2: Why GitHub Actions?
Comparison of GitHub Actions with competitors
3: Core Features
Deep dive into workflow syntax, triggers, and job configuration
4: Advanced Features
Explore matrices, reusable workflows, and composite actions
•Runner Types and Execution Environments
•Persisting Build Outputs with Artifacts
•Controlling GitHub Permissions
•Authenticating to Third-Party Systems
•Matrix Strategies, Conditionals, and Concurrency Controls
5: Marketplace Actions
Discover and integrate community actions from the GitHub Marketplace
6: Authoring Actions
Build custom JavaScript and Docker actions from scratch
•JavaScript and TypeScript Actions
8: Developer Experience
Optimize logs, secrets, environments, and permissions for teams
•Developer Experience (Actions)
9: Best Practices
Harden workflows with security, reliability, and cost-saving techniques
•Maintainable Workflow Patterns
10: Capstone Project
Apply course concepts by automating a real-world deployment pipeline
Marketplace Actions
The GitHub Actions Marketplace contains thousands of reusable building blocks that can accelerate your automation workflows. This lesson focuses on navigating the catalog so you can surface actions worth deeper evaluation.
Exploring the Marketplace
Head to github.com/marketplace?type=actions to browse the catalog. Each entry represents a separate repository that publishes an action. From the listing you can:
- Filter by category or search for specific tools (for example, searching for "Cypress" reveals several options for running end-to-end tests).
- Open the action's detail page to read usage instructions and click View source code to inspect the backing repository.
- Identify official GitHub-maintained actions by the blue Verified badge next to the publisher name.
Most actions are small applications that you invoke from a uses: step inside your workflow. Treat the marketplace as a discovery layer: once you find a candidate, read its README, skim recent commits, and decide whether it fits your needs.
Evaluating third-party actions
Actions are dependencies that execute with the same permissions and secrets as the rest of your workflow. Apply the same scrutiny you would for any open-source library:
- Does it solve your problem? Favor actions that provide clear value over authoring custom scripts yourself.
- Is the publisher trustworthy? Verified badges indicate GitHub has confirmed the owner's identity, but unverified actions can still be legitimate—look for documentation, an active issue tracker, and maintainers who respond to contributions.
- Is the project healthy? Check the star count, release cadence, and whether recent commits demonstrate ongoing maintenance.
If you cannot confirm an action's quality or long-term support, consider building the step yourself or forking the action so you can control updates.
Pin specific commits for security
Because actions are versioned repositories, you control which revision executes by changing the uses: reference. To guarantee reproducible results—and protect against supply-chain attacks—pin to an exact commit SHA rather than a mutable tag:
dangerous:
steps:
- uses: actions/checkout
- uses: actions/checkout@v5
- uses: actions/checkout@v5.0.0
secure:
steps:
- uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
Tags can be retargeted after publication, but commit hashes are immutable. In early 2025, a compromised action retagged historical releases to ship malicious code—repositories that pinned commits were unaffected. Add an inline comment with the human-friendly version so future maintainers can tell which release you audited.
Popular Marketplace Actions
Official GitHub actions
actions/checkout– clone your repository into the runner.actions/cache– persist dependencies or build outputs between runs.actions/upload-artifactandactions/download-artifact– move build artifacts across jobs.actions/github-script– run short JavaScript snippets authenticated against the GitHub API.
Runtime and dependency installers
These actions configure language toolchains and bake in best practices such as caching and path configuration.
Authentication helpers
They streamline acquiring temporary credentials for cloud providers without hard-coding secrets in your workflow.
Additional utilities
github/super-linter– run language-agnostic linting in one step.docker/build-push-action– build and publish multi-architecture container images.