Merge pull request #103 from actions/ljones140/security-upgrades

Security Upgrade
generated dist
2026-04-22 11:46:41 +01:00 · 2026-04-20 15:29:48 +01:00 · 2026-04-20 15:29:12 +01:00 · 2025-11-24 13:51:11 +00:00 · 2025-11-17 21:54:46 +00:00 · 2025-09-01 17:32:10 +01:00
11 changed files with 15472 additions and 11562 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,7 +20,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        language: [ 'javascript-typescript' ]
+        language: [ 'javascript-typescript', 'actions', 'go' ]

    steps:
    - name: Checkout repository
--- a/.github/workflows/go-dependency-submission.yml
+++ b/.github/workflows/go-dependency-submission.yml
@@ -13,9 +13,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4

-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
        with:
          go-version: ">=1.18.0"

--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,7 +8,10 @@ on: # rebuild any PRs and main branch changes
    branches:
      - main
      - 'releases/*'
-
+      
+permissions:
+  contents: read
+  
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -28,5 +31,10 @@ jobs:
        run: npm rebuild && npm run all

      - name: Verify no uncommitted files
-        run: '[ -z "$(git status --porcelain=v1 2>/dev/null)" ]'
+        run: |
+          if [ -n "$(git status --porcelain=v1 2>/dev/null)" ]; then
+            echo "There are uncommitted changes!"
+            git status --porcelain=v1
+            exit 1
+          fi
        shell: bash
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Go Dependency Submission

 This GitHub Action calculates dependencies for a Go build-target (a Go file with a
-`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies. 
+`main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies.

 ### Running locally

@@ -53,3 +53,81 @@ jobs:
            # include Go dependencies used by tests and tooling.
            go-build-target: go-example/cmd/octocat.go
 ```
+
+### Accessing Private Go Modules
+
+This action will fail if your `go.mod` contains private Go modules.
+To access private Go modules the action requires an extra step to access your
+private module registry.
+
+See official Go documentation for more information at https://go.dev/doc/faq#git_https
+
+#### Accessing Private Go Modules Hosted on GitHub
+
+If your private Go modules are hosted on GitHub, there are various ways for the action to
+access them. You can use either HTTPS authentication with a Personal Access Token (PAT) or SSH authentication with deploy keys or SSH keys.
+
+#### Authentication Methods
+
+**HTTPS with Personal Access Token**: Uses a GitHub Personal Access Token to authenticate with private repositories. This method requires storing the token as a repository secret. See [Creating a personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) for setup instructions.
+
+**SSH Authentication**: Uses SSH keys or deploy keys for authentication. This method doesn't require storing tokens and can be more secure for some use cases. See the [GitHub documentation on SSH authentication](https://docs.github.com/en/authentication/connecting-to-github-with-ssh) for setup instructions.
+
+#### Additional Environment Variables
+
+- **`GONOPROXY`**: Set this to bypass the module proxy entirely for specific modules
+- **`GOSUMDB`**: Set to `off` or configure to skip checksum verification for private modules
+- **`GOPROXY`**: Can be set to `direct` to bypass proxies completely
+
+#### Example: HTTPS Authentication with Personal Access Token
+
+This example adds a step to the workflow which uses a GitHub
+[Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
+which has repo permissions. The PAT is saved as a repo [actions secret](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) `GH_ACCESS_TOKEN`.
+
+The env variable `GOPRIVATE` has also been set so that the GitHub org `foo` is considered private.
+
+```yaml
+name: Go Dependency Submission
+on:
+  push:
+    branches:
+      - main
+
+# The API requires write permission on the repository to submit dependencies
+permissions:
+  contents: write
+
+# Environment variables to configure Go and Go modules. Customize as necessary
+env:
+  GOPROXY: 'https://proxy.golang.org,direct' # To add a private proxy, place it between the public golang proxy and direct
+  GOPRIVATE: 'github.com/foo/*' # repositories in organization foo are considered private
+
+jobs:
+  go-action-detection:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ">=1.18.0"
+
+      # Authentication step
+      - name: Authenticate with GitHub
+        run: git config --global url.https://${{ secrets.GH_ACCESS_TOKEN }}@github.com/.insteadOf https://github.com/
+
+      - name: Run snapshot action
+        uses: actions/go-dependency-submission@v2
+        with:
+            # Required: Define the repo path to the go.mod file used by the
+            # build target
+            go-mod-path: go-example/go.mod
+            #
+            # Optional: Define the path of a build target (a file with a
+            # `main()` function) If not defined, this Action will collect all
+            # dependencies used by all build targets for the module, which may
+            # include Go dependencies used by tests and tooling.
