This GitHub Action extracts dependencies from an Elixir project using
mix and submits them to
GitHub's Dependency Submission API,
helping you unlock advanced dependency graph and security features for your
project.
By submitting your dependencies to GitHub:
- 🔐 Stay secure – Receive Dependabot alerts and security updates for known vulnerabilities in your direct and transitive dependencies.
- 🔎 Improve visibility – View your full dependency graph, including dependencies not found in lockfiles, right on GitHub.
- 🔁 Automated updates – Dependabot can automatically open pull requests to fix vulnerable dependencies.
- ✅ Better reviews – See dependencies in pull request diffs via GitHub’s Dependency Review.
- 📊 Support compliance – Help your team understand and audit what third-party code your software depends on.
This action is intended to be used within a GitHub Actions workflow.
name: "Mix Dependency Submission"
on:
push:
branches:
- "main"
# The API requires write permission on the repository to submit dependencies
permissions:
contents: write
jobs:
report_mix_deps:
name: "Report Mix Dependencies"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: erlef/mix-dependency-submission@v1name: "Mix Dependency Submission"
on:
push:
branches:
- "main"
pull_request: {}
# The API requires write permission on the repository to submit dependencies
permissions:
contents: write
jobs:
report_mix_deps:
name: "Report Mix Dependencies"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: erlef/mix-dependency-submission@v1
- uses: actions/dependency-review-action@v4
if: "${{ github.event_name == 'pull_request' }}"| Name | Description | Default |
|---|---|---|
token |
GitHub token to use for submission. | ${{ github.token }} |
project-path |
Path to the Mix project. | ${{ github.workspace }} |
install-deps |
Whether to run mix deps.get before analysis. Set to true for accurate transitive info. |
false |
ignore |
A comma-separated list of directories to ignore when searching for Mix projects. | (none) |
⚠️ Ifinstall-depsis set tofalse, the action may not fully resolve transitive dependencies, leading to an incomplete dependency graph.
| Name | Description | Example Value |
|---|---|---|
submission-json-path |
Path to the generated submission JSON file. | /tmp/submission-213124323.json |
snapshot-id |
ID of the submission. | 1234 |
snapshot-api-url |
URL of the submission API. | https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots/1234 |
This action supports the following operating systems and architectures, tested using the corresponding GitHub-hosted runners:
| Operating System | Architecture | Supported | Tested Runner |
|---|---|---|---|
| Linux | x64 | ✅ | ubuntu-24.04 |
| Linux | ARM64 | ✅ | ubuntu-24.04-arm |
| macOS | x64 | ✅ | macos-13 |
| macOS | ARM64 | ✅ | macos-15 |
| Windows | x64 | ✅ | windows-2025 |
| Windows | ARM64 | ❌ | (not supported) |
❌ Not supported: Windows on ARM64 (due to missing support in burrito).
Copyright 2023 JOSHMARTIN GmbH
Copyright 2025 Erlang Ecosystem Foundation
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.