Merge branch 'main' into dependabot/npm_and_yarn/undici-5.29.0

This commit is contained in:
Ahmed ElMallah
2025-06-20 12:06:48 -04:00
committed by GitHub
6 changed files with 204 additions and 16 deletions
+6 -1
View File
@@ -28,5 +28,10 @@ jobs:
run: npm rebuild && npm run all
- name: Verify no uncommitted files
run: '[ -z "$(git status --porcelain=v1 2>/dev/null)" ]'
run: |
if [ -n "$(git status --porcelain=v1 2>/dev/null)" ]; then
echo "There are uncommitted changes!"
git status --porcelain=v1
exit 1
fi
shell: bash
+79 -1
View File
@@ -1,7 +1,7 @@
# Go Dependency Submission
This GitHub Action calculates dependencies for a Go build-target (a Go file with a
`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.
`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.
### Running locally
@@ -53,3 +53,81 @@ jobs:
# include Go dependencies used by tests and tooling.
go-build-target: go-example/cmd/octocat.go
```
### Accessing Private Go Modules
This action will fail if your `go.mod` contains private Go modules.
To access private Go modules the action requires an extra step to access your
private module registry.
See official Go documentation for more information at https://go.dev/doc/faq#git_https
#### Accessing Private Go Modules Hosted on GitHub
If your private Go modules are hosted on GitHub, there are various ways for the action to
access them. You can use either HTTPS authentication with a Personal Access Token (PAT) or SSH authentication with deploy keys or SSH keys.
#### Authentication Methods
**HTTPS with Personal Access Token**: Uses a GitHub Personal Access Token to authenticate with private repositories. This method requires storing the token as a repository secret. See [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) for setup instructions.
**SSH Authentication**: Uses SSH keys or deploy keys for authentication. This method doesn't require storing tokens and can be more secure for some use cases. See the [GitHub documentation on SSH authentication](https://docs.github.com/en/authentication/connecting-to-github-with-ssh) for setup instructions.
#### Additional Environment Variables
- **`GONOPROXY`**: Set this to bypass the module proxy entirely for specific modules
- **`GOSUMDB`**: Set to `off` or configure to skip checksum verification for private modules
- **`GOPROXY`**: Can be set to `direct` to bypass proxies completely
#### Example: HTTPS Authentication with Personal Access Token
This example adds a step to the workflow which uses a GitHub
[Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
which has repo permissions. The PAT is saved as a repo [actions secret](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) `GH_ACCESS_TOKEN`.
The env variable `GOPRIVATE` has also been set so that the GitHub org `foo` is considered private.
```yaml
name: Go Dependency Submission
on:
push:
branches:
- main
# The API requires write permission on the repository to submit dependencies
permissions:
contents: write
# Environment variables to configure Go and Go modules. Customize as necessary
env:
GOPROXY: 'https://proxy.golang.org,direct' # To add a private proxy, place it between the public golang proxy and direct
GOPRIVATE: 'github.com/foo/*' # repositories in organization foo are considered private
jobs:
go-action-detection:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: ">=1.18.0"
# Authentication step
- name: Authenticate with GitHub
run: git config --global url.https://${{ secrets.GH_ACCESS_TOKEN }}@github.com/.insteadOf https://github.com/
- name: Run snapshot action
uses: actions/go-dependency-submission@v2
with:
# Required: Define the repo path to the go.mod file used by the
# build target
go-mod-path: go-example/go.mod
#
# Optional: Define the path of a build target (a file with a
# `main()` function) If not defined, this Action will collect all
# dependencies used by all build targets for the module, which may
# include Go dependencies used by tests and tooling.
go-build-target: go-example/cmd/octocat.go
```
+28
View File
@@ -17,6 +17,34 @@ inputs:
required: true
description: 'Build target to detect build dependencies. If unspecified, will use "all", with will detect all dependencies used in all build targets (including tests and tools).'
