Skip to content

srz-zumix/gh-deps-kit

Repository files navigation

gh-deps-kit

A tool to manage GitHub Dependency graph.

Installation

To install the tool, you can use the following command:

gh extension install srz-zumix/gh-deps-kit

Shell Completion

Workaround Available! While gh CLI doesn't natively support extension completion, we provide a patch script that enables it.

Prerequisites: Before setting up gh-deps-kit completion, ensure gh CLI completion is configured for your shell. See gh completion documentation for setup instructions.

For detailed installation instructions and setup for each shell, see the Shell Completion Guide.

Agent Skills

gh-deps-kit bundles agent skills for AI. Use the skills subcommand to install and manage them.

gh deps-kit skills [subcommand] [args...]

For details, see Songmu/skillsmith.

Commands

List dependency packages

gh deps-kit list [flags]

List dependency packages in the repository's SBOM.

Flags:

Flag Short Default Description
--exclude -e Exclude packages by ecosystem (can be specified multiple times)
--format Output format: {json}
--include -i Filter by ecosystem (can be specified multiple times)
--jq -q Filter JSON output using a jq expression
--name-only false Output only team names
--repo -R "" The repository in the format 'owner/repo'
--template -t Format JSON output using a Go template; see "gh help formatting"

Actions

Graph actions dependency

gh deps-kit actions graph [flags]

Output dependency relationships of GitHub Actions as a Mermaid flowchart. Use --recursive to traverse referenced action repositories.

Flags:

Flag Short Default Description
--format "mermaid" Output format: {json|dot|drawio|mermaid|markdown}
--jq -q Filter JSON output using a jq expression
--output -o Output file path (default: stdout)
--recursive -r false Recursively traverse referenced action repositories
--repo -R "" The repository in the format 'owner/repo'
--template -t Format JSON output using a Go template; see "gh help formatting"

Lint workflow and action YAML files

gh deps-kit actions lint [<workflow-id> | <workflow-name> | <filename>] [flags] [-- <tool-args>...]

Run an external lint tool against workflow YAML and action.yml files. Files are fetched via the GitHub API and saved to a temporary directory, then the specified lint tool is executed against them. Optionally specify a workflow by its ID, name, or filename to lint only that workflow's dependencies. Use --recursive to also lint files from referenced action repositories and reusable workflows. Extra arguments after '--' are passed directly to the lint tool.

Supported tools: actionlint, zizmor

Flags:

Flag Short Default Description
--recursive -r false Recursively traverse referenced action repositories
--ref "" Git reference (branch, tag, or commit SHA) to read workflow files from
--repo -R "" The repository in the format 'owner/repo'
--tmpdir "" Directory to store downloaded files (default: auto-created temp dir, removed after lint)
--tool "zizmor" Lint tool to use (supported: actionlint, zizmor)

List action dependencies from workflow YAML files

gh deps-kit actions workflow [<workflow-id> | <workflow-name> | <filename>] [flags]

Parse workflow YAML (.github/workflows/*.yml) and action.yml files in the repository to list GitHub Actions dependencies. Unlike the list command which uses the Dependency Graph API, this command directly parses YAML files. Optionally specify a workflow by its ID, name, or filename to parse only that workflow. Use --min-node-version to filter for workflows and actions that depend on Node actions older than the specified version (automatically enables --recursive). Use --filter-using to filter by runs.using type; prefix match is supported (automatically enables --recursive).

Flags:

Flag Short Default Description
--field Comma-separated list of fields to display in table output. Available fields: Name, Version, Owner, Repo, Path, Raw, Using, Node_Version, Job
--filter-using Filter to show only actions/workflows whose runs.using matches the specified type (e.g. node16, composite, docker); prefix match supported (e.g. node matches node16/node20); repeatable; automatically enables --recursive
--format Output format: {json|dot|drawio|mermaid|markdown|tree}
--jq -q Filter JSON output using a jq expression
--min-node-version 0 Filter to show only actions/workflows that use a Node action older than the specified version (e.g. 24 shows node20, node16); automatically enables --recursive
--name-only false Output only action names
--name-with-ref false Output action names with version ref (e.g. actions/checkout@v4)
--recursive -r false Recursively traverse referenced action repositories
--ref "" Git reference (branch, tag, or commit SHA) to read workflow files from
--repo -R "" The repository in the format 'owner/repo'
--template -t Format JSON output using a Go template; see "gh help formatting"

List actions dependency packages

gh deps-kit actions list [flags]

List dependency packages related to GitHub Actions in the repository's SBOM. Use --recursive to traverse referenced action repositories.

Flags:

Flag Short Default Description
--format Output format: {json}
--jq -q Filter JSON output using a jq expression
--name-only false Output only team names
--recursive -r false Recursively traverse referenced action repositories
--repo -R "" The repository in the format 'owner/repo'
--template -t Format JSON output using a Go template; see "gh help formatting"

Submodule

List repository submodules

gh deps-kit submodule list [flags]

List submodules of the specified repository. Use --recursive to include nested submodules.

Flags:

Flag Short Default Description
--format Output format: {json}
--jq -q Filter JSON output using a jq expression
--name-only false Output only submodule names
--recursive -r false Recursively list nested submodules
--repo -R "" The repository in the format 'owner/repo'
--template -t Format JSON output using a Go template; see "gh help formatting"

Unity

List Unity package dependencies

gh deps-kit unity list [flags]

List dependency packages defined in a Unity project's Packages/manifest.json. The file path within the repository defaults to Packages/manifest.json and can be overridden with --path. Use --ref to target a specific branch, tag, or commit.

Flags:

Flag Short Default Description
--field "Name,Version,SHA,Path,URL" Comma-separated list of fields to display in table output. Available fields: Name, Version, SHA, Path, URL
--format Output format: {json}
--jq -q Filter JSON output using a jq expression
--name-only false Output only package names
--path "Packages/manifest.json" Path to manifest.json within the repository
--ref "" Branch, tag, or commit SHA to read from (default: repository default branch)
--repo -R "" The repository in the format 'owner/repo'
--template -t Format JSON output using a Go template; see "gh help formatting"

About

A GitHub CLI extension to inspect and manage dependency graphs, Actions dependencies, and submodules

Topics

Resources

License

Stars

Watchers

Forks

Packages

 
 
 

Contributors