+            go-build-target: go-example/cmd/octocat.go
+```
--- a/action.yml
+++ b/action.yml
@@ -17,6 +17,34 @@ inputs:
    required: true
    description: 'Build target to detect build dependencies. If unspecified, will use "all", with will detect all dependencies used in all build targets (including tests and tools).'
    default: 'all'
+  snapshot-sha:
+    description: The SHA that the results will be linked to in the dependency snapshot
+    type: string
+    required: false
+    default: ''
+  snapshot-ref:
+    description: The ref that the results will be linked to in the dependency snapshot
+    type: string
+    required: false
+    default: ''
+
+  # If any of detector-name, detector-version, or detector-url are provided, they all have to be provided.  
+  # Defaults will be used if none are not provided.  If only one or two are provided, the action will fail.
+  detector-name:
+    description: The name of the detector that generated the dependency snapshot
+    type: string
+    required: false
+    default: ''
+  detector-version:
+    description: The version of the detector that generated the dependency snapshot
+    type: string
+    required: false
+    default: ''
+  detector-url:
+    description: The URL to the detector that generated the dependency snapshot
+    type: string
+    required: false
+    default: ''
 runs:
-  using: 'node20'
+  using: 'node24'
  main: 'dist/index.js'
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
@@ -71,28 +71,6 @@ The above copyright notice and this permission notice shall be included in all c

 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

-@fastify/busboy
-MIT
-Copyright Brian White. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-IN THE SOFTWARE.
-
@github/dependency-submission-toolkit
 MIT
 MIT License
@@ -290,16 +268,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.


-@vercel/ncc
-MIT
-Copyright 2018 ZEIT, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 before-after-hook
 Apache-2.0
                                 Apache License
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,9 +9,9 @@
      "version": "2.0.3",
      "license": "ISC",
      "dependencies": {
-        "@actions/core": "^1.9.1",
+        "@actions/core": "^1.11.1",
        "@actions/exec": "^1.1.1",
-        "@actions/github": "^6.0.0",
+        "@actions/github": "^6.0.1",
        "@github/dependency-submission-toolkit": "^2.0.5",
        "packageurl-js": "^0.0.6"
      },
@@ -33,6 +33,9 @@
        "prettier": "^3.5.3",
        "ts-jest": "^29.0.0",
        "typescript": "^4.6.4"
+      },
+      "engines": {
+        "node": ">=24"
      }
    },
    "node_modules/@actions/core": {
@@ -49,20 +52,24 @@
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "license": "MIT",
      "dependencies": {
        "@actions/io": "^1.0.1"
      }
    },
    "node_modules/@actions/github": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.0.tgz",
-      "integrity": "sha512-alScpSVnYmjNEXboZjarjukQEzgCRmjMv6Xj47fsdnqGS73bjJNDpiiXmp8jr0UZLdUB6d9jW63IcmddUP+l0g==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.1.tgz",
+      "integrity": "sha512-xbZVcaqD4XnQAe35qSQqskb3SqIAfRyLBrHMd/8TuL7hJSz2QtbDwnNM8zWx4zO5l2fnGtseNE3MbEvD7BxVMw==",
      "license": "MIT",
      "dependencies": {
        "@actions/http-client": "^2.2.0",
        "@octokit/core": "^5.0.1",
-        "@octokit/plugin-paginate-rest": "^9.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^10.0.0"
+        "@octokit/plugin-paginate-rest": "^9.2.2",
+        "@octokit/plugin-rest-endpoint-methods": "^10.4.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "undici": "^5.28.5"
      }
    },
    "node_modules/@actions/http-client": {
@@ -76,9 +83,10 @@
      }
    },
    "node_modules/@actions/io": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.2.tgz",
-      "integrity": "sha512-d+RwPlMp+2qmBfeLYPLXuSRykDIFEwdTA0MMxzS9kh4kvP1ftrc/9fzy6pX6qAjthdXruHQ6/6kjT/DNo5ALuw=="
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
+      "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
+      "license": "MIT"
    },
    "node_modules/@ampproject/remapping": {
      "version": "2.2.0",
@@ -1848,15 +1856,6 @@
        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
      }
    },
-    "node_modules/@fastify/busboy": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
-      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=14"
-      }
-    },
    "node_modules/@github/dependency-submission-toolkit": {
      "version": "2.0.5",
