Actions: Use actions from private and internal repositories

[Freyert]

It's extremely inconvenient to have to develop actions for your company in a public repository. Quite a lot of security penetration research could be performed just by reviewing the actions an organization is building or reviewing issues/discussions on the action repository.

There's even a section in the documentation discussing how careful one should be when using actions due to the potential for code injection.

This feature would be highly appreciated: github/roadmap#74

Prior Art:
https://github.com/nick-invision/private-action-loader (@nick-invision, looks like your company pushed ownership of private-action-loader out of their responsibility for security concerns?)

Update: looks like github/roadmap#74 has been moved into the Q4 roadmap :) 🤞 it happens.

[rajbos]

You can checkout a private repo with v2 of the checkout action and then load the action from that folder by using a PAT that has access. See source here

- name: Get private repo with action
  uses: actions/checkout@v2
  with:
    repository: yourorg/privateactionrepo
    ref: master
    token: ${{ secrets.PAT_TOKEN }}
    path: .github/actions

uses: ./.github/actions/actionname

[Freyert]

Reusable workflows has been released, but the repository still needs to be public.

[Freyert]

https://docs.github.com/en/actions/using-workflows/reusing-workflows

[alonbl]

Hi,

I believe there is fundamental gap in the implementation, it seems like the workflow is fetched before it reaches a runner, when added reusable workflow, GitHub developers fetched the reusable references at this early stage to construct the workflow and pass it as-is. I guess at this early stage the access token is not available, hence the need to have a public (anonymous) repository.

This create another issues of reusability, for example[1], we cannot actually have reusable workflow and actions library as there is no way to construct the workflow/action name and reference out of context/parameters, so we cannot reuse a workflow repo1@v1 that reuses a workflow at the same repository at the same reference, as the early processing of the workflow construction does not support expressions.

First thing GitHub need to do is understanding the use case of reusability and the expectation of reusable components within CI, the concept of library reuse for complex scenarios, it is not single repo with single developer open source scenario in enterprise grade environments. The implementation should support lazy processing of the uses property, support expression in all the statement, including the uses expression and expose a context that refers to the current running workflow or action with their repo/name/ref so that they can checkout/call self.

I am unsure where such discussion can take place and why there is no bug tracker for the github actions to confirm and follow issues, so I am stating this here.

Regards,

[1] https://github.com/orgs/community/discussions/31054