
Using the Dependency submission API

You can use the Dependency submission API to submit dependencies for projects, such as the dependencies resolved when a project is built or compiled.

Note: The Dependency submission API is currently in public beta and subject to change.

About the Dependency submission API

The Dependency submission API lets you submit dependencies for a project. This enables you to add dependencies, such as those resolved when software is compiled or built, to GitHub's dependency graph feature, providing a more complete picture of all of your project's dependencies.

The dependency graph shows any dependencies you submit using the API in addition to any dependencies that are identified from manifest or lock files in the repository (for example, a package-lock.json file in a JavaScript project). For more information about viewing the dependency graph, see "Exploring the dependencies of a repository."

Submitted dependencies will receive Dependabot alerts and Dependabot security updates for any known vulnerabilities. You will only get Dependabot alerts for dependencies that are from one of the supported ecosystems for the GitHub Advisory Database. Submitted dependencies will not be surfaced in dependency review or your organization's dependency insights.

Dependencies are submitted to the Dependency submission API in the form of a snapshot. A snapshot is a set of dependencies associated with a commit SHA and other metadata, which reflects the current state of your repository for a commit. For more information about the Dependency submission API, see the Dependency submission REST API documentation.

Submitting dependencies at build-time

You can use the Dependency submission API in a GitHub Actions workflow to submit dependencies for your project when your project is built.

Using pre-made actions

The simplest way to use the Dependency submission API is by adding a pre-made action to your repository that will gather and convert the list of dependencies to the required snapshot format and submit the list to the API. Actions that complete these steps for various ecosystems are available on GitHub Marketplace and more actions will be created during the course of the beta and beyond. You can find links to the currently available actions in the table below:

Ecosystem    Action
Go           Go Dependency Submission

For example, the following Go Dependency Submission workflow calculates the dependencies for a Go build-target (a Go file with a main function) and submits the list to the Dependency Submission API.


name: Go Dependency Submission
on:
  push:
    branches:
      - main

# The API requires write permission on the repository to submit dependencies
permissions:
  contents: write

# Environment variables to configure Go and Go modules. Customize as necessary
env:
  GOPROXY: '' # A Go Proxy server to be used
  GOPRIVATE: '' # A list of modules that are considered private and not requested from GOPROXY
jobs:
  go-action-detection:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        with:
          go-version: ">=1.18.0"

      - name: Run snapshot action
        uses: actions/go-dependency-submission@v1
        with:
            # Required: Define the repo path to the go.mod file used by the
            # build target
            go-mod-path: go-example/go.mod
            #
            # Optional. Define the repo path of a build target,
            # a file with a `main()` function.
            # If undefined, this action will collect all dependencies
            # used by all build targets for the module. This may
            # include Go dependencies used by tests and tooling.
            go-build-target: go-example/cmd/octocat.go

Creating your own action

Alternatively, you can write your own action to submit dependencies for your project at build-time. Your workflow should:

  1. Generate a list of dependencies for your project.
  2. Translate the list of dependencies into the snapshot format accepted by the Dependency submission API. For more information about the format, see the body parameters for the "Create a repository snapshot" API operation in the Dependency submission REST API documentation.
  3. Submit the formatted list of dependencies to the Dependency submission API.

GitHub maintains the Dependency Submission Toolkit, a TypeScript library to help you build your own GitHub Action for submitting dependencies to the Dependency submission API. For more information about writing an action, see "Creating actions".
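
The three steps above as an added example (not GitHub's code and not using the Dependency Submission Toolkit): it maps module records shaped like `go list -m -json all` output into a snapshot body and posts it to the "Create a repository snapshot" endpoint. The sample modules, the `ctx` field names and the detector values are constructed assumptions.

```javascript
// Constructed sample input: module records shaped like `go list -m -json all`
// output (fields Path, Version, Main, Indirect). Not taken from a real build.
const SAMPLE_MODULES = [
  { Path: "example.com/octo/app", Main: true },
  { Path: "github.com/gorilla/mux", Version: "v1.8.0" },
  { Path: "golang.org/x/text", Version: "v0.3.7", Indirect: true },
];

// Step 2: translate the resolved modules into a snapshot body.
// The ctx fields (sha, ref, jobId, correlator, manifestPath) are hypothetical names.
function buildSnapshot(modules, ctx) {
  if (!/^[0-9a-f]{40}$/.test(ctx.sha)) throw new Error("sha must be a 40-character commit SHA");
  if (!/^refs\//.test(ctx.ref)) throw new Error("ref must be fully qualified, e.g. refs/heads/main");
  const resolved = {};
  for (const m of modules) {
    if (m.Main || !m.Version) continue; // the project itself is not a dependency
    resolved[m.Path] = {
      package_url: `pkg:golang/${m.Path}@${encodeURIComponent(m.Version)}`,
      relationship: m.Indirect ? "indirect" : "direct",
      scope: "runtime",
    };
  }
  return {
    version: 0,
    sha: ctx.sha,
    ref: ctx.ref,
    job: { id: ctx.jobId, correlator: ctx.correlator },
    detector: { name: "example-detector", version: "0.0.1", url: "https://example.com/detector" },
    scanned: new Date().toISOString(),
    manifests: {
      [ctx.manifestPath]: { name: ctx.manifestPath, file: { source_location: ctx.manifestPath }, resolved },
    },
  };
}

// Step 3: submit. The token is passed in (for example the workflow's GITHUB_TOKEN), never hardcoded.
async function submitSnapshot(snapshot, { owner, repo, token }) {
  const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/dependency-graph/snapshots`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" },
    body: JSON.stringify(snapshot),
  });
  if (!res.ok) throw new Error(`snapshot submission failed: HTTP ${res.status}`);
  return res.json();
}
```

Reusing the same `correlator` for a given workflow and job lets a later snapshot supersede the earlier one instead of accumulating stale dependency sets.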