Discovering Actions in the GitHub Marketplace
The GitHub Marketplace is the primary hub for finding Actions contributed by GitHub and the wider community. You’ll find hundreds of Actions covering tasks like code analysis, Docker builds, notifications, and more.
- Verified Actions: Marked with a ✅ badge to indicate GitHub has vetted the creator as a partner.
- Community Actions: Created by individual contributors or organizations without the verification badge.
Always review the source code of community Actions before adding them to your workflows. Verify they don’t expose secrets, log sensitive data, or perform unexpected network requests.
Adding an Action to Your Workflow
After selecting an Action, navigate to its documentation page to view usage examples, version compatibility, and required inputs. Then add it to your workflow under steps: using the uses: keyword.
Specifying Action Versions
Pinning Actions to specific versions helps maintain stability and repeatability in your CI/CD workflows. You can reference an Action by tag, branch, or SHA:

| Versioning Method | Stability | Syntax Example |
|---|---|---|
| Tag | Stable; semantic versioning | uses: actions/checkout@<tag> |
| Branch | Rolling updates (risky) | uses: actions/checkout@main |
| SHA | Immutable commit | uses: actions/checkout@a824008085750b8e136effc585c3cd6082bd575f |
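For production workflows, pin to a tagged release or a commit SHA to avoid unexpected breaking changes. Of the two, only a full commit SHA is immutable: a tag can be moved to a different commit by whoever controls the Action's repository, so a SHA pin also guards against a changed or compromised release.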
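An added example, not from the original page: a small Python audit that lists every uses: reference in a workflow file and reports whether it is pinned by full commit SHA, by a version-style tag, or by something else such as a branch. The sample workflow and the example-org/example-action name are constructed; the tag check is a naming heuristic, since a ref's name alone cannot prove whether it is a tag or a branch.

```python
import re

# Matches "uses: <target>" in a step or job, with an optional "- " prefix and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # heuristic: v4, v1.2, 1.2.3


def classify_ref(target):
    """Return how a uses: target is pinned."""
    if target.startswith("./"):
        return "local"            # action stored in the same repository
    if target.startswith("docker://"):
        return "docker"           # container image, pinned by its own tag or digest
    _name, sep, ref = target.partition("@")
    if not sep or not ref:
        return "unpinned"
    if FULL_SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch-or-other"      # e.g. main, or a tag with an unusual name


def audit_workflow(text):
    """Return (line_number, target, kind) for every uses: reference in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify_ref(m.group(1))))
    return findings


# Constructed sample workflow; example-org/example-action is a hypothetical name.
SAMPLE = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a824008085750b8e136effc585c3cd6082bd575f
      - uses: actions/checkout@main
      - uses: example-org/example-action@v1.2.3
      - name: Local helper
        uses: ./.github/actions/setup
"""

if __name__ == "__main__":
    for lineno, target, kind in audit_workflow(SAMPLE):
        flag = "" if kind in ("sha", "local") else "  <- review"
        print(f"{lineno}: {target} [{kind}]{flag}")
```

Run against the files in .github/workflows/, anything not reported as sha or local is a reference whose contents can change without a change to your workflow file.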
Best Practices
- Reuse official and verified Actions when possible to reduce security risks.
- Extract common steps into composite Actions to keep workflows DRY.
- Regularly audit and update pinned versions to include security patches and new features.