{"id":51339643,"url":"https://github.com/async/actions","last_synced_at":"2026-07-02T06:04:44.909Z","repository":{"id":365670014,"uuid":"1273181318","full_name":"async/actions","owner":"async","description":"Reusable GitHub composite actions for Async generated workflows","archived":false,"fork":false,"pushed_at":"2026-06-18T10:50:44.000Z","size":31,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T11:29:35.468Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/async.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-06-18T09:26:59.000Z","updated_at":"2026-06-18T10:50:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/async/actions","commit_stats":null,"previous_names":["async/actions"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/async/actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/async%2Factions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/async%2Factions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/async%2Factions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/async%2Factions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/async","download_url":"https://codeload.github.com/async/actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/async%2Factions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35035005,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-02T02:00:06.368Z","response_time":173,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-07-02T06:04:44.229Z","updated_at":"2026-07-02T06:04:44.901Z","avatar_url":"https://github.com/async.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# async/actions\n\nReusable GitHub composite actions for Async generated workflows.\n\n`@async/pipeline` remains the source of truth for workflow triggers, job graph,\nmatrices, permissions, environments, and secret mapping. This repo only contains\nstep-level actions that generated workflows call.\n\n## Actions\n\n| Action | Purpose |\n| --- | --- |\n| `async/actions/setup` | Set up Node, pnpm, npm, optional Deno/Bun, registry auth, cache, and optional install. |\n| `async/actions/run` | Check generated workflow drift, run an `async-pipeline` job/task, and upload run evidence. |\n| `async/actions/pages` | Validate static/prerender output, build Jekyll when requested, upload Pages artifacts, and optionally deploy. |\n| `async/actions/publish` | Publish npm/GitHub Packages, create or sync GitHub Releases, and verify release state via `npm` and `gh`. |\n| `async/actions/doctor` | Run `async-release` package planning, inspection, release-note rendering, and doctor evidence commands. |\n| `async/actions/preview` | Publish same-repo PR/main preview packages to GitHub Packages and emit preview comment bodies. |\n| `async/actions/comment` | Create or update idempotent comments, append job summaries, and emit structured workflow annotations. |\n| `async/actions/contract` | Run API, claims, and schema contract checks and write bounded evidence reports. |\n| `async/actions/hygiene` | Run Async hygiene checks and write manifest, findings, and summary evidence. |\n| `async/actions/dependabot-merge` | Validate Dependabot metadata, approve, wait for checks, and squash-merge. |\n| `async/actions/update-train` | Dispatch validated package update events to explicit downstream repositories. |\n| `async/actions/dependency-bump` | Apply an allowed direct dependency bump, update the lockfile, verify, and push or open a PR. |\n| `async/actions/matrix` | Produce matrix JSON for downstream `fromJSON(...)` jobs. |\n| `async/actions/storage` | Read/write repo-local state, apply safe change sets, and emit receipts for Actions-only users who cannot install the GitHub App. |\n| `async/actions/evidence` | Collect, upload, and merge manifest-backed run evidence artifacts without copying raw file contents into the manifest. |\n| `async/actions/agent-evidence` | Collect redacted agent transcripts, context packs, explicit outputs, bundle metadata, and comment handoff bodies. |\n| `async/actions/source-impact` | Read generated source plans, emit impact matrices, validate source checkout metadata, run generated prepare commands, and write source receipts. |\n| `async/actions/cache` | Restore, save, and summarize Async task caches from generated cache manifests. |\n| `async/actions/attest` | Compute subject digests, write package SBOM evidence, validate tarball subjects, and record provenance or attestation verification receipts. |\n\n## Boundary\n\nThese actions do not own workflow-level behavior. Callers must grant permissions\nand pass tokens explicitly. Network behavior is intentionally visible in\ngenerated GitHub Actions instead of being bundled inside normal package installs.\n\nGenerated Async workflows should pin these actions to reviewed full commit SHAs.\nCompatibility tags such as `v0` may remain human-facing labels, but moving a tag\nmust not change already-generated privileged workflow behavior.\n\n## Governance\n\nExecutable changes are owner-only. External bug reports and security reports are\nwelcome through issues or advisories, but maintainers write action metadata,\nhelper scripts, and package metadata. A maintainer review is required before\n`@async/pipeline` updates its generated action manifest to a new commit SHA.\n\n## Actions-Only Storage Bridge\n\n`async/actions/storage` is the fallback path for teams that cannot install the\nAsync GitHub App yet. It works inside a normal checked-out repository with the\ncaller-provided `GITHUB_TOKEN` permissions:\n\n```yaml\n- uses: async/actions/storage@\u003creviewed-full-sha\u003e # v0.1.x\n  with:\n    mode: apply-change-set\n    change-set: .async/inbox/change-set.json\n    receipt-path: .async/receipts/change-set.json\n    commit: \"true\"\n    pull-request: \"true\"\n    branch: async/storage/${{ github.run_id }}\n    base-branch: main\n    github-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\nChange sets use the same safe file shape as `@async/github-app`: `files` entries\nwith `path`, `action: \"upsert\" | \"delete\"`, and optional `content`. Absolute\npaths, `..