Commit b1a0a4f
build(workflows): add uv.lock dependency submission to dependency-review (#1059)
## Description
Added uv.lock dependency submission to the *dependency-review* workflow
so that Python packages managed by uv appear in GitHub's dependency
graph and Dependabot alerts. A new **component-detection** step runs
before the existing dependency review, submitting uv.lock data via the
Dependency Submission API. The canonical **SHA-pinning registry** was
updated to include the new action and to correct a stale SHA for
`dependency-review-action`.
> The `contents: write` permission elevation is required by the
> Dependency Submission API and follows existing precedent across other
> workflows in the repository.
- Added
`advanced-security/component-detection-dependency-submission-action@v0.1.1`
(SHA-pinned) to `.github/workflows/dependency-review.yml` with
`detectorArgs: 'UvLock=EnableIfDefaultOff'`
- Positioned before `dependency-review-action` so submitted data is
available during review
- Inline comment documents fork PR behavior (read-only token causes
graceful skip)
- Elevated `contents` permission from `read` to `write` with inline
rationale comment
- Registered `component-detection-dependency-submission-action@v0` in
*Update-ActionSHAPinning.ps1* `$ActionSHAMap`
- Corrected stale `dependency-review-action` SHA (v4.3.4 → v4.9.0) in
`$ActionSHAMap`
## Related Issue(s)
Related to #891
## Type of Change
Select all that apply:
**Code & Documentation:**
* [ ] Bug fix (non-breaking change fixing an issue)
* [ ] New feature (non-breaking change adding functionality)
* [ ] Breaking change (fix or feature causing existing functionality to
change)
* [ ] Documentation update
**Infrastructure & Configuration:**
* [x] GitHub Actions workflow
* [ ] Linting configuration (markdown, PowerShell, etc.)
* [x] Security configuration
* [ ] DevContainer configuration
* [x] Dependency update
**AI Artifacts:**
* [ ] Reviewed contribution with `prompt-builder` agent and addressed
all feedback
* [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
* [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
* [ ] Copilot agent (`.github/agents/*.agent.md`)
* [ ] Copilot skill (`.github/skills/*/SKILL.md`)
> Note for AI Artifact Contributors:
>
> * Agents: Research, indexing/referencing other projects (using standard
>   VS Code GitHub Copilot/MCP tools), planning, and general implementation
>   agents likely already exist. Review `.github/agents/` before creating
>   new ones.
> * Skills: Must include both bash and PowerShell scripts. See
>   [Skills](../docs/contributing/skills.md).
> * Model Versions: Only contributions targeting the **latest Anthropic
>   and OpenAI models** will be accepted. Older model versions (e.g.,
>   GPT-3.5, Claude 3) will be rejected.
> * See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and
>   [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements).
**Other:**
* [ ] Script/automation (`.ps1`, `.sh`, `.py`)
* [ ] Other (please describe):
## Testing
- Verified SHA `9c110eb34dee187cd9eca76a652b9f6a0ed22927` resolves to
`v0.1.1` of
`advanced-security/component-detection-dependency-submission-action`
- Verified updated `dependency-review-action` SHA
`2031cfc080254a8a887f58cffee85186f0e49e48` resolves to `v4.9.0`
- Confirmed `$ActionSHAMap` entries are consistent with workflow file
SHAs
- Validated dependency-pinning, version-consistency, and permissions
checks pass
## Checklist
### Required Checks
* [x] Documentation is updated (if applicable)
* [x] Files follow existing naming conventions
* [x] Changes are backwards compatible (if applicable)
* [ ] Tests added for new functionality (if applicable)
### AI Artifact Contributions
<!-- Not applicable — no AI artifacts changed -->
### Required Automated Checks
The following validation commands must pass before merging:
* [x] Markdown linting: `npm run lint:md`
* [x] Spell checking: `npm run spell-check`
* [x] Frontmatter validation: `npm run lint:frontmatter`
* [x] Skill structure validation: `npm run validate:skills`
* [x] Link validation: `npm run lint:md-links`
* [x] PowerShell analysis: `npm run lint:ps`
* [x] Plugin freshness: `npm run plugin:generate`
## Security Considerations
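The SHA-pinning check that the Testing section describes, as an added example that is not part of this commit or of the repository's own Update-ActionSHAPinning.ps1: a POSIX shell function that flags any `uses:` reference not pinned to a full 40-hex commit SHA with a `# vX.Y.Z` comment, run over a constructed workflow fragment assembled from the step order, permission and SHAs in the description. The trigger, job name and the deliberately unpinned `actions/checkout` step are assumptions, and `tag_for_sha` is an added helper (needs network) for resolving a pinned SHA back to its tag.

```shell
#!/bin/sh
# Added example (not the repository's own code): checks that every `uses:` line
# in a workflow is pinned to a full 40-hex commit SHA followed by a `# vX.Y.Z`
# comment, the invariant the SHA-pinning registry in the description maintains.
# Local (./...) and docker:// references would also be flagged; extend if needed.

# Constructed sample reflecting the step order and permission from the commit
# description. Trigger, job name and the actions/checkout step are assumptions;
# the checkout line is left unpinned on purpose so the check has something to catch.
SAMPLE_WORKFLOW='name: dependency-review
on: [pull_request]
permissions:
  contents: write   # required by the Dependency Submission API
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Submits uv.lock packages; on fork PRs the read-only token makes this step skip gracefully
      - uses: advanced-security/component-detection-dependency-submission-action@9c110eb34dee187cd9eca76a652b9f6a0ed22927 # v0.1.1
        with:
          detectorArgs: "UvLock=EnableIfDefaultOff"
      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
'

# check_pins FILE: prints each offending `uses:` line with its line number and
# returns 1 if any were found, 0 when every action reference is SHA-pinned.
check_pins() {
  bad=$(grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]+[^@[:space:]]+@[0-9a-f]{40}[[:space:]]+#[[:space:]]*v[0-9]' || :)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# tag_for_sha OWNER/REPO SHA: prints the tag(s) a pinned SHA resolves to, the
# cross-check the Testing section describes. Needs network access (git ls-remote).
tag_for_sha() {
  git ls-remote --tags "https://github.com/$1" \
    | awk -v sha="$2" '$1 == sha { sub("refs/tags/", "", $2); sub(/\^\{\}$/, "", $2); print $2 }'
}

# Stand-alone run: write the sample to a temp file and check it.
tmp=$(mktemp)
printf '%s' "$SAMPLE_WORKFLOW" > "$tmp"
check_pins "$tmp" && echo "all actions SHA-pinned" || echo "unpinned action(s) found"
rm -f "$tmp"
```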
1 parent c77e064 commit b1a0a4f
File tree: 2 files changed, +9 -3 lines changed
- .github/workflows
- scripts/security

.github/workflows (diff content not captured in this rendering): line 16 replaced; line 24 replaced by lines 24-29.
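Review bot: the `.github/workflows` hunk is not rendered here, but per the description it raises the workflow-level `contents` permission from `read` to `write` so the new component-detection step can call the Dependency Submission API, which also hands a write-capable token to `dependency-review-action` in the same job; consider moving the submission step into its own job with job-level `permissions: contents: write` and leaving the review job at `contents: read`, so the elevation is limited to the one step that needs it.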
scripts/security (diff content not captured in this rendering): line 81 replaced by lines 81-82.

0 commit comments