The GitHub ToolKit for developing GitHub Actions.
Installations
npm install @actions/exec
Developer
Developer Guide
Module System: CommonJS
Min. Node Version
TypeScript Support: Yes
Node Version: 16.14.0
NPM Version: 8.3.1
Statistics
5,030 Stars
1,355 Commits
1,452 Forks
137 Watching
165 Branches
151 Contributors
Updated on 27 Nov 2024
Bundle Size
17.14 kB Minified
4.98 kB Minified + Gzipped
Languages
TypeScript (98.79%)
JavaScript (0.76%)
PowerShell (0.3%)
Shell (0.06%)
Batchfile (0.05%)
C# (0.04%)
Total Downloads
Cumulative downloads: 58,617,238
Last day: 246,993 (-1.7% compared to previous day)
Last week: 1,339,234 (0.5% compared to previous week)
Last month: 5,531,665 (20% compared to previous month)
Last year: 29,023,570 (89.8% compared to previous year)
Dependencies: 1
GitHub Actions Toolkit
The GitHub Actions ToolKit provides a set of packages to make creating actions easier.
Get started with the javascript-action template!
Packages
:heavy_check_mark: @actions/core
Provides functions for inputs, outputs, results, logging, secrets and variables. Read more here
$ npm install @actions/core
:runner: @actions/exec
Provides functions to exec cli tools and process output. Read more here
$ npm install @actions/exec
:ice_cream: @actions/glob
Provides functions to search for files matching glob patterns. Read more here
$ npm install @actions/glob
:phone: @actions/http-client
A lightweight HTTP client optimized for building actions. Read more here
$ npm install @actions/http-client
:pencil2: @actions/io
Provides disk i/o functions like cp, mv, rmRF, which etc. Read more here
$ npm install @actions/io
:hammer: @actions/tool-cache
Provides functions for downloading and caching tools. e.g. setup-* actions. Read more here
See @actions/cache for caching workflow dependencies.
$ npm install @actions/tool-cache
:octocat: @actions/github
Provides an Octokit client hydrated with the context that the current action is being run in. Read more here
$ npm install @actions/github
:floppy_disk: @actions/artifact
Provides functions to interact with actions artifacts. Read more here
$ npm install @actions/artifact
:dart: @actions/cache
Provides functions to cache dependencies and build outputs to improve workflow execution time. Read more here
$ npm install @actions/cache
:lock_with_ink_pen: @actions/attest
Provides functions to write attestations for workflow artifacts. Read more here
$ npm install @actions/attest
Creating an Action with the Toolkit
:question: Choosing an action type
Outlines the differences and why you would want to create a JavaScript or a container based action.
:curly_loop: Versioning
Actions are downloaded and run from the GitHub graph of repos. This contains guidance for versioning actions and safe releases.
:warning: Problem Matchers
Problem Matchers are a way to scan the output of actions for a specified regex pattern and surface that information prominently in the UI.
:warning: Proxy Server Support
Self-hosted runners can be configured to run behind proxy servers.
Hello World JavaScript Action
Illustrates how to create a simple hello world javascript action.
...
  const nameToGreet = core.getInput('who-to-greet');
  console.log(`Hello ${nameToGreet}!`);
...
JavaScript Action Walkthrough
Walkthrough and template for creating a JavaScript Action with tests, linting, workflow, publishing, and versioning.
async function run() {
  try {
    const ms = core.getInput('milliseconds');
    console.log(`Waiting ${ms} milliseconds ...`)
    ...

PASS ./index.test.js
  ✓ throws invalid number
  ✓ wait 500 ms
  ✓ test runs

Test Suites: 1 passed, 1 total
Tests:       3 passed, 3 total
TypeScript Action Walkthrough
Walkthrough creating a TypeScript Action with compilation, tests, linting, workflow, publishing, and versioning.
import * as core from '@actions/core';

async function run() {
  try {
    const ms = core.getInput('milliseconds');
    console.log(`Waiting ${ms} milliseconds ...`)
    ...

PASS ./index.test.js
  ✓ throws invalid number
  ✓ wait 500 ms
  ✓ test runs

Test Suites: 1 passed, 1 total
Tests:       3 passed, 3 total
Docker Action Walkthrough
Create an action that is delivered as a container and run with docker.
FROM alpine:3.10
COPY LICENSE README.md /
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
Docker Action Walkthrough with Octokit
Create an action that is delivered as a container which uses the toolkit. This example uses the GitHub context to construct an Octokit client.
FROM node:slim
COPY . .
RUN npm install --production
ENTRYPOINT ["node", "/lib/main.js"]

const myInput = core.getInput('myInput');
core.debug(`Hello ${myInput} from inside a container`);

const context = github.context;
console.log(`We can even get context data, like the repo: ${context.repo.repo}`)
Contributing
We welcome contributions. See how to contribute.
Code of Conduct
See our code of conduct.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Reason
all changesets reviewed
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
SAST tool is run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Info: all commits (30) are checked with a SAST tool
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: SECURITY.md:1
Reason
binaries present in source code
Details
- Warn: binary detected: packages/tool-cache/scripts/externals/7zdec.exe:1
Reason
5 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-wqq4-5wpv-mx2g
- Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
- Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
- Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
- Warn: npmCommand not pinned by hash: .github/workflows/audit.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/releases.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/unit-tests.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/update-github.yaml:17
- Info: 0 out of 25 GitHub-owned GitHubAction dependencies pinned
- Info: 6 out of 10 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/releases.yml:55
- Warn: no topLevel permission defined: .github/workflows/artifact-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/audit.yml:1
- Warn: no topLevel permission defined: .github/workflows/cache-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/cache-windows-test.yml:1
- Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
- Warn: no topLevel permission defined: .github/workflows/releases.yml:1
- Warn: no topLevel permission defined: .github/workflows/unit-tests.yml:1
- Warn: no topLevel permission defined: .github/workflows/update-github.yaml:1
- Info: no jobLevel write permissions found
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score: 6.6/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Other packages similar to @actions/exec
actions-exec-listener
@actions/exec wrapper to get listener data value as return value.
exec-sh
Execute shell command forwarding all stdio.
@sliit-foss/actions-exec-wrapper
A wrapper around the @actions/exec module which promisifies the console output of a command
@semantic-release/exec
semantic-release plugin to run custom shell commands