book

Learning GitHub Actions

by Brent Laster

August 2023

Intermediate to advanced

411 pages

9h 24m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

The Structure of This BookPart I: FoundationsPart II: Building BlocksPart III: Security and MonitoringPart IV: Advanced TopicsIntended AudienceContinuing with GitHub ActionsConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
What Is GitHub Actions?Automation PlatformFrameworkWhat Are the Use Cases for GitHub Actions?Starter WorkflowsActions MarketplaceWhat Costs Are Involved?The Free ModelThe Paid ModelWhen Does Moving to GitHub Actions Make Sense?Investment in GitHubUse of Public ActionsCreating Your Own ActionsArtifact ManagementAction ManagementConclusion
An OverviewTriggering WorkflowsComponentsStepsRunnersJobsWorkflowWorkflow ExecutionConclusion
The Structure of an actionInterfacing with actionsUsing actionsPublic actions and the MarketplaceConclusion
Creating the First Workflow in a RepositoryCommitting the Initial WorkflowUsing the VS Code GitHub Actions ExtensionConclusion
GitHub-Hosted RunnersWhat’s in the Runner Images?Adding Additional Software on RunnersSelf-Hosted RunnersRequirements for Self-Hosted RunnersLimits for Self-Hosted RunnersSecurity Considerations for Using Self-Hosted RunnersSetting Up a Self-Hosted RunnerUsing a Self-Hosted RunnerUsing Labels with Self-Hosted RunnersTroubleshooting Self-Hosted RunnersRemoving a Self-Hosted RunnerAutoscaling Self-Hosted RunnersJust-in-Time RunnersConclusion
Naming Your Workflow and Workflow RunsContextsEnvironment VariablesDefault Environment VariablesSecrets and Configuration VariablesManaging Permissions for Your WorkflowDeployment EnvironmentsConclusion

Working with Inputs and Outputs in WorkflowsDefining and Referencing Workflow InputsCapturing Output from a StepCapturing Output from a JobCapturing Output from an Action Used in a StepDefining ArtifactsUploading and Downloading ArtifactsAdding ParametersUsing Caches in GitHub ActionsUsing the Explicit Cache ActionMonitoring CachesActivating a Cache with a Setup ActionConclusion
Advanced Triggering from ChangesTriggering Based on Activity TypesUsing Filters to Refine TriggersTriggering Workflows Without a ChangeDealing with ConcurrencyRunning a Workflow with a MatrixWorkflow FunctionsConditionals and Status FunctionsConclusion
Security by ConfigurationManaging Execution of Workflows from Pull RequestsWorkflow PermissionsThe CODEOWNERS FileProtected TagsProtected BranchesRepository RulesSecurity by DesignSecretsSecuring SecretsTokensDealing with Untrusted InputSecuring Your DependenciesSecurity by MonitoringScanningProcessing Pull Requests SecurelyVulnerabilities with Workflows in Pull RequestsVulnerabilities with Source Code in Pull RequestsAdding a Pull Request Validation ScriptSafely Handling Pull RequestsConclusion
Gaining More ObservabilityUnderstanding Status at a High LevelCreating Status Badges for WorkflowsWorking with Past StatesMapping Workflow Versions to RunsRe-running Jobs in a WorkflowDebugging WorkflowsStep Debug LoggingDebugging the Runner EnvironmentActivating DebuggingAugmenting and Customizing LoggingAdding Your Own Messages in LogsAdditional Log CustomizationsCreating a Customized Job SummaryConclusion
Anatomy of an actionTypes of ActionsComposite ActionDocker Container ActionCreating a JavaScript ActionCompleting Your Action CreationPublishing Actions on the GitHub MarketplaceUpdating Actions on the MarketplaceRemoving an Action from the MarketplaceThe Actions ToolkitUsing Workflow Commands from the ToolkitLocal actionsConclusion
Creating Your Own Starter WorkflowsCreating a Starter Workflow AreaCreating a Starter Workflow FileAdding Supporting PiecesUsing the New Starter WorkflowReusable WorkflowsInputs and SecretsOutputsLimitationsRequired WorkflowsConstraintsExampleExecutionConclusion
Driving GitHub from Your WorkflowUsing the GitHub CLICreating ScriptsInvoking GitHub APIsUsing a Matrix Strategy to Automatically Create JobsOne-Dimensional MatricesMulti-dimensional MatricesIncluding Extra ValuesExcluding ValuesHandling Failure CasesDefining Max Concurrent JobsUsing Containers in Your WorkflowUsing a Container as the Environment for a JobUsing a Container with a StepRunning Containers as Services in a JobConclusion
PrepSource CodeAutomationInfrastructureUsersAzure PipelinesCircleCIGitLab CI/CDJenkinsTravis CIGitHub Actions ImporterAuthenticationPlanningBuild Steps and RelatedManual TasksFile ManifestForecastingDoing a Dry RunCreating Custom Transformers for the ImporterDoing the Actual MigrationConclusion

Content preview from Learning GitHub Actions

Chapter 9. Actions and Security

As seen throughout the preceding chapters, actions provide impressive levels of automation. They also provide ways to accomplish tasks in GitHub directly that would not be possible otherwise. However, these same capabilities can also imply security risks that must be considered and planned for in advance. Otherwise, you are opening your repositories up to multiple attack surfaces and vulnerabilities. This can be either through someone taking deliberate advantage of security holes or through accidental misuse. And you are opening up the repository of anyone who forks yours to the same kinds of exposures.

Keep in mind that you are using a framework wholly designed for collaboration. While GitHub provides world-class security for its platform and data, it is still up to the individual repository owners to take the appropriate precautions and measures to secure their repositories. This includes managing who and what is allowed to operate within them. This is especially important with workflows and actions in the mix since the specific purpose of them is to execute code.

In this chapter, I’ll look at the security implications of working with workflows and actions in the context of your repositories. And I’ll review the mechanisms that GitHub provides to allow you to set appropriate bounds on what your actions can do and when they can be executed. Throughout, I’ll also highlight some best practices from GitHub around security with workflows and actions. ...