GitHub Actions Using Marketplace Actions
The GitHub Marketplace hosts thousands of pre-built actions created by GitHub, companies, and open-source contributors. Instead of writing complex scripts from scratch, you use these actions to accomplish common tasks in a single line. This topic shows you how to find, use, and pin actions safely.
What a Marketplace Action Is
A Marketplace action is a reusable module that performs one specific task. It works like a power tool — instead of building a drill from scratch, you pick one up and use it. Actions handle tasks like:
- Downloading your repository onto the runner
- Setting up programming languages (Node.js, Python, Java, etc.)
- Uploading files to AWS S3 or Azure Blob Storage
- Sending Slack notifications
- Publishing packages to npm or PyPI
- Creating GitHub issues or comments automatically
How to Use an Action
You use an action inside a step with the uses keyword followed by the action's name and a ref (tag, branch, or commit SHA):

steps:
  - uses: actions/checkout@v4

The format is owner/repository@ref:

actions/checkout@v4
│       │        │
│       │        └── Ref: a version tag here; a branch or commit SHA also works
│       └─────────── Repository name
└─────────────────── GitHub user or organization

Three other forms exist: owner/repository/subdirectory@ref for an action that lives in a subfolder of a repository, ./path/to/dir for an action checked into your own repository, and docker://image:tag for a container image run directly as a step.
The Most Important Action: actions/checkout
Almost every workflow starts with this step. The actions/checkout action downloads your repository code onto the runner. Without it, the runner has no access to your project files.
steps:
  - name: Get my repository code
    uses: actions/checkout@v4
Imagine the runner as an empty room. actions/checkout carries all your files into that room so the rest of your workflow can use them.
Passing Inputs to Actions
Many actions accept input parameters that customize their behavior. You pass inputs using the with key:

steps:
  - name: Set up Node.js
    uses: actions/setup-node@v4
    with:
      node-version: '20'
      cache: 'npm'

The actions/setup-node action installs Node.js 20 on the runner, and cache: 'npm' saves npm's download cache between runs (keyed on your lock file) so later installs download less; node_modules itself is not cached, so the install step still runs. Inputs you omit take the defaults declared in the action's action.yml.
Reading Action Outputs
Some actions produce output values you can use in later steps. Give the step an id, then reference the output as steps.<id>.outputs.<name>:

steps:
  - name: Get release details
    id: release
    uses: actions/github-script@v7
    with:
      script: return '2.1.0'
      result-encoding: string
  - name: Use the version
    run: echo "Deploying version ${{ steps.release.outputs.result }}"

actions/github-script exposes the script's return value as an output named result. One caveat: a ${{ }} expression inside run is substituted into the script text before the shell ever sees it. That is harmless for the literal above, but an output that can carry attacker-controlled text (anything derived from a PR title, branch name, commit message or issue body) becomes a shell injection when interpolated that way. Pass such values through an env: entry and read the variable in the shell instead.
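The weak and the corrected form side by side, as an added example that is not from the original page: the script step returns the pull request title, which an outside contributor controls on pull_request events, and the two steps that follow show why such a value must reach the shell as an environment variable rather than by expression substitution. The trigger, job name and variable name are assumptions for the illustration.

```yaml
on: pull_request

jobs:
  deploy-preview:
    runs-on: ubuntu-latest
    steps:
      - name: Derive a label from the PR title (attacker-controlled on pull_request)
        id: release
        uses: actions/github-script@v7
        with:
          result-encoding: string
          script: return context.payload.pull_request.title

      # Weak: the expression is pasted into the script text before bash runs it,
      # so a title such as   x"; id; echo "   breaks out of the quotes and runs id.
      - name: Unsafe interpolation
        run: echo "Deploying ${{ steps.release.outputs.result }}"

      # Corrected: the value arrives as an environment variable; bash treats it as
      # data, and the double quotes keep it a single argument however odd it looks.
      - name: Safe via env
        env:
          RELEASE_LABEL: ${{ steps.release.outputs.result }}
        run: echo "Deploying $RELEASE_LABEL"
```

The same rule applies to any ${{ }} value you do not fully control, including github.event.* fields used directly in run, not only action outputs.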
Commonly Used Official Actions
Action | What it does
------------------------------|--------------------------------------
actions/checkout@v4 | Downloads your repository code
actions/setup-node@v4 | Installs Node.js
actions/setup-python@v5 | Installs Python
actions/setup-java@v4 | Installs Java / JDK
actions/cache@v4 | Caches files between runs
actions/upload-artifact@v4 | Saves files from the workflow
actions/download-artifact@v4 | Retrieves previously saved files
actions/github-script@v7      | Runs inline JavaScript with an authenticated GitHub API client
Finding Actions in the Marketplace
Visit github.com/marketplace?type=actions and search for what you need. Each action page shows:
- A description of what it does
- Installation instructions (the exact uses line to copy)
- A list of all input parameters and outputs
- Example workflow snippets
The action page also shows whether the publisher is a verified creator, the star count, and the version history. These are useful signals when evaluating trustworthiness, as long as you read them for what they are: the verified badge confirms the publisher's identity, not that anyone has reviewed the code, and a star count says nothing about the action's current state or who holds push access today.
Pinning Action Versions Safely
Using @v4 means "use whatever commit the v4 tag currently points to." Maintainers move that tag to each new v4.x release, which is convenient, but a tag is a mutable pointer: anyone who can push to the action's repository, including an attacker holding a stolen maintainer credential, can re-point it to different code, and every workflow that references @v4 runs that code on its next trigger.
For maximum security and stability, pin to the full commit SHA instead of a version tag, and record the release it corresponds to in a trailing comment (Dependabot and Renovate read that comment when proposing updates):
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
A commit SHA is content-addressed, so the code it names cannot change. Two checks still matter: take the SHA from a release tag in the upstream repository itself rather than from a fork or a copied snippet, and remember that the pin covers only the action's own repository; a Docker-based action that references its image by a floating tag can still change underneath you. SHA pinning is the widely recommended practice for production workflows because it removes the "move the tag to malicious code" supply chain attack path.
Pinning methods and their tradeoffs:
@v4     → Convenient, auto-receives patches; the tag can be moved, so you run whatever it points to today
@v4.2.0 → A specific release, more stable than the major tag; still a tag, so still movable
@<sha>  → Immutable, most secure; updates are explicit (manual, or via Dependabot/Renovate)
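The two chores this section and the owner/repository@ref format above imply, automated as an added example (not code from the page or from GitHub, standard library only): audit_workflow classifies every uses reference in a workflow and flags tags and branches (rated higher for third-party owners) as well as SHA pins that lack the release comment, and resolve_tag_sha turns git ls-remote --tags output into the commit to pin, handling annotated tags whose commit appears on the peeled ^{} line. The sample workflow and the ls-remote lines are constructed; someone/slack-notify is a hypothetical action name, and the trusted-owner set is an assumption to tune per repository.

```python
"""Audit `uses:` references in a workflow and resolve a tag to a commit SHA.
Added example (not code from the page or from GitHub); standard library only.
Sample workflow and ls-remote output are constructed; `someone/slack-notify` is hypothetical."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)['"]?\s*(?:#\s*(.*))?$""")
TRUSTED_OWNERS = {"actions", "github"}  # rated first-party (assumption: tune per repo)

@dataclass
class UsesRef:
    owner: str
    repo: str
    path: str     # sub-directory inside the repo, "" if none
    ref: str      # what follows "@": tag, branch or commit SHA
    comment: str  # trailing "# ..." text, e.g. the release beside a SHA
    line: int

    @property
    def pinned_to_sha(self) -> bool:
        return bool(SHA_RE.match(self.ref))

def parse_uses(line: str, lineno: int):
    """UsesRef for an `owner/repo[/path]@ref` line; None for ./local, docker:// or non-uses lines."""
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group(1), (m.group(2) or "").strip()
    if target.startswith(("./", "docker://")) or "@" not in target:
        return None
    repo_part, ref = target.rsplit("@", 1)
    parts = repo_part.split("/")
    if len(parts) < 2:
        return None
    return UsesRef(parts[0], parts[1], "/".join(parts[2:]), ref, comment, lineno)

def audit_workflow(yaml_text: str):
    """Return (line, severity, reference) for each reference that needs attention."""
    findings = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        r = parse_uses(line, n)
        if r is None:
            continue
        name = f"{r.owner}/{r.repo}@{r.ref}"
        if not r.pinned_to_sha:
            # A tag or branch is a mutable pointer; third-party ones matter most.
            findings.append((n, "low" if r.owner in TRUSTED_OWNERS else "high", name))
        elif not r.comment:
            # Pinned, but no "# vX.Y.Z" note saying which release the SHA is
            # (humans, Dependabot and Renovate all rely on that comment).
            findings.append((n, "info", name))
    return findings

def resolve_tag_sha(ls_remote_output: str, tag: str):
    """Commit SHA for `tag` from `git ls-remote --tags <url>` output.
    An annotated tag is listed as refs/tags/TAG (tag object) and refs/tags/TAG^{}
    (the commit it points to); the runner checks out the commit, so ^{} wins."""
    plain = peeled = None
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain

SAMPLE_WORKFLOW = """\
name: Node.js CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: someone/slack-notify@main
      - run: npm ci
"""

# Constructed ls-remote lines: the tag-object SHA is made up; the peeled commit
# is the actions/checkout v4.2.2 commit quoted in the text above.
SAMPLE_LS_REMOTE = (
    "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1\trefs/tags/v4.2.2\n"
    "11bd71901bbe5b1630ceea73d27597364c9af683\trefs/tags/v4.2.2^{}\n"
    "cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v4.2.1\n"
)

if __name__ == "__main__":
    for n, sev, name in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: [{sev}] {name}")
    print("pin actions/checkout v4.2.2 to", resolve_tag_sha(SAMPLE_LS_REMOTE, "v4.2.2"))
```

Against the sample workflow the audit reports actions/setup-node@v4 as low and someone/slack-notify@main as high, while the local, docker:// and SHA-pinned steps pass. In real use, feed resolve_tag_sha the output of git ls-remote --tags https://github.com/OWNER/REPO for the upstream repository, not a fork, so the SHA you pin is the one the release actually names.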
Third-Party Actions — Trust Considerations
An action runs directly on your runner with the same access the job has: the checked-out repository, the GITHUB_TOKEN, and any secrets passed to it (or, for JavaScript actions, anything present in the job's environment). Follow these guidelines before using any third-party action:
- Check the author: prefer actions from verified creators, remembering that the badge vouches for the publisher's identity, not for the code
- Read the action's source code on GitHub before using it; for JavaScript actions, check that the committed dist/ bundle actually corresponds to the source it claims to be built from
- Check how many stars and forks the repository has, treating them as a weak signal that can be inflated
- Look for recent maintenance activity (last commit date, open issues, release cadence)
- Pin to a specific SHA for anything in production
- Give the job a least-privilege token with a permissions: block so a misbehaving action cannot do more than the job needs
- Use the repository or organization Actions policy to allow only actions you have reviewed
Creating a Simple Workflow Using Marketplace Actions
name: Node.js CI
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # Step 1: Get the code
      - uses: actions/setup-node@v4    # Step 2: Install Node.js
        with:
          node-version: '20'
      - run: npm ci                    # Step 3: Install dependencies
      - run: npm test                  # Step 4: Run tests
Two Marketplace actions and two run commands accomplish what would otherwise take dozens of lines of shell scripting (cloning with the right credentials, installing a Node.js toolchain, wiring up caching). That is the real power of the GitHub Actions ecosystem, and also why the trust checks above matter: every uses line is code you are inviting onto your runner.
