Skip to main content
GitHub Actions
CHAPTER 09

Using Marketplace Actions

Updated: May 15, 2026
20 min read

# CHAPTER 9

Using Marketplace Actions

1. Introduction

If you had to write custom Bash scripts for every single task in your pipeline—from downloading code to configuring AWS networks—GitHub Actions would be exhausting to use. The true genius of the platform is the GitHub Marketplace. It is a centralized app store containing thousands of pre-built, open-source automation scripts (Actions) created by companies like Amazon, Google, Docker, and independent developers. In this chapter, we will explore how to search the Marketplace, implement third-party actions using the uses: keyword, and critically evaluate the security risks of executing other people's code on your infrastructure.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand the difference between the run: and uses: keywords.
  • Navigate the GitHub Marketplace to find automation tools.
  • Differentiate between Official actions and Third-Party actions.
  • Pass parameters into an action using the with: keyword.
  • Understand Supply Chain security and how to pin action versions.

3. Beginner-Friendly Explanation

Imagine building a house.
  • The run: keyword (DIY): You go into the forest, chop down a tree, cut it into planks, build a door, and install it. It takes a week, and it might be crooked.
  • The uses: keyword (The Home Depot): You go to the store (The GitHub Marketplace), buy a pre-built, professionally manufactured door, and simply screw it into the wall. It takes 5 minutes and works perfectly.

The Marketplace allows you to "buy" (for free) pre-built DevOps tasks so you don't have to reinvent the wheel.

4. Official vs. Third-Party Actions

When you search the Marketplace, you will see two types of creators:
  1. 1. Official Providers (Verified Creators): Actions created by the platform owners themselves. (e.g., actions/checkout is made by GitHub. aws-actions/configure-aws-credentials is made by Amazon). These are highly trusted. You will see a blue checkmark next to their name.
  1. 2. Third-Party Creators: Actions made by random developers in the community (e.g., appleboy/ssh-action). Many of these are brilliant and industry-standard, but they require trust. You are letting their code execute inside your private repository.

5. Implementing an Action (The with: Keyword)

When you use a pre-built action, it usually needs instructions. For example, if you use a "Send Slack Message" action, you must tell it *what* message to send and *which* channel to send it to. We pass these instructions (Parameters) using the with: keyword.
yaml
123456 
    steps:
      - name: Send Slack Notification
        uses: slackapi/slack-github-action@v1.24.0 # The Action
        with: # The Parameters
          channel-id: 'C1234567890'
          slack-message: 'Deployment Successful!'

6. Mini Project: Integrate a Linter Action

Instead of writing complex shell scripts to check our code formatting, let's use a professional, pre-built Linter action from the Marketplace.

Step-by-Step Walkthrough:

  1. 1. Open a web browser and go to github.com/marketplace.
  1. 2. Search for "Super-Linter".
  1. 3. Click on the action by the verified creator github (Now maintained by the community).
  1. 4. Review the documentation provided on the marketplace page.
  1. 5. Create a new workflow .github/workflows/linter.yml:

yaml
123456789101112131415161718 
name: Marketplace Linter Demo
on: [push]

jobs:
  lint-code:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      # Using the Marketplace Action
      - name: Run Super-Linter
        uses: github/super-linter@v5
        env:
          # Actions can accept inputs via 'env' or 'with' depending on their design
          VALIDATE_ALL_CODEBASE: false
          DEFAULT_BRANCH: main
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

7. Real-World Scenarios

A development team spent three weeks writing complex Python scripts to compress their images before deployment. The scripts were buggy and constantly failed. A new DevSecOps engineer joined the team, deleted the 500 lines of Python code, and replaced it with two lines of YAML: uses: calibreapp/image-actions@main. The marketplace action automatically compressed every image perfectly, leveraging the expertise of an entire community, and saving the company weeks of wasted engineering time.

8. Best Practices

  • Pinning by Commit SHA: In all our examples, we used version tags like @v4. While good, the creator can technically change what v4 means. The absolute most secure way to use a third-party action is to pin it to its cryptographic commit SHA.
  • *Good:* uses: actions/checkout@v4
  • *Bulletproof:* uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
Even if the creator is hacked, the code cannot be altered without changing the SHA hash.

9. Security Recommendations

  • Supply Chain Attacks: Using a third-party action is a "Supply Chain" risk. If an independent developer abandons their popular GitHub Action, and a malicious hacker takes over the repository, the hacker can push a new update containing code that steals AWS keys. Millions of pipelines automatically download the new update via @v2, and the keys are stolen. Always audit third-party actions and use Dependabot to monitor for vulnerabilities.

10. Troubleshooting Tips

  • Action Deprecation Warnings: If your workflow succeeds but has yellow warning annotations saying "Node.js 16 actions are deprecated", it means the creator of the action used an outdated version of JavaScript to build it. You should check the Marketplace for a newer version of the action (e.g., updating @v1 to @v2).

11. Exercises

  1. 1. Contrast the run: keyword with the uses: keyword in a workflow step.
  1. 2. Explain the purpose of the with: keyword when implementing a Marketplace action.

12. FAQs

Q: Can I build my own custom Actions and share them? A: Yes! You can write a "Custom Action" using JavaScript or Docker, publish it to your own public GitHub repository, and list it on the Marketplace for the world to use.

13. Interview Questions

  • Q: Explain the concept of a Supply Chain Attack in the context of CI/CD pipelines. How do you mitigate the risk of executing compromised third-party GitHub Actions?
  • Q: A pipeline utilizes a Marketplace action to upload artifacts to AWS S3. The action requires the S3 bucket name and the AWS region. Architect the YAML step, demonstrating how inputs are passed to the encapsulated action.

14. Summary

In Chapter 9, we unlocked the collaborative power of the open-source DevOps community. We learned that the GitHub Marketplace is a vast repository of pre-engineered solutions, allowing us to implement complex workflows with a single uses: declaration. We mastered configuring these actions using the with: keyword. Crucially, we shifted our perspective to security, acknowledging that importing third-party code requires vigilance, and identifying commit-SHA pinning as the ultimate defense against supply chain vulnerabilities.

15. Next Chapter Recommendation

We've seen secrets.GITHUBTOKEN and secrets.SSHPRIVATE_KEY in previous examples. Where are these secrets stored, and how do we manage them safely? Proceed to Chapter 10: Environment Variables and Secrets.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Deploying Applications with GitHub Actions
Next Chapter Environment Variables and Secrets

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5

🧪 Related Labs 1