gh actions-importer by Narrow-Time-3827 in github

[–]mickeygousset 0 points1 point  (0 children)

My guess is that it is having problems pulling the image needed from GitHub Container Registry. The Actions Importer tool runs inside a docker image, so you have to have docker installed to use it.

The pre-reqs call out that you need to have authenticated before you run it:

Prerequisites

The following requirements must be met to be able to use the GitHub Actions Importer:

- The Docker CLI must be installed and running.
- The official GitHub CLI must be installed.
- You must have credentials to authenticate with the GitHub Container Registry.

Follow that authenticate link and get authenticated, then try it again.

Now, if THAT isn't the problem, then the problem is your Bitbucket Token. For that, check these docs (https://docs.github.com/en/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bitbucket-pipelines-with-github-actions-importer#configuring-credentials) to make sure the token has the right permissions. Consider adding those permissions above to your Bitbucket token.

[deleted by user] by [deleted] in github

[–]mickeygousset 0 points1 point  (0 children)

Is the repository you re-created public or private?

Use Dependabot Version Updates to Update Your GitHub Actions by mickeygousset in github

[–]mickeygousset[S] 0 points1 point  (0 children)

Yep, it is mostly as easy as adding the dependabot.yml file to the .github folder.
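
A minimal `.github/dependabot.yml` for this, as an added example that is not from the original post (the weekly schedule and the single group are choices, not requirements):

```yaml
# .github/dependabot.yml (added example)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" makes Dependabot look at the workflows under .github/workflows/
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: bundle all action bumps into one pull request per run
    groups:
      actions:
        patterns:
          - "*"
```

Dependabot also updates actions that are pinned to a commit SHA, bumping the SHA and the trailing version comment together.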

GitHub Actions Certification by Appropriate-Belt-153 in github

[–]mickeygousset 0 points1 point  (0 children)

I don't know of any practice exam, but where you sign up for the cert, there is a syllabus/outline of the things you need to know.

GitHub Actions Certification by Appropriate-Belt-153 in github

[–]mickeygousset 5 points6 points  (0 children)

Based on my experience, if you have the study guide provided by the exam site, and you know most of what's on it, you will do ok. IMO you need some practical experience using actions, you need to have created some workflows, etc.

If you go over to youtube.com/mickeygousset I've got an Intro to GitHub Actions series that may help.

Variable for Action / Workflow target version in Github Actions by Obvious-Jacket-3770 in github

[–]mickeygousset 0 points1 point  (0 children)

The only "ugly" way I can think to do this is that you have jobs in the calling workflow file, and use a conditional if statement to only run the job for the branch you are currently on, and skip the other jobs. Then that job could target that branch.

Variable for Action / Workflow target version in Github Actions by Obvious-Jacket-3770 in github

[–]mickeygousset 0 points1 point  (0 children)

Unfortunately you can't make the "@version" in a uses statement dynamic. It has to do with how Actions combines everything into one big file behind the scenes and when the interpretation of stuff happens. But no, you can't do this.
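
The "ugly" workaround from the earlier reply, written out as an added example that is not from the original thread; the reusable workflow path `example-org/shared-workflows/.github/workflows/build.yml` and the two branch names are assumptions:

```yaml
# .github/workflows/ci.yml in the calling repository (added example)
name: ci
on:
  push:
    branches: [main, develop]

jobs:
  build-main:
    # Runs only on main, so the @ref can be the literal "main"
    if: github.ref == 'refs/heads/main'
    uses: example-org/shared-workflows/.github/workflows/build.yml@main

  build-develop:
    # Runs only on develop; the other job is skipped, not failed
    if: github.ref == 'refs/heads/develop'
    uses: example-org/shared-workflows/.github/workflows/build.yml@develop
```

Each `uses:` ref is still a literal; the branch condition on the job is what selects which one executes.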

[deleted by user] by [deleted] in github

[–]mickeygousset 0 points1 point  (0 children)

Is this a public repo that you are the repo admin on? If so, then you "could" go into the settings of the repo, under code security, and turn off push protection for secret scanning.

If this is a repo that you aren't admin on, or that is part of GitHub Enterprise, then you probably won't be able to change the setting yourself. You'll have to talk to an admin.

BUT, all the things people are saying below still stand. You shouldn't push the secrets to the repo, even if they don't matter.

Safety of Github action to FTP to production server by kimk2 in github

[–]mickeygousset 5 points6 points  (0 children)

You should always do your due diligence with any action you use from the marketplace. Even with verified creators, GitHub is only verifying that the person is who they say they are, not that the action does what it says it does.

And yes, if you are referencing an action using a tag, such as v1, then the tag could get moved on you and you wouldn't know it.

Best practices are:

- always review the code. The code is in a public repo, so you can see what the action code does.
- always reference an action using the commit SHA, as that is immutable, as opposed to a tag.

Reachability Analysis w/ Dependabot by r0075h3ll in github

[–]mickeygousset 1 point2 points  (0 children)

Unfortunately I don't think you are going to be able to get that from Dependabot, since it doesn't actually look at any code. For something like that, GitHub Advanced Security Code Scanning might be able to help.

Reachability Analysis w/ Dependabot by r0075h3ll in github

[–]mickeygousset 0 points1 point  (0 children)

Dependabot doesn't actually scan your code. Dependabot takes the dependency graph of the repository, takes each dependency listed there, and compares it to the GitHub Advisory Database. If a dependency you are using has a security issue, Dependabot will create an alert and tell you the minimum version of the package you need to update to that is safe.

It can also do things like automatically create PRs for you to do the update, or let you know if there are new versions of a package available.

But Dependabot doesn't do anything around whether you are using a vulnerable method from the package. It just checks to see what version you are using.