Dependency submission
The Dependency submission API lets you submit the dependencies of a project, such as those resolved when the project is built or compiled.
About the Dependency submission API
Note: The Dependency submission API is currently in public beta and subject to change.
The Dependency submission API lets you submit dependencies for a project. This enables you to add dependencies, such as those resolved when software is compiled or built, to GitHub's dependency graph feature, providing a more complete picture of all of your project's dependencies.
The dependency graph shows any dependencies you submit using the API in addition to any dependencies that are identified from manifest or lock files in the repository (for example, a package-lock.json file in a JavaScript project). For more information about viewing the dependency graph, see "Exploring the dependencies of a repository."
Submitted dependencies will receive Dependabot alerts and Dependabot security updates for any known vulnerabilities. You will only get Dependabot alerts for dependencies that are from one of the supported ecosystems of the GitHub Advisory Database. Submitted dependencies will not be surfaced in dependency review or your organization's dependency insights.
Dependencies are submitted to the Dependency submission API in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata that reflects the current state of your repository for that commit. You can choose to use pre-made actions or create your own actions to submit your dependencies in the required format to the Dependency submission API each time your project is built. For more information about using the Dependency submission API, see "Using the Dependency submission API."
You can submit multiple sets of dependencies to the Dependency submission API to be included in the dependency graph. The API uses the job.correlator property and the detector.name category of a snapshot to ensure that the latest submission for each workflow is shown. The correlator property itself is the primary field you use to keep independent submissions distinct. An example correlator could be a simple combination of two variables that are available in an actions run: <GITHUB_WORKFLOW> <GITHUB_JOB>.
Create a snapshot of dependencies for a repository
Create a new snapshot of a repository's dependencies. You must authenticate using an access token with the repo scope to use this endpoint for a repository that the requesting user has access to.
Parameters

Headers

Name | Type | Description
---|---|---
accept | string | Setting to

Path parameters

Name | Type | Description
---|---|---
owner | string | Required. The account owner of the repository. The name is not case sensitive.
repo | string | Required. The name of the repository. The name is not case sensitive.

Body parameters

Name | Type | Description
---|---|---
version | integer | Required. The version of the repository snapshot submission.
job | object | Required. See "Properties of the job object" below.
sha | string | Required. The commit SHA associated with this dependency snapshot.
ref | string | Required. The repository branch that triggered this snapshot.
detector | object | Required. A description of the detector used.
metadata | object | User-defined metadata to store domain-specific information, limited to 8 keys with scalar values.
manifests | object | A collection of package manifests.
scanned | string | Required. The time at which the snapshot was scanned.

Properties of the job object

Name | Type | Description
---|---|---
id | string | Required. The external ID of the job.
correlator | string | Required. Correlator provides a key that is used to group snapshots submitted over time. Only the "latest" submitted snapshot for a given combination of
html_url | string | The URL for the job.

Properties of the detector object

Name | Type | Description
---|---|---
name | string | Required. The name of the detector used.
version | string | Required. The version of the detector used.
url | string | Required. The URL of the detector used.

Properties of the manifests object

Name | Type | Description
---|---|---
key | string | A user-defined key to represent an item in manifests.

Properties of a key object in manifests

Name | Type | Description
---|---|---
name | string | Required. The name of the manifest.
file | object |
metadata | object | User-defined metadata to store domain-specific information, limited to 8 keys with scalar values.
resolved | object |

Properties of the file object

Name | Type | Description
---|---|---
source_location | string | The path of the manifest file relative to the root of the Git repository.

Properties of the resolved object

Name | Type | Description
---|---|---
key | string | A user-defined key to represent an item in resolved.

Properties of a key object in resolved

Name | Type | Description
---|---|---
package_url | string | Package-url (PURL) of the dependency. See https://github.com/package-url/purl-spec for more details.
metadata | object | User-defined metadata to store domain-specific information, limited to 8 keys with scalar values.
relationship | string | A notation of whether a dependency is requested directly by this manifest or is a dependency of another dependency. Can be one of:
scope | string | A notation of whether the dependency is required for the primary build artifact (runtime) or is only used for development. Future versions of this specification may allow for more granular scopes. Can be one of:
dependencies | array of strings | Array of package-urls (PURLs) of direct child dependencies.
HTTP response status codes

Status code | Description
---|---
201 | Created
Code samples

```shell
curl \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: token <TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependency-graph/snapshots \
  -d '{
    "version": 0,
    "sha": "ce587453ced02b1526dfb4cb910479d431683101",
    "ref": "refs/heads/main",
    "job": {"correlator": "yourworkflowname_youractionname", "id": "yourrunid"},
    "detector": {"name": "octo-detector", "version": "0.0.1", "url": "https://github.com/octo-org/octo-repo"},
    "scanned": "2022-06-14T20:25:00Z",
    "manifests": {
      "package-lock.json": {
        "name": "package-lock.json",
        "file": {"source_location": "src/package-lock.json"},
        "resolved": {
          "@actions/core": {"package_url": "pkg:/npm/%40actions/core@1.1.9", "dependencies": ["@actions/http-client"]},
          "@actions/http-client": {"package_url": "pkg:/npm/%40actions/http-client@1.0.7", "dependencies": ["tunnel"]},
          "tunnel": {"package_url": "pkg:/npm/tunnel@0.0.6"}
        }
      }
    }
  }'
```
Response

Status: 201

```json
{
  "id": 12345,
  "created_at": "2018-05-04T01:14:52Z",
  "message": "Dependency results for the repo have been successfully updated.",
  "result": "SUCCESS"
}
```
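As an added example (not code from this page or from GitHub), the following Python script builds a snapshot in the body format described above from a parsed package-lock.json, marking each package as direct or indirect and runtime or development, and posts it with the same headers as the curl sample. The lockfile content, the detector name and URL, and the correlator format are constructed placeholders; the relationship and scope strings are the values the API documents for those fields.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
# Constructed sample lockfile (npm lockfileVersion 3 layout), embedded so the script runs offline.
SAMPLE_LOCK = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@actions/core": "1.1.9"}},
    "node_modules/@actions/core": {"version": "1.1.9", "dependencies": {"@actions/http-client": "1.0.7"}},
    "node_modules/@actions/http-client": {"version": "1.0.7", "dependencies": {"tunnel": "0.0.6"}},
    "node_modules/tunnel": {"version": "0.0.6"},
}}

def npm_purl(name, version):
    """package-url for an npm package; the "@" of a scoped name is percent-encoded as %40."""
    return "pkg:npm/" + urllib.parse.quote(name, safe="/") + "@" + version

def child_version(packages, parent, dep):
    """Version a dependency resolves to: a copy nested under the parent wins over the hoisted one."""
    return (packages.get(f"{parent}/node_modules/{dep}") or packages[f"node_modules/{dep}"])["version"]

def build_snapshot(lock, sha, ref, workflow, job, run_id, scanned=None, lock_path="package-lock.json"):
    """Turn a parsed package-lock.json into a snapshot body for the Dependency submission API."""
    packages, root = lock["packages"], lock["packages"][""]
    dev = set(root.get("devDependencies", {}))
    direct = dev | set(root.get("dependencies", {}))
    resolved = {}
    for path, pkg in packages.items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        key = name if name not in resolved else path  # a nested duplicate version gets a path key
        resolved[key] = {
            "package_url": npm_purl(name, pkg["version"]),
            "relationship": "direct" if name in direct else "indirect",
            "scope": "development" if name in dev else "runtime",
            "dependencies": [npm_purl(d, child_version(packages, path, d)) for d in pkg.get("dependencies", {})],
        }
    return {"version": 0, "sha": sha, "ref": ref,
            "job": {"correlator": f"{workflow}_{job}", "id": run_id},  # correlator keeps this job's snapshots distinct
            "detector": {"name": "lockfile-to-snapshot", "version": "0.0.1", "url": "https://example.com/detector"},
            "scanned": scanned or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "manifests": {lock_path: {"name": lock_path, "file": {"source_location": lock_path}, "resolved": resolved}}}

def submit_snapshot(owner, repo, token, snapshot):
    """POST the snapshot as in the page's curl example; needs network access and a token with repo scope."""
    req = urllib.request.Request(f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots",
                                 data=json.dumps(snapshot).encode(), method="POST",
                                 headers={"Accept": "application/vnd.github+json", "Authorization": f"token {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # on 201: {"id": ..., "created_at": ..., "message": ..., "result": "SUCCESS"}
```

Unlike the curl sample, the child dependencies are listed as package-urls, which is what the dependencies field of a resolved entry specifies.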