Advanced GitHub Actions

Michael Heap / Advanced GitHub Actions
Nova 2021

View Slide

Nova 2021
Hi, I’m Michael

View Slide

Nova 2021
GitHub Actions

View Slide

Nova 2021
If
A new issue doesn’t change the
default template
Then
Add a comment asking for more
information

View Slide

Nova 2021
If
A deployment fails
Then
Attach the logs as a comment on
the pull request

View Slide

Nova 2021
If
We merge to main in repo X
Then
Update the submodule in repo Y

View Slide

Nova 2021
If
A new issue is raised by a sponsor
Then
Apply the urgent label

View Slide

Nova 2021
It’s like:
If then for

View Slide

Nova 2021
GitHub Actions

View Slide

Nova 2021
Advanced
GitHub Actions

View Slide

Nova 2021
10 11 Tips, 17 Minutes
Ready?

View Slide

Nova 2021
Tip 1: Debug Artifact
name: Debug Artifacts
on: push
jobs:
debug-artifacts:
name: Debug Artifacts
runs-on: ubuntu-latest
steps:
- name: Debug Artifacts
uses: mheap/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Uploads event.json and .env as
an artifact, which you can download
and inspect to help debug

View Slide

Nova 2021
Tip 2: Automatic caching
- uses: actions/[email protected]
with:
node-version: "16"
- name: Cache node modules
uses: actions/[email protected]
env:
cache-name: cache-node-modules
with:
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{
hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-
${{ runner.os }}-build-
- run: npm install
- run: npm test

View Slide

Nova 2021
Tip 2: Automatic caching
with:
node-version: "16"
cache: "npm"
- run: npm install
- run: npm test

View Slide

Nova 2021
Tip 3: Use python in workflow.yml
steps:
- name: Display the path
run: echo $PATH
shell: bash
steps:
run: echo ${env:PATH}
shell: pwsh
steps:
run: |
import os
print(os.environ['PATH'])
shell: python

View Slide

Nova 2021
Tip 3.5: Use any language in workflow.yml
steps:
- name: Show the environment variables with Perl
run: |
print %ENV
shell: perl {0}
steps:
- name: Show the environment variables with PHP
run: |
print_r($_ENV);
shell: php {0}
steps:
- name: Show the environment variables with Ruby
run: |
print ENV.to_h
shell: ruby {0}
steps:
- name: Show the environment variables with Node
run: |
console.log(process.env)
shell: node --harmony {0}
Set the shell value to a template string in the following format:
$ my_command --any-flags --here {0}

View Slide

Nova 2021
Tip 4: Interacting with the GitHub API

View Slide

Nova 2021
# Check if a PR already exists for the branch
PR_COUNT=$(gh pr list --author mheap --state all --json
number | jq '. | length')
# Add a comment
if [[ $PR_COUNT -eq "0" ]]; then
gh issue comment ${{ github.event.issue.number }}
--body "Welcome, new contributor!"
fi

View Slide

Nova 2021
# Check if a PR already exists for the branch
PR_COUNT=$(gh pr list --author mheap --state all --json
number | jq '. | length')
# Add a comment
if [[ $PR_COUNT -eq "1" ]]; then
gh issue comment ${{ github.event.issue.number }}
--body "Welcome, new contributor!"
fi
on: pull_request
jobs:
welcome:
steps:
with:
script: |
const creator = context.payload.sender.login
const opts = github.rest.issues.listForRepo
.endpoint.merge({
...
context.issue,
creator,
state: 'all'
})
const issues = await github.paginate(opts)
for (const issue of issues) {
if (issue.number === context.issue.number) {
continue
}
if (issue.pull_request) {
return // Creator is already a contributor.
}
}
await github.rest.issues.createComment
({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: 'Welcome, new contributor!'
})

View Slide

Nova 2021
Tip 5: Testing Beta releases
---
name: build
on: [push]
jobs:
build:
strategy:
matrix:
php: [ '7.2', '7.3', '7.4', '8.0' ]

View Slide

Nova 2021
---
name: build
on: [push]
jobs:
build:
strategy:
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1' ]

View Slide

Nova 2021
---
name: build
on: [push]
jobs:
build:
strategy:
matrix:
php: [ '7.2', '7.3', '7.4', '8.0', '8.1' ]
continue-on-error: ${{ matrix.php == '8.1' }}