default: 'all'
snapshot-sha:
description: The SHA that the results will be linked to in the dependency snapshot
type: string
required: false
default: ''
snapshot-ref:
description: The ref that the results will be linked to in the dependency snapshot
type: string
required: false
default: ''
# If any of detector-name, detector-version, or detector-url are provided, they all have to be provided.
# Defaults will be used if none are not provided. If only one or two are provided, the action will fail.
detector-name:
description: The name of the detector that generated the dependency snapshot
type: string
required: false
default: ''
detector-version:
description: The version of the detector that generated the dependency snapshot
type: string
required: false
default: ''
detector-url:
description: The URL to the detector that generated the dependency snapshot
type: string
required: false
default: ''
runs:
using: 'node20'
main: 'dist/index.js'
Generated Vendored
+39 -5
View File
@@ -94,15 +94,49 @@ function main() {
}
manifest.addIndirectDependency(dep);
});
const snapshot = new dependency_submission_toolkit_1.Snapshot({
name: 'actions/go-dependency-submission',
url: 'https://github.com/actions/go-dependency-submission',
version: '0.0.1'
}, github.context, {
let snapshotDetector;
const detectorName = core.getInput('detector-name');
const detectorUrl = core.getInput('detector-url');
const detectorVersion = core.getInput('detector-version');
if (detectorName === '' && detectorUrl === '' && detectorVersion === '') {
// use defaults if none are specified
snapshotDetector = {
name: 'actions/go-dependency-submission',
url: 'https://github.com/actions/go-dependency-submission',
version: '0.0.1'
};
}
else if (detectorName === '' ||
detectorUrl === '' ||
detectorVersion === '') {
// if any of detectorName, detectorUrl, or detectorVersion have value, then they are all required
throw new Error("Invalid input: if any of 'detector-name', 'detector-url', or 'detector-version' have value, then thay are all required.");
}
else {
// use inputs since all are specified
snapshotDetector = {
name: detectorName,
url: core.getInput('detector-url', { required: true }),
version: core.getInput('detector-version', { required: true })
};
}
const snapshot = new dependency_submission_toolkit_1.Snapshot(snapshotDetector, github.context, {
correlator: `${github.context.job}-${goBuildTarget}`,
id: github.context.runId.toString()
});
snapshot.addManifest(manifest);
// only override the sha if the input has a value
// otherwise, continue to use the sha set from the context in the Snapshot constructor
const inputSHA = core.getInput('sha');
if (inputSHA !== '') {
snapshot.sha = inputSHA;
}
// only override the ref if the input has a value
// otherwise, continue to use the ref set from the context in the Snapshot constructor
const inputRef = core.getInput('ref');
if (inputRef !== '') {
snapshot.ref = inputRef;
}
(0, dependency_submission_toolkit_1.submitSnapshot)(snapshot);
});
}
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+51 -8
View File
@@ -77,19 +77,62 @@ async function main () {
manifest.addIndirectDependency(dep)
})
const snapshot = new Snapshot(
{
type SnapshotDetector = {
name: string
url: string
version: string
}
let snapshotDetector: SnapshotDetector
const detectorName = core.getInput('detector-name')
const detectorUrl = core.getInput('detector-url')
const detectorVersion = core.getInput('detector-version')
if (detectorName === '' && detectorUrl === '' && detectorVersion === '') {
// use defaults if none are specified
snapshotDetector = {
name: 'actions/go-dependency-submission',
url: 'https://github.com/actions/go-dependency-submission',
version: '0.0.1'
},
github.context,
{
correlator: `${github.context.job}-${goBuildTarget}`,
id: github.context.runId.toString()
}
)
} else if (
detectorName === '' ||
detectorUrl === '' ||
detectorVersion === ''
) {
// if any of detectorName, detectorUrl, or detectorVersion have value, then they are all required
throw new Error(
"Invalid input: if any of 'detector-name', 'detector-url', or 'detector-version' have value, then thay are all required."
)
} else {
// use inputs since all are specified
snapshotDetector = {
name: detectorName,
url: core.getInput('detector-url', { required: true }),
version: core.getInput('detector-version', { required: true })
}
}
const snapshot = new Snapshot(snapshotDetector, github.context, {
correlator: `${github.context.job}-${goBuildTarget}`,
id: github.context.runId.toString()
})
snapshot.addManifest(manifest)
// only override the sha if the input has a value
// otherwise, continue to use the sha set from the context in the Snapshot constructor
const inputSHA = core.getInput('sha')
if (inputSHA !== '') {
snapshot.sha = inputSHA
}
// only override the ref if the input has a value
// otherwise, continue to use the ref set from the context in the Snapshot constructor
const inputRef = core.getInput('ref')
if (inputRef !== '') {
snapshot.ref = inputRef
}
submitSnapshot(snapshot)
}