Advanced GitHub Actions

Michael Heap / Advanced GitHub Actions Nova 2021

Michael Heap / Advanced GitHub Actions Nova 2021 Hi, I’m
Michael

Michael Heap / Advanced GitHub Actions Nova 2021 GitHub Actions

Michael Heap / Advanced GitHub Actions Nova 2021 If A
new issue doesn’t change the default template Then Add a comment asking for more information

deployment fails Then Attach the logs as a comment on the pull request

Michael Heap / Advanced GitHub Actions Nova 2021 If We
merge to main in repo X Then Update the submodule in repo Y

new issue is raised by a sponsor Then Apply the urgent label

Michael Heap / Advanced GitHub Actions Nova 2021 It’s like:
If then for

Michael Heap / Advanced GitHub Actions Nova 2021 GitHub Actions

Michael Heap / Advanced GitHub Actions Nova 2021 Advanced GitHub
Actions

Michael Heap / Advanced GitHub Actions Nova 2021 10 11
Tips, 17 Minutes Ready?

Michael Heap / Advanced GitHub Actions Nova 2021 Tip 1:
Debug Artifact name: Debug Artifacts on: push jobs: debug-artifacts: name: Debug Artifacts runs-on: ubuntu-latest steps: - name: Debug Artifacts uses: mheap/debug-artifact@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} Uploads event.json and .env as an artifact, which you can download and inspect to help debug

Automatic caching - uses: actions/setup-node@v2 with: node-version: "16" - name: Cache node modules uses: actions/cache@v2 env: cache-name: cache-node-modules with: path: ~/.npm key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-name }}- ${{ runner.os }}-build- - run: npm install - run: npm test

Automatic caching - uses: actions/setup-node@v2 with: node-version: "16" cache: "npm" - run: npm install - run: npm test

Use python in workflow.yml steps: - name: Display the path run: echo $PATH shell: bash steps: - name: Display the path run: echo ${env:PATH} shell: pwsh steps: - name: Display the path run: | import os print(os.environ['PATH']) shell: python

Michael Heap / Advanced GitHub Actions Nova 2021 Tip 3.5:
Use any language in workflow.yml steps: - name: Show the environment variables with Perl run: | print %ENV shell: perl {0} steps: - name: Show the environment variables with PHP run: | print_r($_ENV); shell: php {0} steps: - name: Show the environment variables with Ruby run: | print ENV.to_h shell: ruby {0} steps: - name: Show the environment variables with Node run: | console.log(process.env) shell: node --harmony {0} Set the shell value to a template string in the following format: $ my_command --any-flags --here {0}

Interacting with the GitHub API

Interacting with the GitHub API # Check if a PR already exists for the branch PR_COUNT=$(gh pr list --author mheap --state all --json number | jq '. | length') # Add a comment if [[ $PR_COUNT -eq "0" ]]; then gh issue comment ${{ github.event.issue.number }} --body "Welcome, new contributor!" fi

Interacting with the GitHub API # Check if a PR already exists for the branch PR_COUNT=$(gh pr list --author mheap --state all --json number | jq '. | length') # Add a comment if [[ $PR_COUNT -eq "1" ]]; then gh issue comment ${{ github.event.issue.number }} --body "Welcome, new contributor!" fi on: pull_request jobs: welcome: runs-on: ubuntu-latest steps: - uses: actions/github-script@v5 with: script: | const creator = context.payload.sender.login const opts = github.rest.issues.listForRepo .endpoint.merge({ ... context.issue, creator, state: 'all' }) const issues = await github.paginate(opts) for (const issue of issues) { if (issue.number === context.issue.number) { continue } if (issue.pull_request) { return // Creator is already a contributor. } } await github.rest.issues.createComment ({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: 'Welcome, new contributor!' })

Testing Beta releases --- name: build on: [push] jobs: build: runs-on: ubuntu-latest strategy: matrix: php: [ '7.2', '7.3', '7.4', '8.0' ]

Testing Beta releases --- name: build on: [push] jobs: build: runs-on: ubuntu-latest strategy: matrix: php: [ '7.2', '7.3', '7.4', '8.0', '8.1' ]

Testing Beta releases --- name: build on: [push] jobs: build: runs-on: ubuntu-latest strategy: matrix: php: [ '7.2', '7.3', '7.4', '8.0', '8.1' ] continue-on-error: ${{ matrix.php == '8.1' }}

Secure Workﬂows jobs: build: name: Do Thing runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Do the specific thing uses: mheap/do-thing@main

