maennchen

GitHub Dependency Submission for Mix

Hey everyone!

If your Elixir project lives on GitHub (public or private), there’s a new GitHub Action that might be worth adding to your CI setup:
erlef/mix-dependency-submission

This Action extracts your dependencies from your mix.exs / mix.lock and submits them to GitHub’s Dependency Submission API. That unlocks several useful GitHub features:

  • Dependabot alerts and security updates — including transitive deps
  • Full dependency graph visibility — even without lockfiles
  • Dependency Review — see what changed in PRs
  • Helps with auditing and compliance for third-party packages

Quick Example

Add this to your GitHub Actions workflow:

on:
  push:
    branches:
      - "main"

jobs:
  report_mix_deps:
    runs-on: ubuntu-latest
    # The Dependency Submission API writes to the repository's dependency
    # graph, so the job token needs contents: write (the default read-only
    # token is not enough).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: erlef/mix-dependency-submission@v1

OS Support

It works out-of-the-box on GitHub-hosted runners for:

  • Linux (x64, ARM64)
  • macOS (x64, ARM64)
  • Windows (x64)

Check the README for full compatibility details.


The Action was built as part of the Erlang Ecosystem Foundation’s ongoing efforts to support the BEAM community’s tooling and security story. Feedback and adoption are super appreciated — especially if you’re managing multiple projects or teams.

Let me know if you try it out or run into any issues!

Most Liked Responses

maennchen

I’ve already reached out to GitHub about the possibility to integrate this into GitHub itself and run it for all Elixir projects. The project is engineered in a way that should also make it simple for them to integrate. (Small self-contained Burrito-based binary)

For now we should try to get it implemented in many repositories so that GitHub will see the interest of the community.

On Gleam / Rebar3: We’re discussing the possibility to build this for rebar3 as well in the EEF. There are, however, a few uncertainties that we have to clear up first. I did not yet look into Gleam.

jjcarstens

Nerves Core Team

@maennchen This is great and such perfect timing for us. We’ve been ramping up lots of security practices across all our repos and this helps get us one step closer to looking as shiny as the other natively supported languages!

maennchen

Yes, mix.exs files are arbitrary Elixir code. mix.lock always has the same format, but is still Elixir code.

Depending on the SCM (Git / Path, Hex, …), there will be an entry in the lockfile (optional) and it contains different content per SCM. For example, Hex saves the transitive dependencies, Git does not.

To get all the info out, I had to have mix running. (Mix.in_project)
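The point above, that mix.lock is Elixir source and that Hex entries carry transitive requirements while Git entries do not, as an added example (my code, not part of erlef/mix-dependency-submission). It reads a constructed lockfile with Code.string_to_quoted/1 rather than evaluating it, and assumes the 8-element Hex tuple written by current Hex; other shapes are reported as :unknown rather than guessed at.

```elixir
defmodule LockInspect do
  @moduledoc """
  Added example, not code from erlef/mix-dependency-submission: read a
  mix.lock without evaluating it. Because mix.lock is Elixir source,
  Code.eval_string/1 on an untrusted lockfile would run whatever it
  contains; Code.string_to_quoted/1 only parses, so we walk the AST.
  """

  # Constructed sample lockfile; the checksum strings are placeholders.
  @sample_lock ~S"""
  %{
    "jason": {:hex, :jason, "1.4.1", "INNER_CHECKSUM_PLACEHOLDER", [:mix],
              [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}],
              "hexpm", "OUTER_CHECKSUM_PLACEHOLDER"},
    "my_git_dep": {:git, "https://example.invalid/my_git_dep.git", "0123abcd", []}
  }
  """

  def sample_lock, do: @sample_lock

  @doc "Parses lock text into one map per dependency without running it."
  def parse(lock_text) do
    # A map literal is quoted as {:%{}, meta, keyword_pairs}.
    {:ok, {:%{}, _meta, entries}} = Code.string_to_quoted(lock_text)
    Enum.map(entries, &entry/1)
  end

  # Tuples with more than two elements are quoted as {:{}, meta, elems}.
  # Hex entries (assumed 8-element form) carry the transitive requirements.
  defp entry({name, {:{}, _, [:hex, _pkg, version, _inner, _mgrs, deps, repo, _outer]}}) do
    transitive = for {:{}, _, [dep, req, _opts]} <- deps, do: {dep, req}
    %{name: name, scm: :hex, version: version, repo: repo, transitive: transitive}
  end

  # Git entries record only url and ref; their own deps are not in the lock.
  defp entry({name, {:{}, _, [:git, url, ref, _opts]}}) do
    %{name: name, scm: :git, source: url, ref: ref, transitive: []}
  end

  # Anything else (older lock formats, path deps) is reported, not guessed at.
  defp entry({name, _other}), do: %{name: name, scm: :unknown, transitive: []}
end

LockInspect.parse(LockInspect.sample_lock())
```

For the sample, the :jason entry comes back with transitive: [decimal: "~> 1.0 or ~> 2.0"] and the Git entry with an empty transitive list, which is exactly why a lockfile alone cannot give the full graph for Git dependencies.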
