GitHub Actions in Action: Continuous integration and delivery for DevOps

Author: Bos Rob, Kaufmann Michael, Vries Marcel de
Release date: 2025
Publisher: Manning Publications Co.
Number of pages: 257
File size: 3.3 MB
File type: PDF
Added by: codelibs

GitHub Actions in Action....1

brief contents....7

contents....8

foreword....14

preface....15

acknowledgments....16

about this book....17

Who should read this book?....17

How this book is organized: A roadmap....18

About the code....19

liveBook discussion forum....19

about the authors....20

about the cover illustration....22

Part 1 Action fundamentals....23

1 Introduction to GitHub Actions....25

1.1 An introduction to the GitHub universe....26

1.2 What are GitHub Actions and workflows?....28

1.3 GitHub Actions: More than CI/CD pipelines....30

1.4 Hosting and pricing for GitHub and GitHub Actions....30

1.4.1 GitHub Enterprise Cloud....31

1.4.2 GitHub Enterprise Server....31

1.4.3 GitHub pricing....32

1.4.4 GitHub Actions pricing....32

1.5 Conclusion....34

2 Hands-on: My first Actions workflow....35

2.1 Creating a new workflow....36

2.2 Using the workflow editor....38

2.3 Using actions from the marketplace....40

2.4 Running the workflow....42

2.5 Conclusion....45

3 Workflows....46

3.1 YAML....47

3.1.1 YAML basics....47

3.1.2 Data types....47

3.2 The workflow syntax....49

3.3 Events and triggers....49

3.3.1 Webhook triggers....49

3.3.2 Scheduled triggers....50

3.3.3 Manual triggers....51

3.4 Workflow jobs and steps....55

3.4.1 Workflow jobs....55

3.4.2 Workflow steps....56

3.4.3 Using GitHub actions....57

3.4.4 The matrix strategy....58

3.5 Expressions and contexts....59

3.6 Workflow commands....61

3.6.1 Writing a debug message....62

3.6.2 Creating error or warning messages....62

3.6.3 Passing an output to subsequent steps and jobs....64

3.6.4 Environment files....64

3.6.5 Job summaries....65

3.7 Secrets and variables....67

3.8 Workflow permissions....69

3.9 Authoring and debugging workflows....70

3.10 Conclusion....72

4 GitHub Actions....74

4.1 Types of actions....75

4.1.1 Docker container actions....75

4.1.2 JavaScript actions....76

4.1.3 Composite actions....76

4.2 Authoring actions....77

4.2.1 Getting started....78

4.2.2 Storing actions in GitHub....78

4.2.3 Compatibility with GitHub Enterprise Server....79

4.2.4 Release management....79

4.3 Hands-on lab: My first Docker container action....80

4.3.1 Using the template to create a new repository....80

4.3.2 Creating the Dockerfile for the action....81

4.3.3 Creating the action.yml file....82

4.3.4 Creating the entrypoint.sh script....82

4.3.5 Create a workflow to test the container....82

4.4 Sharing actions....84

4.4.1 Sharing actions in your organization....84

4.4.2 Sharing actions publicly....85

4.5 Advanced action development....90

4.6 Best practices....91

4.7 Conclusion....92

Part 2 Workflow runtime....93

5 Runners....95

5.1 Targeting a runner....96

5.2 Queuing jobs....96

5.3 The runner application....97

5.4 GitHub-hosted runners....97

5.5 Hosted operating systems....99

5.6 Installed software....100

5.7 Default shells....102

5.8 Installing extra software....102

5.9 Location and hardware specifications of the hosted runners....103

5.10 Concurrent jobs....103

5.11 Larger GitHub-hosted runners....104

5.12 GitHub-hosted runners in your own Azure Virtual Network....105

5.13 Billing GitHub-hosted runners....106

5.14 Analyzing the usage of GitHub-hosted runners....108

5.15 Self-hosted runners....110

6 Self-hosted runners....111

6.1 Setting up self-hosted runners....112

6.1.1 Runner communication....116

6.1.2 Queued jobs....119

6.1.3 Updating self-hosted runners....119

6.1.4 Available runners....120

6.1.5 Downloading actions and source code....120

6.1.6 Runner capabilities....122

6.1.7 Self-hosted runner behind a proxy....123

6.1.8 Usage limits of self-hosted runners....123

6.1.9 Installing extra software....123

6.1.10 Runner service account....125

6.1.11 Pre- and post-job scripts....125

6.1.12 Adding extra information to your logs....126

6.1.13 Customizing the containers during a job....127

6.2 Security risks of self-hosted runners....128

6.3 Single-use runners....129

6.3.1 Ephemeral runners....130

6.3.2 Just-in-time runners....130

6.4 Disabling self-hosted runner creation....131

6.5 Autoscaling options....132

6.5.1 Autoscaling with Actions Runner Controller....133

6.5.2 Communication in ARC....134

6.5.3 ARC monitoring....134

7 Managing your self-hosted runners....136

7.1 Runner groups....136

7.1.1 Assigning a runner to a runner group....139

7.2 Monitoring your runners....140

7.2.1 What to monitor....142

7.2.2 Monitoring available runners using GitHub Actions....143

7.2.3 Building a custom solution....144

7.2.4 Using a monitoring solution....145

7.3 Runner utilization and capacity needs....146

7.4 Monitoring network access....148

7.4.1 Monitor and limit network access....148

7.4.2 Recommended setup....150

7.5 Internal billing for action usage....150

Part 3 CI/CD with GitHub Actions....153

8 Continuous integration....155

8.1 GloboTicket: A sample application....156

8.2 Why continuous integration?....157

