Publish GitHub action from private repo in the organization

From the documentation:

Actions are published to GitHub Marketplace immediately and aren’t reviewed by GitHub as long as they meet these requirements:

How can I reach out so that I can get my action to be published to the GitHub marketplace from my private organization?

I’m curious, what is your goal?

Normally an item in the marketplace exists as something that can be used by any GitHub user. Effectively, someone writes a workflow and when the workflow runs, the GitHub Action Runtime retrieves a tarball of the specified version of the action, dumps it into the environment, and then arranges to run it.

Anyone who can run a workflow can see and copy the entire content of the workflow. If you’re worried about someone stealing your sources, then putting something into the marketplace would be a bad idea as anyone could read their contents.

OTOH, by publishing to the marketplace, you aren’t responsible for paying for the CPU cycles when someone else runs your action.

For perspective, I have perhaps a dozen users of my action. They might run a couple of times an hour in each repository. That’d be a lot of cpu cycles I’d have to pay for and infrastructure I’d have to host if I wanted to self-host my action as a service. I’m much happier publishing to the marketplace and letting people use GitHub’s cpu cycles to run my action.

From an IP perspective, I rely on copyright and an open source license to “protect” my IP (that said, the license I’ve chosen is permissive, so it’s mostly imaginary).

People can publish items to the marketplace and offer them as a paid service.

Hey @jsoref,

Thanks for taking the time to look at my question. The goal is to provide an action for use to 3-4 repositories of the organization that I am part of. The contents of code are fine to be visible by everybody, for me it is more important that the whole team can easily contribute to the GH Action repository, do any changes and maintain it, hence I wanted to publish the action from the org itself. For me this is a preference of easy to find/contribute rather than the “protection” of the rights of code.

Perfect. In that case, as long as you create a repository and make it public, you’ll be able to publish it to the marketplace. And from there, you’ll be able to use it in your private repositories.

To use actions from a private repo, what we did was add those as a submodule. In the end what we have on the yml file is something like uses: ./.github/github-actions/slack-notification. Currently, I prefer to add the actions on the Marketplace as public repositories.

1 Like

For the avoidance of doubt and for future reference, a GitHub Organization is neither “public” nor “private”, rather the existence of a GitHub Organization is visible on GitHub and it’s the resources within it that are either public or private on a per-resource basis. Resources include Repositories, Packages, Projects, Teams and Memberships.

The GitHub Marketplace (for Actions) is just an opt-in list of public repositories and their metadata, it does not have any impact on Actions themselves. An Action repository can be public without being on the marketplace. The function of posting an Action on the GitHub Marketplace is to promote it beyond your organisation.

The value of uses in a GitHub Workflow is just a repository reference, it does not interface with the marketplace at all. You can create a public repository and then immediately reference it within a GitHub Workflow without ever submitting it to the GitHub Marketplace. The use-case you’ve described indicates you do not need the GitHub Marketplace, and can instead simply point your team members to the applicable repository.

As a somewhat relevant additional piece of information – in case in future you do need to keep your code secret – I’ve previously written a comment about private actions, here’s the most relevant part:

The native implementation of private repository support for Actions is still on the GitHub Roadmap but there are a number of ways to achieve it yourself, e.g: daspn/private-actions-checkout , nick-invision/private-action-loader or with submodules or even the documented approach of using actions/checkout .

3 Likes