book

GitHub Actions in Action

Name: GitHub Actions in Action
ISBN: 9781633437302

by Marcel de Vries, Rob Bos, Michael Kaufmann

December 2024

Beginner to intermediate

256 pages

6h 44m

English

Manning Publications

Read now

Unlock full access

GitHub Actions in Action
Copyright
contents
front matter
forewordprefaceacknowledgmentsabout this bookWho should read this book?How this book is organized: A roadmapAbout the codeliveBook discussion forumabout the authorsabout the cover illustration
Part 1. Action fundamentals
1 Introduction to GitHub Actions
1.1 An introduction to the GitHub universe1.2 What are GitHub Actions and workflows?1.3 GitHub Actions: More than CI/CD pipelines1.4 Hosting and pricing for GitHub and GitHub Actions1.4.1 GitHub Enterprise Cloud1.4.2 GitHub Enterprise Server1.4.3 GitHub pricing1.4.4 GitHub Actions pricing1.5 ConclusionSummary
2 Hands-on: My first Actions workflow
2.1 Creating a new workflow2.2 Using the workflow editor2.3 Using actions from the marketplace2.4 Running the workflow2.5 ConclusionSummary
3 Workflows
3.1 YAML3.1.1 YAML basics3.1.2 Data types3.2 The workflow syntax3.3 Events and triggers3.3.1 Webhook triggers3.3.2 Scheduled triggers3.3.3 Manual triggers3.4 Workflow jobs and steps3.4.1 Workflow jobs3.4.2 Workflow steps3.4.3 Using GitHub actions3.4.4 The matrix strategy3.5 Expressions and contexts3.6 Workflow commands3.6.1 Writing a debug message3.6.2 Creating error or warning messages3.6.3 Passing an output to subsequent steps and jobs3.6.4 Environment files3.6.5 Job summaries3.7 Secrets and variables3.8 Workflow permissions3.9 Authoring and debugging workflows3.10 ConclusionSummary
4 GitHub Actions
4.1 Types of actions4.1.1 Docker container actions4.1.2 JavaScript actions4.1.3 Composite actions4.2 Authoring actions4.2.1 Getting started4.2.2 Storing actions in GitHub4.2.3 Compatibility with GitHub Enterprise Server4.2.4 Release management4.3 Hands-on lab: My first Docker container action4.3.1 Using the template to create a new repository4.3.2 Creating the Dockerfile for the action4.3.3 Creating the action.yml file4.3.4 Creating the entrypoint.sh script4.3.5 Create a workflow to test the container4.4 Sharing actions4.4.1 Sharing actions in your organization4.4.2 Sharing actions publicly4.5 Advanced action development4.6 Best practices4.7 ConclusionSummary
Part 2. Workflow runtime