      "resolved": "https://registry.npmjs.org/@github/dependency-submission-toolkit/-/dependency-submission-toolkit-2.0.5.tgz",
@@ -1945,9 +1944,9 @@
      }
    },
    "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {
-      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
      "dev": true,
      "dependencies": {
        "argparse": "^1.0.7",
@@ -2430,15 +2429,15 @@
      }
    },
    "node_modules/@octokit/core": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.0.tgz",
-      "integrity": "sha512-1LFfa/qnMQvEOAdzlQymH0ulepxbxnCYAKJZfMci/5XJyIHWgEYnDmgnKakbTh7CH2tFQ5O60oYDvns4i9RAIg==",
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
+      "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
      "license": "MIT",
      "dependencies": {
        "@octokit/auth-token": "^4.0.0",
        "@octokit/graphql": "^7.1.0",
        "@octokit/request": "^8.4.1",
-        "@octokit/request-error": "^5.1.0",
+        "@octokit/request-error": "^5.1.1",
        "@octokit/types": "^13.0.0",
        "before-after-hook": "^2.2.0",
        "universal-user-agent": "^6.0.0"
@@ -2461,9 +2460,9 @@
      }
    },
    "node_modules/@octokit/graphql": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.0.tgz",
-      "integrity": "sha512-r+oZUH7aMFui1ypZnAvZmn0KSqAUgE1/tUXIWaqUCa1758ts/Jio84GZuzsvUkme98kv0WFY8//n0J1Z+vsIsQ==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
+      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
      "license": "MIT",
      "dependencies": {
        "@octokit/request": "^8.4.1",
@@ -2544,6 +2543,7 @@
      "version": "8.4.1",
      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.1.tgz",
      "integrity": "sha512-qnB2+SY3hkCmBxZsR/MPCybNmbJe4KAlfWErXq+rBKkQJlbjdJeS85VI9r8UqeLYLvnAenU8Q1okM/0MBsAGXw==",
+      "license": "MIT",
      "dependencies": {
        "@octokit/endpoint": "^9.0.6",
        "@octokit/request-error": "^5.1.1",
@@ -5856,9 +5856,9 @@
      "dev": true
    },
    "node_modules/js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
      "dev": true,
      "dependencies": {
        "argparse": "^2.0.1"
@@ -7158,6 +7158,7 @@
      "version": "0.0.6",
      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "license": "MIT",
      "engines": {
        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
      }
@@ -7225,15 +7226,12 @@
      }
    },
    "node_modules/undici": {
-      "version": "5.28.5",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
-      "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
+      "version": "6.25.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
+      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
      "license": "MIT",
-      "dependencies": {
-        "@fastify/busboy": "^2.0.0"
-      },
      "engines": {
-        "node": ">=14.0"
+        "node": ">=18.17"
      }
    },
    "node_modules/unicode-canonical-property-names-ecmascript": {
@@ -7498,14 +7496,17 @@
      }
    },
    "@actions/github": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.0.tgz",
-      "integrity": "sha512-alScpSVnYmjNEXboZjarjukQEzgCRmjMv6Xj47fsdnqGS73bjJNDpiiXmp8jr0UZLdUB6d9jW63IcmddUP+l0g==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.1.tgz",
+      "integrity": "sha512-xbZVcaqD4XnQAe35qSQqskb3SqIAfRyLBrHMd/8TuL7hJSz2QtbDwnNM8zWx4zO5l2fnGtseNE3MbEvD7BxVMw==",
      "requires": {
        "@actions/http-client": "^2.2.0",
        "@octokit/core": "^5.0.1",
-        "@octokit/plugin-paginate-rest": "^9.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^10.0.0"
+        "@octokit/plugin-paginate-rest": "^9.2.2",
+        "@octokit/plugin-rest-endpoint-methods": "^10.4.0",
+        "@octokit/request": "^8.4.1",
+        "@octokit/request-error": "^5.1.1",
+        "undici": "^6.24.0"
      }
    },
    "@actions/http-client": {
@@ -7514,13 +7515,13 @@
      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
      "requires": {
        "tunnel": "^0.0.6",
-        "undici": "^5.25.4"
+        "undici": "^6.24.0"
      }
    },
    "@actions/io": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.2.tgz",
-      "integrity": "sha512-d+RwPlMp+2qmBfeLYPLXuSRykDIFEwdTA0MMxzS9kh4kvP1ftrc/9fzy6pX6qAjthdXruHQ6/6kjT/DNo5ALuw=="
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
+      "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="
    },
    "@ampproject/remapping": {
      "version": "2.2.0",
@@ -8742,11 +8743,6 @@
        "strip-json-comments": "^3.1.1"
      }
    },
-    "@fastify/busboy": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
-      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="
