Merge pull request #103 from actions/ljones140/security-upgrades

Security Upgrade

.github/workflows/codeql.yml

@@ -20,7 +20,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript-typescript' ]
+        language: [ 'javascript-typescript', 'actions', 'go' ]
 
     steps:
     - name: Checkout repository

.github/workflows/go-dependency-submission.yml

@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: ">=1.18.0"
 

.github/workflows/test.yml

@@ -8,7 +8,10 @@ on: # rebuild any PRs and main branch changes
     branches:
       - main
       - 'releases/*'
-
+      
+permissions:
+  contents: read
+  
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -28,5 +31,10 @@ jobs:
         run: npm rebuild && npm run all
 
       - name: Verify no uncommitted files
-        run: '[ -z "$(git status --porcelain=v1 2>/dev/null)" ]'
+        run: |
+          if [ -n "$(git status --porcelain=v1 2>/dev/null)" ]; then
+            echo "There are uncommitted changes!"
+            git status --porcelain=v1
+            exit 1
+          fi
         shell: bash

CONTRIBUTING.md

@@ -28,6 +28,46 @@ Here are a few things you can do that will increase the likelihood of your pull
 - Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
 - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
 
+## Cutting a new release
+
+<details>
+
+_Note: these instructions are for maintainers_
+
+1. Update the version number in [package.json](https://github.com/actions/go-dependency-submission/blob/main/package.json) and run `npm i` to update the lockfile.
+1. Go to [Draft a new
+   release](https://github.com/actions/go-dependency-submission/releases/new)
+   in the Releases page.
+1. Make sure that the `Publish this Action to the GitHub Marketplace`
+   checkbox is enabled
+
+<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
+
+3. Click "Choose a tag" and then "Create new tag", where the tag name
+   will be your version prefixed by a `v` (e.g. `v1.2.3`).
+4. Use a version number for the release title (e.g. "1.2.3").
+
+<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
+
+5. Add your release notes. If this is a major version make sure to
+   include a small description of the biggest changes in the new version.
+6. Click "Publish Release".
+
+You now have a tag and release using the semver version you used
+above. The last remaining thing to do is to move the dynamic version
+identifier to match the current SHA. This allows users to adopt a
+major version number (e.g. `v1`) in their workflows while
+automatically getting all the
+minor/patch updates.
+
+To do this just checkout `main`, force-create a new annotated tag, and push it:
+
+```
+git tag -fa v2 -m "Updating v2 to 2.0.1"
+git push origin v2 --force
+```
+</details>
+
 ## Resources
 
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)

README.md

@@ -1,7 +1,7 @@
 # Go Dependency Submission
 
 This GitHub Action calculates dependencies for a Go build-target (a Go file with a
-`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies. 
+`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.
 
