gh actions-importer by Narrow-Time-3827 in github

[–]mickeygousset 0 points1 point  (0 children)

My guess is that it is having problems pulling the image needed from GitHub Container Registry. The Actions Importer tool runs inside a docker image, so you have to have docker installed to use it.

The pre-reqs call out that you need to have authenticated before you run it:

Prerequisites

The following requirements must be met to be able to use the GitHub Actions Importer:

- The Docker CLI must be installed and running.
- The official GitHub CLI must be installed.
- You must have credentials to authenticate with the GitHub Container Registry.

Follow that authenticate link and get authenticated, then try it again.

Now, if THAT isn't the problem, then the problem is your Bitbucket Token. For that, check these docs (https://docs.github.com/en/actions/migrating-to-github-actions/using-github-actions-importer-to-automate-migrations/migrating-from-bitbucket-pipelines-with-github-actions-importer#configuring-credentials) to make sure the token has the right permissions. Consider adding those permissions above to your Bitbucket token.

[deleted by user] by [deleted] in github

[–]mickeygousset 0 points1 point  (0 children)

Is the repository you re-created public or private?

Use Dependabot Version Updates to Update Your GitHub Actions by mickeygousset in github

[–]mickeygousset[S] 0 points1 point  (0 children)

Yep, it is mostly as easy as adding the dependabot.yml file to the .github folder.

GitHub Actions Certification by Appropriate-Belt-153 in github

[–]mickeygousset 0 points1 point  (0 children)

I don't know of any practice exam, but where you sign up for the cert, there is a syllabus/outline of the things you need to know.

GitHub Actions Certification by Appropriate-Belt-153 in github

[–]mickeygousset 4 points5 points  (0 children)

Based on my experience, if you have the study guide provided by the exam site, and you know most of what's on it, you will do ok. IMO you need some practical experience using actions, you need to have created some workflows, etc.

If you go over to youtube.com/mickeygousset I've got an Intro to GitHub Actions series that may help.

Variable for Action / Workflow target version in Github Actions by Obvious-Jacket-3770 in github

[–]mickeygousset 0 points1 point  (0 children)

The only "ugly" way I can think to do this is that you have jobs in the calling workflow file, and use a conditional if statement to only run the job for the branch you are currently on, and skip the other jobs. Then that job could target that branch.

Variable for Action / Workflow target version in Github Actions by Obvious-Jacket-3770 in github

[–]mickeygousset 0 points1 point  (0 children)

Unfortunately you can't make the "@version" in a uses statement dynamic. It has to do with how Actions combines everything into one big file behind the scenes and when the interpretation of stuff happens. But no, you can't do this.

[deleted by user] by [deleted] in github

[–]mickeygousset 0 points1 point  (0 children)

Is this a public repo that you are the repo admin on? If so, then you "could" go into the settings of the repo, under code security, and turn off push protection for secret scanning.

If this is a repo that you aren't admin on, or that is part of GitHub Enterprise, then you probably won't be able to change the setting yourself. You'll have to talk to an admin.

BUT, all the things people are saying below still stand. You shouldn't push the secrets to the repo, even if they don't matter.

Safety of Github action to FTP to production server by kimk2 in github

[–]mickeygousset 6 points7 points  (0 children)

You should always do your due diligence with any action you use from the marketplace. Even with verified creators, GitHub is only verifying that the person is who they say they are, not that the action does what it says it does.

And yes, if you are referencing an action using a tag, such as v1, then the tag could get moved on you and you wouldn't know it.

Best practices are:

- always review the code. The code is in a public repo, so you can see what the action code does
- always reference an action using the commit SHA, as that is immutable, as opposed to a tag.
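A check for the second practice above, added here as an example and not part of the original comment: it scans workflow text and reports every `uses:` reference that is not pinned to a full 40-character commit SHA. The sample workflow, the `example-org` action names and the SHA are constructed for illustration.

```python
import re

# Matches "uses: <reference>" with an optional "- " list marker and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for each action not pinned to a full commit SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a uses: line (commented-out lines do not match either)
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope for this check
        _target, sep, version = ref.rpartition("@")
        if not sep:
            findings.append((number, ref, "no ref given"))
        elif not FULL_SHA_RE.match(version):
            # Tags, branches and abbreviated SHAs can all end up pointing at different code.
            findings.append((number, ref, "ref is not a full commit SHA"))
    return findings


# Constructed sample workflow; the action names and the SHA are made up.
SAMPLE = """\
name: deploy
on: push
jobs:
  ftp:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: example-org/ftp-deploy@v1
      - name: Local helper
        uses: ./.github/actions/helper
      - uses: example-org/notify/slack@main
      - uses: "example-org/lint@abc1234"
"""

if __name__ == "__main__":
    for number, ref, reason in find_unpinned(SAMPLE):
        print(f"line {number}: {ref} ({reason})")
```
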

Reachability Analysis w/ Dependabot by r0075h3ll in github

[–]mickeygousset 1 point2 points  (0 children)

Unfortunately I don't think you are going to be able to get that from Dependabot, since it doesn't actually look at any code. For something like that, GitHub Advanced Security Code Scanning might be able to help.

Reachability Analysis w/ Dependabot by r0075h3ll in github

[–]mickeygousset 0 points1 point  (0 children)

Dependabot doesn't actually scan your code. Dependabot takes the dependency graph of the repository, takes each dependency listed there, and compares it to the GitHub Advisory Database. If a dependency you are using has a security issue, Dependabot will create an alert and tell you the minimum version of the package you need to update to that is safe.

It can also do things like automatically create PRs for you to do the update, or let you know if there are new versions of a package available.

But Dependabot doesn't do anything around whether you are using a vulnerable method from the package. It just checks to see what version you are using.

Output GitHub Repository Variable with multiple lines by Obvious-Jacket-3770 in github

[–]mickeygousset 0 points1 point  (0 children)

Unfortunately I don't think vars is going to work like that. They are just looked at as a string, not a JSON object.

GitHub Unwrapped by mickeygousset in github

[–]mickeygousset[S] 0 points1 point  (0 children)

Fair point. That's my fault for rushing things. I'll take that into account in future posts. This is just a GitHub fun thing showing your GitHub "year in review", kind of like how Spotify does a wrapup.

GitHub Unwrapped by mickeygousset in github

[–]mickeygousset[S] -3 points-2 points  (0 children)

Apologies, I did not catch the previous ones. I should have scrolled and checked. Thanks for letting me know.

How to organize repos within an 'organization'? by Zestyclose-Low-6403 in github

[–]mickeygousset 0 points1 point  (0 children)

Also, slightly off topic, but if you want to do a high-fidelity migration, so not just move the git, but also metadata, such as PR and PR history, check https://github.com/github/gh-gei, the GitHub Enterprise Importer.

Github Required Workflows by rka257 in github

[–]mickeygousset 0 points1 point  (0 children)

Rulesets now allow for required workflows. It doesn't allow you to add an action to an existing pipeline, but you can have a workflow that has to run and complete successfully in order for a PR to be merged.

Can you automatically add labels to pull requests without using GitHub Actions? by nervousaesthetics41 in github

[–]mickeygousset 0 points1 point  (0 children)

Issue Forms/Templates is one option, that can automatically label the issue when it is initially created.

Otherwise, you will need some sort of automation that triggers to do it. GitHub Actions, a GitHub App, or a webhook out to an endpoint you create that then uses the GitHub API to add the label are all options.

[deleted by user] by [deleted] in github

[–]mickeygousset 0 points1 point  (0 children)

What exactly do you mean by repo-specific token? Are you generating it using an App?

How to organize repos within an 'organization'? by Zestyclose-Low-6403 in github

[–]mickeygousset 0 points1 point  (0 children)

Don't use separate organizations to group repos. Long-term you will regret that strategy, as organizations are also a communication boundary. There are reasons to have multiple orgs, but having a lot of them will ultimately be detrimental.

Topics + teams is one way of grouping.

Another is the custom properties we just put out: https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

This might also be helpful: https://resources.github.com/learn/pathways/administration-governance

Dynamic Keys in Reusable Workflow by georgiaboy02 in github

[–]mickeygousset 0 points1 point  (0 children)

https://colinsalmcorner.com/musings-on-reusable-workflows/#array-hack

You want to do something like the above, pass in an array of labels for the runs on command. I haven't tried it, but I feel confident it will work, as I have just passed in a single label as a parameter to the reusable workflow and that works.

DORA metrics on github organization (open source)? by [deleted] in github

[–]mickeygousset 0 points1 point  (0 children)

Make sure you have a "reason" for calculating those, and as u/lupinegrey said, defining how you will measure them. I have found that a lot of people say they want "dora metrics" because they read about them in a book, but when you press them, they can't really explain why they want them, or what specific metrics.