-    },
    "@github/dependency-submission-toolkit": {
      "version": "2.0.5",
      "resolved": "https://registry.npmjs.org/@github/dependency-submission-toolkit/-/dependency-submission-toolkit-2.0.5.tgz",
@@ -8824,9 +8820,9 @@
          }
        },
        "js-yaml": {
-          "version": "3.14.1",
-          "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-          "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+          "version": "3.14.2",
+          "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+          "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
          "dev": true,
          "requires": {
            "argparse": "^1.0.7",
@@ -9203,14 +9199,14 @@
      "integrity": "sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA=="
    },
    "@octokit/core": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.0.tgz",
-      "integrity": "sha512-1LFfa/qnMQvEOAdzlQymH0ulepxbxnCYAKJZfMci/5XJyIHWgEYnDmgnKakbTh7CH2tFQ5O60oYDvns4i9RAIg==",
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.2.tgz",
+      "integrity": "sha512-/g2d4sW9nUDJOMz3mabVQvOGhVa4e/BN/Um7yca9Bb2XTzPPnfTWHWQg+IsEYO7M3Vx+EXvaM/I2pJWIMun1bg==",
      "requires": {
        "@octokit/auth-token": "^4.0.0",
        "@octokit/graphql": "^7.1.0",
        "@octokit/request": "^8.4.1",
-        "@octokit/request-error": "^5.1.0",
+        "@octokit/request-error": "^5.1.1",
        "@octokit/types": "^13.0.0",
        "before-after-hook": "^2.2.0",
        "universal-user-agent": "^6.0.0"
@@ -9226,9 +9222,9 @@
      }
    },
    "@octokit/graphql": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.0.tgz",
-      "integrity": "sha512-r+oZUH7aMFui1ypZnAvZmn0KSqAUgE1/tUXIWaqUCa1758ts/Jio84GZuzsvUkme98kv0WFY8//n0J1Z+vsIsQ==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.1.tgz",
+      "integrity": "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g==",
      "requires": {
        "@octokit/request": "^8.4.1",
        "@octokit/types": "^13.0.0",
@@ -11738,9 +11734,9 @@
      "dev": true
    },
    "js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
      "dev": true,
      "requires": {
        "argparse": "^2.0.1"
@@ -12721,12 +12717,9 @@
      }
    },
    "undici": {
-      "version": "5.28.5",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
-      "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
-      "requires": {
-        "@fastify/busboy": "^2.0.0"
-      }
+      "version": "6.25.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
+      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg=="
    },
    "unicode-canonical-property-names-ecmascript": {
      "version": "2.0.1",
--- a/package.json
+++ b/package.json
@@ -3,6 +3,9 @@
  "version": "2.0.3",
  "description": "Go Dependency Submission",
  "main": "dist/index.js",
+  "engines": {
+    "node": ">=24"
+  },
  "scripts": {
    "build": "tsc",
    "format": "npx prettier --write '**/*.ts'",
@@ -44,10 +47,13 @@
    "typescript": "^4.6.4"
  },
  "dependencies": {
-    "@actions/core": "^1.9.1",
+    "@actions/core": "^1.11.1",
    "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
+    "@actions/github": "^6.0.1",
    "@github/dependency-submission-toolkit": "^2.0.5",
    "packageurl-js": "^0.0.6"
+  },
+  "overrides": {
+    "undici": "^6.24.0"
  }
 }
--- a/src/index.ts
+++ b/src/index.ts
@@ -77,19 +77,62 @@ async function main () {
    manifest.addIndirectDependency(dep)
  })

-  const snapshot = new Snapshot(
-    {
+  type SnapshotDetector = {
+    name: string
+    url: string
+    version: string
+  }
+  let snapshotDetector: SnapshotDetector
+
+  const detectorName = core.getInput('detector-name')
+  const detectorUrl = core.getInput('detector-url')
+  const detectorVersion = core.getInput('detector-version')
+
+  if (detectorName === '' && detectorUrl === '' && detectorVersion === '') {
+    // use defaults if none are specified
+    snapshotDetector = {
      name: 'actions/go-dependency-submission',
      url: 'https://github.com/actions/go-dependency-submission',
      version: '0.0.1'
-    },
-    github.context,
-    {
-      correlator: `${github.context.job}-${goBuildTarget}`,
-      id: github.context.runId.toString()
    }
-  )
+  } else if (
+    detectorName === '' ||
+    detectorUrl === '' ||
+    detectorVersion === ''
+  ) {
+    // if any of detectorName, detectorUrl, or detectorVersion have value, then they are all required
+    throw new Error(
+      "Invalid input: if any of 'detector-name', 'detector-url', or 'detector-version' have value, then thay are all required."