 ### Running locally
 
@@ -53,3 +53,81 @@ jobs:
             # include Go dependencies used by tests and tooling.
             go-build-target: go-example/cmd/octocat.go
 ```
+
+### Accessing Private Go Modules
+
+This action will fail if your `go.mod` contains private Go modules.
+To access private Go modules the action requires an extra step to access your
+private module registry.
+
+See official Go documentation for more information at https://go.dev/doc/faq#git_https
+
+#### Accessing Private Go Modules Hosted on GitHub
+
+If your private Go modules are hosted on GitHub, there are various ways for the action to
+access them. You can use either HTTPS authentication with a Personal Access Token (PAT) or SSH authentication with deploy keys or SSH keys.
+
+#### Authentication Methods
+
+**HTTPS with Personal Access Token**: Uses a GitHub Personal Access Token to authenticate with private repositories. This method requires storing the token as a repository secret. See [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) for setup instructions.
+
+**SSH Authentication**: Uses SSH keys or deploy keys for authentication. This method doesn't require storing tokens and can be more secure for some use cases. See the [GitHub documentation on SSH authentication](https://docs.github.com/en/authentication/connecting-to-github-with-ssh) for setup instructions.
+
+#### Additional Environment Variables
+
+- **`GONOPROXY`**: Set this to bypass the module proxy entirely for specific modules
+- **`GOSUMDB`**: Set to `off` or configure to skip checksum verification for private modules
+- **`GOPROXY`**: Can be set to `direct` to bypass proxies completely
+
+#### Example: HTTPS Authentication with Personal Access Token
+
+This example adds a step to the workflow which uses a GitHub
+[Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
+which has repo permissions. The PAT is saved as a repo [actions secret](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) `GH_ACCESS_TOKEN`.
+
+The env variable `GOPRIVATE` has also been set so that the GitHub org `foo` is considered private.
+
+```yaml
+name: Go Dependency Submission
+on:
+  push:
+    branches:
+      - main
+
+# The API requires write permission on the repository to submit dependencies
+permissions:
+  contents: write
+
+# Environment variables to configure Go and Go modules. Customize as necessary
+env:
+  GOPROXY: 'https://proxy.golang.org,direct' # To add a private proxy, place it between the public golang proxy and direct
+  GOPRIVATE: 'github.com/foo/*' # repositories in organization foo are considered private
+
+jobs:
+  go-action-detection:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.18.0"
+
+      # Authentication step
+      - name: Authenticate with GitHub
+        run: git config --global url.https://${{ secrets.GH_ACCESS_TOKEN }}@github.com/.insteadOf https://github.com/
+
+      - name: Run snapshot action
+        uses: actions/go-dependency-submission@v2
+        with:
+            # Required: Define the repo path to the go.mod file used by the
+            # build target
+            go-mod-path: go-example/go.mod
+            #
+            # Optional: Define the path of a build target (a file with a
+            # `main()` function) If not defined, this Action will collect all
+            # dependencies used by all build targets for the module, which may
+            # include Go dependencies used by tests and tooling.
+            go-build-target: go-example/cmd/octocat.go
+```

action.yml

@@ -17,6 +17,34 @@ inputs:
     required: true
     description: 'Build target to detect build dependencies. If unspecified, will use "all", with will detect all dependencies used in all build targets (including tests and tools).'
     default: 'all'
+  snapshot-sha:
+    description: The SHA that the results will be linked to in the dependency snapshot
+    type: string
+    required: false
+    default: ''
+  snapshot-ref:
+    description: The ref that the results will be linked to in the dependency snapshot
+    type: string
+    required: false
+    default: ''
+
+  # If any of detector-name, detector-version, or detector-url are provided, they all have to be provided.  
+  # Defaults will be used if none are not provided.  If only one or two are provided, the action will fail.
+  detector-name:
+    description: The name of the detector that generated the dependency snapshot
+    type: string
+    required: false
+    default: ''
+  detector-version:
+    description: The version of the detector that generated the dependency snapshot
+    type: string
+    required: false
+    default: ''
+  detector-url:
+    description: The URL to the detector that generated the dependency snapshot
+    type: string
+    required: false
+    default: ''
 runs:
-  using: 'node20'
+  using: 'node24'
   main: 'dist/index.js'

babel.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  presets: [
+    ['@babel/preset-env', { targets: { node: '20' } }],
+    '@babel/preset-typescript',
+  ],
+};

dist/licenses.txt

@@ -268,16 +268,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
-@vercel/ncc
-MIT
-Copyright 2018 ZEIT, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 before-after-hook
 Apache-2.0
                                  Apache License
@@ -502,57 +492,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
-is-plain-object
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2014-2017, Jon Schlinkert.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-
-node-fetch
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2016 David Frank