View Slide

Nova 2021
Tip 6: Secure Workﬂows
jobs:
build:
name: Do Thing
steps:
- name: Do the specific thing

View Slide

Nova 2021
jobs:
build:
name: Do Thing
steps:
jobs:
build:
name: Do Thing
steps:

View Slide

Nova 2021
jobs:
build:
name: Do Thing
steps:
jobs:
build:
name: Do Thing
steps:
- uses: actions/[email protected] # [email protected]
uses: mheap/[email protected] # [email protected]
$ npx pin-github-action /path/to/.github/workflows/your-name.yml

View Slide

Nova 2021
Tip 7: Composite Actions

View Slide

Nova 2021
steps:
- uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
with:
context: .
push: true
.github/workflows/docker.yml

View Slide

Nova 2021
steps:
with:
registry: ghcr.io
with:
context: .
push: true

View Slide

Nova 2021
with:
registry: ghcr.io
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{
steps.meta.outputs.labels }}
steps:
- name: Docker meta
id: meta
uses: docker/[email protected]
with:
images: |
ghcr.io/${{inputs.image_name}}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=sha

View Slide

Nova 2021
with:
registry: ghcr.io
with:
context: .
push: true
labels: ${{ steps.meta.outputs.labels }}
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
with:
registry: ghcr.io
with:
context: .
push: true
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha

View Slide

Nova 2021
with:
registry: ghcr.io
with:
context: .
push: true
labels: ${{
steps.meta.outputs.labels }}
runs:
using: "composite"
steps:
- name: Docker meta
id: meta
with:
images: |
tags: |
type=ref,event=pr
type=sha
name: "Publish to Docker"
description: "Pushes built artifacts to
Docker"
inputs:
image_name:
description: The name of the image to
build
required: true
mheap/docker-build/action.yml

View Slide

Nova 2021
name: Docker Build and Push
on:
push:
release:
jobs:
build:
name: Build
steps:
- name: Checkout
- name: Build and Push
with:
image_name: mheap/action-test

View Slide

Nova 2021
Tip 8: Running non-JS actions without Docker

View Slide

Nova 2021
// Via https://github.com/peter-evans/python-action
const core = require("@actions/core");
const exec = require("@actions/exec");
async function run() {
try {
const src = __dirname + "/src";
await exec.exec("python", [
`${src}/python_action.py`,
inputs.message,
inputs.sender
]);
} catch (error) {
core.setFailed(error.message);
}
}
run();
GitHub Runners come preinstalled with:
● Erlang
● C++
● Fortran
● Julia
● Kotlin
● Mono
● Node
● Perl
● Python
● Ruby
● Swift

View Slide

Nova 2021
// Via https://github.com/peter-evans/python-action
const core = require("@actions/core");
const exec = require("@actions/exec");
async function run() {
try {
const src = __dirname + "/src";
await exec.exec("python", [
`${src}/python_action.py`,
inputs.message,
inputs.sender
]);
} catch (error) {
core.setFailed(error.message);
}
}
run();
GitHub Runners come preinstalled with:
● Erlang
● C++
● Fortran
● Julia
● Kotlin
● Mono
● Node
● Perl
● Python
● Ruby
● Swift
⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
⚠⚠⚠⚠
The installed software and
available versions may change
between runner images
⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠
⚠⚠⚠⚠

View Slide

Nova 2021
Tip 9: Problem Matchers

View Slide

Nova 2021
{
"owner": "eslint-compact",
"pattern": [
{
"regexp":
"^(.+):\\sline\\s(\\d+),\\scol\\s(\\d+),\
\s(Error|Warning|Info)\\s-\\s(.+)\\s\$(.
+)\$$",
"file": 1,
"line": 2,
"column": 3,
"severity": 4,
"message": 5,
"code": 6
}
]
}
badFile.js: line 50, col 11, Error - 'myVar' is defined but never used.
(no-unused-vars)

View Slide

Nova 2021
{
"owner": "eslint-compact",
"pattern": [
{
"regexp":
"^(.+):\\sline\\s(\\d+),\\scol\\s(\\d+),\
\s(Error|Warning|Info)\\s-\\s(.+)\\s\$(.
+)\$$",
"file": 1,
"line": 2,
"column": 3,
"severity": 4,
"message": 5,
"code": 6
}
]
}
[
{
"file": "badFile.js",
"line": "50",
"column": "11",
"severity": "Error",
"message": "'myVar' is defined but never used.",
"code": "no-unused-vars"
}
]
badFile.js: line 50, col 11, Error - 'myVar' is defined but never used.
(no-unused-vars)

