Show GitHub Actions CLI
Audit all GitHub Actions used by a user or organisation
I recently needed to audit all of the actions being used by an organisation and realised that there’s no way to do so in the GitHub interface.
Fortunately, all of the information I need is available in the API, so I set out to build github-show-actions, a CLI that shows all actions used, grouped by either the action name or the repo.
You can run it with `npx github-show-actions` if you have NPM installed. For extended usage information, see the README.
Here’s how it looks when run against my GitHub account. Straight away I can see that I need to standardise on the version of `actions/checkout` I’m using, and that most of the actions are used by `actions-test`, the repo I use for testing workflows:
```
❯ npx github-show-actions --target mheap --group action
actions/[email protected]
  mheap/phpunit-problem-matcher-test
actions/[email protected]
  mheap/action-guard
  mheap/action-router
  mheap/action-run
  mheap/convert-action
  mheap/debug-artifact
  mheap/gatsby-plugin-redirect-to
  mheap/github-action-fail-at-weekend
  mheap/github-action-heroku-logs
  mheap/github-action-hold-your-horses
  mheap/github-action-issue-management
  mheap/github-action-issue-to-jira
  mheap/github-action-pr-heroku-review-app
  mheap/github-action-required-labels
  mheap/github-default-branch
  mheap/github-show-actions
  mheap/github-social-image
  mheap/github-update-secret
  mheap/json-schema-spell-checker
  mheap/local-credentials
  mheap/markdown-to-jira
  mheap/octokit-commit-multiple-files
  mheap/octokit-fetch-all-repos
  mheap/phpunit-github-actions-printer
  mheap/pin-github-action
  mheap/pocket-auth
  mheap/pocket-tagger
  mheap/pocket-tagger-cli
  mheap/problem-matcher
  mheap/regex-rules
  mheap/require-checklist-action
  mheap/reviewed-by-trailer-action
  mheap/trello-cli
  mheap/url-tagger
  mheap/wait-for-gem-version
actions/[email protected]
  mheap/action-test
actions/[email protected]
  mheap/action-guard
  mheap/action-router
  mheap/action-run
  mheap/convert-action
  mheap/gatsby-plugin-redirect-to
  mheap/github-default-branch
  mheap/github-show-actions
  mheap/github-social-image
  mheap/github-update-secret
  mheap/json-schema-spell-checker
  mheap/local-credentials
  mheap/markdown-to-jira
  mheap/octokit-commit-multiple-files
  mheap/octokit-fetch-all-repos
  mheap/pin-github-action
  mheap/pocket-auth
  mheap/pocket-tagger
  mheap/pocket-tagger-cli
  mheap/problem-matcher
  mheap/regex-rules
  mheap/require-checklist-action
  mheap/trello-cli
  mheap/url-tagger
  mheap/wait-for-gem-version
JasonEtco/[email protected]
  mheap/debug-artifact
  mheap/github-action-heroku-logs
  mheap/github-action-hold-your-horses
  mheap/github-action-issue-management
  mheap/github-action-issue-to-jira
  mheap/github-action-pr-heroku-review-app
  mheap/github-action-required-labels
  mheap/require-checklist-action
  mheap/reviewed-by-trailer-action
JasonEtco/[email protected]
  mheap/github-action-fail-at-weekend
mheap/[email protected]
  mheap/action-test
mheap/[email protected]
  mheap/action-test
mheap/[email protected]
  mheap/action-test
mheap/[email protected]
  mheap/action-test
shivammathur/[email protected]
  mheap/phpunit-github-actions-printer
```
If you were to run `npx github-show-actions --target mheap --group repo` to group by repo rather than action, here’s an example of how it would be rendered. You can see that the majority of my actions depend on `actions/checkout` and `actions/setup-node` for running any CI tasks:
```
❯ npx github-show-actions --target mheap --group repo
mheap/action-guard
  actions/[email protected]
  actions/[email protected]
mheap/action-router
  actions/[email protected]
  actions/[email protected]
mheap/action-run
  actions/[email protected]
  actions/[email protected]
mheap/action-test
  actions/[email protected]
  mheap/[email protected]
  mheap/[email protected]
  mheap/[email protected]
  mheap/[email protected]
  mheap/[email protected]
```
Being able to see at a glance which actions are used within an org allows you to audit what code is running in your repos. Here are a few things you might want to check:
- Show different versions of the same action being used
- Search for any actions that aren’t pinned to a specific release
- Search for any actions that aren’t pinned to a specific SHA
- See which actions are being used the most in your org
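As an added example (not code from github-show-actions), here is the core of such an audit in plain Node: given workflow file contents keyed by repo, it extracts every `uses:` reference, groups them by action and by repo as the two `--group` modes do, and flags any reference that is not pinned to a full commit SHA. The repo names and workflow contents are constructed for illustration.

```javascript
// Added example, not part of github-show-actions. Workflow text below is constructed.
const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/;
const SHA_RE = /^[0-9a-f]{40}$/; // a full commit SHA is the only immutable ref

// Return every `uses:` value in a workflow file, in order of appearance.
function extractUses(yamlText) {
  return yamlText.split("\n").flatMap((line) => {
    const m = USES_RE.exec(line);
    return m ? [m[1]] : [];
  });
}

// Split "owner/name@ref" into parts; local (./) and docker:// steps are not
// marketplace actions, so they are ignored for this audit.
function parseRef(uses) {
  if (uses.startsWith("./") || uses.startsWith("docker://")) return null;
  const at = uses.lastIndexOf("@");
  return at === -1
    ? { action: uses, ref: "" }
    : { action: uses.slice(0, at), ref: uses.slice(at + 1) };
}

// workflows: { "owner/repo": [yamlText, ...] }
// Returns the same two views the CLI offers, plus a list of non-SHA refs.
function audit(workflows) {
  const byAction = {}, byRepo = {}, unpinned = [];
  for (const [repo, files] of Object.entries(workflows)) {
    for (const uses of files.flatMap(extractUses)) {
      const p = parseRef(uses);
      if (!p) continue;
      (byAction[uses] = byAction[uses] || new Set()).add(repo);
      (byRepo[repo] = byRepo[repo] || new Set()).add(uses);
      if (!SHA_RE.test(p.ref)) unpinned.push(`${repo}: ${uses}`);
    }
  }
  const sorted = (o) => Object.fromEntries(
    Object.keys(o).sort().map((k) => [k, [...o[k]].sort()]));
  return { byAction: sorted(byAction), byRepo: sorted(byRepo), unpinned };
}

// Constructed sample: tags, a quoted ref, a local step, a docker step and one SHA pin.
const SAMPLE_WORKFLOWS = {
  "example/action-guard": ["steps:\n  - uses: actions/checkout@v2\n  - uses: actions/setup-node@v1\n"],
  "example/action-test": ["steps:\n  - uses: actions/checkout@v1\n  - uses: 'actions/checkout@v2'\n  - uses: ./\n  - uses: docker://alpine:3.12\n"],
  "example/pinned": ["steps:\n  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA\n"],
};

console.log(JSON.stringify(audit(SAMPLE_WORKFLOWS), null, 2));
```

Grouping on the full `action@ref` string is what makes mixed versions of the same action show up side by side, as with `actions/checkout@v1` and `actions/checkout@v2` in the sample.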