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-
-
 once
 ISC
 The ISC License
@@ -574,9 +513,25 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 packageurl-js
 MIT
+Copyright (c) the purl authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-tr46
-MIT
 
 tunnel
 MIT
@@ -603,6 +558,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
+undici
+MIT
+MIT License
+
+Copyright (c) Matteo Collina and Undici contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 universal-user-agent
 ISC
 # [ISC License](https://spdx.org/licenses/ISC)
@@ -614,60 +594,6 @@ Permission to use, copy, modify, and/or distribute this software for any purpose
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
-uuid
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2010-2020 Robert Kieffer and other contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-webidl-conversions
-BSD-2-Clause
-# The BSD 2-Clause License
-
-Copyright (c) 2014, Domenic Denicola
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-whatwg-url
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2015–2016 Sebastian Mayr
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-
 wrappy
 ISC
 The ISC License

jest.config.js

@@ -1,5 +1,11 @@
-/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
 module.exports = {
-  preset: 'ts-jest',
+  transform: {
+    '^.+\\.jsx?$': 'babel-jest',
+    '^.+\\.tsx?$': 'babel-jest',
+  },
   testEnvironment: 'node',
-};
+  moduleFileExtensions: ['js', 'jsx', 'ts', 'tsx'],
+  transformIgnorePatterns: [
+    '/node_modules/(?!@octokit|@github)',
+  ],
+};

package.json

@@ -1,12 +1,15 @@
 {
   "name": "go-dependency-submission",
-  "version": "2.0.1",
+  "version": "2.0.3",
   "description": "Go Dependency Submission",
   "main": "dist/index.js",
+  "engines": {
+    "node": ">=24"
+  },
   "scripts": {
     "build": "tsc",
-    "format": "prettier --write '**/*.ts'",
-    "format-check": "prettier --check '**/*.ts'",
+    "format": "npx prettier --write '**/*.ts'",
+    "format-check": "npx prettier --check '**/*.ts'",
     "lint": "eslint --fix src/**/*.ts",
     "package": "ncc build --source-map --license licenses.txt",
     "test": "jest --testTimeout=10000",
@@ -25,25 +28,32 @@
   },
   "homepage": "https://github.com/actions/go-dependency-submission#readme",
   "devDependencies": {
+    "@babel/core": "^7.26.10",
+    "@babel/preset-env": "^7.26.9",
+    "@babel/preset-typescript": "^7.27.0",
     "@types/jest": "^27.5.2",
     "@typescript-eslint/eslint-plugin": "^5.20.0",
     "@typescript-eslint/parser": "^5.20.0",
     "@vercel/ncc": "^0.33.4",
+    "babel-jest": "^29.7.0",
     "eslint": "^8.13.0",
     "eslint-config-standard": "^17.0.0",
     "eslint-plugin-import": "^2.26.0",
     "eslint-plugin-jest": "^26.5.3",
     "eslint-plugin-n": "^15.1.0",
     "eslint-plugin-promise": "^6.0.0",
-    "jest": "^28.0.0",
-    "ts-jest": "^28.0.4",
+    "prettier": "^3.5.3",
+    "ts-jest": "^29.0.0",
     "typescript": "^4.6.4"
   },
   "dependencies": {
-    "@actions/core": "^1.9.1",
+    "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.0.3",
-    "@github/dependency-submission-toolkit": "^1.2.10",
+    "@actions/github": "^6.0.1",
+    "@github/dependency-submission-toolkit": "^2.0.5",
     "packageurl-js": "^0.0.6"
+  },
+  "overrides": {
+    "undici": "^6.24.0"
   }
 }

src/index.ts

@@ -77,19 +77,62 @@ async function main () {
     manifest.addIndirectDependency(dep)
   })
 
-  const snapshot = new Snapshot(
-    {
+  type SnapshotDetector = {
+    name: string
+    url: string
+    version: string
+  }
+  let snapshotDetector: SnapshotDetector
+
+  const detectorName = core.getInput('detector-name')
+  const detectorUrl = core.getInput('detector-url')
+  const detectorVersion = core.getInput('detector-version')
+
+  if (detectorName === '' && detectorUrl === '' && detectorVersion === '') {
+    // use defaults if none are specified
+    snapshotDetector = {
       name: 'actions/go-dependency-submission',
       url: 'https://github.com/actions/go-dependency-submission',
       version: '0.0.1'
-    },
-    github.context,
-    {
-      correlator: `${github.context.job}-${goBuildTarget}`,
-      id: github.context.runId.toString()
     }
-  )
+  } else if (
+    detectorName === '' ||
+    detectorUrl === '' ||
+    detectorVersion === ''
+  ) {
+    // if any of detectorName, detectorUrl, or detectorVersion have value, then they are all required
+    throw new Error(
+      "Invalid input: if any of 'detector-name', 'detector-url', or 'detector-version' have value, then thay are all required."
+    )
+  } else {
+    // use inputs since all are specified
+    snapshotDetector = {
+      name: detectorName,
+      url: core.getInput('detector-url', { required: true }),
+      version: core.getInput('detector-version', { required: true })
+    }
+  }
+
+  const snapshot = new Snapshot(snapshotDetector, github.context, {
+    correlator: `${github.context.job}-${goBuildTarget}`,
+    id: github.context.runId.toString()
+  })
   snapshot.addManifest(manifest)
+
+  // only override the sha if the input has a value
+  // otherwise, continue to use the sha set from the context in the Snapshot constructor
+  const inputSHA = core.getInput('sha')
+  if (inputSHA !== '') {
+    snapshot.sha = inputSHA
+  }
+
+  // only override the ref if the input has a value
+  // otherwise, continue to use the ref set from the context in the Snapshot constructor
+  const inputRef = core.getInput('ref')
+  if (inputRef !== '') {
+    snapshot.ref = inputRef
+  }
+
   submitSnapshot(snapshot)
 }