Show GitHub Actions
I recently needed to audit all of the actions being used by an organisation and realised that there's no way to do so in the GitHub interface.
Fortunately, all of the information I need is available in the API so I set out to build github-show-actions, a CLI that shows all actions used grouped by either the action name or the repo.
You can run it with npx github-show-actions if you have NPM installed. For extended usage information, see the README.
Here's how it looks when run against my GitHub account. Straight away I can see that I need to standardise on the version of actions/checkout I'm using and that most of the actions are used by action-test, the repo I use for testing workflows:
❯ npx github-show-actions --target mheap --group action
actions/checkout@v1
  mheap/phpunit-problem-matcher-test
actions/checkout@v2
  mheap/action-guard
  mheap/action-router
  mheap/action-run
  mheap/convert-action
  mheap/debug-artifact
  mheap/gatsby-plugin-redirect-to
  mheap/github-action-fail-at-weekend
  mheap/github-action-heroku-logs
  mheap/github-action-hold-your-horses
  mheap/github-action-issue-management
  mheap/github-action-issue-to-jira
  mheap/github-action-pr-heroku-review-app
  mheap/github-action-required-labels
  mheap/github-default-branch
  mheap/github-show-actions
  mheap/github-social-image
  mheap/github-update-secret
  mheap/json-schema-spell-checker
  mheap/local-credentials
  mheap/markdown-to-jira
  mheap/octokit-commit-multiple-files
  mheap/octokit-fetch-all-repos
  mheap/phpunit-github-actions-printer
  mheap/pin-github-action
  mheap/pocket-auth
  mheap/pocket-tagger
  mheap/pocket-tagger-cli
  mheap/problem-matcher
  mheap/regex-rules
  mheap/require-checklist-action
  mheap/reviewed-by-trailer-action
  mheap/trello-cli
  mheap/url-tagger
  mheap/wait-for-gem-version
actions/github-script@v2
  mheap/action-test
actions/setup-node@v1
  mheap/action-guard
  mheap/action-router
  mheap/action-run
  mheap/convert-action
  mheap/gatsby-plugin-redirect-to
  mheap/github-default-branch
  mheap/github-show-actions
  mheap/github-social-image
  mheap/github-update-secret
  mheap/json-schema-spell-checker
  mheap/local-credentials
  mheap/markdown-to-jira
  mheap/octokit-commit-multiple-files
  mheap/octokit-fetch-all-repos
  mheap/pin-github-action
  mheap/pocket-auth
  mheap/pocket-tagger
  mheap/pocket-tagger-cli
  mheap/problem-matcher
  mheap/regex-rules
  mheap/require-checklist-action
  mheap/trello-cli
  mheap/url-tagger
  mheap/wait-for-gem-version
JasonEtco/build-and-tag-action@v1
  mheap/debug-artifact
  mheap/github-action-heroku-logs
  mheap/github-action-hold-your-horses
  mheap/github-action-issue-management
  mheap/github-action-issue-to-jira
  mheap/github-action-pr-heroku-review-app
  mheap/github-action-required-labels
  mheap/require-checklist-action
  mheap/reviewed-by-trailer-action
JasonEtco/github-action-auto-compile-node@custom-entrypoint
  mheap/github-action-fail-at-weekend
mheap/debug-artifact@v1
  mheap/action-test
mheap/github-action-issue-to-jira@v1
  mheap/action-test
mheap/github-action-required-labels@v1
  mheap/action-test
mheap/reviewed-by-trailer-action@main
  mheap/action-test
shivammathur/setup-php@v2
  mheap/phpunit-github-actions-printer
If you were to run npx github-show-actions --target mheap --group repo to group by repo rather than action, here's an example of how it would be rendered. You can see that the majority of my actions depend on actions/checkout and actions/setup-node for running any CI tasks:
❯ npx github-show-actions --target mheap --group repo
mheap/action-guard
  actions/checkout@v2
  actions/setup-node@v1
mheap/action-router
  actions/checkout@v2
  actions/setup-node@v1
mheap/action-run
  actions/checkout@v2
  actions/setup-node@v1
mheap/action-test
  actions/github-script@v2
  mheap/debug-artifact@v1
  mheap/github-action-issue-to-jira@v1
  mheap/github-action-required-labels@v1
  mheap/node14-action@master
  mheap/reviewed-by-trailer-action@main
Being able to see at a glance which actions are used within an org allows you to audit what code is running in your repos. Here are a couple of things you might want to check:
- Show different versions of the same action being used
- Search for any actions that aren't pinned to a specific release
- Search for any actions that aren't pinned to a specific SHA
- See which actions are being used the most in your org
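
The four checks above can be scripted over the `--group action` output. This is an added example, not part of github-show-actions: the function names, the ref-classification heuristic and the sample data are assumptions made here, and the parser relies only on action refs containing `@` while repo names do not.

```javascript
// Constructed sample in the shape of `--group action` output (not real data).
const SAMPLE = `
actions/checkout@v1
  example-org/legacy-api
actions/checkout@v2
  example-org/web
  example-org/docs
actions/setup-node@0123456789abcdef0123456789abcdef01234567
  example-org/web
example-org/deploy-action@main
  example-org/web`;

// Assumption: tokens containing "@" are action refs; any other token is a
// repo that uses the most recently seen action ref.
function parseGroupedByAction(text) {
  const uses = new Map();
  let current = null;
  for (const token of text.split(/\s+/).filter(Boolean)) {
    if (token.includes("@")) {
      current = token;
      if (!uses.has(current)) uses.set(current, []);
    } else if (current) uses.get(current).push(token);
  }
  return uses;
}

// Heuristic: 40 hex chars is a commit SHA, vN or vN.N.N looks like a release
// tag, anything else (main, master, feature branches) counts as unpinned.
function classifyRef(ref) {
  if (/^[0-9a-f]{40}$/i.test(ref)) return "sha";
  return /^v?\d+(\.\d+){0,2}$/.test(ref) ? "release" : "unpinned";
}

function audit(text) {
  const versions = new Map(), usage = new Map(), notRelease = [], notSha = [];
  for (const [action, repos] of parseGroupedByAction(text)) {
    const at = action.lastIndexOf("@");
    const name = action.slice(0, at), ref = action.slice(at + 1);
    versions.set(name, (versions.get(name) || new Set()).add(ref));
    usage.set(name, (usage.get(name) || 0) + repos.length);
    if (classifyRef(ref) === "unpinned") notRelease.push(action);
    if (classifyRef(ref) !== "sha") notSha.push(action);
  }
  const multiVersion = [...versions].filter(([, refs]) => refs.size > 1)
    .map(([name, refs]) => [name, [...refs]]);
  const mostUsed = [...usage].sort((a, b) => b[1] - a[1]);
  return { multiVersion, notRelease, notSha, mostUsed };
}
console.log(JSON.stringify(audit(SAMPLE), null, 2));
```

A tag such as v2 can be moved to a different commit by the action's maintainer, which is why the SHA check is reported separately from the release check.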