ./local-action):
   • Resolves the path relative to the workflow file
   • Checks if it's a composite action
   • Recursively extracts dependencies from the composite action
4. Callable Workflow Processing: Detects callable workflow references (e.g., uses: ./workflow.yml at job level):
   • Processes the callable workflow
   • Extracts all action dependencies from it
5. Additional Paths Scanning: If specified, scans additional directories for composite actions:
   • Finds all YAML files in the specified paths
   • Processes composite actions found there
   • Recursively extracts their dependencies
6. Fork Detection: For actions from organizations in the fork-organizations list:
   • First tries to apply the fork-regex pattern if provided
   • Falls back to checking GitHub's fork relationship via the API
7. Dependency Submission: Submits all dependencies to GitHub's Dependency Graph:
   • For forked actions, submits both the fork and original repository
   • Uses Package URL (purl) format: pkg:github/{owner}/{repo}@{ref}
8. Security Advisories: GitHub automatically matches submitted dependencies against its security advisory database

When you use forked GitHub Actions in your workflows, GitHub's Dependabot and security advisories only track the fork, not the original repository. This means:

• Security vulnerabilities in the original action won't trigger alerts for your fork
• You won't be notified when the original action has security updates

This action solves this problem by submitting both repositories as dependencies, ensuring you receive security advisories for both the fork and the original.

Your enterprise has forked actions/checkout to myenterprise/actions-checkout for additional security controls. Your workflows use:

- uses: myenterprise/actions-checkout@v4

Without this action, you only get security advisories for myenterprise/actions-checkout. With this action configured, you'll receive advisories for both:

• myenterprise/actions-checkout@v4
• actions/checkout@v4

The action requires the following permissions:

permissions: contents: read # To read workflow filesid-token: write # For dependency submission API

1. Install dependencies:

   npm install

2. Run tests:

   npm test

3. Bundle the action:

   npm run bundle

The action includes comprehensive unit tests for:

• Workflow file parsing
• Fork resolution via GitHub API
• Regex pattern matching
• Dependency submission

Run tests with coverage:

npm run all

MIT

Contributions are welcome! Please feel free to submit a Pull Request.