Show GitHub Actions

I recently needed to audit all of the actions being used by an organisation and realised that there's no way to do so in the GitHub interface.

Fortunately, all of the information I need is available in the API so I set out to build github-show-actions, a CLI that shows all actions used grouped by either the action name or the repo.

You can run it with npx github-show-actions if you have NPM installed. For extended usage information, see the README

Here's how it looks when run against my GitHub account. Straight away I can see that I need to standardise on the version of actions/checkout I'm using and that most of the actions are used by actions-test, the repo I use for testing workflows:

❯ npx github-show-actions --target mheap --group action
actions/checkout@v1
mheap/phpunit-problem-matcher-test

actions/checkout@v2
mheap/action-guard
mheap/action-router
mheap/action-run
mheap/convert-action
mheap/debug-artifact
mheap/gatsby-plugin-redirect-to
mheap/github-action-fail-at-weekend
mheap/github-action-heroku-logs
mheap/github-action-hold-your-horses
mheap/github-action-issue-management
mheap/github-action-issue-to-jira
mheap/github-action-pr-heroku-review-app
mheap/github-action-required-labels
mheap/github-default-branch
mheap/github-show-actions
mheap/github-social-image
mheap/github-update-secret
mheap/json-schema-spell-checker
mheap/local-credentials
mheap/markdown-to-jira
mheap/octokit-commit-multiple-files
mheap/octokit-fetch-all-repos
mheap/phpunit-github-actions-printer
mheap/pin-github-action
mheap/pocket-auth
mheap/pocket-tagger
mheap/pocket-tagger-cli
mheap/problem-matcher
mheap/regex-rules
mheap/require-checklist-action
mheap/reviewed-by-trailer-action
mheap/trello-cli
mheap/url-tagger
mheap/wait-for-gem-version

actions/github-script@v2
mheap/action-test

actions/setup-node@v1
mheap/action-guard
mheap/action-router
mheap/action-run
mheap/convert-action
mheap/gatsby-plugin-redirect-to
mheap/github-default-branch
mheap/github-show-actions
mheap/github-social-image
mheap/github-update-secret
mheap/json-schema-spell-checker
mheap/local-credentials
mheap/markdown-to-jira
mheap/octokit-commit-multiple-files
mheap/octokit-fetch-all-repos
mheap/pin-github-action
mheap/pocket-auth
mheap/pocket-tagger
mheap/pocket-tagger-cli
mheap/problem-matcher
mheap/regex-rules
mheap/require-checklist-action
mheap/trello-cli
mheap/url-tagger
mheap/wait-for-gem-version

JasonEtco/build-and-tag-action@v1
mheap/debug-artifact
mheap/github-action-heroku-logs
mheap/github-action-hold-your-horses
mheap/github-action-issue-management
mheap/github-action-issue-to-jira
mheap/github-action-pr-heroku-review-app
mheap/github-action-required-labels
mheap/require-checklist-action
mheap/reviewed-by-trailer-action

JasonEtco/github-action-auto-compile-node@custom-entrypoint
mheap/github-action-fail-at-weekend

mheap/debug-artifact@v1
mheap/action-test

mheap/github-action-issue-to-jira@v1
mheap/action-test

mheap/github-action-required-labels@v1
mheap/action-test

mheap/reviewed-by-trailer-action@main
mheap/action-test

shivammathur/setup-php@v2
mheap/phpunit-github-actions-printer

If you were to run npx github-show-actions --target mheap --group repo to group by repo rather than action, here's an example of how it would be rendered. You can see that the majority of my actions depend on actions/checkout and actions/setup-node for running any CI tasks:

❯ npx github-show-actions --target mheap --group repo
mheap/action-guard
actions/checkout@v2
actions/setup-node@v1

mheap/action-router
actions/checkout@v2
actions/setup-node@v1

mheap/action-run
actions/checkout@v2
actions/setup-node@v1

mheap/action-test
actions/github-script@v2
mheap/debug-artifact@v1
mheap/github-action-issue-to-jira@v1
mheap/github-action-required-labels@v1
mheap/node14-action@master
mheap/reviewed-by-trailer-action@main

Being able to see at a glance which actions are used within an org allows you to audit what code is running in your repos. Here are a couple of things you might want to check:

• Show different versions of the same action being used
• Search for any actions that aren't pinned to a specific release
• Search for any actions that aren't pinned to a specific SHA
• See which actions are being used the most in your org