All third-party authored GitHub Actions at D2L have to be approved. We mirror the repos into independent branches of Brightspace/third-party-actions.
Instead of using third-party actions directly, like this:
uses: actions/checkout@v2Use the mirrors from this repo, like this:
- uses: Brightspace/third-party-actions@actions/checkoutThere is no @v2 (etc.) when using this repo.
We try to stick to a consistent version of each action across our org (configured and maintained by Dependabot in third-party-actions-config.
Here's what's available so far:
| Repository | Description |
|---|---|
| Azure/functions-action | Deploy Function App to Azure Functions |
| NuGet/setup-nuget | Official NuGet.exe setup action that supports cross-platform installation of specific NuGet.exe versions. |
| actions/cache | Cache artifacts like dependencies and build outputs to improve workflow execution time |
| actions/checkout | Checkout a Git repository at a particular version |
| actions/github-script | Run simple scripts using the GitHub client |
| actions/labeler | Automatically label new pull requests based on the paths of files being changed |
| actions/setup-dotnet | Used to build and publish .NET source. Set up a specific version of the .NET and authentication to private NuGet repository |
| actions/setup-go | DEPRECATED Setup a Go environment and add it to the PATH |
| actions/setup-java | Set up a specific version of the Java JDK and add the |
| actions/setup-node | Setup a Node.js environment by adding problem matchers and optionally downloading and adding it to the PATH. |
| actions/setup-python | Set up a specific version of Python and add the command-line tools to the PATH. |
| actions/stale | Close issues and pull requests with no recent activity |
| actions/upload-artifact | Upload a build artifact that can be used by subsequent workflow steps |
| amannn/action-semantic-pull-request | Ensure your PR title matches the Conventional Commits spec (https://www.conventionalcommits.org/). |
| android-actions/setup-android | Setup the Android SDK Tools and add them to the path |
| aws-actions/amazon-ecr-login | Logs in the local Docker client to one or more Amazon ECR Private registries or an Amazon ECR Public registry |
| aws-actions/amazon-ecs-deploy-task-definition | Registers an Amazon ECS task definition, and deploys it to an ECS service |
| aws-actions/amazon-ecs-render-task-definition | Inserts a container image URI into a container definition in an Amazon ECS task definition JSON file, creating a new file. |
| aws-actions/aws-codebuild-run-build | Execute CodeBuild::startBuild for the current repo. |
| aws-actions/configure-aws-credentials | Configures AWS credentials for use in subsequent steps in a GitHub Action workflow |
| cemkiy/action-slacker | Send slack messages with attachments, auto username, branch and other actions |
| codelytv/pr-size-labeler | Label a PR based on the amount of changes |
| dorny/paths-filter | Execute your workflow steps only if relevant files are modified. |
| hashicorp/packer-github-actions | Run Packer commands |
| hashicorp/setup-packer | A GitHub Action to install a specific version of HashiCorp Packer and add it to PATH. |
| hashicorp/setup-terraform | Sets up Terraform CLI in your GitHub Actions workflow. |
| hashicorp/terraform-github-actions | DEPRECATED Runs Terraform commands via GitHub Actions. |
| hmarr/auto-approve-action | Automatically approve pull requests |
| int128/hide-comment-action | hide comment(s) in a pull request |
| jakejarvis/hugo-build-action | Hugo as an action, with extended support and legacy versions |
| mavrosxristoforos/get-xml-info | Get Information from XML files to use into your GitHub workflows |
| micnncim/action-label-syncer | Sync GitHub labels in the declarative way. |
| mshick/add-pr-comment | Add a comment to a pull request |
| ncipollo/release-action | Creates github releases |
| neverendingqs/gh-action-node-update-deps | Updates Node dependencies and creates a pull request with the changes. |
| nikeee/docfx-action | Runs docfx as a GitHub Action. |
| omsmith/actions-tasklists | Turn Pull Request tasklists into actionable PR statuses |
| pascalgn/automerge-action | Automatically merge pull requests that are ready |
| peter-evans/create-pull-request | Creates a pull request for changes to your repository in the actions workspace |
| peter-evans/find-comment | Find an issue or pull request comment |
| reactivecircus/android-emulator-runner | Installs, configures and starts an Android Emulator directly on macOS virtual machines. |
| ruby/setup-ruby | Download a prebuilt Ruby and add it to the PATH in 5 seconds |
| slackapi/slack-github-action | Publish a message in a channel or send a JSON payload to the Slack Workflow Builder |
This repo is generated and maintained by Brightspace/third-party-actions-config.
We are forking all third-party-actions into this repo and disabling the ability to use external actions in our org. We're doing this to have more control over the third-party code that we use:
- We need to make sure that license is acceptable. e.g. Apache 2.0, ...
- We want to vet the actions we use: there is a wide range of quality in third-party code. The approval process gives us a place and time to do a gut check (with peer review).
- We want to try and coordinate: having one solution to a problem is usually better than 10 solutions to the same problem.
- We want a bit more pinning: the status quo for actions is to do something like
uses: actions/checkout@v2. This means that your workflow may grab a new version of the action on every run. With this setup we at least get the chance to review every change to third-party code (with diffs) at the org level first. - We want someone responsible for doing upgrades: we use
CODEOWNERSin Brightspace/third-party-actions-config to put specific people in charge of rolling out updates to each action. - We don't want builds to break if a repo disappears: we've had workflows break when someone (in our case, GitHub themselves) deprecates and deletes their repo. Brightspace/third-party-actions acts as a mirror so that won't happen to us out-of-the-blue.
Our hope is that this is a low-friction process.
The third-party actions we mirror in this repo often have their own workflows. We don't want to run them, because that could cause security problems (e.g. via self-hosted runners, etc.) So we've disabled actions in this repo.
However, the automatic syncing is itself built on actions. There is no way to only enable particular workflows, so we went with a split repo setup.