Dependency graph now supports GitHub Actions

The dependency graph helps developers understand the software they depend on. While this has historically focused on traditional open source dependencies in your code from package managers like npm, NuGet, Maven, or RubyGems, millions of repositories are using GitHub Actions, and developers and maintainers can benefit from seeing who depends upon their actions.

Today, we are announcing that the dependency graph now supports GitHub Actions. From any repository which uses Actions, you can now see your Actions workflows listed alongside any other dependencies in the Insights/Dependency Graph experience.

Additionally, you can view a list of repositories that depend on your action under the Dependencies tab, or by looking at the “Used By” count on your repository homepage. This count does not include any private repositories that might use your action. In the event you maintain multiple packages or actions from one repository, you may also want to change the package that’s displayed on the repository home page to highlight the one you are most proud of.

The dependency graph is the foundation of GitHub’s supply chain security capabilities because understanding what you depend on is a crucial first step toward securing your software. You can configure Dependabot version updates to keep your Actions dependencies up to date automatically. Keep an eye on the public roadmap for more information about upcoming supply chain improvements in this area.

Learn more about the dependency graph

Written by

Justin Hutchings

@jhutchings1@github.com

Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0