
Add GitHub Actions type

Open jhutchings1 opened this issue 2 years ago • 3 comments

This PR adds GitHub Actions as a distinct type. We use this in the GitHub Dependency graph because GitHub Actions are distinct in meaning from the GitHub repository package references, and sometimes get CVEs published on them.

jhutchings1 avatar Jul 19 '23 01:07 jhutchings1

@pombredanne @stevespringett Can you take a look at this? We're already using it in practice within GitHub, and I'd love to make sure that it's an accepted type definition.

jhutchings1 avatar Aug 16 '23 15:08 jhutchings1

Hi! I'm trying to use this schema, how would you say this vulnerability would fit into the actions pURL? https://github.com/advisories/GHSA-hw6r-g8gj-2987

emilwareus avatar Nov 28 '23 13:11 emilwareus

> Hi! I'm trying to use this schema, how would you say this vulnerability would fit into the actions pURL? GHSA-hw6r-g8gj-2987

This schema is intended to refer to a GitHub Actions action, not a workflow, so in your case, I think the regular GitHub namespace is more appropriate.

jhutchings1 avatar Nov 28 '23 17:11 jhutchings1

Poke for progress, as I just wasted 10 minutes trying to work out what the prefix was to use with actions/dependency-review-action's allow-dependencies-licenses option.

github and github-actions didn't work, despite Copilot's claim the latter was correct.

I worked out it should be githubactions eventually by tracing the action's code to get to this line, at which point I realised I could download an SBOM from the repo, open it and search for an action to find the emitted purl prefix from there.

martincostello avatar Jul 25 '25 13:07 martincostello
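As an added example (not code from purl-spec or from anyone in this thread): a small helper that builds the `pkg:githubactions/...` form martincostello found in GitHub's SBOMs from a workflow `uses:` reference, and parses it back so an allow-list can be compared against the same canonical string. Assumed, not taken from the PR: that a multi-action repository's subdirectory maps to the purl subpath, and that segments follow the general purl percent-encoding rules.

```python
from urllib.parse import quote, unquote

ACTION_TYPE = "githubactions"  # the type prefix reported in the thread


def _enc(segment: str) -> str:
    # purl rule: each segment is percent-encoded on its own; '@' and '/'
    # inside a segment must be escaped so they cannot be read as separators.
    return quote(segment, safe="")


def action_to_purl(uses: str) -> str:
    """Turn a workflow 'uses:' value (owner/repo[/subdir]@ref) into
    pkg:githubactions/owner/repo@ref[#subdir].
    Assumption: a subdirectory of a multi-action repo becomes the subpath.
    Local ('./x') and docker:// references are not GitHub-hosted actions."""
    if uses.startswith(("./", "docker://")):
        raise ValueError(f"not a GitHub-hosted action: {uses}")
    path, sep, version = uses.partition("@")
    parts = path.split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"expected owner/repo[/subdir]@ref: {uses}")
    owner, repo, subdir = parts[0], parts[1], parts[2:]
    purl = f"pkg:{ACTION_TYPE}/{_enc(owner)}/{_enc(repo)}"
    if sep:  # an unpinned reference simply has no version component
        purl += "@" + _enc(version)
    if subdir:
        purl += "#" + "/".join(_enc(p) for p in subdir)
    return purl


def parse_purl(purl: str) -> dict:
    """Minimal purl parser, splitting in the order the spec prescribes:
    subpath after '#', qualifiers after '?', version after the last '@',
    then scheme, type, namespace and name."""
    if not purl.startswith("pkg:"):
        raise ValueError("missing pkg: scheme")
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    return {
        "type": ptype.lower(),  # type is case-insensitive, canonical form is lowercase
        "namespace": "/".join(segments[:-1]) or None,
        "name": segments[-1] if segments else "",
        "version": unquote(version) or None,
        "qualifiers": dict(kv.split("=", 1) for kv in qualifiers.split("&") if kv),
        "subpath": unquote(subpath) or None,
    }
```

Comparing `parse_purl(...)["type"]` against `"githubactions"` rather than `"github"` is exactly the distinction the PR asks the type to carry.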

@martincostello Hey, there have been discussions recently in a community about whether this should exist as a type and whether to just use github for actions instead... and a github-action may not be needed?

Also, after the merge of PR #514, PURL types are now defined in JSON :angel: :innocent: :

  • See #514

With the new approach... this PR would need to be updated if we go with a separate type.

Thanks for your understanding and patience!

pombredanne avatar Jul 26 '25 15:07 pombredanne

2 years, quite the zombie PR! @trevrosen may have thoughts on this. I'm no longer working on supply chain security, so I can't say if GitHub still wants this capability or how.

jhutchings1 avatar Jul 29 '25 22:07 jhutchings1

Would it make sense to revive this ticket, in light of https://www.getsafety.com/blog-posts/shai-hulud-npm-attack and https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised ?

I'd love to see github produce SBOMs describing what actions were used during a run, where any actions that were "pulled in" were referred to in the form of a PackageURL that clearly distinguishes actions from other types of package dependencies.

Different things should look different. Similar things should look similar. – Larry Wall

sjn avatar Sep 16 '25 13:09 sjn

@sjn good idea. I created #698 as a placeholder issue.

nicorikken avatar Oct 02 '25 09:10 nicorikken