GitHub Actions Tips & Tricks
Related Components
Security
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
Tips & Tricks
Write Complex Steps in github-script
Rather than attempting some impossible concoction of YAML, use TypeScript to define your CI/CD logic.
https://github.com/actions/github-script
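An added example (not from the original page or the github-script project): a github-script step that validates the deployment payload's app field before later steps interpolate it into files or commands, logic that is awkward to express in workflow expressions. The step id `app`, the output name `name` and the allowed-name pattern are assumptions; actions are referenced by tag for readability, while the hardening guide linked above recommends pinning to a full-length commit SHA.

```yaml
on: deployment

permissions:
  contents: read   # least privilege: this job only reads

jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      - name: Validate deployment payload
        id: app   # hypothetical step id
        uses: actions/github-script@v7
        with:
          script: |
            // For `deployment` events the caller-supplied payload lives at
            // context.payload.deployment.payload.
            let payload = context.payload.deployment.payload;
            // The payload may arrive as an object or as a JSON string.
            if (typeof payload === 'string') {
              try { payload = JSON.parse(payload); } catch { payload = {}; }
            }
            const name = payload?.app;
            // Assumed naming rule: lowercase DNS-label style, at most 63 chars.
            // Rejecting quotes and newlines keeps the value from adding keys
            // when it is later interpolated into a YAML file.
            const valid = /^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$/;
            if (typeof name !== 'string' || !valid.test(name)) {
              core.setFailed('Rejected deployment: "app" is missing or not a valid name');
              return;
            }
            core.setOutput('name', name);

      - name: Use the validated value
        env:
          # Hand the value to the shell through the environment instead of
          # expanding an expression inside the script body.
          APP_NAME: ${{ steps.app.outputs.name }}
        run: echo "Deploying $APP_NAME"
```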
Easily Write Files in Workflows
The 1arp/create-a-file-action action is convenient for writing files.
- name: Create ${{ steps.vars.outputs.argocd_app_root }}/config.yaml
  uses: 1arp/create-a-file-action@0.2
  with:
    path: "some/dir"
    file: config.yaml
    content: |
      name: "${{ github.event.deployment.payload.app }}"
      manifests: "${{ steps.vars.outputs.argocd_app_manifests }}"
      namespace: "${{ inputs.namespace }}"
Checkout and Run Private GitHub Actions
GitHub Enterprise users can now use private actions natively within the organization.
https://github.blog/changelog/2022-01-21-share-github-actions-within-your-enterprise/
- name: Checkout Shared Actions
  uses: actions/checkout@v2
  with:
    repository: acme/actions
    path: ./.github/actions
    token: ${{ secrets.CROSS_REPO_TOKEN }}
- name: Hello World
  uses: ./.github/actions/hello-world
  id: hello-world
Use Empty Commits to Trigger Actions
git commit --allow-empty --message 'bump'
Use workflow_dispatch to Manually Trigger Workflows
In this example, the workflow will trigger on workflow_dispatch and prompt the user to enter the required input for delete. Note, delete is just an example; the input parameters can be whatever you want.
on:
  # Enable manual runs
  workflow_dispatch:
    inputs:
      delete:
        description: 'Set to "true" to actually delete stuff'
        required: true
        default: 'false'
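An added example (not from the original page) showing one way to consume the delete input so that the destructive path runs only on an explicit "true". The workflow name, job name and echo commands are assumptions.

```yaml
name: cleanup   # hypothetical workflow name
on:
  workflow_dispatch:
    inputs:
      delete:
        description: 'Set to "true" to actually delete stuff'
        required: true
        default: 'false'

permissions:
  contents: read   # grant more only if the delete step needs it

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Dry run
        # An untyped input is a string, and any non-empty string (including
        # 'false') is truthy in an expression, so compare explicitly
        # instead of writing `if: inputs.delete`.
        if: inputs.delete != 'true'
        run: echo "Dry run only, nothing deleted"

      - name: Delete
        if: inputs.delete == 'true'
        env:
          # Pass the input through the environment rather than expanding the
          # expression inside the script, where it would be parsed as shell.
          DELETE: ${{ inputs.delete }}
        run: |
          echo "delete=$DELETE"
          echo "Deleting for real"   # placeholder for the real command
```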
Known Limitations
There are a lot of non-obvious limitations when working with GitHub Actions. Here are the ones we’ve been bitten by while developing workflows. Also, make sure to check out the Public Roadmap for GHA.
Roadmap Items
These are some roadmap items we’re excited to see implemented:
General
- Set in GitHub Actions running on self-hosted runner hangs indefinitely. Nothing meaningful in logs. The issue may be due to higher resource requirements for the summerwind/actions-runner-dind GHA runner. Increasing the resources may resolve the issue.
- Not all event types will run off of branches. Learn more here https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
- A single workflow cannot build and then use the derived docker image. Docker image must exist before workflow is started.
- Workflow approval steps are a GitHub Enterprise feature. https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments
- GitHub Actions can only be used from public repos unless using GitHub Enterprise with an “enterprise” account to support internal (not “private”) repositories. To use in private repos, you need to git clone the repo and use the local path to the action. https://github.blog/changelog/2022-01-21-share-github-actions-within-your-enterprise/ https://github.com/github/roadmap/issues/254 https://github.com/github/roadmap/issues/74
- GitHub Actions cron jobs automatically disable after 60 days of inactivity (no new commits) https://docs.github.com/en/actions/managing-workflow-runs/disabling-and-enabling-a-workflow
- The GITHUB_TOKEN is scoped to only permit operations on the current repo of the GitHub Action workflow
- No ternary operator https://github.com/actions/runner/issues/409
- No way to restrict who can edit workflows to a subset of users with write permissions https://github.com/actions/runner/issues/494
Composite Actions
- Composite actions do not support if conditional. https://github.com/actions/runner/issues/834 Update! Released 2021-11-09 https://github.blog/changelog/2021-11-09-github-actions-conditional-execution-of-steps-in-actions/
- Composite actions do not support post-run capabilities https://github.community/t/no-post-run-capability-for-composite-actions/139046/4
- Composite actions cannot call other composite actions https://github.com/actions/runner/issues/862
Shared Workflows
- GitHub Actions shared workflows can only be private in GitHub Enterprise using an internal (not private) repo. https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
- Private reusable workflows is in the GitHub Roadmap https://github.com/github/roadmap/issues/51
- Reusable workflows can't call other reusable workflows.
- Reusable workflows stored within a private repository can only be used by workflows within the same repository (unless using GitHub Enterprise).
- Any environment variables set in an env context defined at the workflow level in the caller workflow are not propagated to the called workflow. For more information about the env context, see "Context and expression syntax for GitHub Actions."
- You can't set the concurrency of a called workflow from the caller workflow. For more information about jobs.<job_id>.concurrency, see "Workflow syntax for GitHub Actions."
- The strategy property is not supported in any job that calls a reusable workflow.
References
- Helpful GitHub Actions by ReviewDog https://github.com/reviewdog/reviewdog
- deployment documentation https://docs.github.com/en/rest/reference/deployments , https://docs.github.com/en/rest/reference/deployments#create-a-deployment