{"id":32520742,"url":"https://github.com/rmuir/uv-dependency-submission","last_synced_at":"2026-04-27T13:00:29.997Z","repository":{"id":317655080,"uuid":"1068284814","full_name":"rmuir/uv-dependency-submission","owner":"rmuir","description":"GitHub Action for submitting uv.lock dependencies","archived":false,"fork":false,"pushed_at":"2026-04-23T03:12:17.000Z","size":280,"stargazers_count":21,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-23T05:08:48.360Z","etag":null,"topics":["dependency-graph","dependency-management","github-actions","python","security","uv"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rmuir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-02T06:33:06.000Z","updated_at":"2026-04-23T03:12:21.000Z","dependencies_parsed_at":"2025-10-19T19:14:39.565Z","dependency_job_id":"c0083432-e090-4dd5-83ac-2355b010e5c9","html_url":"https://github.com/rmuir/uv-dependency-submission","commit_stats":null,"previous_names":["rmuir/uv-dependency-submission"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/rmuir/uv-dependency-submission","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmuir%2Fuv-dependency-submission","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmuir%2Fuv-dependency-submission/tags","releases_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmuir%2Fuv-dependency-submission/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmuir%2Fuv-dependency-submission/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rmuir","download_url":"https://codeload.github.com/rmuir/uv-dependency-submission/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rmuir%2Fuv-dependency-submission/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32337274,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency-graph","dependency-management","github-actions","python","security","uv"],"created_at":"2025-10-28T05:49:41.569Z","updated_at":"2026-04-27T13:00:29.990Z","avatar_url":"https://github.com/rmuir.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# uv-dependency-submission\n\nGitHub Action for submitting uv.lock dependencies\n\nThis is a GitHub Action that will generate a complete dependency graph from `uv.lock` files in the repository and submit the graph to the GitHub repository so that the graph is complete and includes all the transitive dependencies.\n\nThe action will use `git 
ls-files` to locate all `uv.lock` files, validate their [schema version](https://docs.astral.sh/uv/concepts/resolution/#lockfile-versioning), then parse them with Python's [tomllib](https://docs.python.org/3/library/tomllib.html) to generate JSON output of the complete dependency graph, and submit the manifests using the `gh` CLI to the GitHub repository.\n\n![Screenshot](https://github.com/user-attachments/assets/89d5078b-2f71-4b52-a19e-c189f8a9b70a)\n\n## Example workflow\n\nMake sure you've enabled Dependency Graph in the Security section of the repository Settings first.\n\n```yaml\nname: Dependency Submission\n\non:\n  # trigger manually (e.g. for initial setup)\n  workflow_dispatch:\n  # trigger when uv.lock files change in the default branch.\n  push:\n    branches: ['main', 'master']\n    paths:\n      - '**/uv.lock'\n\n# Drop the broad default GITHUB_TOKEN permissions for least-privilege:\n# https://docs.zizmor.sh/audits/#excessive-permissions\npermissions: {}\n\nconcurrency:\n  group: ${{ github.workflow }}-${{ github.ref }}\n  cancel-in-progress: true\n\njobs:\n  dependency-submission:\n    name: Submit uv dependencies\n    runs-on: ubuntu-latest\n    timeout-minutes: 15\n    permissions:\n      contents: write # needs to submit dependency graph data\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n        with:\n          persist-credentials: false\n\n      - name: Submit dependency snapshot\n        uses: rmuir/uv-dependency-submission@8c650a3e5e519b93e604e644f7a4a3953144babe # v1.1.1\n```\n\n\u003e [!NOTE]\n\u003e After committing the workflow file, trigger the workflow once manually from the Actions UI for initial setup.\n\n## Configuration\n\nCurrently there are no parameters.\nThe `gh` CLI is used to upload the snapshot; you can pass `env:` variables to change some of its behavior:\n\n- \u003chttps://cli.github.com/manual/gh_help_environment\u003e\n\n## Background\n\nIf you have a uv-based 
project, GitHub will detect dependencies from `uv.lock` automatically.\n\nHowever, the built-in GitHub functionality is new and currently very minimal:\n\n- Dependencies are submitted as a flat list from each `uv.lock`\n- No indication of transitive vs. direct dependencies.\n- No SBOM paths (e.g. to see how a particular dependency was brought in)\n\nThe built-in GitHub functionality is enough for you to receive Dependabot security alerts.\n\nThis action populates the full graph metadata, enabling more of GitHub's security features.\n\n## Caveats\n\n- Very new and may have exciting bugs. Pull requests welcome.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frmuir%2Fuv-dependency-submission","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frmuir%2Fuv-dependency-submission","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frmuir%2Fuv-dependency-submission/lists"}