Show GitHub Actions CLI

Audit all GitHub Actions used by a user or organisation

I recently needed to audit all of the actions being used by an organisation and realised that there’s no way to do so in the GitHub interface.

Fortunately, all of the information I needed is available through the GitHub API, so I set out to build github-show-actions, a CLI that lists every action in use, grouped either by action name or by repo.

You can run it with npx github-show-actions if you have npm installed. For extended usage information, see the README.

Here’s how it looks when run against my GitHub account. Straight away I can see that I need to standardise on a single version of actions/checkout, and that most of the actions are used by action-test, the repo I use for testing workflows:

❯ npx github-show-actions --target mheap --group action
actions/[email protected]
mheap/phpunit-problem-matcher-test

actions/[email protected]
mheap/action-guard
mheap/action-router
mheap/action-run
mheap/convert-action
mheap/debug-artifact
mheap/gatsby-plugin-redirect-to
mheap/github-action-fail-at-weekend
mheap/github-action-heroku-logs
mheap/github-action-hold-your-horses
mheap/github-action-issue-management
mheap/github-action-issue-to-jira
mheap/github-action-pr-heroku-review-app
mheap/github-action-required-labels
mheap/github-default-branch
mheap/github-show-actions
mheap/github-social-image
mheap/github-update-secret
mheap/json-schema-spell-checker
mheap/local-credentials
mheap/markdown-to-jira
mheap/octokit-commit-multiple-files
mheap/octokit-fetch-all-repos
mheap/phpunit-github-actions-printer
mheap/pin-github-action
mheap/pocket-auth
mheap/pocket-tagger
mheap/pocket-tagger-cli
mheap/problem-matcher
mheap/regex-rules
mheap/require-checklist-action
mheap/reviewed-by-trailer-action
mheap/trello-cli
mheap/url-tagger
mheap/wait-for-gem-version

actions/[email protected]
mheap/action-test

actions/[email protected]
mheap/action-guard
mheap/action-router
mheap/action-run
mheap/convert-action
mheap/gatsby-plugin-redirect-to
mheap/github-default-branch
mheap/github-show-actions
mheap/github-social-image
mheap/github-update-secret
mheap/json-schema-spell-checker
mheap/local-credentials
mheap/markdown-to-jira
mheap/octokit-commit-multiple-files
mheap/octokit-fetch-all-repos
mheap/pin-github-action
mheap/pocket-auth
mheap/pocket-tagger
mheap/pocket-tagger-cli
mheap/problem-matcher
mheap/regex-rules
mheap/require-checklist-action
mheap/trello-cli
mheap/url-tagger
mheap/wait-for-gem-version

JasonEtco/[email protected]
mheap/debug-artifact
mheap/github-action-heroku-logs
mheap/github-action-hold-your-horses
mheap/github-action-issue-management
mheap/github-action-issue-to-jira
mheap/github-action-pr-heroku-review-app
mheap/github-action-required-labels
mheap/require-checklist-action
mheap/reviewed-by-trailer-action

JasonEtco/[email protected]
mheap/github-action-fail-at-weekend

mheap/[email protected]
mheap/action-test

mheap/[email protected]
mheap/action-test

mheap/[email protected]
mheap/action-test

mheap/[email protected]
mheap/action-test

shivammathur/[email protected]
mheap/phpunit-github-actions-printer

Running npx github-show-actions --target mheap --group repo groups the output by repo rather than by action. Here’s an excerpt of how that is rendered; you can see that the majority of my actions depend on actions/checkout and actions/setup-node to run their CI tasks:

❯ npx github-show-actions --target mheap --group repo
mheap/action-guard
actions/[email protected]
actions/[email protected]

mheap/action-router
actions/[email protected]
actions/[email protected]

mheap/action-run
actions/[email protected]
actions/[email protected]

mheap/action-test
actions/[email protected]
mheap/[email protected]
mheap/[email protected]
mheap/[email protected]
mheap/[email protected]
mheap/[email protected]

Being able to see at a glance which actions are used within an org lets you audit what third-party code is running in your workflows. Here are a few things you might want to check:

  • Spot different versions of the same action in use across the org
  • Find actions that aren’t pinned to a specific release (for example, ones referenced by a branch such as @main)
  • Find actions that aren’t pinned to a full commit SHA: a tag such as v2 can be moved or deleted by the action’s maintainer, so only a SHA guarantees that the code you reviewed is the code that runs
  • See which actions are used the most in your org
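To make those checks concrete, here is an added example in JavaScript (matching the npm packaging of the CLI). It is not the github-show-actions source: it takes workflow file contents keyed by repo, pulls out every uses: reference, groups them by action or by repo in the same shape as the CLI output above, and classifies how each reference is pinned so that unpinned and multi-version actions can be flagged. The repo names, workflow contents and the 40-character SHA are constructed samples; in practice the workflow files would be fetched from each repo’s .github/workflows directory via the GitHub API.

```javascript
// Added example (not the github-show-actions source): group `uses:` references
// from workflow files and flag ones that are not pinned to an immutable SHA.

// Constructed sample input: "owner/repo" -> contents of one workflow file.
const SAMPLE_WORKFLOWS = {
  "example-org/web-app": `
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: 14
      - uses: ./.github/actions/local-lint
`,
  "example-org/api": `
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
      - uses: some-vendor/deploy-action@main
      - uses: docker://alpine:3.12
`,
};

// `uses:` values are plain scalars, so a line-oriented regex is enough here.
const USES_RE = /^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?/gm;

function extractUses(yamlText) {
  return [...yamlText.matchAll(USES_RE)].map((m) => m[1]);
}

// How is the reference pinned? Only a full commit SHA is immutable.
function classifyRef(ref) {
  if (ref.startsWith("./")) return "local";        // action in the same repo
  if (ref.startsWith("docker://")) return "docker"; // container image, not a repo ref
  const at = ref.lastIndexOf("@");
  if (at === -1) return "unpinned";                 // no ref at all
  const version = ref.slice(at + 1);
  if (/^[0-9a-f]{40}$/i.test(version)) return "sha";
  if (/^v?\d+\.\d+\.\d+$/.test(version)) return "release";     // exact release tag
  if (/^v?\d+(\.\d+)?$/.test(version)) return "floating-tag";  // e.g. v2, moves between releases
  return "branch";                                             // main, master, feature branches
}

// Group by "action" (ref -> repos using it) or "repo" (repo -> refs it uses),
// sorted like the CLI output.
function groupUses(workflowsByRepo, groupBy) {
  const groups = new Map();
  for (const [repo, yaml] of Object.entries(workflowsByRepo)) {
    for (const ref of extractUses(yaml)) {
      const key = groupBy === "repo" ? repo : ref;
      const val = groupBy === "repo" ? ref : repo;
      if (!groups.has(key)) groups.set(key, new Set());
      groups.get(key).add(val);
    }
  }
  return new Map(
    [...groups].sort(([a], [b]) => a.localeCompare(b)).map(([k, v]) => [k, [...v].sort()])
  );
}

// The audit checks: actions used at more than one version, and remote
// actions not pinned to a SHA (with the kind of ref they use instead).
function auditRefs(workflowsByRepo) {
  const versionsByAction = new Map();
  const notSha = [];
  for (const [repo, yaml] of Object.entries(workflowsByRepo)) {
    for (const ref of extractUses(yaml)) {
      const kind = classifyRef(ref);
      if (kind === "local" || kind === "docker") continue;
      const at = ref.lastIndexOf("@");
      const name = at === -1 ? ref : ref.slice(0, at);
      const version = at === -1 ? "" : ref.slice(at + 1);
      if (!versionsByAction.has(name)) versionsByAction.set(name, new Set());
      versionsByAction.get(name).add(version);
      if (kind !== "sha") notSha.push({ repo, ref, kind });
    }
  }
  const multipleVersions = [...versionsByAction]
    .filter(([, vs]) => vs.size > 1)
    .map(([action, vs]) => ({ action, versions: [...vs].sort() }));
  return { multipleVersions, notSha };
}

// Render a grouping in the same layout as the CLI: key, members, blank line.
function render(groups) {
  return [...groups].map(([k, vs]) => [k, ...vs].join("\n")).join("\n\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(render(groupUses(SAMPLE_WORKFLOWS, "action")));
  console.log(JSON.stringify(auditRefs(SAMPLE_WORKFLOWS), null, 2));
}
```

On the sample input the audit reports actions/checkout at two versions and actions/setup-node at a tag in one repo but a SHA in the other, and flags four references that are not SHA-pinned, one of them tracking a branch. The "most used" check is just the length of each list in the action grouping.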