Gathering detailed insights and metrics for @actions/exec
Gathering detailed insights and metrics for @actions/exec
The GitHub ToolKit for developing GitHub Actions.
Installations
npm install @actions/execDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
16.14.0
NPM Version
8.3.1
Score
99.2
Supply Chain
86.6
Quality
81.7
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Languages
6
TypeScript
JavaScript
PowerShell
Shell
Batchfile
C#
TypeScript (98.8%)
JavaScript (0.75%)
PowerShell (0.29%)
Shell (0.06%)
Batchfile (0.05%)
C# (0.04%)
Developer
Download Statistics
Total Downloads
104,235,638
Last Day
126,460
Last Week
2,339,486
Last Month
9,766,020
Last Year
64,436,821
GitHub Statistics
MIT License
5,366 Stars
1,507 Commits
1,578 Forks
143 Watchers
196 Branches
157 Contributors
Updated on Jun 30, 2025
Bundle Size
17.14 kB
Minified
4.98 kB
Minified + Gzipped
Maintainers
5
Package Meta Information
Latest Version
1.1.1
Package Id
@actions/exec@1.1.1
Unpacked Size
54.08 kB
Size
14.14 kB
File Count
12
NPM Version
8.3.1
Node Version
16.14.0
Total Downloads
Cumulative downloads
Total Downloads
104,235,638
Last Day
-6.6%
126,460
Compared to previous day
Last Week
-8.2%
2,339,486
Compared to previous week
Last Month
9.3%
9,766,020
Compared to previous month
Last Year
261.4%
64,436,821
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
GitHub Actions Toolkit
The GitHub Actions ToolKit provides a set of packages to make creating actions easier.
Get started with the javascript-action template!
Packages
:heavy_check_mark: @actions/core
Provides functions for inputs, outputs, results, logging, secrets and variables. Read more here
1npm install @actions/core
:runner: @actions/exec
Provides functions to exec cli tools and process output. Read more here
1npm install @actions/exec
:ice_cream: @actions/glob
Provides functions to search for files matching glob patterns. Read more here
1npm install @actions/glob
:phone: @actions/http-client
A lightweight HTTP client optimized for building actions. Read more here
1npm install @actions/http-client
:pencil2: @actions/io
Provides disk i/o functions like cp, mv, rmRF, which etc. Read more here
1npm install @actions/io
:hammer: @actions/tool-cache
Provides functions for downloading and caching tools. e.g. setup-* actions. Read more here
See @actions/cache for caching workflow dependencies.
1npm install @actions/tool-cache
:octocat: @actions/github
Provides an Octokit client hydrated with the context that the current action is being run in. Read more here
1npm install @actions/github
:floppy_disk: @actions/artifact
Provides functions to interact with actions artifacts. Read more here
1npm install @actions/artifact
:dart: @actions/cache
Provides functions to cache dependencies and build outputs to improve workflow execution time. Read more here
1npm install @actions/cache
:lock_with_ink_pen: @actions/attest
Provides functions to write attestations for workflow artifacts. Read more here
1npm install @actions/attest
Creating an Action with the Toolkit
:question: Choosing an action type
Outlines the differences and why you would want to create a JavaScript or a container based action.
:curly_loop: Versioning
Actions are downloaded and run from the GitHub graph of repos. This contains guidance for versioning actions and safe releases.
:warning: Problem Matchers
Problem Matchers are a way to scan the output of actions for a specified regex pattern and surface that information prominently in the UI.
:warning: Proxy Server Support
Self-hosted runners can be configured to run behind proxy servers.
Hello World JavaScript Action
Illustrates how to create a simple hello world javascript action.
1... 2 const nameToGreet = core.getInput('who-to-greet'); 3 console.log(`Hello ${nameToGreet}!`); 4...
JavaScript Action Walkthrough
Walkthrough and template for creating a JavaScript Action with tests, linting, workflow, publishing, and versioning.
1async function run() { 2 try { 3 const ms = core.getInput('milliseconds'); 4 console.log(`Waiting ${ms} milliseconds ...`) 5 ...
1PASS ./index.test.js 2 ✓ throws invalid number 3 ✓ wait 500 ms 4 ✓ test runs 5 6Test Suites: 1 passed, 1 total 7Tests: 3 passed, 3 total
TypeScript Action Walkthrough
Walkthrough creating a TypeScript Action with compilation, tests, linting, workflow, publishing, and versioning.
1import * as core from '@actions/core'; 2 3async function run() { 4 try { 5 const ms = core.getInput('milliseconds'); 6 console.log(`Waiting ${ms} milliseconds ...`) 7 ...
1PASS ./index.test.js 2 ✓ throws invalid number 3 ✓ wait 500 ms 4 ✓ test runs 5 6Test Suites: 1 passed, 1 total 7Tests: 3 passed, 3 total
Docker Action Walkthrough
Create an action that is delivered as a container and run with docker.
1FROM alpine:3.10 2COPY LICENSE README.md / 3COPY entrypoint.sh /entrypoint.sh 4ENTRYPOINT ["/entrypoint.sh"]
Docker Action Walkthrough with Octokit
Create an action that is delivered as a container which uses the toolkit. This example uses the GitHub context to construct an Octokit client.
1FROM node:slim 2COPY . . 3RUN npm install --production 4ENTRYPOINT ["node", "/lib/main.js"]
1const myInput = core.getInput('myInput'); 2core.debug(`Hello ${myInput} from inside a container`); 3 4const context = github.context; 5console.log(`We can even get context data, like the repo: ${context.repo.repo}`)
Note
Thank you for your interest in this GitHub repo, however, right now we are not taking contributions.
We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in.
We are taking the following steps to better direct requests related to GitHub Actions, including:
-
We will be directing questions and support requests to our Community Discussions area
-
High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report.
-
Security Issues should be handled as per our security.md.
We will still provide security updates for this project and fix major breaking changes during this time.
You are welcome to still raise bugs in this repo.
Code of Conduct
See our code of conduct.
No vulnerabilities found.
Reason
all changesets reviewed
Reason
27 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
binaries present in source code
Details
- Warn: binary detected: packages/tool-cache/scripts/externals/7zdec.exe:1
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 29 commits out of 30 are checked with a SAST tool
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Info: 'stale review dismissal' is required to merge on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Info: codeowner review is required on branch 'main'
- Info: 'last push approval' is required to merge on branch 'main'
- Warn: no status checks found to merge onto branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason
8 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:168: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-tests.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-tests.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-windows-test.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-windows-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-windows-test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-windows-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-tests.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/unit-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-tests.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/unit-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-github.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/update-github.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-github.yaml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/update-github.yaml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/releases.yml:43
- Warn: npmCommand not pinned by hash: .github/workflows/unit-tests.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/update-github.yaml:17
- Info: 0 out of 25 GitHub-owned GitHubAction dependencies pinned
- Info: 6 out of 10 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/releases.yml:68
- Warn: no topLevel permission defined: .github/workflows/artifact-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/cache-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/cache-windows-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
- Warn: no topLevel permission defined: .github/workflows/releases.yml:1
- Warn: no topLevel permission defined: .github/workflows/unit-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-github.yaml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.2
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More