Secure Workﬂows jobs: build: name: Do Thing runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Do the specific thing uses: mheap/do-thing@main jobs: build: name: Do Thing runs-on: ubuntu-latest steps: - uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df - name: Do the specific thing uses: mheap/do-thing@73549280c1c566830040d9a01fe9050dae6a3036

Secure Workﬂows jobs: build: name: Do Thing runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Do the specific thing uses: mheap/do-thing@main jobs: build: name: Do Thing runs-on: ubuntu-latest steps: - uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@v2 - name: Do the specific thing uses: mheap/do-thing@73549280c1c566830040d9a01fe9050dae6a3036 # pin@main $ npx pin-github-action /path/to/.github/workflows/your-name.yml

Composite Actions

Composite Actions steps: - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true .github/workflows/docker.yml

Composite Actions steps: - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true .github/workflows/docker.yml

Composite Actions - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha .github/workflows/docker.yml

Composite Actions - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha

Composite Actions - uses: docker/setup-buildx-action@v1 - uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - uses: docker/build-push-action@v2 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} runs: using: "composite" steps: - name: Docker meta id: meta uses: docker/metadata-action@v3 with: images: | ghcr.io/${{inputs.image_name}} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=sha name: "Publish to Docker" description: "Pushes built artifacts to Docker" inputs: image_name: description: The name of the image to build required: true mheap/docker-build/action.yml

Composite Actions name: Docker Build and Push on: push: release: jobs: build: name: Build runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Build and Push uses: mheap/action-test@master with: image_name: mheap/action-test .github/workflows/docker.yml

Running non-JS actions without Docker

Running non-JS actions without Docker // Via https://github.com/peter-evans/python-action const core = require("@actions/core"); const exec = require("@actions/exec"); async function run() { try { const src = __dirname + "/src"; await exec.exec("python", [ `${src}/python_action.py`, inputs.message, inputs.sender ]); } catch (error) { core.setFailed(error.message); } } run(); GitHub Runners come preinstalled with: • Erlang • C++ • Fortran • Julia • Kotlin • Mono • Node • Perl • Python • Ruby • Swift

Running non-JS actions without Docker // Via https://github.com/peter-evans/python-action const core = require("@actions/core"); const exec = require("@actions/exec"); async function run() { try { const src = __dirname + "/src"; await exec.exec("python", [ `${src}/python_action.py`, inputs.message, inputs.sender ]); } catch (error) { core.setFailed(error.message); } } run(); GitHub Runners come preinstalled with: • Erlang • C++ • Fortran • Julia • Kotlin • Mono • Node • Perl • Python • Ruby • Swift ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠ ⚠⚠⚠⚠ The installed software and available versions may change between runner images ⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠⚠ ⚠⚠⚠⚠

Problem Matchers

Problem Matchers { "owner": "eslint-compact", "pattern": [ { "regexp": "^(.+):\\sline\\s(\\d+),\\scol\\s(\\d+),\ \s(Error|Warning|Info)\\s-\\s(.+)\\s\$(. +)\$$", "file": 1, "line": 2, "column": 3, "severity": 4, "message": 5, "code": 6 } ] } badFile.js: line 50, col 11, Error - 'myVar' is defined but never used. (no-unused-vars)

Problem Matchers { "owner": "eslint-compact", "pattern": [ { "regexp": "^(.+):\\sline\\s(\\d+),\\scol\\s(\\d+),\ \s(Error|Warning|Info)\\s-\\s(.+)\\s\$(. +)\$$", "file": 1, "line": 2, "column": 3, "severity": 4, "message": 5, "code": 6 } ] } [ { "file": "badFile.js", "line": "50", "column": "11", "severity": "Error", "message": "'myVar' is defined but never used.", "code": "no-unused-vars" } ] badFile.js: line 50, col 11, Error - 'myVar' is defined but never used. (no-unused-vars)

Problem Matchers JS Library https://github.com/mheap/problem- matcher React Testing UI https://github.com/mheap/problem- matcher-tester Deployed UI https://problem-matcher.netlify.app/

Dynamic Matrix Generation on: push jobs: ci: runs-on: ubuntu-latest strategy: matrix: version: [12, 14, 16] steps: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: node-version: ${{ matrix.version }} - run: npm ci - run: npm test

Dynamic Matrix Generation jobs: ci: strategy: matrix: version: [12, 14, 16] steps: - uses: actions/setup-node@v2 with: node-version: ${{ matrix.version }}

Dynamic Matrix Generation jobs: ci: strategy: matrix: version: ${{ fromJson('["12","14","16"]') }} steps: - uses: actions/setup-node@v2 with: node-version: ${{ matrix.version }}