5 Runners
5.1 Targeting a runner5.2 Queuing jobs5.3 The runner application5.4 GitHub-hosted runners5.5 Hosted operating systems5.6 Installed software5.7 Default shells5.8 Installing extra software5.9 Location and hardware specifications of the hosted runners5.10 Concurrent jobs5.11 Larger GitHub-hosted runners5.12 GitHub-hosted runners in your own Azure Virtual Network5.13 Billing GitHub-hosted runners5.14 Analyzing the usage of GitHub-hosted runners5.15 Self-hosted runnersSummary
6 Self-hosted runners
6.1 Setting up self-hosted runners6.1.1 Runner communication6.1.2 Queued jobs6.1.3 Updating self-hosted runners6.1.4 Available runners6.1.5 Downloading actions and source code6.1.6 Runner capabilities6.1.7 Self-hosted runner behind a proxy6.1.8 Usage limits of self-hosted runners6.1.9 Installing extra software6.1.10 Runner service account6.1.11 Pre- and post-job scripts6.1.12 Adding extra information to your logs6.1.13 Customizing the containers during a job6.2 Security risks of self-hosted runners6.3 Single-use runners6.3.1 Ephemeral runners6.3.2 Just-in-time runners6.4 Disabling self-hosted runner creation6.5 Autoscaling options6.5.1 Autoscaling with Actions Runner Controller6.5.2 Communication in ARC6.5.3 ARC monitoringSummary
7 Managing your self-hosted runners
7.1 Runner groups7.1.1 Assigning a runner to a runner group7.2 Monitoring your runners7.2.1 What to monitor7.2.2 Monitoring available runners using GitHub Actions7.2.3 Building a custom solution7.2.4 Using a monitoring solution7.3 Runner utilization and capacity needs7.4 Monitoring network access7.4.1 Monitor and limit network access7.4.2 Recommended setup7.5 Internal billing for action usageSummary
Part 3. CI/CD with GitHub Actions
8 Continuous integration
8.1 GloboTicket: A sample application8.2 Why continuous integration?8.3 Types of CI8.3.1 Using a branching strategy: GitHub Flow8.3.2 CI for integration8.3.3 CI for quality control8.3.4 CI for security testing8.3.5 CI for packaging8.4 Generic CI workflow steps8.4.1 Getting the sources8.4.2 Building the sources into artifacts8.4.3 Testing the artifacts8.4.4 Test result reporting8.4.5 Using containers for jobs8.4.6 Multiple workflows vs. multiple jobs: Which to choose?8.4.7 Parallel execution of jobs8.5 Preparing for deployment8.5.1 Traceability of source to artifacts8.5.2 Ensuring delivery integrity: The software bill of materials8.5.3 Versioning8.5.4 Testing for security with container scanning8.5.5 Using GitHub package management and container registry8.5.6 Using the upload/download capability to store artifacts8.5.7 Preparing deployment artifacts8.5.8 Creating a release8.6 The CI workflows for GloboTicket8.6.1 The integration CI for APIs and frontends8.6.2 CI workflows for quality control8.6.3 The CI workflow for security testing8.6.4 The CI workflows for container image creation and publishing8.6.5 Creating a release8.7 ConclusionSummary
9 Continuous delivery
9.1 CD workflow steps9.1.1 Steps to deploy our GloboTicket application9.1.2 Triggering the deployment9.1.3 Getting the deployment artifacts9.1.4 Deployment9.1.5 Verifying the deployment9.2 Using environments9.2.1 What is an environment?9.2.2 Manual approval9.2.3 Environment variables9.2.4 Dealing with secrets9.3 Deployment strategies9.3.1 Deploying on premises9.3.2 Deploying to cloud9.3.3 OpenID Connect (OIDC)9.3.4 Using health endpoints9.3.5 Deployment vs. release9.3.6 Zero-downtime deployments9.3.7 Red–green deployments9.3.8 Ring-based deploymentsSummary
10 Security
10.1 Preventing pwn requests10.2 Managing untrusted input10.3 GitHub Actions security10.3.1 The principle of least privileged10.3.2 Referencing actions10.4 Supply chain security10.4.1 Dependabot version updates for actions10.4.2 Code scanning actionsSummary
11 Compliance
11.1 How to ensure traceability of work11.1.1 How to ensure commits are traceable11.2 How to enforce the four-eyes principle11.2.1 Enforcing segregation of duties with CODEOWNERS file11.2.2 Showing end-to-end traceability11.3 Mandatory workflowsSummary
12 Improving workflow performance and costs
12.1 Dealing with high-volume builds12.1.1 Concurrency groups12.1.2 Merge queues12.2 Reducing the costs of maintaining artifacts12.3. Improving performance12.3.1 Using a sparse checkout12.3.2 Adding caching12.3.3 Detecting a cache hit and skipping the work12.3.4 Selecting other runners12.4 Optimizing your jobsSummary
Index

Content preview from GitHub Actions in Action

10 Security

This chapter covers

Writing secure action workflows
Securing the actions used in workflows
Adding supply chain security
Enabling Dependabot for dependency scanning
Enabling code scanning with CodeQL

This chapter shares best practices to ensure you use actions and workflows in a safe and secure way. In the chapter, we will describe problems commonly encountered when using actions as well as how you can deal with them. We start this chapter with some basic security bugs you need to be aware of and how your team or organization can avoid them. The second part of the chapter covers how to ensure you are doing all you can to deliver software that is secure as a result of the automation process.

10.1 Preventing pwn requests

GitHub workflows ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781633437302Publisher Support Publisher Website

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

GitHub Actions in Action

by Marcel de Vries, Rob Bos, Michael Kaufmann

10 Security

10.1 Preventing pwn requests

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.