Github Actions
Get status of private action with bash
Before running this command, you will need to create a
Personal Access Token
and set the env var PAT to its value.
curl -u "$(git config user.name):${PAT}" \
-s "https://api.github.com/repos/username/somerepo/actions/workflows/someaction.yml/runs" | \
jq -r '.workflow_runs[0].status'time
Get latest commit hash with github actions
# Set it:
- name: Add SHORT_SHA env property with commit short sha
run: echo "SHORT_SHA=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV
# Use it:
- name: My step
run: myscript ${SHORT_SHA}
Resource: https://stackoverflow.com/questions/59810838/how-to-get-the-short-sha-for-the-github-workflow
Test github actions locally
If you need to specifically test macOS functionality:
act -P macos-latest=-self-hosted
Debug github actions
This will allow you to manually trigger a debug run:
jobs:
build:
runs-on: ubuntu-latest
steps:
# Enable tmate debugging of manually-triggered workflows if the input option was provided
- name: Setup tmate session
uses: mxschmitt/action-tmate@v3
# Only allow access using your registered public keys
# in github
with:
limit-access-to-actor: true
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled }}
Debug only if the previous step failed
name: CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup tmate session
if: ${{ failure() }}
# Only allow access using your registered public keys
# in github
with:
limit-access-to-actor: true
uses: mxschmitt/action-tmate@v3
Resources:
- https://github.com/marketplace/actions/debugging-with-tmate
- https://github.com/mxschmitt/action-tmate
Delete old workflow runs
The following action can be used to delete all of the old github action workflow runs in your project:
---
name: Delete old workflow runs
on:
workflow_dispatch:
pull_request:
branches: ["main"]
jobs:
del_runs:
runs-on: ubuntu-latest
permissions:
actions: write
steps:
- name: Delete workflow runs
uses: Mattraks/delete-workflow-runs@v2
with:
token: ${{ github.token }}
repository: ${{ github.repository }}
retain_days: 30
keep_minimum_runs: 6
This particular example will remove runs older than 30 days and will only keep the last 6 runs.
Resource: https://github.com/marketplace/actions/delete-workflow-runs
Test Action Locally
To test your GitHub Action locally, use the following command:
act -W ./.github/workflows/youraction.yaml
Here is a full example using a secret file:
Create a
.secretsfile with the following content:export AWS_ACCESS_KEY_ID=AKIA... export AWS_SECRET_ACCESS_KEY=REDACTED export AWS_DEFAULT_REGION=us-east-2 export BOT_TOKEN=ghp_REDACTED export GITHUB_USERNAME=l50Run the action and save the output to a log file:
act -W .github/workflows/terratest.yaml --secret-file .secrets --container-architecture linux/amd64 | tee -a terratest.log
Composite action
This allows you to turn a workflow into an ingestible action. Example repo: https://github.com/fbsamples/caldera-security-tests
Resources:
- https://damienaicheh.github.io/github/actions/2021/10/07/reuse-workflows-composite-action-en.html
- https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
- https://doug.sh/posts/using-composite-actions-with-github-actions/
Close stale issues
name: "Close stale issues"
on:
schedule:
- cron: "0 0 * * *"
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3.0.14
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: "This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs."
exempt-issue-labels: "keep open,v4.x,in progress"
days-before-stale: 90
days-before-close: 30
operations-per-run: 100
Resources: https://github.com/helm/helm/blob/main/.github/workflows/stale-issue-bot.yaml
Azure Pipelines
This is a great alternative to Travis CI or Circle CI. I was using it quite a bit for a number of projects before switching over to github actions.
Test a github project without committing
If you want to debug a pipeline without committing code to your github repo, you can do the following:
- Login to Azure Devops
- Click + New project
- Give the project a name, specify Private for the Visibility, and click Create
Once the project has been created, you’ll need to import the repo code:
- Click on Repos in the left-hand menu
- Click Import
- Specify the URL for your project and click Import
You should now be able to modify the azure-pipelines.yml file
local to the project you’ve created. However, you will need to
set up the Pipeline in order to start seeing test results:
- Click Pipelines in the left-hand menu
- Click Create Pipeline
- Select Azure Repos Git
- Click the Project you created previously
- Modify the yaml if you’d like, otherwise click Run
Delete a Project
- Login to Azure Devops
- Click on the Project you want to delete
- Click the gear icon in the bottom left-hand menu
- Click Delete
- Type in the name of the project and click Delete
Create a trigger that runs a specific pipeline
This can be used to have a pipeline for a specific area of your project. The idea is you have multiple pipelines to test certain things, so that you don’t end up with a massive monolith:
trigger:
branches:
include:
- master
paths:
include:
- path/to/specific/area/of/project/*
- Tests/project*
- azure-pipelines-project.yml
Specify Behavior for Pull Requests
This will dictate what to do whenever you do a pull request. In this case it will run a pipeline to test a specific area of a project:
pr:
branches:
include:
- master
paths:
include:
- path/to/specific/area/of/project/*
- Tests/project*
- azure-pipelines-project.yml
Run Pipeline on a schedule
schedules:
- cron: "0 0 * * 0"
displayName: Weekly midnight (UTC) build
branches:
include:
- master
always: true
Pre-commit
Create custom hook
Create directory to store them in the root of your repo:
mkdir .hooksCreate a bash script with your logic in
.hooks. For example:go-no-replacement.sh:#!/bin/bash REPO=$(cat .git/config | grep url | awk -F 'https://' '{print $2}' \ | rev | cut -c5- | rev) if grep "replace ${REPO}" $@ 2>&1 >/dev/null ; then echo "ERROR: Don't commit a replacement in go.mod!" exit 1 fiCall it in your
.pre-commit-config.yaml:- repo: local hooks: - id: go-no-replacement name: Avoid committing a go module replacement entry: .hooks/go-no-replacement.sh language: script files: go.mod
Resources:
Check write access to repo with PAT
This is expected to fail since GITHUB_TOKEN has read only access:
- name: Check write access to repo
run: |
token_login=$(curl -H "Authorization: Bearer ${token}" https://api.github.com/user | jq -r '.login')
echo token login is ${token_login}
echo $(curl -H "Authorization: Bearer ${token}" https://api.github.com/repos/${repo}/collaborators/${token_login}/permission) > result
cat result | jq '.permission == "admin" // .permission == "write"' > /dev/null || ( echo "Token does not have write access to ${repo}" >> ${GITHUB_STEP_SUMMARY}; exit 1)
curl -sS -f -I -H "Authorization: Bearer ${token}" https://api.github.com | \
grep 'x-oauth-scopes:' | grep 'repo' > /dev/null && exit 0 || echo "Token does not have repo scope on ${repo}" >> ${GITHUB_STEP_SUMMARY}
env:
repo: ${{ github.repository }}
token: ${{ secrets.GITHUB_TOKEN }}
Resource: https://github.com/peter-evans/create-pull-request/issues/1300
Test github action locally
This particular example will run the molecule job associated with
the workflow at .github/workflows/molecule.yaml. We also specify
--container-architecture if we are running on an ARM-based system.
act -j molecule -W .github/workflows/molecule.yaml --container-architecture linux/amd64