Comparison of GitHub Actions with competitors
Deep dive into workflow syntax, triggers, and job configuration
Explore matrices, reusable workflows, and composite actions
•Runner Types and Execution Environments
•Persisting Build Outputs with Artifacts
•Controlling GitHub Permissions
•Authenticating to Third-Party Systems
•Matrix Strategies, Conditionals, and Concurrency Controls
Discover and integrate community actions from the GitHub Marketplace
Build custom JavaScript and Docker actions from scratch
•JavaScript and TypeScript Actions
Optimize logs, secrets, environments, and permissions for teams
•Developer Experience (Actions)
Harden workflows with security, reliability, and cost-saving techniques
•Maintainable Workflow Patterns
Apply course concepts by automating a real-world deployment pipeline
The GitHub Actions Marketplace contains thousands of reusable building blocks that can accelerate your automation workflows. This lesson focuses on navigating the catalog so you can surface actions worth deeper evaluation.
Head to github.com/marketplace?type=actions to browse the catalog. Each entry represents a separate repository that publishes an action. From the listing you can:
Most actions are small applications that you invoke from a uses:
step inside your workflow. Treat the marketplace as a discovery layer: once you find a candidate, read its README, skim recent commits, and decide whether it fits your needs.
Actions are dependencies that execute with the same permissions and secrets as the rest of your workflow. Apply the same scrutiny you would for any open-source library:
If you cannot confirm an action's quality or long-term support, consider building the step yourself or forking the action so you can control updates.
Because actions are versioned repositories, you control which revision executes by changing the uses:
reference. To guarantee reproducible results—and protect against supply-chain attacks—pin to an exact commit SHA rather than a mutable tag:
dangerous:
steps:
- uses: actions/checkout
- uses: actions/checkout@v5
- uses: actions/checkout@v5.0.0
secure:
steps:
- uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
Tags can be retargeted after publication, but commit hashes are immutable. In early 2025, a compromised action retagged historical releases to ship malicious code—repositories that pinned commits were unaffected. Add an inline comment with the human-friendly version so future maintainers can tell which release you audited.
actions/checkout
– clone your repository into the runner.actions/cache
– persist dependencies or build outputs between runs.actions/upload-artifact
and actions/download-artifact
– move build artifacts across jobs.actions/github-script
– run short JavaScript snippets authenticated against the GitHub API.These actions configure language toolchains and bake in best practices such as caching and path configuration.
They streamline acquiring temporary credentials for cloud providers without hard-coding secrets in your workflow.
github/super-linter
– run language-agnostic linting in one step.docker/build-push-action
– build and publish multi-architecture container images.