
Dependency submission

The Dependency submission API lets you submit the dependencies of a project, for example the dependencies that are resolved when the project is built or compiled.

About the Dependency submission API

Note: The Dependency submission API is currently in public beta and subject to change.

The Dependency submission API lets you submit dependencies for a project. This enables you to add dependencies, such as those resolved when software is compiled or built, to GitHub's dependency graph feature, providing a more complete picture of all of your project's dependencies.

The dependency graph shows any dependencies you submit using the API in addition to any dependencies that are identified from manifest or lock files in the repository (for example, a package-lock.json file in a JavaScript project). For more information about viewing the dependency graph, see "Exploring the dependencies of a repository."

Submitted dependencies will receive Dependabot alerts and Dependabot security updates for any known vulnerabilities. You will only get Dependabot alerts for dependencies that are from one of the supported ecosystems of the GitHub Advisory Database. Submitted dependencies will not be surfaced in dependency review or your organization's dependency insights.

Dependencies are submitted to the Dependency submission API in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata, and it reflects the state of the repository at that commit. You can choose to use a pre-made action or create your own action to submit dependencies to the Dependency submission API in the required format each time your project is built. For more information on using the Dependency submission API, see "Using the Dependency submission API."

You can submit multiple sets of dependencies to the Dependency submission API for inclusion in the dependency graph. The API uses the job.correlator property and the detector.name category of the snapshot to ensure that only the latest submission for each workflow is shown. The correlator property is the primary field you use to keep independent submissions distinct. An example correlator could be a simple combination of two variables available in an Actions run: <GITHUB_WORKFLOW> <GITHUB_JOB>
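The snapshot structure and correlator rules above, as an added example (not GitHub's own code and not the page's curl sample): a small Python module that builds a correlator from GITHUB_WORKFLOW, GITHUB_JOB and any build-matrix values, assembles a snapshot body, checks it against the schema described on this page before sending (required fields, the direct/indirect and runtime/development enumerations, the 8-key scalar limit on metadata, and child dependencies that refer to packages not present in resolved), and POSTs it with the standard library. The sample detector and manifest are constructed from the curl example further down; the owner, repo and token are whatever the caller passes in. One wrinkle the validator deliberately tolerates: the schema says child dependencies are PURLs, while the page's curl sample lists resolved keys instead.

```python
# Added example (not GitHub's own code): build a dependency snapshot whose
# correlator stays distinct across a build matrix, validate it against the
# schema described on this page, and optionally POST it. The sample manifest
# and the repository/token handling below are assumptions for illustration.
import json
import urllib.request
from datetime import datetime, timezone

MAX_METADATA_KEYS = 8
ALLOWED = {"relationship": {"direct", "indirect"}, "scope": {"runtime", "development"}}

# Constructed sample data, mirroring the curl example on this page.
SAMPLE_DETECTOR = {"name": "octo-detector", "version": "0.0.1",
                   "url": "https://github.com/octo-org/octo-repo"}
SAMPLE_MANIFESTS = {"package-lock.json": {
    "name": "package-lock.json",
    "file": {"source_location": "src/package-lock.json"},
    "resolved": {
        "@actions/core": {"package_url": "pkg:npm/%40actions/core@1.1.9", "relationship": "direct",
                          "scope": "runtime", "dependencies": ["pkg:npm/%40actions/http-client@1.0.7"]},
        "@actions/http-client": {"package_url": "pkg:npm/%40actions/http-client@1.0.7",
                                 "relationship": "indirect", "dependencies": ["pkg:npm/tunnel@0.0.6"]},
        "tunnel": {"package_url": "pkg:npm/tunnel@0.0.6", "relationship": "indirect"},
    }}}


def build_correlator(workflow, job, matrix=None):
    """GITHUB_WORKFLOW + GITHUB_JOB as the page recommends, plus every matrix
    key=value so each leg of a build matrix keeps its own snapshot slot instead
    of overwriting the others (only the latest snapshot per correlator counts)."""
    return "_".join([workflow, job] + [f"{k}={matrix[k]}" for k in sorted(matrix or {})])


def build_snapshot(*, correlator, run_id, sha, ref, detector, manifests,
                   scanned=None, metadata=None):
    """Assemble the body for POST /repos/{owner}/{repo}/dependency-graph/snapshots."""
    return {"version": 0, "job": {"correlator": correlator, "id": run_id},
            "sha": sha, "ref": ref, "detector": detector, "metadata": metadata or {},
            "manifests": manifests,
            "scanned": scanned or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}


def validate_snapshot(snapshot):
    """Return a list of schema problems; an empty list means the snapshot is
    well formed. Catching these locally is cheaper than a 422 from the API."""
    problems = []

    def check_metadata(meta, where):
        if meta and len(meta) > MAX_METADATA_KEYS:
            problems.append(f"{where}.metadata has more than {MAX_METADATA_KEYS} keys")
        for key, value in (meta or {}).items():
            if not isinstance(value, (str, int, float, bool, type(None))):
                problems.append(f"{where}.metadata[{key!r}] is not a scalar")

    for prefix, obj, fields in (("", snapshot, ("version", "job", "sha", "ref", "detector", "scanned")),
                                ("job.", snapshot.get("job", {}), ("id", "correlator")),
                                ("detector.", snapshot.get("detector", {}), ("name", "version", "url"))):
        problems += [f"{prefix}{f} is required" for f in fields if f not in obj]
    check_metadata(snapshot.get("metadata"), "snapshot")
    for mkey, manifest in snapshot.get("manifests", {}).items():
        if not manifest.get("name"):
            problems.append(f"manifests[{mkey!r}].name is required")
        check_metadata(manifest.get("metadata"), f"manifests[{mkey!r}]")
        resolved = manifest.get("resolved", {})
        # The schema says child dependencies are PURLs, while the curl sample on
        # this page lists resolved keys instead; accept either spelling.
        known = set(resolved) | {d.get("package_url") for d in resolved.values()}
        for rkey, dep in resolved.items():
            where = f"manifests[{mkey!r}].resolved[{rkey!r}]"
            if not str(dep.get("package_url", "")).startswith("pkg:"):
                problems.append(f"{where}.package_url is not a package-url")
            for attr, allowed in ALLOWED.items():
                if attr in dep and dep[attr] not in allowed:
                    problems.append(f"{where}.{attr} must be one of {sorted(allowed)}")
            check_metadata(dep.get("metadata"), where)
            problems += [f"{where} lists child {c!r} that is not in resolved"
                         for c in dep.get("dependencies", []) if c not in known]
    return problems


def submit_snapshot(owner, repo, snapshot, token, api="https://api.github.com"):
    """Validate, POST and return the parsed response (expects 201). Not run at
    import time; needs network access and a token with the repo scope."""
    problems = validate_snapshot(snapshot)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{api}/repos/{owner}/{repo}/dependency-graph/snapshots",
        data=json.dumps(snapshot).encode(), method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"token {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        if resp.status != 201:
            raise RuntimeError(f"unexpected status {resp.status}")
        return json.load(resp)
```

Inside a workflow, call build_correlator with os.environ["GITHUB_WORKFLOW"], os.environ["GITHUB_JOB"] and a dict of the matrix values for that leg. If every leg of a matrix shares one correlator, each submission replaces the previous leg's snapshot, and the dependency graph ends up showing only whichever leg finished last.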

Create a snapshot of dependencies for a repository

Create a new snapshot of a repository's dependencies. You must authenticate using an access token with the repo scope to use this endpoint for a repository that the requesting user has access to.

Parameters

Headers

accept (string)

Setting to application/vnd.github+json is recommended.

Path parameters

owner (string, required)

The account owner of the repository. The name is not case sensitive.

repo (string, required)

The name of the repository. The name is not case sensitive.

Body parameters

version (integer, required)

The version of the repository snapshot submission.

job (object, required)

job.id (string, required)

The external ID of the job.

job.correlator (string, required)

Correlator provides a key that is used to group snapshots submitted over time. Only the "latest" submitted snapshot for a given combination of job.correlator and detector.name will be considered when calculating a repository's current dependencies. Correlator should be as unique as it takes to distinguish all detection runs for a given "wave" of CI workflow you run. If you're using GitHub Actions, a good default value for this could be the environment variables GITHUB_WORKFLOW and GITHUB_JOB concatenated together. If you're using a build matrix, then you'll also need to add additional key(s) to distinguish between each submission inside a matrix variation.

job.html_url (string)

The url for the job.

sha (string, required)

The commit SHA associated with this dependency snapshot.

ref (string, required)

The repository branch that triggered this snapshot.

detector (object, required)

A description of the detector used.

detector.name (string, required)

The name of the detector used.

detector.version (string, required)

The version of the detector used.

detector.url (string, required)

The url of the detector used.

metadata (object)

User-defined metadata to store domain-specific information, limited to 8 keys with scalar values.

manifests (object)

A collection of package manifests. Each key is a user-defined key that represents an item in manifests; each value has the following properties.

manifests.<key>.name (string, required)

The name of the manifest.

manifests.<key>.file (object)

manifests.<key>.file.source_location (string)

The path of the manifest file relative to the root of the Git repository.

manifests.<key>.metadata (object)

User-defined metadata to store domain-specific information, limited to 8 keys with scalar values.

manifests.<key>.resolved (object)

The packages resolved from this manifest. Each key is a user-defined key that represents an item in resolved; each value has the following properties.

manifests.<key>.resolved.<key>.package_url (string)

Package-url (PURL) of the dependency. See https://github.com/package-url/purl-spec for more details.

manifests.<key>.resolved.<key>.metadata (object)

User-defined metadata to store domain-specific information, limited to 8 keys with scalar values.

manifests.<key>.resolved.<key>.relationship (string)

A notation of whether a dependency is requested directly by this manifest or is a dependency of another dependency.

Can be one of: direct, indirect

manifests.<key>.resolved.<key>.scope (string)

A notation of whether the dependency is required for the primary build artifact (runtime) or is only used for development. Future versions of this specification may allow for more granular scopes.

Can be one of: runtime, development

manifests.<key>.resolved.<key>.dependencies (array of strings)

Array of package-urls (PURLs) of direct child dependencies.

scanned (string, required)

The time at which the snapshot was scanned, for example 2022-06-14T20:25:00Z as in the code sample below.

HTTP response status codes

201

Created

Code samples

post /repos/{owner}/{repo}/dependency-graph/snapshots

curl \
  -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: token <TOKEN>" \
  https://api.github.com/repos/OWNER/REPO/dependency-graph/snapshots \
  -d '{
    "version": 0,
    "sha": "ce587453ced02b1526dfb4cb910479d431683101",
    "ref": "refs/heads/main",
    "job": {"correlator": "yourworkflowname_youractionname", "id": "yourrunid"},
    "detector": {"name": "octo-detector", "version": "0.0.1", "url": "https://github.com/octo-org/octo-repo"},
    "scanned": "2022-06-14T20:25:00Z",
    "manifests": {
      "package-lock.json": {
        "name": "package-lock.json",
        "file": {"source_location": "src/package-lock.json"},
        "resolved": {
          "@actions/core": {"package_url": "pkg:npm/%40actions/core@1.1.9", "dependencies": ["@actions/http-client"]},
          "@actions/http-client": {"package_url": "pkg:npm/%40actions/http-client@1.0.7", "dependencies": ["tunnel"]},
          "tunnel": {"package_url": "pkg:npm/tunnel@0.0.6"}
        }
      }
    }
  }'

Response

Status: 201
{
  "id": 12345,
  "created_at": "2018-05-04T01:14:52Z",
  "message": "Dependency results for the repo have been successfully updated.",
  "result": "SUCCESS"
}
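The manifests object in the sample above, populated from a lockfile as an added example (not GitHub's or npm's code): a converter from an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map) to one manifests entry, producing percent-encoded npm PURLs, direct versus indirect relationships, runtime versus development scope from the lockfile's dev flag, and child edges resolved with npm's nested node_modules lookup so that two versions of the same package stay distinct. The lockfile is constructed for illustration and the converter ignores peer and optional dependencies. The dependency graph already reads a package-lock.json committed to the repository, so in practice you would produce the same shape from whatever your build actually resolves; the lockfile is used here because its format is familiar.

```python
# Added example (not GitHub's or npm's code): turn a package-lock.json (lockfile
# version 2 or 3, "packages" map) into one entry of the "manifests" object
# described on this page, with package-urls, direct/indirect relationships,
# runtime/development scopes and resolved child edges. The lockfile below is
# constructed for illustration; real lockfiles also carry peer and optional
# dependencies, which this converter ignores.
import json

# Constructed sample: a hoisted dev-only tunnel@0.0.4 at the top level, plus a
# nested runtime tunnel@0.0.6 that @actions/http-client needs.
SAMPLE_LOCK = json.loads("""{
  "name": "octo-app", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@actions/core": "^1.1.9"}, "devDependencies": {"tunnel": "0.0.4"}},
    "node_modules/@actions/core": {"version": "1.1.9",
                                   "dependencies": {"@actions/http-client": "^1.0.7"}},
    "node_modules/@actions/http-client": {"version": "1.0.7", "dependencies": {"tunnel": "^0.0.6"}},
    "node_modules/@actions/http-client/node_modules/tunnel": {"version": "0.0.6"},
    "node_modules/tunnel": {"version": "0.0.4", "dev": true}
  }}""")


def npm_purl(name, version):
    """purl for an npm package; a scope's leading '@' is percent-encoded as %40,
    so @actions/core 1.1.9 becomes pkg:npm/%40actions/core@1.1.9."""
    return f"pkg:npm/{name.replace('@', '%40', 1)}@{version}"


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[1]


def resolve_child(packages, parent_path, name):
    """Apply npm's lookup: look for node_modules/<name> nested under the parent,
    then walk up one node_modules level at a time until the root is reached."""
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        idx = path.rfind("/node_modules/")
        path = path[:idx] if idx != -1 else ""


def lockfile_to_manifest(lock, source_location="package-lock.json"):
    """Build one manifests.<key> entry; resolved keys are the lockfile paths so
    two copies of the same package at different versions stay distinct."""
    packages = lock["packages"]
    root = packages.get("", {})
    top_level = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    resolved = {}
    for path, pkg in packages.items():
        if path == "":
            continue  # the root project itself is not a dependency
        name = package_name(path)
        children = []
        for child in pkg.get("dependencies", {}):
            child_path = resolve_child(packages, path, child)
            if child_path is None:
                raise ValueError(f"{path} depends on {child}, which the lockfile does not resolve")
            children.append(npm_purl(child, packages[child_path]["version"]))
        resolved[path] = {
            "package_url": npm_purl(name, pkg["version"]),
            # direct only for the hoisted copy that package.json itself asks for
            "relationship": "direct" if path == f"node_modules/{name}" and name in top_level else "indirect",
            "scope": "development" if pkg.get("dev") else "runtime",
            "dependencies": children,
        }
    return {"name": source_location.rsplit("/", 1)[-1],
            "file": {"source_location": source_location},
            "resolved": resolved}


if __name__ == "__main__":
    print(json.dumps({"package-lock.json": lockfile_to_manifest(SAMPLE_LOCK, "src/package-lock.json")}, indent=2))
```

The output slots straight into the "manifests" field of a snapshot body; keying resolved by lockfile path rather than package name is what keeps the nested tunnel@0.0.6 and the hoisted tunnel@0.0.4 from overwriting each other.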