8.3 Types of CI....158

8.3.1 Using a branching strategy: GitHub Flow....158

8.3.2 CI for integration....159

8.3.3 CI for quality control....160

8.3.4 CI for security testing....160

8.3.5 CI for packaging....160

8.4 Generic CI workflow steps....161

8.4.1 Getting the sources....161

8.4.2 Building the sources into artifacts....161

8.4.3 Testing the artifacts....163

8.4.4 Test result reporting....163

8.4.5 Using containers for jobs....164

8.4.6 Multiple workflows vs. multiple jobs: Which to choose?....165

8.4.7 Parallel execution of jobs....166

8.5 Preparing for deployment....167

8.5.1 Traceability of source to artifacts....167

8.5.2 Ensuring delivery integrity: The software bill of materials....169

8.5.3 Versioning....170

8.5.4 Testing for security with container scanning....172

8.5.5 Using GitHub package management and container registry....172

8.5.6 Using the upload/download capability to store artifacts....176

8.5.7 Preparing deployment artifacts....178

8.5.8 Creating a release....180

8.6 The CI workflows for GloboTicket....183

8.6.1 The integration CI for APIs and frontends....183

8.6.2 CI workflows for quality control....184

8.6.3 The CI workflow for security testing....185

8.6.4 The CI workflows for container image creation and publishing....189

8.6.5 Creating a release....189

8.7 Conclusion....189

9 Continuous delivery....191

9.1 CD workflow steps....192

9.1.1 Steps to deploy our GloboTicket application....192

9.1.2 Triggering the deployment....193

9.1.3 Getting the deployment artifacts....193

9.1.4 Deployment....194

9.1.5 Verifying the deployment....195

9.2 Using environments....196

9.2.1 What is an environment?....197

9.2.2 Manual approval....197

9.2.3 Environment variables....198

9.2.4 Dealing with secrets....199

9.3 Deployment strategies....200

9.3.1 Deploying on premises....200

9.3.2 Deploying to cloud....200

9.3.3 OpenID Connect (OIDC)....200

9.3.4 Using health endpoints....204

9.3.5 Deployment vs. release....205

9.3.6 Zero-downtime deployments....206

9.3.7 Red–green deployments....207

9.3.8 Ring-based deployments....211

10 Security....214

10.1 Preventing pwn requests....215

10.2 Managing untrusted input....218

10.3 GitHub Actions security....221

10.3.1 The principle of least privileged....222

10.3.2 Referencing actions....223

10.4 Supply chain security....225

10.4.1 Dependabot version updates for actions....226

10.4.2 Code scanning actions....227

11 Compliance....229

11.1 How to ensure traceability of work....230

11.1.1 How to ensure commits are traceable....230

11.2 How to enforce the four-eyes principle....233

11.2.1 Enforcing segregation of duties with CODEOWNERS file....234

11.2.2 Showing end-to-end traceability....234

11.3 Mandatory workflows....235

Summary....237

12 Improving workflow performance and costs....238

12.1 Dealing with high-volume builds....239

12.1.1 Concurrency groups....239

12.1.2 Merge queues....240

12.2 Reducing the costs of maintaining artifacts....241

12.3 Improving performance....242

12.3.1 Using a sparse checkout....242

12.3.2 Adding caching....242

12.3.3 Detecting a cache hit and skipping the work....245

12.3.4 Selecting other runners....246

12.4 Optimizing your jobs....247

Index....249

Continuous delivery (CI/CD) pipelines help you automate the software development process and maximize your team’s efficiency. GitHub Actions in Action teaches you to build real-world build, test, and deploy pipelines in GitHub Actions through hands-on labs and projects.

In GitHub Actions in Action you will learn how to:

  • Create and share GitHub Actions workflows
  • Automate CI/CD workloads and other GitHub tasks
  • Secure release pipelines with secrets, variables, and environments
  • Support compliance frameworks
  • Create safe and scalable self-hosted runners

GitHub Actions in Action is filled with battle-tested methods for automating delivery pipelines and delivering features faster. DevOps engineers will love the coverage of reliable methods for Infrastructure-as-Code and automating cloud environments. Written by three Microsoft MVPs and tech reviewed by a Staff DevOps Architect from GitHub, this book delivers the hardworking skills and advice you’ll need to be successful on the job.

About the book

GitHub Actions in Action shows you exactly how to implement a secure and reliable continuous delivery process with just the tools available in GitHub—no complex CI/CD frameworks required! You’ll follow an extended example application for selling tickets, taking it all the way from initial build to cloud deployment. The first part of the book introduces the basics of workflows and actions, all illustrated with simple examples. You’ll then move on to the platform’s architecture, security considerations, and in-depth coverage of the workflow runtime. Finally, you’ll learn how to deliver a complete CI/CD pipeline, including compliance and performance and costs optimization. You’ll even learn to create your own actions that you can share in the GitHub marketplace!

About the reader

For software developers and DevOps engineers already working with GitHub and looking to expand to GitHub Actions.

