This guide covers using the actions-dependency-submission action on GitHub Enterprise Cloud with Enterprise Managed Users (EMU).
EMU environments often have forked actions from public GitHub (github.com) that have been mirrored to your EMU instance. This action needs:
- A token with `contents: write` permission to submit dependencies to your EMU instance
- Optionally, a token with `contents: read` permission to public GitHub to look up original repositories for forked actions
- If your workflows reference private or internal actions, the primary token needs `contents: read` permission on those repositories
The primary token is used to submit dependencies and access your EMU instance.
The built-in GITHUB_TOKEN is the simplest and most secure option.
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for dependency submission
    steps:
      - uses: actions/checkout@v4
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
```

- ✅ Automatic: No setup required, automatically available
- ✅ Secure: Token is scoped to the workflow run and expires automatically
- ✅ No maintenance: No need to rotate or manage credentials
- ✅ Audit trail: Actions are attributed to the GitHub Actions bot
- ❌ Repository scoped: Cannot access private/internal actions in other repositories by default
- ❌ No public GitHub access: Cannot look up actions on public GitHub
Use the workflow token when:
- You only use actions mirrored to your EMU instance (no public GitHub lookups needed)
- Your workflows only use local composite actions within the same repository
- You have `fork-regex` configured and all forked actions exist locally on your EMU instance
If your workflows reference private or internal actions in other repositories, configure access via Allowing access to components in a private repository. Once configured, the `GITHUB_TOKEN` will have `contents: read` access to those repositories.
A GitHub App provides flexibility for accessing multiple repositories and better audit trails.
- Create a GitHub App in your EMU organization
- Configure the app with these permissions:
  - Repository permissions:
    - Contents: Read and Write
- Install the app on:
  - The repository where you're submitting dependencies
  - Any repositories containing private/internal actions you reference
- Note the App ID and generate a private key
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: read # Only needed if checking out code
    steps:
      - uses: actions/checkout@v4
      - name: Generate token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          repositories: |
            my-repo
            my-private-actions
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          fork-organizations: 'myenterprise'
```

- ✅ Organization-wide: Can be installed across multiple repositories
- ✅ Fine-grained permissions: Limit access to specific repositories
- ✅ Better audit trail: Actions are attributed to the app
- ✅ No user account dependency: Not tied to a specific user
- ✅ Cross-repository access: Can access private/internal actions
- ⚠️ Setup complexity: Requires creating and configuring a GitHub App
- ⚠️ Key management: Need to securely store app private key
- ⚠️ No public GitHub access: Cannot look up actions on public GitHub
Use a GitHub App token when:
- You need to access multiple repositories
- Your workflows reference private/internal actions in other repositories
- You want better audit trails
- You need organization-wide dependency submission
A personal access token can be used when GitHub Apps are not an option.
- Create a Fine-grained Personal Access Token (recommended)
- Configure with:
  - Repository access: Select repositories or all repositories
  - Permissions:
    - Contents: Read and Write
- Store as a repository secret (e.g., `DEPENDENCY_SUBMISSION_TOKEN`)
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: read # Only needed if checking out code
    steps:
      - uses: actions/checkout@v4
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.DEPENDENCY_SUBMISSION_TOKEN }}
          fork-organizations: 'myenterprise'
```

- ✅ Simple setup: Easy to create and configure
- ✅ Flexible: Can access multiple repositories
- ✅ Cross-repository access: Can access private/internal actions
- ⚠️ Security risk: Long-lived, doesn't expire automatically
- ⚠️ User-dependent: Tied to a specific user account
- ⚠️ Manual rotation: Must be manually rotated
- ⚠️ No public GitHub access: Cannot look up actions on public GitHub
When your EMU instance has forked actions without maintaining GitHub fork relationships, you need a token to look up the original repositories on public GitHub (github.com).
Create a separate GitHub App on public GitHub (github.com) for looking up action repositories.
- Create a GitHub App on public GitHub (github.com)
- Configure with minimal permissions:
  - Repository permissions:
    - Contents: Read (for public repositories)
    - Metadata: Read (automatically included)
- Install the app on public repositories you need to access (or make it public)
- Store the App ID and private key as secrets
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for dependency submission
    steps:
      - uses: actions/checkout@v4
      - name: Generate public GitHub token
        id: generate-public-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PUBLIC_GITHUB_APP_ID }}
          private-key: ${{ secrets.PUBLIC_GITHUB_APP_PRIVATE_KEY }}
          # This app is on public GitHub, not your EMU instance
          github-api-url: https://api.github.com
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
          public-github-token: ${{ steps.generate-public-token.outputs.token }}
```

- ✅ Secure: Short-lived tokens that auto-expire
- ✅ Fine-grained: Only needs read access to public repositories
- ✅ Better audit trail: Actions attributed to the app
- ✅ Automatic rotation: Tokens are generated on-demand
- ⚠️ Setup complexity: Requires creating an app on public GitHub
- ⚠️ Key management: Need to securely store app private key
- ⚠️ Additional step: Requires an extra workflow step
Create a personal access token on public GitHub (github.com) for read-only access to public repositories.
- Create a Fine-grained Personal Access Token on public GitHub (github.com)
- Configure with:
  - Repository access: Public Repositories (read-only)
  - Permissions:
    - Contents: Read
    - Metadata: Read
- Store as a repository secret (e.g., `PUBLIC_GITHUB_TOKEN`)
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for dependency submission
    steps:
      - uses: actions/checkout@v4
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
          public-github-token: ${{ secrets.PUBLIC_GITHUB_TOKEN }}
```

- ✅ Simple setup: Easy to create
- ✅ Read-only access: Limited to reading public repositories
- ⚠️ Security risk: Long-lived token that doesn't expire automatically
- ⚠️ User-dependent: Tied to a personal GitHub.com account
- ⚠️ Manual rotation: Must be manually rotated
- ⚠️ Audit trail: Actions attributed to the user
Personal access tokens:
- Don't expire automatically
- Are tied to a user account
- Must be manually rotated
- Can be used indefinitely if compromised

Recommendation: Use a GitHub App token instead for better security.
Best for when forked actions follow a naming convention and you don't need to look up actions on public GitHub.
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for dependency submission
    steps:
      - uses: actions/checkout@v4
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
          fork-regex: '^myenterprise/(?<org>[^_]+)_(?<repo>.+)'
```

In this example:
- `myenterprise/actions_checkout` resolves to `actions/checkout` using the regular expression pattern
- This simplifies repository name resolution but still requires a public GitHub token to look up tags from commit SHAs on the parent repository
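To see what the `fork-regex` convention does and does not resolve, here is an added JavaScript example (not the action's own code) that applies the pattern above to constructed `uses:` references, flags commit SHAs that still need a public GitHub tag lookup, and reports names under the fork organization that do not match the convention and would need manual mapping. The helper names and the classification it returns are assumptions for illustration.

```javascript
// Added example (not the action's code): how a fork-regex such as the one above maps
// mirrored action names back to upstream owner/repo; all inputs are constructed.
const FORK_ORGANIZATIONS = ['myenterprise'];
const FORK_REGEX = new RegExp('^myenterprise/(?<org>[^_]+)_(?<repo>.+)');
const SHA_RE = /^[0-9a-f]{40}$/i; // a pinned commit rather than a tag
// Parse a `uses:` value of the form owner/repo[/path]@ref.
// Local ("./...") and docker:// references have no owner/repo@ref and are skipped.
function parseUses(uses) {
  const at = uses.lastIndexOf('@');
  if (at < 0 || uses.startsWith('./') || uses.startsWith('docker://')) return null;
  const [owner, repo] = uses.slice(0, at).split('/');
  return owner && repo ? { owner, repo, ref: uses.slice(at + 1) } : null;
}
// Resolve one reference to the repository that belongs in the dependency snapshot
// and report whether github.com must be consulted to turn a SHA into a tag.
function resolveAction(uses) {
  const parsed = parseUses(uses);
  if (!parsed) return { uses, status: 'skipped', needsPublicLookup: false };
  const { owner, repo, ref } = parsed;
  if (!FORK_ORGANIZATIONS.includes(owner)) {
    // Not a mirrored fork: the name is already the upstream name.
    return { uses, status: 'upstream', upstream: `${owner}/${repo}`, ref, needsPublicLookup: false };
  }
  const m = FORK_REGEX.exec(`${owner}/${repo}`);
  if (!m) {
    // Under the fork org but not following the convention: the "cannot be resolved" case.
    return { uses, status: 'unresolved', ref, needsPublicLookup: false };
  }
  const upstream = `${m.groups.org}/${m.groups.repo}`;
  return { uses, status: 'resolved', upstream, ref, needsPublicLookup: SHA_RE.test(ref) };
}
// Walk a list of `uses:` values and collect what an operator should watch for.
function summarize(usesList) {
  const results = usesList.map(resolveAction);
  return {
    unresolved: results.filter(r => r.status === 'unresolved').map(r => r.uses),
    publicLookups: results.filter(r => r.needsPublicLookup).map(r => r.uses),
    results,
  };
}

const SAMPLE_USES = [ // constructed sample references from a workflow file
  'myenterprise/actions_checkout@v4',
  'myenterprise/actions_setup-node@0123456789abcdef0123456789abcdef01234567',
  'myenterprise/checkout@v4',
  './.github/actions/build',
  'actions/cache@v4',
];
console.log(JSON.stringify(summarize(SAMPLE_USES), null, 2));
```

The `unresolved` list is what the "monitor for actions that cannot be resolved" recommendation refers to; the `publicLookups` list is why a public GitHub token is still needed even with `fork-regex` set.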
Best for production environments requiring maximum security and audit trails.
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: read # Only needed for checkout
    steps:
      - uses: actions/checkout@v4
      - name: Generate EMU token
        id: generate-emu-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.EMU_APP_ID }}
          private-key: ${{ secrets.EMU_APP_PRIVATE_KEY }}
      - name: Generate public GitHub token
        id: generate-public-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PUBLIC_GITHUB_APP_ID }}
          private-key: ${{ secrets.PUBLIC_GITHUB_APP_PRIVATE_KEY }}
          github-api-url: https://api.github.com
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ steps.generate-emu-token.outputs.token }}
          fork-organizations: 'myenterprise'
          public-github-token: ${{ steps.generate-public-token.outputs.token }}
```

Workflow token for EMU, GitHub App for public GitHub lookups.
```yaml
name: Submit Dependencies
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly
jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for dependency submission
    steps:
      - uses: actions/checkout@v4
      - name: Generate public GitHub token
        id: generate-public-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PUBLIC_GITHUB_APP_ID }}
          private-key: ${{ secrets.PUBLIC_GITHUB_APP_PRIVATE_KEY }}
          github-api-url: https://api.github.com
      - uses: jessehouwing/actions-dependency-submission@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fork-organizations: 'myenterprise'
          public-github-token: ${{ steps.generate-public-token.outputs.token }}
```

| Token | Purpose | Minimum Permissions |
|---|---|---|
| Primary Token | Submit dependencies to EMU | contents: write |
| Primary Token | Access private/internal actions | contents: read (automatic) |
| Public GitHub Token | Look up actions on GitHub.com | contents: read (public repos) |
- Always define permissions at the job level for least privilege
- Use GitHub Apps for both tokens when possible for maximum security
- Use regular expression patterns to simplify repository name resolution (note: a public GitHub token is still required to look up tags from commit SHAs)
- Regularly audit public GitHub token usage and permissions
- Document your fork naming conventions if using regular expression patterns
- Monitor for actions that cannot be resolved and may need manual mapping
- Configure access to private/internal action repositories via repository settings