About automatic dependency submission
Remarque
Automatic dependency submission does not support all package ecosystems. For the current list of supported ecosystems, see Écosystèmes de packages pris en charge pour le graphe des dépendances.
Dependency graph analyzes the manifest and lock files in a repository, in order to help users understand the upstream packages that their software project depends on. However, in some ecosystems, the resolution of transitive dependencies occurs at build-time and GitHub isn't able to automatically discover all dependencies based on the contents of the repository alone.
When you enable automatic dependency submission for a repository, GitHub automatically identifies the transitive dependencies in the repository and will submit these dependencies to GitHub using the API de soumission de dépendances. You can then explore these dependencies using the dependency graph. Dependabot will notify you about security updates for these dependencies by generating Dependabot alerts .
Using automatic dependency submission counts toward your GitHub Actions minutes. For more information, see Facturation GitHub Actions.
Optionally, you can choose to configure self-hosted runners or GitHub-hosted exécuteurs plus grands for automatic dependency submission. For more information, see Accessing private registries with self-hosted runners and Using GitHub-hosted larger runners for automatic dependency submission.
Prerequisites
Dependency graph must be enabled for the repository for you to enable automatic dependency submission.
You must also enable GitHub Actions for the repository in order to use automatic dependency submission. For more information, see Gestion des paramètres de GitHub Actions pour un dépôt.
Enabling automatic dependency submission
Repository administrators can enable or disable automatic dependency submission for a repository by following the steps outlined in this procedure.
Organization owners can enable automatic dependency submission for multiple repositories using a security configuration. For more information, see Création d’une configuration de sécurité personnalisée.
-
Sur GitHub, accédez à la page principale du référentiel.
-
Sous le nom de votre référentiel, cliquez sur Paramètres. Si vous ne voyez pas l’onglet « Paramètres », sélectionnez le menu déroulant , puis cliquez sur Paramètres.
-
Dans la section « Sécurité » de la barre latérale, cliquez sur Advanced Security.
-
Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select Enabled.
Once you've enabled automatic dependency submission for a repository, GitHub will:
- Watch for pushes to the repository.
- Run the dependency graph build action associated with the package ecosystem for any manifests in the repository.
- Perform an automatic dependency submission with the results.
You can view details about the automatic workflows run by viewing the Actions tab of your repository.
Remarque
After you enable automatic dependency submission, we'll automatically trigger a run of the action. Once enabled, it'll run each time a commit to the default branch updates a manifest.
Accessing private registries with self-hosted runners
You can configure self-hosted runners to run automatic dependency submission jobs, instead of using the GitHub Actions infrastructure. This is necessary to access private Maven registries. The self-hosted runners must be running on Linux or macOS. For .NET and Python auto-submission, they must have access to the public internet in order to download the latest component-detection release.
- Provision one or more self-hosted runners, at the repository or organization level. For more information, see Exécuteurs auto-hébergés and Ajout d’exécuteurs auto-hébergés.
- Assign a
dependency-submissionlabel to each runner you want automatic dependency submission to use. For more information, see Utilisation d’étiquettes avec des exécuteurs auto-hébergés. - Dans la section « Sécurité » de la barre latérale, cliquez sur Advanced Security.
- Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select Enabled for labeled runners.
Once enabled, automatic dependency submission jobs will run on the self-hosted runners, unless:
- The self-hosted runners are unavailable.
- There aren't any runner groups tagged with a
dependency-submissionlabel.
Remarque
For Maven or Gradle projects that use self-hosted runners with private Maven registries, you need to modify the Maven server settings file to allow the dependency submission workflows to connect to the registries. For more information about the Maven server settings file, see Security and Deployment Settings in the Maven documentation.
Configuring network access for self-hosted runners
If your self-hosted runners operate behind a firewall with restricted outbound internet access, you must add certain URLs to the allowlist for automatic dependency submission. The required URLs depend on the ecosystems your repositories use.
Required URLs for all ecosystems
These URLs are required for all automatic dependency submission workflows:
https://github.com—Required for accessing GitHub and downloading actions.https://api.github.com—Required for GitHub API access.https://*.githubusercontent.com—Required for downloading action source code and releases (includingraw.githubusercontent.com,github-releases.githubusercontent.com, andobjects.githubusercontent.com).
Ecosystem-specific URLs
Depending on the ecosystems you use, you may need to allowlist additional URLs.
Go
https://go.dev—For downloading the Go toolchain.https://golang.org—Alternate domain for Go downloads.https://proxy.golang.org—Official Go module proxy for downloading Go modules during dependency detection.
Remarque
The actions/go-versions repository is accessed via https://raw.githubusercontent.com, which is already covered in the general requirements.
Java (Maven and Gradle)
https://repo.maven.apache.org—Maven Central repository for downloading dependencies.https://api.adoptium.net—For downloading Adoptium/Temurin JDK distributions (default distribution used byactions/setup-java).
