The GitHub ToolKit for developing GitHub Actions.
Installations
npm install @actions/execDeveloper Guide
Typescript
Yes
Module System
CommonJS
Node Version
16.14.0
NPM Version
8.3.1
Score
99.2
Supply Chain
86.6
Quality
81.2
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Contributors
Languages
TypeScript (98.76%)
JavaScript (0.78%)
PowerShell (0.3%)
Shell (0.06%)
Batchfile (0.05%)
C# (0.04%)
Love this project? Help keep it running — sponsor us today! 🚀
Developer
Download Statistics
Total Downloads
73,869,035
Last Day
82,243
Last Week
1,793,973
Last Month
6,762,810
Last Year
40,473,463
GitHub Statistics
MIT License
5,151 Stars
1,420 Commits
1,500 Forks
139 Watchers
173 Branches
152 Contributors
Updated on Feb 18, 2025
Bundle Size
17.14 kB
Minified
4.98 kB
Minified + Gzipped
Maintainers
Package Meta Information
Latest Version
1.1.1
Package Id
@actions/exec@1.1.1
Unpacked Size
54.08 kB
Size
14.14 kB
File Count
12
NPM Version
8.3.1
Node Version
16.14.0
Total Downloads
Cumulative downloads
Total Downloads
73,869,035
Last Day
-4.8%
82,243
Compared to previous day
Last Week
7.7%
1,793,973
Compared to previous week
Last Month
48.6%
6,762,810
Compared to previous month
Last Year
157.7%
40,473,463
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
1
GitHub Actions Toolkit
The GitHub Actions ToolKit provides a set of packages to make creating actions easier.
Get started with the javascript-action template!
Packages
:heavy_check_mark: @actions/core
Provides functions for inputs, outputs, results, logging, secrets and variables. Read more here
1$ npm install @actions/core
:runner: @actions/exec
Provides functions to exec cli tools and process output. Read more here
1$ npm install @actions/exec
:ice_cream: @actions/glob
Provides functions to search for files matching glob patterns. Read more here
1$ npm install @actions/glob
:phone: @actions/http-client
A lightweight HTTP client optimized for building actions. Read more here
1$ npm install @actions/http-client
:pencil2: @actions/io
Provides disk i/o functions like cp, mv, rmRF, which etc. Read more here
1$ npm install @actions/io
:hammer: @actions/tool-cache
Provides functions for downloading and caching tools. e.g. setup-* actions. Read more here
See @actions/cache for caching workflow dependencies.
1$ npm install @actions/tool-cache
:octocat: @actions/github
Provides an Octokit client hydrated with the context that the current action is being run in. Read more here
1$ npm install @actions/github
:floppy_disk: @actions/artifact
Provides functions to interact with actions artifacts. Read more here
1$ npm install @actions/artifact
:dart: @actions/cache
Provides functions to cache dependencies and build outputs to improve workflow execution time. Read more here
1$ npm install @actions/cache
:lock_with_ink_pen: @actions/attest
Provides functions to write attestations for workflow artifacts. Read more here
1$ npm install @actions/attest
Creating an Action with the Toolkit
:question: Choosing an action type
Outlines the differences and why you would want to create a JavaScript or a container based action.
:curly_loop: Versioning
Actions are downloaded and run from the GitHub graph of repos. This contains guidance for versioning actions and safe releases.
:warning: Problem Matchers
Problem Matchers are a way to scan the output of actions for a specified regex pattern and surface that information prominently in the UI.
:warning: Proxy Server Support
Self-hosted runners can be configured to run behind proxy servers.
Hello World JavaScript Action
Illustrates how to create a simple hello world javascript action.
1... 2 const nameToGreet = core.getInput('who-to-greet'); 3 console.log(`Hello ${nameToGreet}!`); 4...
JavaScript Action Walkthrough
Walkthrough and template for creating a JavaScript Action with tests, linting, workflow, publishing, and versioning.
1async function run() { 2 try { 3 const ms = core.getInput('milliseconds'); 4 console.log(`Waiting ${ms} milliseconds ...`) 5 ...
1PASS ./index.test.js 2 ✓ throws invalid number 3 ✓ wait 500 ms 4 ✓ test runs 5 6Test Suites: 1 passed, 1 total 7Tests: 3 passed, 3 total
TypeScript Action Walkthrough
Walkthrough creating a TypeScript Action with compilation, tests, linting, workflow, publishing, and versioning.
1import * as core from '@actions/core'; 2 3async function run() { 4 try { 5 const ms = core.getInput('milliseconds'); 6 console.log(`Waiting ${ms} milliseconds ...`) 7 ...
1PASS ./index.test.js 2 ✓ throws invalid number 3 ✓ wait 500 ms 4 ✓ test runs 5 6Test Suites: 1 passed, 1 total 7Tests: 3 passed, 3 total
Docker Action Walkthrough
Create an action that is delivered as a container and run with docker.
1FROM alpine:3.10 2COPY LICENSE README.md / 3COPY entrypoint.sh /entrypoint.sh 4ENTRYPOINT ["/entrypoint.sh"]
Docker Action Walkthrough with Octokit
Create an action that is delivered as a container which uses the toolkit. This example uses the GitHub context to construct an Octokit client.
1FROM node:slim 2COPY . . 3RUN npm install --production 4ENTRYPOINT ["node", "/lib/main.js"]
1const myInput = core.getInput('myInput'); 2core.debug(`Hello ${myInput} from inside a container`); 3 4const context = github.context; 5console.log(`We can even get context data, like the repo: ${context.repo.repo}`)
Contributing
We welcome contributions. See how to contribute.
Code of Conduct
See our code of conduct.
No vulnerabilities found.
Reason
30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (29) are checked with a SAST tool
Reason
Found 12/13 approved changesets -- score normalized to 9
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
binaries present in source code
Details
- Warn: binary detected: packages/tool-cache/scripts/externals/7zdec.exe:1
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/artifact-tests.yml:168: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/artifact-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/audit.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/audit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-tests.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-tests.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-windows-test.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-windows-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cache-windows-test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/cache-windows-test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/releases.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/releases.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-tests.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/unit-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-tests.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/unit-tests.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-github.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/update-github.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-github.yaml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/actions/toolkit/update-github.yaml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/releases.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/unit-tests.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/update-github.yaml:17
- Info: 0 out of 25 GitHub-owned GitHubAction dependencies pinned
- Info: 6 out of 10 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/releases.yml:55
- Warn: no topLevel permission defined: .github/workflows/artifact-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/cache-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/cache-windows-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
- Warn: no topLevel permission defined: .github/workflows/releases.yml:1
- Warn: no topLevel permission defined: .github/workflows/unit-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-github.yaml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
10 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-x4c5-c7rf-jjgv
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-wqq4-5wpv-mx2g
- Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
- Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
- Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
Score
6
/10
Last Scanned on 2025-02-17
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn MoreOther packages similar to @actions/exec
@sliit-foss/actions-exec-wrapper
A wrapper around the @actions/exec module which promisifies the console output of a command
actions-exec-wrapper
A wrapper around the @actions/exec module which promisifies the console output of a command
@actions/tool-cache
Actions tool-cache lib
actions-exec-listener
@actions/exec wrapper to get listener data value as return value.