View Slide

Nova 2021
JS Library
https://github.com/mheap/problem-
matcher
React Testing UI
https://github.com/mheap/problem-
matcher-tester
Deployed UI
https://problem-matcher.netlify.app/

View Slide

Nova 2021
Tip 10: Dynamic Matrix Generation
on: push
jobs:
ci:
strategy:
matrix:
version: [12, 14, 16]
steps:
with:
node-version: ${{ matrix.version }}
- run: npm ci
- run: npm test

View Slide

Nova 2021
jobs:
ci:
strategy:
matrix:
version: [12, 14, 16]
steps:
with:

View Slide

Nova 2021
jobs:
ci:
strategy:
matrix:
version: ${{ fromJson('["12","14","16"]') }}
steps:
with:

View Slide

Nova 2021
jobs:
create_matrix:
steps:
- id: set-matrix
run: echo '::set-output name=version_matrix::["12","14","16"]'
outputs:
version_matrix: ${{ steps.set-matrix.outputs.version_matrix }}
ci:
needs: create_matrix
strategy:
matrix:
version: ${{ fromJson(needs.create_matrix.outputs.version_matrix) }}
steps:
with:

View Slide

Nova 2021
$ curl https://endoflife.date/api/nodejs.json | jq -c '[.[] | select(.eol > (now | strftime("%Y-%m-%d"))) | .cycle]'
# ["12","14","16"]

View Slide

Nova 2021
jobs:
create_matrix:
steps:
- id: set-matrix
run: echo '::set-output name=version_matrix::["12","14","16"]'
outputs:
ci:
strategy:
matrix:
steps:
with:

View Slide

Nova 2021
jobs:
create_matrix:
steps:
- id: set-matrix
run: echo "::set-output name=version_matrix::$(curl https://endoflife.date/api/nodejs.json | jq -c '[.[] |
select(.eol > (now | strftime("%Y-%m-%d"))) | .cycle]')"
outputs:
ci:
strategy:
matrix:
steps:
with:

View Slide

Nova 2021

View Slide

Nova 2021
Tip 11: Authentication

View Slide

Nova 2021
GITHUB_TOKEN : Expiry = job-duration

View Slide

Nova 2021
on: push
permissions:
issues: write
jobs:
add-comment:
steps:
- ...

View Slide

Nova 2021
Repository Permissions
Actions Checks
Contents Deployments
Issues Metadata Packages
Pull requests Projects
Security events
Commit statuses

View Slide

Nova 2021
PAT : Expiry = 7 days to Never

View Slide

Nova 2021
Pull requests

View Slide

Nova 2021
Actions Administration
Contents Discussions Environments
Issues Metadata
Pages Pull requests Webhooks Projects
Secrets Single ﬁle
Commit statuses

View Slide

Nova 2021
Issues Metadata Organization packages Packages
Secrets Security events Single ﬁle
Commit statuses Workﬂows
Organization Permissions
Members Administration Events Webhooks
Projects Secrets Self-hosted runners
Blocking users Team discussions

View Slide

Nova 2021
Secrets Security events Single ﬁle
Commit statuses Workﬂows
Projects Secrets Self-hosted runners
https://github.com/github/roadmap/issues/184

View Slide

Nova 2021
Actions Administration Checks Content references
Contents Deployments Discussions Environments
Secret scanning alerts Secrets Security events Single ﬁle
Commit statuses Dependabot alerts Workﬂows
Plan Projects Secrets Self-hosted runners
GitHub Application

View Slide

Nova 2021
jobs:
get-temp-token:
steps:
- name: Get Token
id: get_workflow_token
uses: peter-murray/[email protected]
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: "my-test-org"

View Slide

Nova 2021
jobs:
get-temp-token:
steps:
- name: Get Token
id: get_workflow_token
uses: peter-murray/[email protected]
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
organization: "my-test-org"
- name: Use Application Token to create a release
env:
GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with: ....

View Slide

Nova 2021
GitHub Applications = GREAT

View Slide

Nova 2021
github.com/mheap
michaelheap.com/talk/github-nova-2021
Questions!
(probably via Slack)

View Slide

Advanced GitHub Actions

Advanced GitHub Actions

Michael Heap

More Decks by Michael Heap

Featured

Transcript