https://github.com/rmuir/uv-dependency-submission
GitHub Action for submitting uv.lock dependencies
- Host: GitHub
- URL: https://github.com/rmuir/uv-dependency-submission
- Owner: rmuir
- License: apache-2.0
- Created: 2025-10-02T06:33:06.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2026-04-23T03:12:17.000Z (about 1 month ago)
- Last Synced: 2026-04-23T05:08:48.360Z (about 1 month ago)
- Topics: dependency-graph, dependency-management, github-actions, python, security, uv
- Language: Python
- Size: 273 KB
- Stars: 21
- Watchers: 2
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# uv-dependency-submission
GitHub Action for submitting uv.lock dependencies
This is a GitHub Action that generates a complete dependency graph from the `uv.lock` files in the repository and submits it to the GitHub dependency graph, so that the graph is complete and includes all transitive dependencies.
The action uses `git ls-files` to locate all `uv.lock` files, validates their [schema version](https://docs.astral.sh/uv/concepts/resolution/#lockfile-versioning), then parses them with Python's [tomllib](https://docs.python.org/3/library/tomllib.html) to generate JSON output of the complete dependency graph, and submits the resulting manifests to the GitHub repository using the `gh` CLI.
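The parsing step described above, as an added example that is not the action's own code: it loads a constructed `uv.lock` with `tomllib`, rejects unexpected lockfile schema versions, treats the project's own packages (sourced as `virtual` or `editable`) as roots, and classifies every other locked package as a direct or indirect dependency, keyed by name with a package URL and its own dependency list, which is the information a dependency-graph snapshot needs beyond a flat package list. The accepted version set, the root-detection rule and the `tomli` fallback are assumptions.

```python
# Added example, not the action's own code: uv.lock -> dependency-graph entries.
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # assumption: tomli as fallback on older Pythons
SUPPORTED_LOCK_VERSIONS = {1}               # assumption: schema versions accepted here
ROOT_SOURCE_KEYS = {"virtual", "editable"}  # assumption: how the project's own packages are sourced
SAMPLE_UV_LOCK = """
# constructed sample lockfile: myproject -> requests -> urllib3
version = 1
[[package]]
name = "myproject"
version = "0.1.0"
source = { virtual = "." }
dependencies = [{ name = "requests" }]
[[package]]
name = "requests"
version = "2.32.3"
source = { registry = "https://pypi.org/simple" }
dependencies = [{ name = "urllib3" }]
[[package]]
name = "urllib3"
version = "2.2.3"
source = { registry = "https://pypi.org/simple" }
"""

def purl(pkg: dict) -> str:
    # Package URL, the identifier form dependency submission manifests use.
    return f"pkg:pypi/{pkg['name']}@{pkg['version']}"

def build_resolved(lock_text: str) -> dict:
    # Returns resolved-style entries keyed by package name; root packages are excluded.
    lock = tomllib.loads(lock_text)
    if lock.get("version") not in SUPPORTED_LOCK_VERSIONS:
        raise ValueError(f"unsupported uv.lock version: {lock.get('version')!r}")
    packages = {p["name"]: p for p in lock.get("package", [])}
    roots = {n for n, p in packages.items() if set(p["source"]) & ROOT_SOURCE_KEYS}
    # Direct = declared by a root package; every other locked package is indirect.
    direct = {d["name"] for n in roots for d in packages[n].get("dependencies", [])}
    resolved = {}
    for name, pkg in packages.items():
        if name in roots:
            continue
        resolved[name] = {
            "package_url": purl(pkg),
            "relationship": "direct" if name in direct else "indirect",
            "dependencies": [purl(packages[d["name"]]) for d in pkg.get("dependencies", [])],
        }
    return resolved
```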

## Example workflow
Make sure you've enabled Dependency Graph in the Security section of the repository Settings first.
```yaml
name: Dependency Submission
on:
  # trigger manually (e.g. for initial setup)
  workflow_dispatch:
  # trigger when uv.lock files change in the default branch.
  push:
    branches: ['main', 'master']
    paths:
      - '**/uv.lock'
# Drop the broad default GITHUB_TOKEN permissions for least-privilege:
# https://docs.zizmor.sh/audits/#excessive-permissions
permissions: {}
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  dependency-submission:
    name: Submit uv dependencies
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: write # needs to submit dependency graph data
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Submit dependency snapshot
        uses: rmuir/uv-dependency-submission@8c650a3e5e519b93e604e644f7a4a3953144babe # v1.1.1
```
> [!NOTE]
> After committing the workflow file, trigger it once manually from the Actions UI for the initial setup.
## Configuration
Currently there are no parameters.
The `gh` CLI is used to upload the snapshot; you can pass `env:` variables to change some of its behavior.
## Background
If you have a uv-based project, GitHub will detect dependencies from `uv.lock` automatically.
However, the built-in GitHub functionality is new and currently very minimal:
- Dependencies are submitted as a flat list from each `uv.lock`.
- No indication of transitive vs. direct dependencies.
- No SBOM paths (e.g. to see how a particular dependency was brought in).
The built-in GitHub functionality is enough for you to receive Dependabot security alerts.
By using this action, the full graph metadata is populated, enabling more of GitHub's security features.
## Caveats
- Very new and may have exciting bugs. Pull requests welcome.