diff --git a/README.md b/README.md index 98cf4486f..6fe8ae7e6 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,26 @@ This action makes it easy to quickly write a script in your workflow that uses the GitHub API and the workflow run context. +### Note + +Thank you for your interest in this GitHub action, however, right now we are not taking contributions. + +We continue to focus our resources on strategic areas that help our customers be successful while making developers' lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in. + +We are taking the following steps to better direct requests related to GitHub Actions, including: + +1. We will be directing questions and support requests to our [Community Discussions area](https://github.com/orgs/community/discussions/categories/actions) + +2. High Priority bugs can be reported through Community Discussions or you can report these to our support team https://support.github.com/contact/bug-report. + +3. Security Issues should be handled as per our [security.md](security.md) + +We will still provide security updates for this project and fix major breaking changes during this time. + +You are welcome to still raise bugs in this repo. + +### This action + To use this action, provide an input named `script` that contains the body of an asynchronous JavaScript function call. The following arguments will be provided: @@ -59,6 +79,31 @@ For example, `github.issues.createComment` in V4 becomes `github.rest.issues.cre See [development.md](/docs/development.md). +## Passing inputs to the script + +Actions expressions are evaluated before the `script` is passed to the action, so the result of any expressions +*will be evaluated as JavaScript code*. + +It's highly recommended to *not* evaluate expressions directly in the `script` to avoid +[script injections](https://docs.github.com/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections) +and potential `SyntaxError`s when the expression is not valid JavaScript code (particularly when it comes to improperly escaped strings). + +To pass inputs, set `env` vars on the action step and reference them in your script with `process.env`: + +```yaml +- uses: actions/github-script@v7 + env: + TITLE: ${{ github.event.pull_request.title }} + with: + script: | + const title = process.env.TITLE; + if (title.startsWith('octocat')) { + console.log("PR title starts with 'octocat'"); + } else { + console.error("PR title did not start with 'octocat'"); + } +``` + ## Reading step results The return value of the script will be in the step's outputs under the @@ -444,27 +489,6 @@ export default async ({ core, context }) => { }; ``` -### Use env as input - -You can set env vars to use them in your script: - -```yaml -on: push - -jobs: - echo-input: - runs-on: ubuntu-latest - steps: - - uses: actions/github-script@v7 - env: - FIRST_NAME: Mona - LAST_NAME: Octocat - with: - script: | - const { FIRST_NAME, LAST_NAME } = process.env - - console.log(`Hello ${FIRST_NAME} ${LAST_NAME}`) -``` ### Using a separate GitHub token