Zulip Chat Archive

Stream: lean4

Topic: GitHub dependency support

---

Eric Wieser (Dec 23 2023 at 22:12):

It turns out that it's possible to teach GitHub how to read the lake manifest as part of a CI step, as described at https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api. It would be neat if someone (maybe at the FRO?) could prototype a GitHub action that does this; perhaps it would enable usage with dependabot or similar

Eric Wieser (Dec 23 2023 at 22:22):

Ah, looks like dependabot is not accepting new ecosystems

Eric Wieser (Dec 23 2023 at 22:22):

But dependency info would still be neat

Henrik Böving (Dec 23 2023 at 22:26):

Eric Wieser said:

Ah, looks like dependabot is not accepting new ecosystems

I mean if we really want to we could fork dependabot right?

Eric Wieser (Dec 23 2023 at 22:29):

I'm not sure to what extent dependabot relies on being first party

Yakov Pechersky (Dec 23 2023 at 22:46):

One can run a forked image of dependabot specialized to a language they don't support. Then, in a custom gh workflow, one runs the custom image and executes the API calls against the repo on one's own CI machines.

---

Last updated: May 02 2025 at 03:31 UTC