Important
This action is not ready for public use. It is part of an upcoming public roadmap item (see GitHub Actions: Immutable actions publishing). Attempts to use this action to upload an OCI artifact will not work until this feature has been fully released to the public. Please do not attempt to use it until that time.
This action packages your action as an OCI container and publishes it to the GitHub Container registry. This allows your action to be consumed as an immutable package if a SemVer is specified in the consumer's workflow file.
Your workflow can be triggered by any event which has a GITHUB_REF that points to a Git tag.
Some examples of these events are:
release(uses tag associated with release)push(only applies to pushed tags)workflow_dispatch(only applies if subject of dispatch is a tag)
The associated tag must follow semantic versioning - this tag value will be used to create a package version.
Consumers of your action will then be able to specify that version to consume your action from the package, e.g.
- uses: your-name/[email protected]- uses: your-name/your-action@v1
Such packages will come with stronger security guarantees for consumers than existing git-based action resolution, such as:
- Provenance attestations generated using the
@actions/attestpackage - Tag immutability - it will not be possible to overwrite tags once published, ensuring versions of an action can't change once in use
- Namespace immutability - it will not be possible to delete and recreate the package with different content; this would undermine tag immutability
An actions workflow file like the following should be placed in your action repository:
name: "Publish Immutable Action Version"
on:
release:
types: [published]
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Check out repo
uses: actions/checkout@v4
- name: Publish
id: publish
uses: actions/[email protected]The scripts and documentation in this project are released under the MIT License.