
Rob Bos


Request GitHub Actions to be added to the internal marketplace

In my previous post I showed you how to set up an internal marketplace for GitHub Actions to help your users find actions when you follow the best practices and fork all the actions you use (and limit the use to only those forks!).

This post is the follow-up on that: now that we have an internal marketplace, how can we give users a process to follow to request actions to be added to it? We started a workflow called github-actions-requests for that!

My Workflow

We have multiple workflows that do the work, so let's go over the steps in our process:

  1. User follows the issue template to request an action to be reviewed for the marketplace.
  2. An engineer with a security mindset reviews the source of the action (it's open source, so check the code!) for big issues, like sending your data out to the web, for example. If nothing is found, the engineer labels the issue with 'security-check'.
  3. The issue-labeled-as-security-scan.yml workflow is triggered and runs all the security checks. The results are posted back to the request issue.
  4. We fork the action repository and enable Dependabot to run its software composition analysis so we can retrieve any vulnerability alerts. Unfortunately we cannot retrieve information about Dependabot's last run or whether it is currently running. We have to wait for that.
  5. After waiting some time (it can be minutes, it can be longer), the engineer labels the issue with 'load-dependabot-alerts'.
  6. The workflow dependabot-alerts.yml is triggered and fetches all vulnerability alerts from the forked action. It then posts back the findings into the request issue.
  7. After a final check, the label final-signoff is used to sign off. The final-signoff.yml workflow is triggered and forks the action repository to its final destination: the organization that is used in production for storing all your used actions.
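Steps 4 to 6 above hinge on turning the alerts Dependabot raised on the fork into a readable comment on the request issue, including the awkward case where Dependabot simply has not run yet. The script below is an added example, not code from the github-actions-requests project. It assumes the JSON shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` (`state`, `dependency.package`, `security_advisory`, `security_vulnerability`); the alerts, package names and advisory ids embedded in it are constructed placeholders so it runs offline.

```python
"""Turn Dependabot alerts from a forked action into an issue comment.

Added example for the process described above; not the project's own code.
Assumes the Dependabot alerts REST API JSON shape. Sample data is constructed.
"""
import json
from collections import Counter

# Severities from most to least severe; used for sorting and for the
# "block the request" threshold.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _alert(number, state, name, severity, vuln_range, patched, ghsa):
    """Build one constructed alert in the REST API shape."""
    return {
        "number": number,
        "state": state,
        "dependency": {"package": {"ecosystem": "npm", "name": name}},
        "security_advisory": {
            "ghsa_id": ghsa,  # placeholder id, not a real advisory
            "severity": severity,
            "summary": f"Example advisory for {name}",
        },
        "security_vulnerability": {
            "vulnerable_version_range": vuln_range,
            "first_patched_version": {"identifier": patched} if patched else None,
        },
    }


# Constructed sample response: two open alerts and one already fixed upstream.
SAMPLE_ALERTS_JSON = json.dumps([
    _alert(3, "open", "example-dep-a", "high", "< 2.0.0", "2.0.0", "GHSA-xxxx-xxxx-xxx1"),
    _alert(2, "open", "example-dep-b", "medium", "< 1.4.0", None, "GHSA-xxxx-xxxx-xxx2"),
    _alert(1, "fixed", "example-dep-c", "critical", "< 4.0.0", "4.0.0", "GHSA-xxxx-xxxx-xxx3"),
])


def load_alerts(text):
    """Parse the API response body (a JSON list of alerts)."""
    return json.loads(text)


def open_alerts(alerts):
    """Keep only alerts that still need attention, most severe first."""
    active = [a for a in alerts if a.get("state") == "open"]
    return sorted(active, key=lambda a: SEVERITY_ORDER.get(a["security_advisory"]["severity"], 99))


def severity_counts(alerts):
    """Number of open alerts per severity."""
    return Counter(a["security_advisory"]["severity"] for a in open_alerts(alerts))


def review_verdict(alerts, block_at="high"):
    """'block' if an open alert is at or above block_at, 'pass' otherwise.
    'unknown' when the API returns nothing at all: Dependabot may not have
    finished its first run on the fork, which the API does not tell us."""
    if not alerts:
        return "unknown"
    threshold = SEVERITY_ORDER[block_at]
    for a in open_alerts(alerts):
        if SEVERITY_ORDER.get(a["security_advisory"]["severity"], 99) <= threshold:
            return "block"
    return "pass"


def render_comment(alerts):
    """Markdown comment to post back on the request issue."""
    verdict = review_verdict(alerts)
    if verdict == "unknown":
        return ("No Dependabot alerts returned yet. Dependabot may not have finished "
                "its first run on the fork; re-apply the label later.")
    active = open_alerts(alerts)
    lines = [
        f"Dependabot alerts on the fork: {len(active)} open, verdict: **{verdict}**",
        "",
        "| # | Severity | Package | Vulnerable range | Patched in | Advisory |",
        "|---|---|---|---|---|---|",
    ]
    for a in active:
        pkg = a["dependency"]["package"]
        adv = a["security_advisory"]
        vuln = a["security_vulnerability"]
        # A missing first_patched_version means no fix exists yet.
        patched = (vuln.get("first_patched_version") or {}).get("identifier", "none")
        lines.append(
            f"| {a['number']} | {adv['severity']} | {pkg['ecosystem']}/{pkg['name']} "
            f"| {vuln['vulnerable_version_range']} | {patched} | {adv['ghsa_id']}: {adv['summary']} |"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_comment(load_alerts(SAMPLE_ALERTS_JSON)))
```

In a workflow step the response body would come from `gh api repos/OWNER/REPO/dependabot/alerts` (or the GitHub API client of your choice) instead of the constructed sample, and the rendered string would be posted as the issue comment. The `unknown` verdict exists because, as the post notes, nothing in the API says whether Dependabot has run yet; an empty list is therefore not a clean bill of health and should send the engineer back to wait and re-label.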

Workflow view:

The workflow has a couple of parallel jobs that give the UI renderer some issues 😎
[Screenshot of the workflow execution in the GitHub UI]

If you want to know more, check out this video on it:

Submission Category:

  • Maintainer Must-Haves

Yaml File or Link to Code

We use multiple workflows for this, but it starts with the issue-labeled-as-security-scan workflow.

Additional Resources / Info

Could not have done this without the help of Hindrik Bruinsma! We have lots of interest from the community in this process, with lots of ideas on how to improve!
