ruk·si

🐙 GitHub Actions

Updated at 2022-11-15 23:22

GitHub Actions

GitHub Actions is the continuous integration and delivery platform built into GitHub. It is cheap, very flexible and, best of all, lives right next to the code it builds.

  • A GitHub repository contains workflows (YAML files under .github/workflows).
  • Workflows contain jobs, each of which runs on a fresh runner.
  • Jobs contain steps, e.g. checking out code, running a shell command or invoking an action.

Workflows are triggered by events: changes in the repository (pushes, pull requests, releases and so on), a schedule, or a manual dispatch.

Triggers can be filtered further, e.g. to only the files modified, the tags pushed or the branch name.

At the start of each job, GitHub creates a unique secrets.GITHUB_TOKEN for it; the token expires when the job finishes.

You can use the permissions key to modify the default permissions granted to the job's GITHUB_TOKEN.

  • It can be set at the workflow level or the job level; a job-level setting replaces the workflow-level one, and any scope you leave out of a permissions block becomes none.
  • The defaults come from the repository (or organization) settings: either the permissive default or the restricted, read-only default.
  • If the job needs access that GITHUB_TOKEN cannot be granted, e.g. to another repository, use a personal access token (or a GitHub App token) stored as a secret.
  • Workflows triggered by pull requests from forks receive at most read permission on the base repository and no secrets other than GITHUB_TOKEN, for security reasons.
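The pieces above put together, as an added example that is not from the original page: a workflow with several filtered triggers, a read-only default for the whole workflow, and one job that raises its own token to write pull request comments. The script path scripts/test.sh and the workflow file name are assumptions.

```yaml
# .github/workflows/ci.yml  (added example, not the original page's code)
name: CI

on:
  push:
    branches: [main]
    paths:                          # only run when source or this workflow changes
      - "src/**"
      - ".github/workflows/ci.yml"
  pull_request:                     # also fires for PRs from forks (read-only token there)
  schedule:
    - cron: "0 6 * * 1"             # every Monday 06:00 UTC
  workflow_dispatch:                # manual run from the Actions tab

# Workflow-level default: least privilege for every job below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # in production, pin to a full commit SHA instead of a tag
      - run: ./scripts/test.sh      # hypothetical test script (assumption)

  comment:
    runs-on: ubuntu-latest
    needs: test
    # Skip for fork PRs: their GITHUB_TOKEN is read-only no matter what
    # the permissions key says, so the comment step would only fail.
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name == github.repository
    # Job-level override: only this job may write pull request comments.
    # Scopes not listed here (e.g. packages, issues) are set to none.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR_URL" --body "Tests passed."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `gh` CLI is preinstalled on GitHub-hosted runners and accepts GITHUB_TOKEN via the GH_TOKEN variable, so no extra secret is needed for the comment. Keeping write scopes on the single job that needs them means a compromised test step (a malicious dependency, say) only holds a read-only token.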

Dependabot

Dependabot is GitHub's built-in dependency automation.

  • With Dependabot alerts enabled, it notifies you when a dependency has a known vulnerability.
  • With security or version updates enabled, it opens pull requests for the upgrades.

Workflows triggered by Dependabot run like any other GitHub Actions workflow, but with limited privileges:

  • Dependabot-triggered runs see Dependabot secrets (Settings > Secrets > Dependabot), not the normal Actions secrets.
  • Their secrets.GITHUB_TOKEN is read-only by default; the workflow's permissions key can raise it for a job.
  • This holds true even if some actor other than Dependabot re-runs the workflow: a re-run keeps the privileges of the actor who originally triggered it.

Enable Dependabot alerts for the repository, for your personal account and for the organization. The setting is under the security settings (Code security and analysis).

Consider also enabling Dependabot security and version updates. Your mileage may vary by ecosystem and project, but if they are not enabled you have to resolve security alerts and routine upgrades by hand or with some other form of automation.
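A version-updates configuration, as an added example that is not from the original page. Version updates are switched on by committing a .github/dependabot.yml; security updates, by contrast, are a repository setting and need Dependabot alerts enabled first. The npm ecosystem, the directory and the ignored dependency name are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml  (added example, not the original page's code)
version: 2
updates:
  # The actions used in workflows are dependencies too; keep them current.
  - package-ecosystem: "github-actions"
    directory: "/"                 # workflows are always looked up under .github/workflows
    schedule:
      interval: "weekly"

  # Application dependencies (assumption: an npm project with package.json at the root).
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5    # cap the PR noise per ecosystem
    ignore:
      # Hold back major bumps of a hypothetical framework dependency; they need a human.
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]
```

The ignore rule does not affect security updates for the same package: a vulnerable version still gets a security pull request, it is only the routine major-version bump that is held back.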