Reusable GitHub Actions for git-pkgs dependency analysis.

Installs git-pkgs and initializes the dependency database.

```yaml
- uses: git-pkgs/actions/setup@v1
  with:
    version: "0.1.9" # optional, defaults to latest
```

Comments on PRs with a summary of dependency changes (added, removed, updated).

```yaml
- uses: git-pkgs/actions/diff@v1
```

Scans for known vulnerabilities. Can block on a severity threshold and upload SARIF to GitHub Advanced Security.

```yaml
- uses: git-pkgs/actions/vulns@v1
  with:
    severity: "high" # fail on high or critical
    sarif: "true" # upload to GitHub Advanced Security
```

Enforces license policy with allow/deny lists.

```yaml
- uses: git-pkgs/actions/licenses@v1
  with:
    allow: "MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC"
```

Generates a CycloneDX or SPDX Software Bill of Materials and uploads it as a workflow artifact.

```yaml
- uses: git-pkgs/actions/sbom@v1
  with:
    format: "cyclonedx" # or spdx
```

A complete pull request workflow combining these actions:

```yaml
name: Dependencies
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
  security-events: write
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: git-pkgs/actions/setup@v1
      - uses: git-pkgs/actions/diff@v1
      - uses: git-pkgs/actions/vulns@v1
        with:
          severity: "high"
      - uses: git-pkgs/actions/licenses@v1
        with:
          deny: "GPL-3.0-only,AGPL-3.0-only"
```

Note: `fetch-depth: 0` is required so git-pkgs can access the full commit history.
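To make the gating semantics of the `severity`, `allow` and `deny` inputs concrete, here is an added illustration (not git-pkgs code and not part of this repository) of how such a check evaluates a scan result. The finding and package records, the severity ordering and the rule that a configured allow list is checked before the deny list are assumptions of the example; the sample data is constructed.

```python
# Added illustration of the policy semantics behind the `vulns` and `licenses`
# inputs. This is NOT git-pkgs code; the record shapes, the severity order and
# the "allow list is checked before deny list" rule are assumptions.

SEVERITIES = ["low", "medium", "high", "critical"]  # ascending order

def failing_vulns(findings, threshold):
    """Findings at or above `threshold` (severity: "high" fails on high or critical)."""
    floor = SEVERITIES.index(threshold.lower())
    return [f for f in findings if SEVERITIES.index(f["severity"].lower()) >= floor]

def parse_list(value):
    """Split a comma-separated action input such as "MIT,Apache-2.0" into a set."""
    return {s.strip() for s in value.split(",") if s.strip()}

def license_violations(packages, allow="", deny=""):
    """Packages whose license is outside `allow` (when set) or inside `deny`."""
    allowed, denied = parse_list(allow), parse_list(deny)
    bad = []
    for pkg in packages:
        lic = pkg["license"]
        if allowed and lic not in allowed:
            bad.append((pkg["name"], lic, "not in allow list"))
        elif lic in denied:
            bad.append((pkg["name"], lic, "in deny list"))
    return bad

def gate(findings, packages, severity="high", allow="", deny=""):
    """Mirror one workflow run: return (ok, reasons) the way a failing step would report."""
    reasons = [f"{f['id']} ({f['severity']}) in {f['package']}"
               for f in failing_vulns(findings, severity)]
    reasons += [f"{name}: {lic} {why}"
                for name, lic, why in license_violations(packages, allow, deny)]
    return (not reasons, reasons)

# Constructed sample data, not real scan output.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-1", "package": "pkg-a", "severity": "low"},
    {"id": "EXAMPLE-2", "package": "pkg-b", "severity": "high"},
    {"id": "EXAMPLE-3", "package": "pkg-c", "severity": "critical"},
]
SAMPLE_PACKAGES = [
    {"name": "pkg-a", "license": "MIT"},
    {"name": "pkg-b", "license": "GPL-3.0-only"},
    {"name": "pkg-c", "license": "AGPL-3.0-only"},
]

if __name__ == "__main__":
    ok, why = gate(SAMPLE_FINDINGS, SAMPLE_PACKAGES, "high", deny="GPL-3.0-only,AGPL-3.0-only")
    print("PASS" if ok else "FAIL\n" + "\n".join(why))
```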
Copyright (c) 2026 Andrew Nesbitt. MIT License.