github-cli

Run the official GitHub CLI from a Dagu workflow with a pinned gh binary.

This action is useful for release automation, issue and pull request workflows, repository metadata lookups, GitHub Actions inspection, and GitHub API calls that should run inside a DAG without baking gh into every worker image.

The action owns its tool dependencies:

tools:
  - cli/cli@v2.92.0
  - nodejs/node@v22.21.1

GitHub CLI v2.92.0 is the current upstream release used by this action version.

Usage

steps:
  - id: repo
    action: github-cli@v1
    with:
      repo: dagucloud/dagu
      args: ["repo", "view", "--json", "name,description,url"]

  - id: print
    depends: [repo]
    run: printf '%s\n' '${repo.outputs.stdout}'

args is passed to gh as an argument array, without shell parsing. The example above runs:

gh repo view --json name,description,url

with GH_REPO=dagucloud/dagu.

Authentication

For non-public data or write operations, pass a token through env. GitHub CLI reads GH_TOKEN or GITHUB_TOKEN for GitHub.com, and GH_ENTERPRISE_TOKEN or GITHUB_ENTERPRISE_TOKEN for GitHub Enterprise Server.

secrets:
  - name: GH_TOKEN
    provider: env
    key: GH_TOKEN

steps:
  - id: latest_release
    action: github-cli@v1
    with:
      repo: dagucloud/dagu
      args:
        - api
        - repos/{owner}/{repo}/releases/latest
        - --jq
        - .tag_name
      env:
        GH_TOKEN: ${GH_TOKEN}

Use the least-privileged token that can perform the operation. This action is not a sandbox; gh runs with the same filesystem, network, and secret access as the Dagu worker.

Common Patterns

View a Pull Request

steps:
  - id: pr
    action: github-cli@v1
    with:
      repo: dagucloud/dagu
      args: ["pr", "view", "2172", "--json", "title,state,url"]

Call the GitHub API

GH_REPO lets gh api expand {owner} and {repo} placeholders:

steps:
  - id: latest_release
    action: github-cli@v1
    with:
      repo: dagucloud/dagu
      args:
        - api
        - repos/{owner}/{repo}/releases/latest
        - --jq
        - .tag_name

Write to Stdin

Use stdin for commands that read from standard input, such as comment bodies or release notes:

steps:
  - id: comment
    action: github-cli@v1
    with:
      repo: dagucloud/dagu
      args: ["issue", "comment", "123", "--body-file", "-"]
      stdin: |
        Automated workflow finished.

Run in a Local Repository

Use workdir when the command should run inside a checked-out repository:

steps:
  - id: status
    action: github-cli@v1
    with:
      workdir: /workspace/repo
      args: ["pr", "status"]

Inputs

| Field | Required | Description |
| --- | --- | --- |
| args | Yes | Array of GitHub CLI arguments passed to gh without shell parsing. Do not include the gh executable name. |
| stdin | No | Text written to gh stdin. |
| env | No | Object of string environment variables for gh, such as GH_TOKEN, GITHUB_TOKEN, or GH_ENTERPRISE_TOKEN. |
| repo | No | Sets GH_REPO in [HOST/]OWNER/REPO format for commands that otherwise need a local repository context. |
| host | No | Sets GH_HOST for GitHub Enterprise or explicit host selection. |
| workdir | No | Working directory for the gh process. |
| timeoutSeconds | No | Maximum runtime for the command. Defaults to 300, max 1800. |

The wrapper also sets these non-secret defaults unless the caller overrides them:

| Variable | Default | Purpose |
| --- | --- | --- |
| GH_PROMPT_DISABLED | 1 | Prevent interactive prompts from blocking workflow runs. |
| GH_NO_UPDATE_NOTIFIER | 1 | Disable update notifications in logs. |
| GH_SPINNER_DISABLED | 1 | Keep logs deterministic. |
| GH_TELEMETRY | false | Disable telemetry from automated runs. |

Outputs

| Field | Description |
| --- | --- |
| ok | true when gh exits with status 0. |
| exitCode | gh exit code. Timeouts use 124; wrapper validation errors use -1. |
| stdout | Text written by gh to stdout. |
| stderr | Text written by gh to stderr. |
| durationMs | Runtime duration in milliseconds. |
| ghVersion | First line of gh --version. |
| timedOut | true when the wrapper terminated gh after timeoutSeconds. |
| error | Wrapper error object when validation or process startup fails. |

If gh exits non-zero, the action fails and still publishes the structured output payload.

Security

  • This action is not a sandbox.
  • Prefer args arrays over shell commands; this action never runs gh through a shell.
  • Use least-privileged tokens and pass them through Dagu secrets.
  • Avoid putting tokens in args, stdin, or command output.
  • Avoid interactive gh commands; pass flags such as --yes, --body, --body-file, --json, or --jq.
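
The Inputs constraints and the token guidance above can be checked before a workflow is committed. The following is an added example, not code from this action or from Dagu: checkStep, TOKEN_RE and TOKEN_VARS are hypothetical names, the lower bound on timeoutSeconds is an assumption, and the sample step is constructed.

```javascript
// Added example (not the action's own code): lint a github-cli step's `with` inputs.
// checkStep, TOKEN_RE and TOKEN_VARS are hypothetical names.

// GitHub token prefixes: ghp_, gho_, ghu_, ghs_, ghr_ and github_pat_.
const TOKEN_RE = /\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})/;
const TOKEN_VARS = ["GH_TOKEN", "GITHUB_TOKEN", "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"];

function checkStep(inputs) {
  const findings = [];
  const { args, stdin, timeoutSeconds = 300 } = inputs;
  const env = inputs.env || {};

  // args is required and must be an argument array, never a shell string.
  if (!Array.isArray(args) || args.length === 0 || !args.every((a) => typeof a === "string")) {
    return ["args: must be a non-empty array of strings"];
  }
  if (args[0] === "gh") findings.push("args: do not include the gh executable name");

  // Tokens in args or stdin can end up in process listings and step logs.
  args.forEach((a, i) => {
    if (TOKEN_RE.test(a)) findings.push(`args[${i}]: looks like a token; pass it through env`);
  });
  if (typeof stdin === "string" && TOKEN_RE.test(stdin)) {
    findings.push("stdin: looks like a token; pass it through env");
  }

  // A literal token in the workflow file bypasses Dagu secrets; expect a ${NAME} reference.
  for (const name of TOKEN_VARS) {
    if (typeof env[name] === "string" && TOKEN_RE.test(env[name])) {
      findings.push(`env.${name}: literal token; reference a Dagu secret instead`);
    }
  }

  // Documented maximum is 1800; requiring a positive number is an assumption.
  if (typeof timeoutSeconds !== "number" || !(timeoutSeconds > 0) || timeoutSeconds > 1800) {
    findings.push("timeoutSeconds: must be a positive number no greater than 1800");
  }
  return findings;
}

// Constructed sample: the token is a placeholder, not a real credential.
const SAMPLE = {
  repo: "dagucloud/dagu",
  args: ["gh", "api", "-H", "Authorization: token ghp_" + "A".repeat(36)],
  timeoutSeconds: 3600,
};
console.log(checkStep(SAMPLE));
```

An empty array means the step passed every check; each string otherwise names the offending field.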

Package Layout

dagu-action.yaml
workflow.yaml
scripts/
  run-github-cli.mjs
examples/
  basic.yaml

Sources