actions / publish-immutable-action

A GitHub Action used for publishing an Action to ghcr.io as an OCI container.

Publish Immutable Action

IMPORTANT: This action is not ready for public use. It is part of an upcoming public roadmap item (see GitHub Actions: Immutable actions publishing). Attempts to use this action to upload an OCI artifact will not work until this feature has been fully released to the public. Please do not attempt to use it until that time.

This action packages your action as an OCI container and publishes it to the GitHub Container registry. This allows your action to be consumed as an immutable package if a SemVer is specified in the consumer's workflow file.

Your workflow can be triggered by any event which has a GITHUB_REF that points to a Git tag. Some examples of these events are:

The associated tag must follow semantic versioning - this tag value will be used to create a package version.

Consumers of your action will then be able to specify that version to consume your action from the package, e.g.

Such packages will come with stronger security guarantees for consumers than existing git-based action resolution, such as:

Usage

An actions workflow file like the following should be placed in your action repository:

name: "Publish Immutable Action Version"

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
    - name: Check out repo
      uses: actions/checkout@v4
    - name: Publish
      id: publish
      uses: actions/publish-immutable-action@0.0.3
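
The tag requirement described above can be checked in a step that runs before Publish. The following is an added example, not code from this project: a shell function (the name `semver_from_ref` is hypothetical) that accepts a `GITHUB_REF` value only when it is a tag ref whose name is a strict SemVer 2.0.0 version. It assumes a leading `v` should be rejected; this page does not say whether the action accepts one.

```shell
# Added example: pre-publish guard, not part of publish-immutable-action.
# Prints the version when the ref is refs/tags/<semver>; returns non-zero otherwise.
semver_from_ref() {
  ref=$1
  case $ref in
    refs/tags/*) tag=${ref#refs/tags/} ;;
    *) echo "not a tag ref: $ref" >&2; return 1 ;;
  esac

  # SemVer 2.0.0: MAJOR.MINOR.PATCH with optional -prerelease and +build.
  # Numeric identifiers must not carry leading zeros.
  num='(0|[1-9][0-9]*)'
  pre='(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*)'
  build='[0-9A-Za-z-]+'
  re="^${num}\.${num}\.${num}(-${pre}(\.${pre})*)?(\+${build}(\.${build})*)?\$"

  # Assumption: a leading "v" (e.g. v1.2.3) is treated as non-conforming here.
  if printf '%s\n' "$tag" | grep -Eq "$re"; then
    printf '%s\n' "$tag"
  else
    echo "tag is not a semantic version: $tag" >&2
    return 1
  fi
}
```

In a workflow, call `semver_from_ref "$GITHUB_REF"` in a `run` step placed before Publish so that a non-conforming tag fails the job before anything is pushed to the registry.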

License

The scripts and documentation in this project are released under the MIT License.