A GitHub Action that scans your repository's workflow files and submits action dependencies to GitHub's Dependency Graph with fork traversal support.
- 🔍 Automatic Workflow Scanning: Scans the `.github/workflows` directory for GitHub Actions dependencies
- 📦 Composite Actions: Recursively scans local composite actions for nested dependencies
- 🔄 Callable Workflows: Detects and processes callable workflows referenced from workflows
- 🎯 Additional Paths: Supports scanning custom directories for composite actions and callable workflows
- 🔀 Fork Traversal: Detects forked actions and submits both the fork and original repository as dependencies
- 🔗 GitHub API Integration: Uses GitHub's fork relationship to find original repositories
- 🎯 Regex Pattern Matching: Supports custom regex patterns for repositories without fork relationships (e.g., EMU or GitHub-DR)
- 📊 Dependency Graph Integration: Submits dependencies to GitHub's Dependency Graph for security advisory tracking
A minimal workflow that runs the action on every push to `main` and once a week:

```yaml
name: Submit Dependencies

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly

jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required by the Dependency Submission API (reading the workflow files alone only needs read)
      id-token: write # Required for dependency submission
    steps:
      - uses: actions/checkout@v4
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

If your enterprise uses forked actions (e.g., `myenterprise/actions-checkout` as a fork of `actions/checkout`):
```yaml
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise,myorg'
```

This will submit both `myenterprise/actions-checkout` and the original `actions/checkout` as dependencies, so that security advisories for the original repository also apply to your fork.
For cases where fork relationships don't exist (e.g., EMU or GitHub-DR environments):
```yaml
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
          fork-regex: '^myenterprise/(?<org>[^_]+)_(?<repo>.+)'
```

The regex must contain named captures `org` and `repo` that identify the original repository; it is only applied to actions owned by an organization listed in `fork-organizations`. In this example:

- `myenterprise/actions_checkout` would resolve to `actions/checkout`
- This is useful when forks follow a naming convention but don't have GitHub fork relationships
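The following is an added example, not code from the action itself, showing how a `fork-regex` with `<org>`/`<repo>` named captures turns a fork name into its original and how both purls end up in the dependency list. The function names and the validation step are this example's own; the action's internal API may differ.

```javascript
// Added example, not the action's own code: resolve a forked action to its
// original using a fork-regex with the named captures <org> and <repo>.

const FORK_REGEX_GROUPS = ['org', 'repo'];

// Fail fast on a pattern missing the required named captures; a silently
// non-matching regex would mean originals are never submitted.
function compileForkRegex(pattern) {
  const re = new RegExp(pattern);
  for (const name of FORK_REGEX_GROUPS) {
    if (!re.source.includes(`(?<${name}>`)) {
      throw new Error(`fork-regex must define a named capture <${name}>`);
    }
  }
  return re;
}

// Apply the pattern to an "owner/repo" name. Returns the original "org/repo",
// or null when the name does not match (the action then falls back to the
// GitHub API fork relationship).
function resolveOriginalByRegex(re, fullName) {
  const m = re.exec(fullName);
  if (!m || !m.groups || !m.groups.org || !m.groups.repo) return null;
  return `${m.groups.org}/${m.groups.repo}`;
}

// Parse the comma-separated `fork-organizations` input.
function parseForkOrganizations(input) {
  return input.split(',').map((s) => s.trim()).filter(Boolean);
}

// Only repositories owned by a configured fork organization are candidates.
function isForkCandidate(fullName, forkOrganizations) {
  const owner = fullName.split('/')[0].toLowerCase();
  return forkOrganizations.some((org) => org.toLowerCase() === owner);
}

// purls to submit for one action reference, in the format the README
// documents (pkg:github/{owner}/{repo}@{ref}): the fork itself, plus the
// original when one could be resolved.
function dependenciesFor(fullName, ref, forkOrganizations, forkRegex) {
  const purls = [`pkg:github/${fullName}@${ref}`];
  if (forkRegex && isForkCandidate(fullName, forkOrganizations)) {
    const original = resolveOriginalByRegex(forkRegex, fullName);
    if (original && original !== fullName) purls.push(`pkg:github/${original}@${ref}`);
  }
  return purls;
}

// Constructed sample using the README's naming convention.
const forkRegex = compileForkRegex('^myenterprise/(?<org>[^_]+)_(?<repo>.+)');
const forkOrgs = parseForkOrganizations('myenterprise, myorg');
console.log(dependenciesFor('myenterprise/actions_checkout', 'v4', forkOrgs, forkRegex));
console.log(dependenciesFor('actions/checkout', 'v4', forkOrgs, forkRegex));
```

A name from a fork organization that does not match the pattern yields only its own purl; that is the point where the action falls back to the API fork relationship, so a too-narrow regex is not fatal, only incomplete.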
If you store composite actions or callable workflows in custom directories:
```yaml
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          additional-paths: |
            .github/actions
            custom/workflows
            shared/actions
```

This will:

- Scan the specified directories for composite actions (identified by `runs.using: composite`)
- Recursively extract dependencies from those composite actions
- Include dependencies from callable workflows (identified by `on.workflow_call`)
- Process local action references (e.g., `uses: ./local-action`) in workflows
If you're running on GitHub Enterprise Managed Users (EMU), GitHub Disaster Recovery (GitHub-DR), or GitHub Enterprise Server (GHES), and your workflows reference actions from public GitHub that aren't mirrored to your instance:
```yaml
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
          public-github-token: ${{ secrets.PUBLIC_GITHUB_TOKEN }}
```

This configuration:

- Uses `token` to access your local GitHub instance and submit dependencies
- Uses `public-github-token` to look up actions on public GitHub (api.github.com) when they're not found on your local instance
- Automatically determines whether each action lives on your local instance or public GitHub
- Caches the location decision to minimize API calls
- Resolves fork relationships and SHA-to-version mappings from the appropriate source

Note: `public-github-token` only needs read access to public repositories on GitHub.com: use a Personal Access Token (Classic) with the `public_repo` scope, or a Fine-grained Personal Access Token with read-only access to public repositories. Grant it nothing more; it is used for lookups, never for submission.
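The decision described above (local instance first, public GitHub only when a public token is configured, result cached per repository) as an added example. This is not the action's code: `RepositoryLocator`, the injected `existsOn` lookup and the `HOSTED` directory are constructed for this illustration so it runs offline; the action performs real REST API calls. The example also checks that each token is only ever presented to its own host.

```javascript
// Added example, not the action's own code: decide once per repository
// whether an action lives on the local GitHub instance or on public GitHub,
// and cache the answer. `existsOn(apiBase, token, fullName)` is a hypothetical
// injected lookup standing in for the REST API.

const PUBLIC_API = 'https://api.github.com';

class RepositoryLocator {
  constructor({ localApi, localToken, publicToken, existsOn }) {
    this.localApi = localApi;
    this.localToken = localToken;
    this.publicToken = publicToken; // undefined when not running on EMU/DR/GHES
    this.existsOn = existsOn;
    this.cache = new Map(); // lower-cased owner/repo -> { apiBase, token } | null
  }

  // Local instance first; public GitHub only when a public token was given.
  // Each token is sent only to the host it belongs to.
  locate(fullName) {
    const key = fullName.toLowerCase();
    if (this.cache.has(key)) return this.cache.get(key);
    let location = null;
    if (this.existsOn(this.localApi, this.localToken, fullName)) {
      location = { apiBase: this.localApi, token: this.localToken };
    } else if (this.publicToken && this.existsOn(PUBLIC_API, this.publicToken, fullName)) {
      location = { apiBase: PUBLIC_API, token: this.publicToken };
    }
    this.cache.set(key, location); // null is cached too: "exists nowhere" is a decision
    return location;
  }
}

// Constructed directory of what each instance hosts (not real data).
const LOCAL_API = 'https://ghes.example.com/api/v3';
const HOSTED = {
  [LOCAL_API]: new Set(['myenterprise/actions_checkout']),
  [PUBLIC_API]: new Set(['actions/checkout', 'myenterprise/actions_checkout']),
};

let lookups = 0;
function fakeExistsOn(apiBase, token, fullName) {
  lookups += 1;
  // Guard against token misuse: a leaked token is the worst outcome here.
  if (apiBase === PUBLIC_API && token !== 'public-token') throw new Error('local token sent to public GitHub');
  if (apiBase !== PUBLIC_API && token !== 'local-token') throw new Error('public token sent to local instance');
  return HOSTED[apiBase].has(fullName.toLowerCase());
}
function lookupCount() { return lookups; }

const locator = new RepositoryLocator({
  localApi: LOCAL_API,
  localToken: 'local-token',
  publicToken: 'public-token',
  existsOn: fakeExistsOn,
});
console.log(locator.locate('myenterprise/actions_checkout').apiBase); // local instance
console.log(locator.locate('actions/checkout').apiBase);              // public GitHub
```

The fork mirrored locally is resolved against the local instance even though public GitHub also knows the name, which is what keeps SHA-to-version lookups consistent with the code your runners actually execute.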
| Input | Description | Required | Default |
|---|---|---|---|
| `token` | GitHub token for API access and dependency submission | Yes | `${{ github.token }}` |
| `repository` | Repository to submit dependencies for (`owner/repo` format) | No | `${{ github.repository }}` |
| `workflow-directory` | Directory containing workflow files to scan | No | `.github/workflows` |
| `additional-paths` | Additional paths to scan for composite actions and callable workflows (comma-separated or newline-separated) | No | - |
| `fork-organizations` | Comma-separated list of organization names that contain forked actions | No | - |
| `fork-regex` | Regular expression pattern to transform forked repository names. Must contain named captures `org` and `repo` | No | - |
| `public-github-token` | GitHub token for accessing public GitHub (api.github.com) when running on EMU, GitHub-DR, or GHES. Used to look up actions not on the local instance | No | - |
| Output | Description |
|---|---|
| `dependency-count` | Number of dependencies submitted to the Dependency Graph |
- Workflow Scanning: The action scans all `.yml` and `.yaml` files in the specified workflow directory
- Dependency Extraction: Parses each workflow file to extract `uses:` statements that reference GitHub Actions
- Local Action Processing: Detects local action references (e.g., `uses: ./local-action`):
  - Resolves the path relative to the workflow file
  - Checks if it's a composite action
  - Recursively extracts dependencies from the composite action
- Callable Workflow Processing: Detects callable workflow references (e.g., `uses: ./workflow.yml` at job level):
  - Processes the callable workflow
  - Extracts all action dependencies from it
- Additional Paths Scanning: If specified, scans additional directories for composite actions:
  - Finds all YAML files in the specified paths
  - Processes composite actions found there
  - Recursively extracts their dependencies
- Fork Detection: For actions from organizations in the `fork-organizations` list:
  - First tries to apply the `fork-regex` pattern if provided
  - Falls back to checking GitHub's fork relationship via the API
- EMU/DR/GHES Support: When `public-github-token` is provided:
  - Determines whether each action repository exists on the local GitHub instance or public GitHub
  - Caches this decision to avoid redundant API calls
  - Uses the appropriate API endpoint for all subsequent operations on that repository
  - Enables looking up fork relationships and SHA-to-version mappings from public GitHub when needed
- Dependency Submission: Submits all dependencies to GitHub's Dependency Graph:
  - For forked actions, submits both the fork and original repository
  - Uses Package URL (purl) format: `pkg:github/{owner}/{repo}@{ref}`
- Security Advisories: GitHub automatically matches submitted dependencies against its security advisory database
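The extraction and submission steps above, as an added example that is not the action's own code: it pulls `uses:` references out of workflow text, separates remote actions (which become purls) from local and `docker://` references (which do not), and assembles the snapshot body that the Dependency Submission API accepts at `POST /repos/{owner}/{repo}/dependency-graph/snapshots`. A line-oriented regex stands in for a YAML parser so the example runs with no dependencies; the sample workflow, the detector name and the `example.invalid` URL are constructed for this illustration. Fork resolution and recursion into local actions are left out.

```javascript
// Added example, not the action's own code: extract `uses:` references from
// workflow text and build a Dependency Submission API snapshot.

// Matches "uses: value" as a step (`- uses:`) or a job-level (`uses:`) key;
// quotes and trailing comments are dropped from the captured value.
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^'"\s#]+)/;

// Classify one reference. Only `remote` refs map to a GitHub purl; `local`
// refs are what the action recurses into (composite actions, callable workflows).
function parseUses(value) {
  if (value.startsWith('./')) return { kind: 'local', path: value };
  if (value.startsWith('docker://')) return { kind: 'docker', image: value.slice('docker://'.length) };
  const at = value.lastIndexOf('@');
  if (at <= 0) return { kind: 'invalid', value }; // unpinned reference
  const [owner, repo, ...subpath] = value.slice(0, at).split('/');
  if (!owner || !repo) return { kind: 'invalid', value };
  // owner/repo/subdir@ref addresses an action inside a repo; the dependency is the repo.
  return { kind: 'remote', owner, repo, path: subpath.join('/'), ref: value.slice(at + 1) };
}

function extractUses(workflowText) {
  const refs = [];
  for (const line of workflowText.split('\n')) {
    const m = USES_LINE.exec(line);
    if (m) refs.push(parseUses(m[1]));
  }
  return refs;
}

// purl in the format the README documents: pkg:github/{owner}/{repo}@{ref}
function toPurl(dep) {
  return `pkg:github/${dep.owner}/${dep.repo}@${dep.ref}`;
}

// Snapshot body for POST /repos/{owner}/{repo}/dependency-graph/snapshots.
// `workflows` maps a manifest path to its file text; each workflow file becomes
// one manifest whose `resolved` map is keyed by purl, so duplicate refs collapse.
function buildSnapshot({ sha, ref, runId, workflows }) {
  const manifests = {};
  for (const [file, text] of Object.entries(workflows)) {
    const resolved = {};
    for (const dep of extractUses(text)) {
      if (dep.kind !== 'remote') continue;
      const purl = toPurl(dep);
      resolved[purl] = { package_url: purl, relationship: 'direct', scope: 'runtime', dependencies: [] };
    }
    manifests[file] = { name: file, file: { source_location: file }, resolved };
  }
  return {
    version: 0,
    sha,
    ref,
    job: { correlator: 'actions-dependency-submission', id: String(runId) },
    detector: { name: 'example-workflow-scanner', version: '0.0.1', url: 'https://example.invalid/scanner' },
    scanned: new Date().toISOString(),
    manifests,
  };
}

// Constructed sample workflow (not from a real repository).
const SAMPLE_WORKFLOW = [
  'name: CI',
  'on: [push]',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  "      - uses: 'actions/setup-node@v4' # quoted form",
  '      - uses: github/codeql-action/init@v3',
  '      - uses: ./.github/actions/local-lint',
  '      - uses: docker://alpine:3.20',
  '      - uses: actions/checkout@v4',
  '  reuse:',
  '    uses: ./.github/workflows/reusable.yml',
].join('\n');

const snapshot = buildSnapshot({
  sha: '0000000000000000000000000000000000000000',
  ref: 'refs/heads/main',
  runId: 1,
  workflows: { '.github/workflows/ci.yml': SAMPLE_WORKFLOW },
});
console.log(JSON.stringify(snapshot, null, 2));
```

Two details worth noticing: a sub-directory action such as `github/codeql-action/init@v3` is reported as the repository `github/codeql-action`, because that is what advisories are filed against, and the two `actions/checkout@v4` steps produce one resolved entry, so the submitted count reflects distinct dependencies rather than steps.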
When you use forked GitHub Actions in your workflows, GitHub's Dependabot and security advisories only track the fork, not the original repository. This means:
- Security vulnerabilities in the original action won't trigger alerts for your fork
- You won't be notified when the original action has security updates
This action solves this problem by submitting both repositories as dependencies, ensuring you receive security advisories for both the fork and the original.
Your enterprise has forked `actions/checkout` to `myenterprise/actions-checkout` for additional security controls. Your workflows use:

```yaml
      - uses: myenterprise/actions-checkout@v4
```

Without this action, you only get security advisories for `myenterprise/actions-checkout`. With this action configured, you'll receive advisories for both:

- `myenterprise/actions-checkout@v4`
- `actions/checkout@v4`
The action requires the following permissions:

```yaml
permissions:
  contents: write # Required by the Dependency Submission API (reading workflow files alone only needs read)
  id-token: write # For dependency submission API
```

Install dependencies:
```shell
npm install
```

Run tests:

```shell
npm test
```

Bundle the action:

```shell
npm run bundle
```
The action includes comprehensive unit tests for:
- Workflow file parsing
- Fork resolution via GitHub API
- Regex pattern matching
- Dependency submission
Run tests with coverage:

```shell
npm run all
```

License: MIT
Contributions are welcome! Please feel free to submit a Pull Request.