GitHub Actions: Immutable Actions Publishing [Public Preview]

[glider-bot]

Value Prop

We are building a new way to publish and consume actions that will improve the security of the CI/CD supply chain. Building on top of the OCI distribution specification, actions can now be pushed to GitHub Packages as immutable image versions with familiar semantic versions. The immutable packages and semantic versions bring greater predictability and security to users' workflows.

Expected Outcome

Users consuming actions will be able to reference an immutable package of an action by version, providing better security in their CI/CD supply chain. Over time we will build additional functionality like signing, build attestation, malware scanning, etc. to further improve the security of the supply chain and allow organizations to apply more specific policies. Developers creating Actions will have a fully automated workflow for publishing their actions that follows a natural build, package, and publish model with standard package versioning.

Actions publishers will use a new packaging action and workflow to take their existing actions code and publish it to GitHub Packages. Users consuming actions by version tags will automatically start getting the packaged version of the action after it is published. Those referencing by commit SHA or git branch reference will simply need to switch to an appropriate version.