If you use a different JDK distribution, you may also need:
https://aka.msandhttps://download.microsoft.com—For Microsoft Build of OpenJDK (note:aka.msis also used for .NET downloads).https://download.oracle.com—For Oracle JDK.https://api.azul.com—For Azul Zulu OpenJDK.
.NET (C#, F#, Visual Basic)
https://aka.ms—Microsoft URL shortener that redirects to .NET download locations.https://builds.dotnet.microsoft.com—Primary feed for .NET SDK and runtime downloads.https://ci.dot.net—Secondary feed for .NET builds.
Remarque
The microsoft/component-detection tool used by .NET autosubmission is downloaded from GitHub releases, which is already covered in the general requirements (https://github.com and https://*.githubusercontent.com).
Python
https://python.org—For downloading Python interpreters.
Remarque
The actions/python-versions repository and microsoft/component-detection releases are accessed via URLs already covered in the general requirements (https://*.githubusercontent.com and https://github.com).
Using GitHub-hosted exécuteurs plus grands for automatic dependency submission
GitHub Team or GitHub Enterprise Cloud users can use exécuteurs plus grands to run automatic dependency submissions jobs.
- Provision a larger runner at the organization level with the name
dependency-submission. For more information, see Adding a exécuteur plus grand to an organization. - Give your repository access to the runner. For more information, see Allowing repositories to access exécuteurs plus grands.
- Under "Dependency graph", click the dropdown menu next to “Automatic dependency submission”, then select Enabled for labeled runners.
Troubleshooting automatic dependency submission
Automatic dependency submission makes a best effort to cache package downloads between runs using the Cache action to speed up workflows. For self-hosted runners, you may want to manage this cache within your own infrastructure. To do this, you can disable the built-in caching by setting an environment variable of GH_DEPENDENCY_SUBMISSION_SKIP_CACHE to true. For more information, see Stocker des informations dans des variables.
Manifest deduplication
Le graphe des dépendances peut découvrir les dépendances de trois manières différentes : analyse statique, soumission automatique et soumission manuelle. Un référentiel peut avoir plusieurs méthodes configurées, ce qui peut entraîner l’analyse multiple du même manifeste de package, avec des sorties potentiellement différentes à chaque analyse. Le graphe des dépendances utilise une logique de déduplication pour analyser les sorties, en donnant la priorité aux informations les plus précises pour chaque fichier manifeste.
Le graphe des dépendances affiche uniquement une instance de chaque fichier manifeste à l’aide des règles de priorité suivantes.
- Les soumissions des utilisateurs ont la priorité absolue, car elles sont généralement créées lors de la génération des artefacts et contiennent donc les informations les plus complètes.
- S’il existe plusieurs instantanés manuels provenant de différents détecteurs, ils sont classés par ordre alphabétique selon le corrélateur et le premier est utilisé.
- S’il existe deux corrélateurs avec le même détecteur, les dépendances résolues sont fusionnées. Pour plus d’informations sur les corrélateurs et les détecteurs, consultez Points de terminaison d’API REST pour la soumission de dépendances.
- Les soumissions automatiques ont la deuxième priorité la plus élevée, car elles sont également créées lors de la génération des artefacts, mais ne sont pas soumises par les utilisateurs.
- Les résultats de l’analyse statique sont utilisés lorsqu’aucune autre donnée n’est disponible.
Package ecosystem-specific information
Maven projects
For Maven projects, automatic dependency submission runs an open source fork of the Maven Dependency Tree Dependency Submission. The fork allows GitHub to stay in sync with the upstream repository plus maintain some changes that are only applicable to automatic submission. The fork's source is available at advanced-security/maven-dependency-submission-action.
If your repository's dependencies seem inaccurate, check that the timestamp of the last dependency graph build matches the last change to your pom.xml file. The timestamp is visible on the table of alerts in the repository's Dependabot alerts tab. Pushing a commit which updates pom.xml will trigger a new run of the Dependency Tree Submission action and force a rebuild of that repository's dependency graph.
Gradle projects
For Gradle projects, automatic dependency submission runs a fork of the open source Gradle actions from gradle/actions. The fork is available at actions/gradle-build-tools-actions. You can view the results of the autosubmission action under your repository's Actions tab. Each run will be labeled "Automatic Dependency Submission (Gradle)" and its output will contain the JSON payload which the action submitted to the API.
.NET projects
The .NET autosubmission action uses the open source component-detection project as the engine for its dependency detection. It supports .NET 8.x, 9.x, and 10.x. .NET autosubmission runs if the repository's dependabot.yml defines nuget as a package-ecosystem or when there is a supported manifest file in the root directory of the repository. Supported manifest files include .sln, .csproj, packages.config, .vbproj, .vcxproj, and .fsproj.
Python projects
Python uses the open source component-detection project as its underlying graph generation engine. The autosubmission action for Python will only run if there is a requirements.txt file in the root directory of the repository. Python autosubmission does not currently support private packages; packages referenced in requirements.txt which are not publicly available will cause the autosubmission action to fail.
Remarque
This action uses actions/setup-python to install Python. You must include a .python-version file in your repository to specify the Python version to be installed.