The dependency graph helps developers understand the software they depend on. While this has historically focused on traditional open source dependencies in your code from package managers like npm, NuGet, Maven, or RubyGems, millions of repositories are using GitHub Actions, and developers and maintainers can benefit from seeing who depends upon their actions.
Today, we are announcing that the dependency graph now supports GitHub Actions. From any repository which uses Actions, you can now see your Actions workflows listed alongside any other dependencies in the Insights/Dependency Graph experience.
Additionally, you can view a list of repositories that depend on your action under the Dependencies tab, or by looking at the “Used By” count on your repository homepage. This count does not include any private repositories that might use your action. In the event you maintain multiple packages or actions from one repository, you may also want to change the package that’s displayed on the repository home page to highlight the one you are most proud of.
The dependency graph is the foundation of GitHub’s supply chain security capabilities because understanding what you depend on is a crucial first step toward securing your software. You can configure Dependabot version updates to keep your Actions dependencies up to date automatically. Keep an eye on the public roadmap for more information about upcoming supply chain improvements in this area.
In this blog, I’ll look at CVE-2022-46395, a variant of CVE-2022-36449 (Project Zero issue 2327), and use it to gain arbitrary kernel code execution and root privileges from the untrusted app domain on an Android phone that uses the Arm Mali GPU. I’ll also explain how root cause analysis of CVE-2022-36449 led to the discovery of CVE-2022-46395.
GitHub is the home for all developers and on this Global Accessibility Awareness Day we are thrilled to celebrate the achievements of disabled developers and recent ships that help them build on GitHub.