+    )
+  } else {
+    // use inputs since all are specified
+    snapshotDetector = {
+      name: detectorName,
+      url: core.getInput('detector-url', { required: true }),
+      version: core.getInput('detector-version', { required: true })
+    }
+  }
+
+  const snapshot = new Snapshot(snapshotDetector, github.context, {
+    correlator: `${github.context.job}-${goBuildTarget}`,
+    id: github.context.runId.toString()
+  })
  snapshot.addManifest(manifest)
+
+  // only override the sha if the input has a value
+  // otherwise, continue to use the sha set from the context in the Snapshot constructor
+  const inputSHA = core.getInput('sha')
+  if (inputSHA !== '') {
+    snapshot.sha = inputSHA
+  }
+
+  // only override the ref if the input has a value
+  // otherwise, continue to use the ref set from the context in the Snapshot constructor
+  const inputRef = core.getInput('ref')
+  if (inputRef !== '') {
+    snapshot.ref = inputRef
+  }
+
  submitSnapshot(snapshot)
 }
Author	SHA1	Message	Date
Lewis Jones	00fe44a873	Merge pull request #103 from actions/ljones140/security-upgrades Some checks failed Go Dependency Submission / go-action-detection (push) Has been cancelled Details build-test / build (push) Has been cancelled Details CodeQL / Analyze (actions) (push) Has been cancelled Details CodeQL / Analyze (go) (push) Has been cancelled Details CodeQL / Analyze (javascript-typescript) (push) Has been cancelled Details Security Upgrade	2026-04-22 11:46:41 +01:00
Lewis Jones	f00e6e9196	generated dist	2026-04-20 15:29:48 +01:00
Lewis Jones	af797f9868	Upgrade dependencies - @actions/core: ^1.9.1 → ^1.11.1 (minor bump within v1) - @actions/github: ^6.0.0 → ^6.0.1 (patch bump within v6) - Added "overrides": { "undici": "^6.24.0" } to force undici past the vulnerable range	2026-04-20 15:29:12 +01:00
Barry Gordon	72c2bf7f19	Merge pull request #95 from actions/dependabot/npm_and_yarn/js-yaml-3.14.2 Bump js-yaml from 3.14.1 to 3.14.2	2025-11-24 13:51:11 +00:00
dependabot[bot]	235fcc6594	Bump js-yaml from 3.14.1 to 3.14.2 Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2025-11-17 21:54:46 +00:00
Lewis Jones	9b61b9485b	Merge pull request #91 from salmanmkc/node24 Update Node and GitHub Actions versions to latest	2025-09-01 17:32:10 +01:00
Lewis Jones	7c50a64c44	Merge branch 'main' into node24	2025-09-01 17:24:31 +01:00
Ashely Tenesaca	d9b9b1fa96	Merge pull request #93 from actions/AshelyTC-patch-1 Add permissions to .github/workflows/test.yml	2025-08-19 14:30:14 -04:00
Ashely Tenesaca	0bd5fe6328	Add permissions to .github/workflows/test.yml	2025-08-19 12:48:03 -04:00
Ashely Tenesaca	b9bf40984f	Merge pull request #92 from actions/AshelyTC-patch-1 Add actions and go to CodeQL analysis languages	2025-08-18 16:32:47 -04:00
Ashely Tenesaca	703616f176	Add 'actions' and 'go' to CodeQL analysis languages	2025-08-18 16:05:44 -04:00
