GitHub Actions in Action: Continuous integration and delivery for DevOps (Michael Kaufmann, Rob Bos, Marcel de Vries)
Author: Michael Kaufmann, Rob Bos, Marcel de Vries
Cover

GitHub Actions in Action
Continuous integration and delivery for DevOps
Michael Kaufmann, Rob Bos, Marcel de Vries
Foreword by Scott Hanselman
Manning

[Figure (inside cover): the GitHub universe. Labels recovered from the figure: Collaborative coding, Issues, Projects, Jira, Boards, Actions, Planning and tracking, Workflows, Productivity, Security, Advanced Security, Codespaces, Copilot, Mobile, Search, Packages, CLI, Desktop, Teams, Slack, Jenkins, Circle CI, Client applications, Azure, Google Cloud, snyk, Discussions, Pages, Code, Visual Studio.]
Title page

GitHub Actions in Action
Continuous integration and delivery for DevOps
Michael Kaufmann, Rob Bos, and Marcel de Vries
Foreword by Scott Hanselman
Manning, Shelter Island
For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact

Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Email: orders@manning.com

© 2025 Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning's policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964

ISBN 9781633437302
Printed in the United States of America

The author and publisher have made every effort to ensure that the information in this book was correct at press time. The author and publisher do not assume and hereby disclaim any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause, or from any usage of the information herein.

Development editor: Doug Rudder
Technical editor: James Michael Gousset
Review editor: Kishor Rit
Production editor: Andy Marinkovich
Copy editor: Christian Berk
Proofreader: Mike Beady
Technical proofreader: Trevoir Williams
Typesetter: Mara Torbica
Cover designer: Marija Tudor
brief contents

Part 1 Action fundamentals 1
  1 Introduction to GitHub Actions 3
  2 Hands-on: My first Actions workflow 13
  3 Workflows 24
  4 GitHub Actions 52
Part 2 Workflow runtime 71
  5 Runners 73
  6 Self-hosted runners 89
  7 Managing your self-hosted runners 114
Part 3 CI/CD with GitHub Actions 131
  8 Continuous integration 133
  9 Continuous delivery 169
  10 Security 192
  11 Compliance 207
  12 Improving workflow performance and costs 216

contents

foreword xii
preface xiii
acknowledgments xiv
about this book xv
about the authors xviii
about the cover illustration xx

Part 1 Action fundamentals 1

1 Introduction to GitHub Actions 3
  1.1 An introduction to the GitHub universe 4
  1.2 What are GitHub Actions and workflows? 6
  1.3 GitHub Actions: More than CI/CD pipelines 8
  1.4 Hosting and pricing for GitHub and GitHub Actions 8
      GitHub Enterprise Cloud 9 ■ GitHub Enterprise Server 9 ■ GitHub pricing 10 ■ GitHub Actions pricing 10
  1.5 Conclusion 12

2 Hands-on: My first Actions workflow 13
  2.1 Creating a new workflow 14
  2.2 Using the workflow editor 16
  2.3 Using actions from the marketplace 18
  2.4 Running the workflow 20
  2.5 Conclusion 23

3 Workflows 24
  3.1 YAML 25
      YAML basics 25 ■ Data types 25
  3.2 The workflow syntax 27
  3.3 Events and triggers 27
      Webhook triggers 27 ■ Scheduled triggers 28 ■ Manual triggers 29
  3.4 Workflow jobs and steps 33
      Workflow jobs 33 ■ Workflow steps 34 ■ Using GitHub actions 35 ■ The matrix strategy 36
  3.5 Expressions and contexts 37
  3.6 Workflow commands 39
      Writing a debug message 40 ■ Creating error or warning messages 40 ■ Passing an output to subsequent steps and jobs 42 ■ Environment files 42 ■ Job summaries 43
  3.7 Secrets and variables 45
  3.8 Workflow permissions 47
  3.9 Authoring and debugging workflows 48
  3.10 Conclusion 50

4 GitHub Actions 52
  4.1 Types of actions 53
      Docker container actions 53 ■ JavaScript actions 54 ■ Composite actions 54
  4.2 Authoring actions 55
      Getting started 56 ■ Storing actions in GitHub 56 ■ Compatibility with GitHub Enterprise Server 57 ■ Release management 57
  4.3 Hands-on lab: My first Docker container action 58
      Using the template to create a new repository 58 ■ Creating the Dockerfile for the action 59 ■ Creating the action.yml file 60 ■ Creating the entrypoint.sh script 60 ■ Create a workflow to test the container 60
  4.4 Sharing actions 62
      Sharing actions in your organization 62 ■ Sharing actions publicly 63
  4.5 Advanced action development 68
  4.6 Best practices 69
  4.7 Conclusion 70

Part 2 Workflow runtime 71

5 Runners 73
  5.1 Targeting a runner 74
  5.2 Queuing jobs 74
  5.3 The runner application 75
  5.4 GitHub-hosted runners 75
  5.5 Hosted operating systems 77
  5.6 Installed software 78
  5.7 Default shells 80
  5.8 Installing extra software 80
  5.9 Location and hardware specifications of the hosted runners 81
  5.10 Concurrent jobs 81
  5.11 Larger GitHub-hosted runners 82
  5.12 GitHub-hosted runners in your own Azure Virtual Network 83
  5.13 Billing GitHub-hosted runners 84
  5.14 Analyzing the usage of GitHub-hosted runners 86
  5.15 Self-hosted runners 88

6 Self-hosted runners 89
  6.1 Setting up self-hosted runners 90
      Runner communication 94 ■ Queued jobs 97 ■ Updating self-hosted runners 97 ■ Available runners 98 ■ Downloading actions and source code 98 ■ Runner capabilities 100 ■ Self-hosted runner behind a proxy 101 ■ Usage limits of self-hosted runners 101 ■ Installing extra software 101 ■ Runner service account 103 ■ Pre- and post-job scripts 103 ■ Adding extra information to your logs 104 ■ Customizing the containers during a job 105
  6.2 Security risks of self-hosted runners 106
  6.3 Single-use runners 107
      Ephemeral runners 108 ■ Just-in-time runners 108
  6.4 Disabling self-hosted runner creation 109
  6.5 Autoscaling options 110
      Autoscaling with Actions Runner Controller 111 ■ Communication in ARC 112 ■ ARC monitoring 112

7 Managing your self-hosted runners 114
  7.1 Runner groups 114
      Assigning a runner to a runner group 117
  7.2 Monitoring your runners 118
      What to monitor 120 ■ Monitoring available runners using GitHub Actions 121 ■ Building a custom solution 122 ■ Using a monitoring solution 123
  7.3 Runner utilization and capacity needs 124
  7.4 Monitoring network access 126
      Monitor and limit network access 126 ■ Recommended setup 128
  7.5 Internal billing for action usage 128

Part 3 CI/CD with GitHub Actions 131

8 Continuous integration 133
  8.1 GloboTicket: A sample application 134
  8.2 Why continuous integration? 135
  8.3 Types of CI 136
      Using a branching strategy: GitHub Flow 136 ■ CI for integration 137 ■ CI for quality control 138 ■ CI for security testing 138 ■ CI for packaging 138
  8.4 Generic CI workflow steps 139
      Getting the sources 139 ■ Building the sources into artifacts 139 ■ Testing the artifacts 141 ■ Test result reporting 141 ■ Using containers for jobs 142 ■ Multiple workflows vs. multiple jobs: Which to choose? 143 ■ Parallel execution of jobs 144
  8.5 Preparing for deployment 145
      Traceability of source to artifacts 145 ■ Ensuring delivery integrity: The software bill of materials 147 ■ Versioning 148 ■ Testing for security with container scanning 150 ■ Using GitHub package management and container registry 150 ■ Using the upload/download capability to store artifacts 154 ■ Preparing deployment artifacts 156 ■ Creating a release 158
  8.6 The CI workflows for GloboTicket 161
      The integration CI for APIs and frontends 161 ■ CI workflows for quality control 162 ■ The CI workflow for security testing 163 ■ The CI workflows for container image creation and publishing 167 ■ Creating a release 167
  8.7 Conclusion 167

9 Continuous delivery 169
  9.1 CD workflow steps 170
      Steps to deploy our GloboTicket application 170 ■ Triggering the deployment 171 ■ Getting the deployment artifacts 171 ■ Deployment 172 ■ Verifying the deployment 173
  9.2 Using environments 174
      What is an environment? 175 ■ Manual approval 175 ■ Environment variables 176 ■ Dealing with secrets 177
  9.3 Deployment strategies 178
      Deploying on premises 178 ■ Deploying to cloud 178 ■ OpenID Connect (OIDC) 178 ■ Using health endpoints 182 ■ Deployment vs. release 183 ■ Zero-downtime deployments 184 ■ Red–green deployments 185 ■ Ring-based deployments 189

10 Security 192
  10.1 Preventing pwn requests 193
  10.2 Managing untrusted input 196
  10.3 GitHub Actions security 199
      The principle of least privileged 200 ■ Referencing actions 201
  10.4 Supply chain security 203
      Dependabot version updates for actions 204 ■ Code scanning actions 205

11 Compliance 207
  11.1 How to ensure traceability of work 208
      How to ensure commits are traceable 208
  11.2 How to enforce the four-eyes principle 211
      Enforcing segregation of duties with CODEOWNERS file 212 ■ Showing end-to-end traceability 212
  11.3 Mandatory workflows 213
  Summary 215

12 Improving workflow performance and costs 216
  12.1 Dealing with high-volume builds 217
      Concurrency groups 217 ■ Merge queues 218
  12.2 Reducing the costs of maintaining artifacts 219
  12.3 Improving performance 220
      Using a sparse checkout 220 ■ Adding caching 220 ■ Detecting a cache hit and skipping the work 223 ■ Selecting other runners 224
  12.4 Optimizing your jobs 225

index 227
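The four security topics the contents list for chapter 10 (preventing pwn requests, managing untrusted input, least privilege for the workflow token, and how actions are referenced) fit in one short pull-request workflow. The following is an added example written for this page, not a listing from the book or the authors' GloboTicket repository; the workflow and job names, the title pattern, and the `<full-commit-sha>` placeholder are illustrative, and it assumes a repository that accepts pull requests from forks.

```yaml
name: PR checks

# Added example for this page, not a listing from the book. Job name, title
# pattern and the action SHA placeholder are illustrative.

on:
  pull_request:
    types: [opened, edited, synchronize]
# Deliberately `pull_request`, not `pull_request_target`. The latter runs in the
# context of the base repository with its secrets and a write-capable token, so
# a workflow that checks out and executes the fork's code under it is the
# "pwn request" pattern. With plain `pull_request`, a fork PR gets a read-only
# token and no repository secrets.

# Least privilege: scope GITHUB_TOKEN for every job in this workflow. A job
# that needs more (for example pull-requests: write to comment) declares it
# in its own `permissions:` block instead of widening this one.
permissions:
  contents: read

jobs:
  validate-title:
    runs-on: ubuntu-latest
    steps:
      # Reference the action by its full commit SHA rather than a mutable tag,
      # so a moved tag cannot change the code that runs here. Replace the
      # placeholder with the SHA of the release you reviewed and keep the
      # version comment so Dependabot can track updates to it.
      - uses: actions/checkout@<full-commit-sha> # v4

      # Untrusted input: the PR title is attacker-controlled. Expanding it with
      # ${{ }} inside `run:` pastes it into the script before the shell parses it:
      #   run: echo "Title: ${{ github.event.pull_request.title }}"   # injectable
      # Passing it through `env:` makes it an ordinary shell variable, i.e. data.
      - name: Check PR title format
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          pattern='^(feat|fix|docs|chore)(\([a-z0-9-]+\))?: .+'
          if ! printf '%s\n' "$PR_TITLE" | grep -Eq "$pattern"; then
            echo "::error::PR title must look like 'type(scope): summary'"
            exit 1
          fi
```

The `::error::` line is the workflow command the contents list under section 3.6 (Creating error or warning messages); it annotates the run and the non-zero exit fails the job. Dependabot version updates for actions (section 10.4) will bump a SHA-pinned reference and its trailing version comment, so pinning does not mean falling behind on updates.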
foreword

With the introduction of GitHub Actions, the GitHub universe has quickly expanded from a place that we go to get open source code to one where we build, create, and release open source binary artifacts. It is truly the hub where our coding adventures begin.

This book that Michael, Marcel, and Rob have written together here is a brilliant introduction to not just GitHub Actions but the larger GitHub ecosystem. In this book, the authors will walk you through a complete understanding of how GitHub Actions can be utilized and how surprisingly powerful it is. Certainly, Actions can build source code, and it is a fantastic tool for continuous integration and continuous deployment. But you'll soon realize that Actions is far more than just a build tool—it's actually an incredibly capable and complete automation platform you can use to run automations and workflows of any kind!

You might think a book like this is just for the most advanced and senior engineers. However, what they've put together is a gentle introduction that will take you from a complete beginner to an advanced GitHub Actions connoisseur. I love that the book includes real-world examples. I especially enjoyed how much I learned about self-hosted runners that allow you to run your own Actions environments on your own locally supported systems. These runners are open source and a testament to the GitHub ecosystem and how it all snaps together.

By the end, you will have expanded your understanding of how Actions works, you'll have written and deployed your own workflows and actions, and you might even have set up your own self-hosted runners. You'll have a secure and compliant continuous integration and continuous delivery pipeline that you can implement not only at work but also on your own personal projects and (ideally!) you'll be able to help open source teams take their workflows to the next level.

I hope you enjoy reading GitHub Actions in Action as much as I did. Welcome to open source!

—Scott Hanselman, vice president, developer community, Microsoft
preface

In our opinion, GitHub Actions is the best workflow solution for continuous delivery and all kinds of automation—and it is disrupting the market. With AI-assisted development, like GitHub Copilot, it is more important than ever to automate manual tasks in engineering to participate in the enormous productivity gains that can be achieved.

We give GitHub Actions training and boot camps around the globe, and we often find that people are already using GitHub Actions but that they started it in a trial-and-error fashion without really learning. This can be done, as GitHub Actions is quite easy to use, and the documentation is good—but it is not optimal. Learning how GitHub actions work and the best practices for using them is a much simpler approach that will save a lot of time and frustration, as there is normally a simple way to achieve great results.

We also realized that all other books out there either cover the basics or cover some parts of automation but not the full end-to-end story in a simple and ready-to-use form. This realization sparked the idea for the book to provide a comprehensive guide that covers the basics, explains why things work the way they do by explaining the underlying technology, and gives practical guidance on using the tool for real-world continuous delivery scenarios.

We use Azure and .NET for the examples in part 3 because they are commonly used and easy to understand. However, the principles can easily be applied to other languages and cloud platforms as well.
acknowledgments

We would like to thank everybody involved in the process of publishing this book: our editors at Manning for being always so patient, Jonathan Gennick for always bringing everything back on track, our technical reviewers for the great feedback, and the readers that took the time to provide their feedback in the early access program.

A special thanks goes to Doug Rudder, for always supporting us and providing so much valuable feedback, and our technical editor, Mickey Gousset, a Staff DevOps Architect on the GitHub FastTrack team, who is also an international speaker, a published author, and also runs a YouTube channel focused on GitHub.

To all the reviewers, your suggestions helped make this a better book. Thank you, Aleksandar Nikolic, Alessandro Campeis, Allan Makura, Bobby Lin, Craig Treptow, Francis Edwards, Giuliano Latini, Giuseppe Maxia, Glen Yu, Hariskumar Panakkal, Henry Stamerjohann, Jakub Morawski, Jan Vinterberg, Jasmeet Singh, Jon Humphrey, José Alberto Reyes Quevedo, Leonardo Taccari, Marcus Geselle, Mario-Leander Reimer, Paul Zuradzki, Peter Sellars, Sally K. Tsung, Sandeep Manchella, Seungjin Kim, Sriram Macharla, Steve Goodman, Sumit Singh, and William Jamir Silva.
about this book

GitHub Actions is the workflow engine of GitHub. With over 15,000 actions in the marketplace, it is a big ecosystem that allows you to automate everything. You can use it to build and test software for any platform and deploy it to any cloud—but you can also use it to automate everything in your software delivery process, from ChatOps to IssueOps to GitOps. GitHub Actions is a lightweight, pipeline-as-code (YAML) workflow engine that is optimized for easy sharing of functionality and that allows easy integration for partners.

This book provides guidance and insights on how to use GitHub Actions, an integral part of GitHub, to ensure a secure and compliant software delivery process without the need for additional tools.

Who should read this book?

This book is for software engineers who want to streamline their work or the software delivery process with automation to deliver new features faster and make the process less error prone. It is also relevant for DevOps engineers who want to automate infrastructure and configuration as code for all kinds of cloud environments. This book caters to beginners just learning about GitHub Actions and advanced users with plenty of experience. We also dive into the GitHub Actions runtime, show the differences between GitHub-hosted and self-hosted runners, and configure self-hosted runners as either a single runner or scaling up with GitHub's recommended solution.

We expect readers to have some basic programming skills to understand the simple code examples we use in the book as well as a basic knowledge of Git and GitHub.
How this book is organized: A roadmap

This book has 12 chapters and is divided into three parts. In part 1, you will learn the basics of GitHub Actions through some simple, hands-on exercises that will prepare you for the more complex, in-depth, and practical examples in part 3.

- Chapter 1 introduces you to the vast GitHub ecosystem, which you can automate using GitHub Actions workflows. You will learn why GitHub Actions is more than just continuous integration/continuous delivery (CI/CD), and you will learn about the different hosting and pricing options.
- Chapter 2 gives you your first hands-on experience writing workflows, using the workflow editor, incorporating actions from the marketplace, and executing your workflow.
- Chapter 3 covers everything you need to know about GitHub Actions workflows. You will learn YAML and the workflow syntax, workflow triggers, expressions, contexts, workflow commands, and how to author and debug workflows.
- Chapter 4 explains the different types of GitHub actions, how to author GitHub actions, and how to share actions using the GitHub marketplace.

Part 2 explains the GitHub Actions runtime. When you finish this part of the book, you will know all about the runtime for GitHub Actions.

- Chapter 5 shows the different hosting types for executing your workflows on either GitHub-hosted or self-hosted runners. You will learn how to find preinstalled software on hosted runners and locate operating system information from the logs.
- Chapter 6 shows all the intricacies of installing the runner yourself and all the security aspects you need to be responsible for. Self-hosting runners on a large scale for enterprises using GitHub's recommended setup is also explained.
- Chapter 7 explains how to manage your self-hosted runners, from restricting access to the runners using runner groups to monitoring the usage of runners and checking capacity needs.

Part 3 shows a practical way to use GitHub actions to implement CI/CD. When you finish this part, you will be able to build a fully secure and compliant CI/CD process that is fully automated, using GitHub actions.

- Chapter 8 shows how to implement continuous integration in practice, using the most common branching and collaboration strategy: GitHub Flow.
- Chapter 9 is about implementing CI/CD. The chapter starts with the CI part, delivering the deployable artifacts with a release, and shows how to implement CD strategies, like zero downtime, blue/green deployment, and ring-based deployment. It then covers how to practically use various GitHub capabilities together with GitHub Actions to create a fully traceable deployment.
- Chapter 10 addresses ensuring your workflows are trustworthy and shows practical ways to avoid security issues.
- Chapter 11 explains how to ensure your full delivery process can adhere to compliance frameworks common in various industries by ensuring the traceability and authenticity of changes during the entire delivery cycle.
- Chapter 12, the final chapter of this book, briefly addresses some tips and tricks to improve the performance and costs of your action workflows.

About the code

This book contains many examples of source code both in numbered listings and in line with normal text. In both cases, source code is formatted in a fixed-width font like this to separate it from ordinary text. Sometimes code is also in bold to highlight code that has changed from previous steps in the chapter, such as when a new feature adds to an existing line of code.

In many cases, the original source code has been reformatted; we've added line breaks and reworked indentation to accommodate the available page space in the book. In rare cases, even this was not enough, and listings include line-continuation markers (➥). Additionally, comments in the source code have often been removed from the listings when the code is described in the text. Code annotations accompany many of the listings, highlighting important concepts.

You can get executable snippets of code from the liveBook (online) version of this book at https://livebook.manning.com/book/github-actions-in-action. The complete code for the examples in the book is available for download from the Manning website at www.manning.com and from the book's GitHub repository at https://github.com/GitHubActionsInAction/. Links to the correct repositories are in the README on the front page.

liveBook discussion forum

Purchase of GitHub Actions in Action includes free access to liveBook, Manning's online reading platform. Using liveBook's exclusive discussion features, you can attach comments to the book globally or to specific sections or paragraphs. It's a snap to make notes for yourself, ask and answer technical questions, and receive help from the authors and other users. To access the forum, go to https://livebook.manning.com/book/github-actions-in-action/discussion. You can also learn more about Manning's forums and the rules of conduct at https://livebook.manning.com/discussion.

Manning's commitment to our readers is to provide a venue where a meaningful dialogue between individual readers and between readers and the authors can take place. It is not a commitment to any specific amount of participation on the part of the authors, whose contribution to the forum remains voluntary (and unpaid). We suggest you try asking the authors some challenging questions lest their interest stray! The forum and the archives of previous discussions will be accessible from the publisher's website for as long as the book is in print.
about the authors

Michael Kaufmann believes developers and engineers can be happy and productive at work. He loves DevOps, GitHub, Azure, and modern software engineering. Microsoft has awarded him the titles Microsoft regional director (RD) and Microsoft Most Valuable Professional (MVP), the latter in the category of DevOps and GitHub. Michael is also the founder and managing director of Xebia Germany. He shares his knowledge in books and training and is a frequent speaker at international conferences.

Rob Bos strongly focuses on ALM and DevOps, automating manual tasks and helping teams deliver value to the end user faster, using DevOps techniques. This is applied to anything Rob comes across, whether it's an application, infrastructure, or a serverless or training environment. A lot of his focus goes to GitHub and GitHub Actions, improving the security of applications and DevOps pipelines. He regularly shares his knowledge through blog posts, online videos, and international conferences, like Techorama and GitHub Universe. Rob is a trainer (Azure and GitHub), a Microsoft MVP, and a LinkedIn learning instructor.