Composite actions in internal repositories

Is it possible to add composite actions hosted in internal repos in an organization? Or is it only possible in public repositories?

I’ll go ahead and answer my own question. To my surprise, accessing composite actions in internal or private repos is not supported yet and is planned for 21Q4 :confused:

Reference: Actions: Use actions from internal repositories · Issue #74 · github/roadmap · GitHub

Without this unreleased feature, it is possible if you clone your internal repository with a deployment SSH key or a personal access token (with security in mind, that of a technical user with just enough access rights to clone the repo) stored as a secret, then run them as local actions (instead of remote actions).
e.g.

```yaml
- name: Checkout
  uses: actions/checkout@v2
- name: Checkout private tools
  uses: actions/checkout@v2
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
    path: .github/my-tools
- uses: ./.github/my-tools/my-private-action
```

`/my-private-action` is the path of the action within the internal repository (omit it if the action is in the repo root folder).

2 Likes

Note that technically the actions runtime appears to strip out the git metadata when it bundles up the action. So, if you want to have consistent behavior, you should also wipe out the .github/my-tools/.git/ directory :slight_smile: .

(As of a recent version of the runtime, it at least logs the version of an action it retrieved.)
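The workaround from the posts above, combined into one workflow as an added example (not code from any of the posters). It shows the second checkout with `persist-credentials: false`, so the PAT is not written into the tools checkout's git config, followed by the `.git` removal suggested in the last reply. The workflow name, trigger, job name and `ref` value are assumptions; the repository, secret and paths are the ones used in the thread.

```yaml
# Added example: workflow name, trigger, job name and ref are assumptions.
name: use-internal-composite-action
on: [push]

# Limit the job's built-in GITHUB_TOKEN; the private repo is read with the PAT only.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Checkout private tools
        uses: actions/checkout@v2
        with:
          repository: my-org/my-private-tools
          ref: main                        # assumption: pin to a branch, tag or commit SHA you have reviewed
          token: ${{ secrets.GitHub_PAT }} # PAT of a technical user with read access to this one repo
          path: .github/my-tools
          persist-credentials: false       # keep the token out of .github/my-tools/.git/config

      # Match how the runtime bundles remote actions: no git metadata next to the action.
      - name: Remove git metadata from the tools checkout
        run: rm -rf .github/my-tools/.git

      - uses: ./.github/my-tools/my-private-action
```

By default `actions/checkout` stores the supplied token in the local git config so later git commands in the job can authenticate; disabling that and deleting `.git` means later steps, including the local action itself, cannot read the PAT from disk.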