Calculates dependencies for a Go build-target and submits the list to the Dependency Submission API

Overview

Go Dependency Submission

This GitHub Action calculates the dependencies of a Go build target (a Go file with a main function) and submits the list to the Dependency Submission API. The dependencies then appear in your repository's dependency graph, and you receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.

Example

name: Go Dependency Submission
on:
  push:
    branches:
      - main

# The API requires write permission on the repository to submit dependencies
permissions:
  contents: write

# Environment variables that configure Go and Go modules. Customize as necessary
env:
  GOPROXY: '' # The Go module proxy to use
  GOPRIVATE: '' # Comma-separated module path prefixes that are treated as private and never requested from GOPROXY

jobs:
  go-action-detection:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        with:
          go-version: ">=1.18.0"

      - name: Run snapshot action
        uses: actions/go-dependency-submission@v1
        with:
          # Required: Define the repo path to the go.mod file used by the
          # build target
          go-mod-path: go-example/go.mod
          #
          # Optional: Define the path of a build target (a file with a
          # `main()` function). If not defined, this Action will collect all
          # dependencies used by all build targets for the module, which may
          # include Go dependencies used by tests and tooling.
          go-build-target: go-example/cmd/octocat.go
Comments
  • Add default value for go-mod-path

    I noticed that we don't have a default value for the go-mod-path, even though it's usually at the root of the repository. I propose adding the default value here.

    opened by jhutchings1 3
  • Cannot download `npm` dependencies.

    Hi,

    I'm opening this issue to double-check if this is expected, but it is not possible to clone this repository and execute npm install, either directly on the local machine, or on the devcontainer as it requires credentials to retrieve github/dependency-submission-toolkit

    I've also opened an issue at dependency-submission-toolkit to clarify the issue. https://github.com/github/dependency-submission-toolkit/issues/14

    opened by caquino 2
  • Correctly identify dependency versions chosen by Go

    Depends on https://github.com/actions/go-dependency-submission/pull/12. Merge first for a cleaner diff!

    go mod graph lists an associative list of possible versions of packages that can be chosen (given the constraints specified in go.mod files) and their required dependencies.

    go list -deps $build_target will list the packages and versions actually chosen by Go when building the build-target.

    This action melded the two sources of information to create a dependency snapshot with the packages chosen for a build-target and their dependency relationships. However, we had a flawed assumption. As it turns out, each line in go mod graph specifies the minimum version of a dependency that a package requires. It does not list which package version is actually chosen.


    To give an example:

    Say go list -deps -f $template_string $build_target lists the dependencies [email protected], [email protected], and [email protected] as the dependencies chosen for a build-target

    go mod graph lists the following associative list of packages and their required dependencies:

    [email protected] [email protected]
    [email protected] [email protected]
    

    Note on the first line, [email protected] specifies [email protected] as the required dependency, not [email protected], which was ultimately chosen for the build-target.


    You can see the effect of this output in this repo's Dependency Graph

    image

    This includes entries for both the dependencies selected for the build target, as well as the packages not selected (but are the minimum required versions of other dependencies)


    This PR re-works how packages are associated so they match the versions chosen for a build-target. [email protected] will be correctly shown to depend on [email protected] in the snapshot manifest.


    Testing

    In addition to unit and integration tests, the Action workflow was modified to run this PR and ran successfully. The output is what is expected: 4 dependencies (rather than 8), with the correct versions and relationships. https://github.com/actions/go-dependency-submission/actions/runs/2513328012

    opened by lseppala 1
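The version-matching step this PR describes, worked through in Go as an added example (this is not the action's own code). Both inputs are constructed: the module paths and versions are made up, `example.com/octocat` stands in for the main module, and the `-f` template shown in the comment is an assumption about the `$template_string` the PR refers to. `resolvedEdges` keeps only the `go mod graph` edges that start at a selected module version, drops requirements that are absent from the build list (here a module imported only by tests, which is also why the README warns that omitting `go-build-target` pulls in test and tooling dependencies), and rewrites each requirement's minimum version to the version MVS selected.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample output of
//   go list -deps -f '{{if .Module}}{{.Module.Path}}{{with .Module.Version}}@{{.}}{{end}}{{end}}' ./cmd/octocat
// with duplicates removed. The main module prints without a version; standard
// library packages have no Module and print as blank lines, which are skipped.
const goListDeps = `
example.com/octocat
github.com/alpha/lib@v1.2.0
github.com/beta/util@v0.5.0
golang.org/x/text@v0.3.7
`

// Constructed sample output of `go mod graph` for the same module. Each line is
// "requirer requirement" and records the minimum version the requirer asks for,
// not the version minimal version selection (MVS) finally builds with.
// github.com/gamma/testonly is in go.mod but only imported by tests, so it is
// absent from the build target's go list -deps output above.
const goModGraph = `
example.com/octocat github.com/alpha/lib@v1.2.0
example.com/octocat github.com/beta/util@v0.4.0
example.com/octocat github.com/gamma/testonly@v2.0.0
github.com/alpha/lib@v1.2.0 github.com/beta/util@v0.5.0
github.com/alpha/lib@v1.2.0 golang.org/x/text@v0.3.0
github.com/beta/util@v0.4.0 golang.org/x/text@v0.3.7
github.com/beta/util@v0.5.0 golang.org/x/text@v0.3.7
github.com/gamma/testonly@v2.0.0 golang.org/x/text@v0.3.7
`

// splitModule splits "path@version"; a bare path (the main module) yields an
// empty version. Module paths never contain '@', so the last '@' is the separator.
func splitModule(s string) (path, version string) {
	if i := strings.LastIndexByte(s, '@'); i >= 0 {
		return s[:i], s[i+1:]
	}
	return s, ""
}

// chosenVersions maps each module path in the go list -deps output to the
// version actually selected for the build target.
func chosenVersions(goList string) map[string]string {
	chosen := make(map[string]string)
	for _, line := range strings.Split(goList, "\n") {
		if line = strings.TrimSpace(line); line != "" {
			path, version := splitModule(line)
			chosen[path] = version
		}
	}
	return chosen
}

// resolvedEdges keeps only the go mod graph edges between selected module
// versions: edges leaving an unselected version are dropped, edges to a module
// missing from the build list (test-only, pruned) are dropped, and each
// requirement's minimum version is replaced by the version MVS chose for it.
// The result maps "path@version" to its sorted "path@version" dependencies.
func resolvedEdges(goList, graph string) map[string][]string {
	chosen := chosenVersions(goList)
	edges := make(map[string]map[string]bool)
	for _, line := range strings.Split(graph, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		fromPath, fromVer := splitModule(fields[0])
		toPath, _ := splitModule(fields[1])
		if v, ok := chosen[fromPath]; !ok || v != fromVer {
			continue // requirer is not built, or this is not its selected version
		}
		toVer, ok := chosen[toPath]
		if !ok {
			continue // requirement is not part of this build target
		}
		if edges[fields[0]] == nil {
			edges[fields[0]] = make(map[string]bool)
		}
		edges[fields[0]][toPath+"@"+toVer] = true
	}
	out := make(map[string][]string, len(edges))
	for from, tos := range edges {
		for to := range tos {
			out[from] = append(out[from], to)
		}
		sort.Strings(out[from])
	}
	return out
}

func main() {
	for from, tos := range resolvedEdges(goListDeps, goModGraph) {
		fmt.Printf("%s -> %s\n", from, strings.Join(tos, ", "))
	}
}
```

Running it prints three requirers with their resolved edges; `github.com/beta/util@v0.4.0`, `golang.org/x/text@v0.3.0` and `github.com/gamma/testonly@v2.0.0` never appear, so the snapshot carries 3 dependencies rather than the 6 distinct module versions present in the graph.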
  • Add publish-action to sync major release tags to latest minor

    This action provides a relatively minor convenience around releases. When creating a new release, the version should be given as something like v1.0.3. Seeing that, this action will automatically update the v1 tag to point to the newest minor release matching the major number.

    That way, users of this action who pin to (in this example) v1 will always get the latest point release.

    See this doc for a bit more background on this convention.

    I ran this on my own fork to verify that it works. You can see the action output here.

    opened by juxtin 0
  • Bump undici from 5.8.0 to 5.9.1

    Bumps undici from 5.8.0 to 5.9.1.

    Release notes

    Sourced from undici's releases.

    v5.9.1

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.8.2...v5.9.1

    v5.8.2

    ⚠️ Security Release ⚠️

    • CRLF Injection in Nodejs ‘undici’ via Content-Type GHSA-f772-66g8-q5h3 CVE-2022-35948
    • undici.request vulnerable to SSRF using absolute URL on pathname GHSA-8qr4-xgw6-wmr3 CVE-2022-35949

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.8.1...v5.8.2

    v5.8.1

    What's Changed

    New Contributors

    ... (truncated)

    Commits
    • 5890e16 5.9.1
    • ecae314 fix: don't timeout while waiting for client to send request (#1604)
    • fa9fd90 fix(File): respect typed array byteOffset and byteLength (#1601)
    • ae6f554 fix: add support for integrity option to Fetch (#1596)
    • deed628 fix(fetch): implement fully read body algorithm (#1597)
    • 0d1419c Fix array headers (#1598)
    • 52d1ce5 Bumped v5.8.2
    • 66165d6 Merge pull request from GHSA-f772-66g8-q5h3
    • 124f7eb Merge pull request from GHSA-8qr4-xgw6-wmr3
    • aef314c feat(webidl): better error message for ByteString converter (#1591)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Bump @actions/core from 1.8.2 to 1.9.1

    Bumps @actions/core from 1.8.2 to 1.9.1.

    Changelog

    Sourced from @​actions/core's changelog.

    1.9.1

    • Randomize delimiter when calling core.exportVariable

    1.9.0

    • Added toPosixPath, toWin32Path and toPlatformPath utilities #1102
    Commits

    dependencies 
    opened by dependabot[bot] 0
  • Bump undici from 5.5.1 to 5.8.0

    Bumps undici from 5.5.1 to 5.8.0.

    Release notes

    Sourced from undici's releases.

    v5.8.0

    ⚠️ Security Fixes ⚠️

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.7.0...v5.7.1

    v5.7.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.6.1...v5.7.0

    v5.6.1

    What's Changed

    New Contributors

    Full Changelog: https://github.com/nodejs/undici/compare/v5.6.0...v5.6.1

    v5.6.0

    What's Changed

    ... (truncated)

    Commits
    • 26f60b7 Bumped v5.8.0
    • 0a5bee9 Merge pull request from GHSA-q768-x9m6-m9qp
    • a29a151 Merge pull request from GHSA-3cvr-822r-rqcc
    • 722976c docs: updated proxy docs - renamed already used const proxy to proxyServer (#...
    • b6af4e6 fix(body mixin): only allow Uint8Array chunks (#1550)
    • 6c9e634 fix(mock utils): set Readable.abort (#1549)
    • 22e2f39 ci: fix up exclude (#1544)
    • 99205ec feat: use weighted round robin in balancedPool (#1069)
    • 5b57e8c chore: exclude windows node 16 (#1542)
    • 93e31a2 Drop PR title validation (#1543)
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • Use dependency-submission-toolkit published on npmjs.com

    Uses the @github/dependency-submission-toolkit published on the public npmjs.com registry (so no authentication is required to download).

    Updates to latest 1.2.2 version.

    Closes #17.

    opened by lseppala 0
  • Correctly validate gomodpath

    Looked like the previous logic suffered from some boolean confusion. Also, used the required option parameter to ensure we get a validation error from @actions/core -- previously we would get an empty value.

    opened by brphelps 0
  • Fail if generated code is out of date, annotate generated code

    • If we annotate generated files, our PRs will be cleaner (generated files will be collapsed by default)
    • Because we are committing generated files, we should make sure that what we are checking in is reproducible (e.g. after we build again and they are regenerated, we should make sure no outstanding git changes exist). Not doing this opens us up to very weird scenarios like "someone hand edited a dist/ file and what we publish is different than what is in our src/ folder."
    • Added basic instructions to the README.
    opened by brphelps 0
  • Do not URL-safe encode the namespace. PackageURL does this

    Does what it says on the tin.

    Previously, we were URL-safe encoding the namespace of the Go package (the github.com/foo of github.com/foo/bar). This is incorrect by the PackageURL spec (https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst).

    The packageurl-js library does this for us.

    opened by lseppala 0
Releases: v1.0.2
Owner: GitHub Actions (Automate your GitHub workflows)