依赖项提交
依赖项提交 API 允许您提交项目的依赖项,例如在构建或编译项目时解析的依赖项。
关于依赖项提交 API
Note: The Dependency submission API is currently in public beta and subject to change.
The Dependency submission API lets you submit dependencies for a project. This enables you to add dependencies, such as those resolved when software is compiled or built, to GitHub's dependency graph feature, providing a more complete picture of all of your project's dependencies.
The dependency graph shows any dependencies you submit using the API in addition to any dependencies that are identified from manifest or lock files in the repository (for example, a package-lock.json file in a JavaScript project). For more information about viewing the dependency graph, see "Exploring the dependencies of a repository."
Submitted dependencies will receive Dependabot 警报 and Dependabot 安全更新 for any known vulnerabilities. You will only get Dependabot 警报 for dependencies that are from one of the supported ecosystems of the GitHub Advisory Database. Submitted dependencies will not be surfaced in dependency review or your organization's dependency insights.
依赖项以快照的形式提交到依赖项提交 API。 快照是一组与提交 SHA 和其他元数据关联的依赖项,它反映了提交存储库的当前状态。 可以选择使用预制操作或创建自己的操作,以便在每次生成项目时以所需的格式将依赖项提交到依赖项提交 API。 有关使用依赖项提交 API 的详细信息,请参阅“使用依赖项提交 API”。
可以将多组依赖项提交到依赖项提交 API,以包含在依赖关系图中。 该 API 使用 job.correlator 属性和快照的 detector.name 类别来确保显示每个工作流程的最新提交。 correlator 属性本身是将用于使独立提交保持不同的主字段。 示例 correlator 可以是操作运行中可用的两个变量的简单组合: <GITHUB_WORKFLOW> <GITHUB_JOB>。
Create a snapshot of dependencies for a repository
Create a new snapshot of a repository's dependencies. You must authenticate using an access token with the repo scope to use this endpoint for a repository that the requesting user has access to.
参数
| 标头 | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 名称, 类型, 描述 | ||||||||||||||||||||
acceptstringSetting to | ||||||||||||||||||||
| 路径参数 | ||||||||||||||||||||
| 名称, 类型, 描述 | ||||||||||||||||||||
ownerstring必选The account owner of the repository. The name is not case sensitive. | ||||||||||||||||||||
repostring必选The name of the repository. The name is not case sensitive. | ||||||||||||||||||||
| 正文参数 | ||||||||||||||||||||
| 名称, 类型, 描述 | ||||||||||||||||||||
versioninteger必选The version of the repository snapshot submission. | ||||||||||||||||||||
jobobject必选 | ||||||||||||||||||||
Properties of the | ||||||||||||||||||||
| 名称, 类型, 描述 |
|---|
idstring必选The external ID of the job. |
correlatorstring必选Correlator provides a key that is used to group snapshots submitted over time. Only the "latest" submitted snapshot for a given combination of |
html_urlstringThe url for the job. |
shastring必选The commit SHA associated with this dependency snapshot.
refstring必选The repository branch that triggered this snapshot.
detectorobject必选A description of the detector used.
Properties of thedetectorobject
| 名称, 类型, 描述 |
|---|
namestring必选The name of the detector used. |
versionstring必选The version of the detector used. |
urlstring必选The url of the detector used. |
metadataobjectUser-defined metadata to store domain-specific information limited to 8 keys with scalar values.
manifestsobjectA collection of package manifests
Properties of themanifestsobject
| 名称, 类型, 描述 |
|---|
keystringA user-defined key to represent an item in |
Properties of thekeyobject
| 名称, 类型, 描述 |
|---|
namestring必选The name of the manifest. |
fileobject |
metadataobjectUser-defined metadata to store domain-specific information limited to 8 keys with scalar values. |
resolved |
Properties of thefileobject
| 名称, 类型, 描述 |
|---|
source_locationstringThe path of the manifest file relative to the root of the Git repository. |
Properties of theresolved
| 名称, 类型, 描述 |
|---|
keystringA user-defined key to represent an item in |
Properties of thekeyobject
| 名称, 类型, 描述 |
|---|
package_urlstringPackage-url (PURL) of dependency. See https://github.com/package-url/purl-spec for more details. |
metadataobjectUser-defined metadata to store domain-specific information limited to 8 keys with scalar values. |
relationshipstringA notation of whether a dependency is requested directly by this manifest or is a dependency of another dependency. 可以是以下其中之一: |
scopestringA notation of whether the dependency is required for the primary build artifact (runtime) or is only used for development. Future versions of this specification may allow for more granular scopes. 可以是以下其中之一: |
dependenciesarray of stringsArray of package-url (PURLs) of direct child dependencies. |
scannedstring必选The time at which the snapshot was scanned.
HTTP 响应状态代码
| 状态代码 | 描述 |
|---|---|
201 | Created |
代码示例
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/repos/OWNER/REPO/dependency-graph/snapshots \
-d '{"version":0,"sha":"ce587453ced02b1526dfb4cb910479d431683101","ref":"refs/heads/main","job":{"correlator":"yourworkflowname_youractionname","id":"yourrunid"},"detector":{"name":"octo-detector","version":"0.0.1","url":"https://github.com/octo-org/octo-repo"},"scanned":"2022-06-14T20:25:00Z","manifests":{"package-lock.json":{"name":"package-lock.json","file":{"source_location":"src/package-lock.json"},"resolved":{"@actions/core":{"package_url":"pkg:/npm/%40actions/core@1.1.9","dependencies":["@actions/http-client"]},"@actions/http-client":{"package_url":"pkg:/npm/%40actions/http-client@1.0.7","dependencies":["tunnel"]},"tunnel":{"package_url":"pkg:/npm/tunnel@0.0.6"}}}}}'Response
Status: 201{
"id": 12345,
"created_at": "2018-05-04T01:14:52Z",
"message": "Dependency results for the repo have been successfully updated.",
"result": "SUCCESS"
}