rmuir/uv-dependency-submission
uv-dependency-submission

GitHub Action for submitting uv.lock dependencies

This GitHub Action generates a complete dependency graph from the uv.lock files in a repository and submits it to GitHub's dependency graph, so that the graph includes all transitive dependencies.

The action uses git ls-files to locate all uv.lock files, validates their schema version, parses them with Python's tomllib to produce the complete dependency graph as JSON, and submits the resulting manifests to the GitHub repository with the gh CLI.

Screenshot

Example workflow

Make sure you've enabled Dependency Graph in the Security section of the repository Settings first.

name: Dependency Submission

on:
  # trigger manually (e.g. for initial setup)
  workflow_dispatch:
  # trigger when uv.lock files change in the default branch.
  push:
    branches: ['main', 'master']
    paths:
      - '**/uv.lock'

# Drop the broad default GITHUB_TOKEN permissions for least-privilege:
# https://docs.zizmor.sh/audits/#excessive-permissions
permissions: {}

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dependency-submission:
    name: Submit uv dependencies
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: write # needs to submit dependency graph data
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Submit dependency snapshot
        uses: rmuir/uv-dependency-submission@1c48aaac13e566e39fd04269ff1900b86c1105c5 # v1.0.0

Note

After committing the workflow file, trigger the workflow once manually from the Actions UI for the initial setup.

Configuration

Currently there are no parameters. The gh CLI is used to upload the snapshot; you can pass env: variables to change some of its behavior:

Background

If you have a uv-based project, GitHub will detect dependencies from uv.lock automatically.

However, the built-in GitHub functionality is new and currently very minimal:

  • Dependencies are submitted as a flat list from each uv.lock
  • No indication of transitive vs. direct dependencies
  • No SBOM paths (e.g. to see how a particular dependency was brought in)

The built-in GitHub functionality is enough for you to receive Dependabot security alerts.

With this action, the full graph metadata is populated, enabling more of GitHub's security features.

Caveats

  • Very new and may have exciting bugs. Pull requests welcome.
