book

GitHub Actions in Action

by Michael Kaufmann, Marcel de Vries, Rob Bos

December 2024

Beginner to intermediate

256 pages

6h 44m

English

Manning Publications

Read now

Unlock full access

forewordprefaceacknowledgmentsabout this bookWho should read this book?How this book is organized: A roadmapAbout the codeliveBook discussion forumabout the authorsabout the cover illustration
1.1 An introduction to the GitHub universe1.2 What are GitHub Actions and workflows?1.3 GitHub Actions: More than CI/CD pipelines1.4 Hosting and pricing for GitHub and GitHub Actions1.4.1 GitHub Enterprise Cloud1.4.2 GitHub Enterprise Server1.4.3 GitHub pricing1.4.4 GitHub Actions pricing1.5 ConclusionSummary
2.1 Creating a new workflow2.2 Using the workflow editor2.3 Using actions from the marketplace2.4 Running the workflow2.5 ConclusionSummary
3.1 YAML3.1.1 YAML basics3.1.2 Data types3.2 The workflow syntax3.3 Events and triggers3.3.1 Webhook triggers3.3.2 Scheduled triggers3.3.3 Manual triggers3.4 Workflow jobs and steps3.4.1 Workflow jobs3.4.2 Workflow steps3.4.3 Using GitHub actions3.4.4 The matrix strategy3.5 Expressions and contexts3.6 Workflow commands3.6.1 Writing a debug message3.6.2 Creating error or warning messages3.6.3 Passing an output to subsequent steps and jobs3.6.4 Environment files3.6.5 Job summaries3.7 Secrets and variables3.8 Workflow permissions3.9 Authoring and debugging workflows3.10 ConclusionSummary
4.1 Types of actions4.1.1 Docker container actions4.1.2 JavaScript actions4.1.3 Composite actions4.2 Authoring actions4.2.1 Getting started4.2.2 Storing actions in GitHub4.2.3 Compatibility with GitHub Enterprise Server4.2.4 Release management4.3 Hands-on lab: My first Docker container action4.3.1 Using the template to create a new repository4.3.2 Creating the Dockerfile for the action4.3.3 Creating the action.yml file4.3.4 Creating the entrypoint.sh script4.3.5 Create a workflow to test the container4.4 Sharing actions4.4.1 Sharing actions in your organization4.4.2 Sharing actions publicly4.5 Advanced action development4.6 Best practices4.7 ConclusionSummary

5.1 Targeting a runner5.2 Queuing jobs5.3 The runner application5.4 GitHub-hosted runners5.5 Hosted operating systems5.6 Installed software5.7 Default shells5.8 Installing extra software5.9 Location and hardware specifications of the hosted runners5.10 Concurrent jobs5.11 Larger GitHub-hosted runners5.12 GitHub-hosted runners in your own Azure Virtual Network5.13 Billing GitHub-hosted runners5.14 Analyzing the usage of GitHub-hosted runners5.15 Self-hosted runnersSummary
6.1 Setting up self-hosted runners6.1.1 Runner communication6.1.2 Queued jobs6.1.3 Updating self-hosted runners6.1.4 Available runners6.1.5 Downloading actions and source code6.1.6 Runner capabilities6.1.7 Self-hosted runner behind a proxy6.1.8 Usage limits of self-hosted runners6.1.9 Installing extra software6.1.10 Runner service account6.1.11 Pre- and post-job scripts6.1.12 Adding extra information to your logs6.1.13 Customizing the containers during a job6.2 Security risks of self-hosted runners6.3 Single-use runners6.3.1 Ephemeral runners6.3.2 Just-in-time runners6.4 Disabling self-hosted runner creation6.5 Autoscaling options6.5.1 Autoscaling with Actions Runner Controller6.5.2 Communication in ARC6.5.3 ARC monitoringSummary
7.1 Runner groups7.1.1 Assigning a runner to a runner group7.2 Monitoring your runners7.2.1 What to monitor7.2.2 Monitoring available runners using GitHub Actions7.2.3 Building a custom solution7.2.4 Using a monitoring solution7.3 Runner utilization and capacity needs7.4 Monitoring network access7.4.1 Monitor and limit network access7.4.2 Recommended setup7.5 Internal billing for action usageSummary
8.1 GloboTicket: A sample application8.2 Why continuous integration?8.3 Types of CI8.3.1 Using a branching strategy: GitHub Flow8.3.2 CI for integration8.3.3 CI for quality control8.3.4 CI for security testing8.3.5 CI for packaging8.4 Generic CI workflow steps8.4.1 Getting the sources8.4.2 Building the sources into artifacts8.4.3 Testing the artifacts8.4.4 Test result reporting8.4.5 Using containers for jobs8.4.6 Multiple workflows vs. multiple jobs: Which to choose?8.4.7 Parallel execution of jobs8.5 Preparing for deployment8.5.1 Traceability of source to artifacts8.5.2 Ensuring delivery integrity: The software bill of materials8.5.3 Versioning8.5.4 Testing for security with container scanning8.5.5 Using GitHub package management and container registry8.5.6 Using the upload/download capability to store artifacts8.5.7 Preparing deployment artifacts8.5.8 Creating a release8.6 The CI workflows for GloboTicket8.6.1 The integration CI for APIs and frontends8.6.2 CI workflows for quality control8.6.3 The CI workflow for security testing8.6.4 The CI workflows for container image creation and publishing8.6.5 Creating a release8.7 ConclusionSummary
9.1 CD workflow steps9.1.1 Steps to deploy our GloboTicket application9.1.2 Triggering the deployment9.1.3 Getting the deployment artifacts9.1.4 Deployment9.1.5 Verifying the deployment9.2 Using environments9.2.1 What is an environment?9.2.2 Manual approval9.2.3 Environment variables9.2.4 Dealing with secrets9.3 Deployment strategies9.3.1 Deploying on premises9.3.2 Deploying to cloud9.3.3 OpenID Connect (OIDC)9.3.4 Using health endpoints9.3.5 Deployment vs. release9.3.6 Zero-downtime deployments9.3.7 Red–green deployments9.3.8 Ring-based deploymentsSummary
10.1 Preventing pwn requests10.2 Managing untrusted input10.3 GitHub Actions security10.3.1 The principle of least privileged10.3.2 Referencing actions10.4 Supply chain security10.4.1 Dependabot version updates for actions10.4.2 Code scanning actionsSummary
11.1 How to ensure traceability of work11.1.1 How to ensure commits are traceable11.2 How to enforce the four-eyes principle11.2.1 Enforcing segregation of duties with CODEOWNERS file11.2.2 Showing end-to-end traceability11.3 Mandatory workflowsSummary
12.1 Dealing with high-volume builds12.1.1 Concurrency groups12.1.2 Merge queues12.2 Reducing the costs of maintaining artifacts12.3. Improving performance12.3.1 Using a sparse checkout12.3.2 Adding caching12.3.3 Detecting a cache hit and skipping the work12.3.4 Selecting other runners12.4 Optimizing your jobsSummary

Content preview from GitHub Actions in Action

10 Security

This chapter covers

Writing secure action workflows
Securing the actions used in workflows
Adding supply chain security
Enabling Dependabot for dependency scanning
Enabling code scanning with CodeQL

This chapter shares best practices to ensure you use actions and workflows in a safe and secure way. In the chapter, we will describe problems commonly encountered when using actions as well as how you can deal with them. We start this chapter with some basic security bugs you need to be aware of and how your team or organization can avoid them. The second part of the chapter covers how to ensure you are doing all you can to deliver software that is secure as a result of the automation process.