Dynamic Matrix Generation jobs: create_matrix: steps: - id: set-matrix run: echo '::set-output name=version_matrix::["12","14","16"]' outputs: version_matrix: ${{ steps.set-matrix.outputs.version_matrix }} ci: needs: create_matrix strategy: matrix: version: ${{ fromJson(needs.create_matrix.outputs.version_matrix) }} steps: - uses: actions/setup-node@v2 with: node-version: ${{ matrix.version }}

Dynamic Matrix Generation $ curl https://endoflife.date/api/nodejs.json | jq -c '[.[] | select(.eol > (now | strftime("%Y-%m-%d"))) | .cycle]' # ["12","14","16"]

Dynamic Matrix Generation jobs: create_matrix: steps: - id: set-matrix run: echo '::set-output name=version_matrix::["12","14","16"]' outputs: version_matrix: ${{ steps.set-matrix.outputs.version_matrix }} ci: needs: create_matrix strategy: matrix: version: ${{ fromJson(needs.create_matrix.outputs.version_matrix) }} steps: - uses: actions/setup-node@v2 with: node-version: ${{ matrix.version }}

Dynamic Matrix Generation jobs: create_matrix: steps: - id: set-matrix run: echo "::set-output name=version_matrix::$(curl https://endoflife.date/api/nodejs.json | jq -c '[.[] | select(.eol > (now | strftime("%Y-%m-%d"))) | .cycle]')" outputs: version_matrix: ${{ steps.set-matrix.outputs.version_matrix }} ci: needs: create_matrix strategy: matrix: version: ${{ fromJson(needs.create_matrix.outputs.version_matrix) }} steps: - uses: actions/setup-node@v2 with: node-version: ${{ matrix.version }}

Dynamic Matrix Generation

Authentication

Authentication GITHUB_TOKEN : Expiry = job-duration

Authentication GITHUB_TOKEN : Expiry = job-duration on: push permissions: issues: write jobs: add-comment: runs-on: ubuntu-latest steps: - ...

Authentication Repository Permissions Actions Checks Contents Deployments Issues Metadata Packages Pull requests Projects Security events Commit statuses GITHUB_TOKEN : Expiry = job-duration

Authentication PAT : Expiry = 7 days to Never

Authentication Repository Permissions Pull requests PAT : Expiry = 7 days to Never

Authentication Repository Permissions Actions Administration Contents Discussions Environments Issues Metadata Pages Pull requests Webhooks Projects Secrets Single ﬁle Commit statuses PAT : Expiry = 7 days to Never

Authentication Repository Permissions Actions Administration Contents Discussions Environments Issues Metadata Organization packages Packages Pages Pull requests Webhooks Projects Secrets Security events Single ﬁle Commit statuses Workﬂows Organization Permissions Members Administration Events Webhooks Projects Secrets Self-hosted runners Blocking users Team discussions PAT : Expiry = 7 days to Never

Authentication Repository Permissions Actions Administration Contents Discussions Environments Issues Metadata Organization packages Packages Pages Pull requests Webhooks Projects Secrets Security events Single ﬁle Commit statuses Workﬂows Organization Permissions Members Administration Events Webhooks Projects Secrets Self-hosted runners Blocking users Team discussions PAT : Expiry = 7 days to Never https://github.com/github/roadmap/issues/184

Authentication Repository Permissions Actions Administration Checks Content references Contents Deployments Discussions Environments Issues Metadata Organization packages Packages Pages Pull requests Webhooks Projects Secret scanning alerts Secrets Security events Single ﬁle Commit statuses Dependabot alerts Workﬂows Organization Permissions Members Administration Events Webhooks Plan Projects Secrets Self-hosted runners Blocking users Team discussions GitHub Application

Authentication jobs: get-temp-token: runs-on: ubuntu-latest steps: - name: Get Token id: get_workflow_token uses: peter-murray/workflow-application-token-action@v1 with: application_id: ${{ secrets.APPLICATION_ID }} application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} organization: "my-test-org"

Authentication jobs: get-temp-token: runs-on: ubuntu-latest steps: - name: Get Token id: get_workflow_token uses: peter-murray/workflow-application-token-action@v1 with: application_id: ${{ secrets.APPLICATION_ID }} application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }} organization: "my-test-org" - name: Use Application Token to create a release uses: actions/create-release@v1 env: GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }} with: ....

Authentication GitHub Applications = GREAT

Michael Heap / Advanced GitHub Actions Nova 2021 github.com/mheap michaelheap.com/talk/github-nova-2021
Questions! (probably via Slack)

Advanced GitHub Actions

Advanced GitHub Actions

More Decks by Michael Heap

Featured

Transcript