While GitHub Actions most likely are not packaged into the distributable and thus are probably not relevant for license compliance, they are very relevant for security compliance and vulnerability checks, especially as GitHub Actions have some design flaws.
Thus, an analyzer to determine the transitive dependencies of the GitHub Actions used in a project repository would be useful, and a subsequent advisor run could be used to detect any known vulnerabilities (probably the `github` PURL type can be used for this).
As a bonus, support for GitHub Actions would make comparison with GitHub's dependency insights (which do support GitHub Actions) easier.
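As an added illustration of what such an analyzer would have to do (example code written for this issue, not part of the project), the snippet below walks a workflow file, extracts every `uses:` reference to a marketplace action, emits a `pkg:github/...` PURL for it and records whether the reference is pinned to a commit SHA or to a mutable tag. The workflow text is constructed for the example and the parser is a deliberately simple line scanner using only the standard library.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow for this example; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7  # v3.8.2
      - uses: github/codeql-action/init@v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # value of a `uses:` key
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # full git commit SHA

@dataclass
class ActionRef:
    owner: str
    repo: str
    path: Optional[str]   # subdirectory inside the repo, if any
    ref: str              # tag, branch or commit SHA after '@'
    purl: str             # pkg:github/<owner>/<repo>@<ref>[#<path>]
    pinned_to_sha: bool   # True when immutable (SHA), False for mutable tags/branches

def parse_uses(value: str) -> Optional[ActionRef]:
    """Turn a `uses:` value into an ActionRef; local paths and docker images yield None."""
    if value.startswith("./") or value.startswith("docker://"):
        return None
    target, _, ref = value.partition("@")
    parts = target.split("/")
    if len(parts) < 2 or not ref:
        return None
    owner, repo = parts[0], parts[1]
    path = "/".join(parts[2:]) or None
    purl = f"pkg:github/{owner.lower()}/{repo.lower()}@{ref}" + (f"#{path}" if path else "")
    return ActionRef(owner, repo, path, ref, purl, bool(SHA_RE.match(ref)))

def find_action_dependencies(workflow_text: str) -> List[ActionRef]:
    """Collect the direct GitHub Action dependencies declared in one workflow file."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and (ref := parse_uses(m.group(1))):
            refs.append(ref)
    return refs
```

Resolving the transitive dependencies would mean fetching each referenced repository's `action.yml` and, for composite actions, recursing into its own `uses:` steps with the same parser; the `pinned_to_sha` flag is what a policy check would consume to flag tag-pinned actions.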