GitHub Actions Cheat Sheet

3 Mar 2024 3 Mar 2024 2 min read GitHub GitHub Actions


Default Environment Variables:

GitHub Context:

Capture Job Step Output 

Define it via:

      - name: Determine Hugo version
        id: hugo-version
        run: echo 'version=1.2.3' >> $GITHUB_OUTPUT

Use it via:

${{ steps.hugo-version.outputs.version }}

Security Considerations 

  • The permissions properties defines the permissions for the GITHUB_TOKEN. The default permission may be too permissive. So, it’s a good idea to reduce the necessary permissions as much as possible.
  • For 3rd party actions (i.e. actions that don’t come from actions/) it’s recommended to use @sha rather than @tag. Reason: If the source repository gets hacked, the attacker can add malicious code (send secrets to they attacker’s server) and change the tag to the commit with the malicious code. If you pin a certain sha, the action is not vulnerable to this type of attack.
    • Of course, with this you don’t automatically get newer (good) versions of the action. Make sure to subscribe the action for new releases.
    • Technically, if the GITHUB_TOKEN permissions only include read permissions (and if you don’t have any other secrets in your repository), it’s not necessary to do this. But since nothing is every static, doing this even in this scenario is simply another safety net.