GitHub Actions

A few notes on the GitHub Actions features

Background

This page aims to draw attention to a few features available to projects on GitHub.com for pipeline and code security needs. Where in the past we needed to rely on external tools (like Travis CI or CircleCI), since 2018 GitHub has been ramping up its own pipeline features such as GitHub Actions, Dependabot and Code Scanning.

GitHub Actions/Pipelines

Like GitLab and Azure DevOps, GitHub can run Continuous Integration pipelines that build your application and run its tests on every push, pull request and merge, so problems are caught early. GitHub Actions can also be used for Continuous Delivery to deploy your application to cloud services or binary repositories (such as NuGet or Maven Central), either triggered manually or automatically when a release is created. GitHub provides hosted runners supporting the most commonly used programming languages on either Windows or Linux infrastructure.

To get started, you can simply go to the “Actions” tab in your GitHub repository. GitHub has good documentation on GitHub Actions, its workflows and their syntax.
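As an added example (not from this page or from GitHub's documentation), the workflow below wires together the triggers described above: build and test on every push and pull request on both Linux and Windows runners, allow a manual run, and publish only when a release is created. It assumes a .NET project published to NuGet; the environment name and the NUGET_API_KEY secret are placeholders you would create yourself.

```yaml
# .github/workflows/ci-cd.yml  (added example; assumes a .NET project tested with
# `dotnet test` and pushed to NuGet on release; NUGET_API_KEY is a placeholder secret name)
name: CI and release

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:        # manual trigger from the Actions tab
  release:
    types: [published]      # CD runs only when a release is created

# Least privilege: the GITHUB_TOKEN handed to these jobs can only read repository
# contents. A job that needs more must declare it explicitly.
permissions:
  contents: read

jobs:
  build-test:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]   # GitHub-hosted Linux and Windows runners
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
      - run: dotnet restore
      - run: dotnet build --configuration Release --no-restore
      - run: dotnet test --configuration Release --no-build

  publish:
    # Runs only after the tests pass and only for a published release, never for a
    # pull request (which may carry code from a fork).
    needs: build-test
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    environment: nuget-release   # assumed environment name; add required reviewers there
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'
      - run: dotnet pack --configuration Release --output ./artifacts
      - run: dotnet nuget push ./artifacts/*.nupkg --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}   # placeholder; stored as an environment secret
```

Because the secret is scoped to the `nuget-release` environment, it is only exposed to the publish job, not to the build-and-test job that runs on pull requests.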

A few additional notes:

Dependabot and Code Scanning

Two other recommended features of GitHub are Dependabot and code scanning.

Dependabot can warn you of security vulnerabilities discovered in the libraries your project depends on. It can also be used to periodically/automatically update your project’s dependencies (when coupled with proper automated testing, auto-updating of dependencies is not as scary as it sounds). Refer to GitHub’s Dependabot Documentation for details.

GitHub can also detect vulnerabilities in your own source code when you set up code scanning. This, like Dependabot alerts, can be enabled in the “Security” tab of your repository. Refer to GitHub’s Code Scanning Documentation for details.