Salman Muin Kayser Chishti	6fe75f51e7	Update Node and GitHub Actions versions to latest Bump Node.js engine requirement to >=24 in package.json and package-lock.json. Update action.yml to use node24. Upgrade actions/checkout to v4 and actions/setup-go to v5 in the workflow. These changes ensure compatibility with the latest Node.js and GitHub Actions tooling.	2025-07-30 14:07:24 +01:00
Ahmed ElMallah	dacf4810ac	Merge pull request #86 from actions/dependabot/npm_and_yarn/undici-5.29.0 Bump undici from 5.28.5 to 5.29.0	2025-06-20 13:19:33 -04:00
ahmed3lmallah	91df78fe21	updating dist	2025-06-20 12:20:09 -04:00
Ahmed ElMallah	55972e19aa	Merge branch 'main' into dependabot/npm_and_yarn/undici-5.29.0	2025-06-20 12:06:48 -04:00
Lewis Jones	9750009dfa	Merge pull request #88 from actions/ljones140/example-for-private-go-modules Add documentation to authenticate to private go modules	2025-06-06 15:39:47 +01:00
Lewis Jones	48c3878c0b	Apply suggestion from @elrayle Co-authored-by: E. Lynette Rayle <elrayle@users.noreply.github.com>	2025-06-06 15:36:25 +01:00
Lewis Jones	3f1029a8a5	Add documentation of how to authenticate to private go modules	2025-06-04 14:39:22 +01:00
E. Lynette Rayle	5cde65f6ad	Merge pull request #87 from actions/elr/inputs add inputs used by autosubmission	2025-05-29 22:08:57 -04:00
E. Lynette Rayle	1600567d42	update dist from rebuild	2025-05-29 19:24:36 +00:00
E. Lynette Rayle	888b4d0158	improve comments about the sha and ref inputs	2025-05-29 19:23:09 +00:00
E. Lynette Rayle	6df4cede7a	improve detector comment and provide defaults	2025-05-29 19:13:21 +00:00
E. Lynette Rayle	9c1ae0dcfb	update rebuilt dist	2025-05-29 19:05:40 +00:00
E. Lynette Rayle	aa37531e2b	make sure sha and ref are only overwritten if a value was passed in	2025-05-29 19:01:50 +00:00
E. Lynette Rayle	ced71b5163	add updated files from rebuilding	2025-05-29 15:31:31 +00:00
E. Lynette Rayle	a493d67921	revert to directly using input for sha and ref and allowing the context to drive them if they are missing	2025-05-29 15:27:47 +00:00
E. Lynette Rayle	7bdee92e05	don't indent shell: bash	2025-05-28 22:34:32 +00:00
E. Lynette Rayle	8826bd4af6	make the uncommitted files message easier to understand	2025-05-28 22:30:43 +00:00
E. Lynette Rayle	343ae9cc50	add results from rebuilding	2025-05-28 22:18:35 +00:00
E. Lynette Rayle	4d284b90be	commit files generated during build	2025-05-28 20:45:18 +00:00
E. Lynette Rayle	50fef6cb9b	doh - drop the echo to run the command	2025-05-28 20:29:09 +00:00
E. Lynette Rayle	3d515f5ff4	Show the results of the check in step Verify no unommitted files	2025-05-28 20:23:32 +00:00
E. Lynette Rayle	3a3b0da726	set default for sha & ref	2025-05-28 18:30:40 +00:00
E. Lynette Rayle	3e507a8464	use reasonable defaults for sha and ref enforce all detector vars present or not present	2025-05-28 18:21:20 +00:00
E. Lynette Rayle	f3f97c6024	add inputs used by autosubmission	2025-05-27 22:02:13 +00:00
dependabot[bot]	4bd7d52f51	Bump undici from 5.28.5 to 5.29.0 Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0) --- updated-dependencies: - dependency-name: undici dependency-version: 5.29.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2025-05-15 16:34:10 +00:00