`, duplicate paths, empty path segments, and `.github/workflows/**`\nwrites are rejected unless the caller explicitly enables workflow paths.\n\n## Evidence Artifacts\n\n`async/actions/evidence` writes a JSON manifest for explicit repo-local files,\ndirectories, and globs, then can upload that manifest-backed artifact or merge\ndownloaded manifests into one index. Manifest file entries include path, kind,\nsize, and SHA-256 digest; they do not include raw file contents, logs, or\nenvironment dumps.\n\nBridge and storage receipt JSON can be passed through `receipt-paths`. The action\nkeeps only bounded metadata such as change-set id, lease id, worker, status,\ncommit SHA, pull request URL, and changed paths. It rejects absolute paths and\n`..` segments before reading evidence inputs.\n\n## Agent Evidence\n\n`async/actions/agent-evidence` packages agent run artifacts already written by\n`@async/pipeline`: prompt files, redacted transcripts, failure context packs, and\nexplicit task outputs such as patches or reports. The action records paths,\nkinds, sizes, and hashes, writes a receipt for `async/actions/evidence`, and can\nemit a bounded comment body for `async/actions/comment`. It does not run agents,\nchoose models, apply patches, or paste large artifacts into comments.\n\n## Contract Evidence\n\n`async/actions/contract` writes manifest-backed evidence for API, claims, and\nschema checks. Generated workflows choose `mode: report`, `check`, `strict`, or\n`release`; the action records status and findings, while the caller workflow\nowns whether those findings block the job. Optional command inputs let generated\nworkflows run package-specific CLIs from the checked-out repo. Schema sources are\nvalidated from repo-local JSON files or globs, and generated workflows can set\nthe schema report path while evidence stays under `.async/contract`.\n\n## Hygiene Evidence\n\n`async/actions/hygiene` writes manifest-backed evidence for repo, GitHub, docs,\npackage, release, and mixed hygiene profiles. Generated workflows choose the\nprofile list, `mode: report`, `check`, `strict`, or `release`, release-gate\nbehavior, and whether findings are advisory or blocking. The action invokes\n`async-hygiene check --format json`, normalizes failures into findings, and\nwrites bounded evidence under `.async/hygiene` without choosing repository\npolicy itself.\n\n## Source Impact\n\n`async/actions/source-impact` is a step-level helper for workflows generated by\n`@async/pipeline`. The generated workflow writes the trusted source plan, then\ncalls the action in `plan`, `checkout`, `prepare`, or `receipt` mode. Source ids,\npaths, refs, and matrix rows are validated against that generated plan before\nthe action writes receipts under `.async/actions/receipts`.\n\nGit refs must be full SHAs or generated-safe refs such as `refs/heads/*`,\n`refs/tags/*`, or `refs/pull/\u003cnumber\u003e/merge`. Prepare commands come from the\ngenerated plan and are printed before execution.\n\n## Task Cache\n\n`async/actions/cache` restores and saves task-cache paths from a generated\n`@async/pipeline` manifest. The manifest owns cache keys, path lists, write\neligibility, and trust level; the action validates that metadata, delegates to\npinned `actions/cache` restore/save steps, and writes cache receipts under\n`.async/actions/receipts`.\n\nUse `trust: read-only` for untrusted pull requests. Save mode requires\n`trust: read-write`; read-only saves are skipped and recorded rather than\nsilently writing cache state.\n\n## Attestation Evidence\n\n`async/actions/attest` works from explicit generated subjects. Digest and SBOM\nmodes hash repo-local files and write manifests under `.async/attest`; verify\nmode re-reads those manifests, checks current digests, can scan npm tarballs for\nunsafe entries, and can require a parsed npm provenance result. The action does\nnot publish packages. Real GitHub artifact attestation requires the generated\nworkflow to grant OIDC permissions and pass that mode explicitly.\n\n## Release Doctor\n\n`async/actions/doctor` is a thin wrapper around `async-release`. Generated\nworkflows choose the command mode and package path explicitly, then the action\nrecords bounded evidence such as the release plan, package report, rendered\nrelease notes, and doctor checks. The action does not infer workflow\npermissions, release package selection, or registry credentials.\n\n## Package Previews\n\n`async/actions/preview` is the privileged executor for preview package writes.\nIt calls a released `@async/release` package source for deterministic preview\nidentity, staging, install-comment, and evidence data, then keeps npm auth,\npublish, dist-tag, outputs, and summaries inside the action. Generated\nworkflows remain responsible for event triggers, permissions, token mapping, and\nstale-head decisions such as setting `move-dist-tag: \"false\"`.\n\n## Update Trains And Dependency Bumps\n\n`async/actions/update-train` dispatches repository update events from generated\nrelease workflows. Callers pass the target repositories and token explicitly;\nthe action validates package names, versions, repositories, and event names\nbefore calling `gh api repos/\u003cowner\u003e/\u003crepo\u003e/dispatches`.\n\n`async/actions/dependency-bump` applies a direct dependency version update in a\nchecked-out repository, runs the package manager's lockfile update, executes\nexplicit verification commands, then pushes or opens a pull request according to\ncaller-provided policy. The action only stages package, lockfile, and generated\nPipeline sync files.\n\n## Comments And Annotations\n\n`async/actions/comment` owns idempotent marker management, markdown body loading,\nsummary appends, and structured annotation rendering. Callers pass tokens\nexplicitly and choose the target repository, issue or pull request number, body\nsource, and marker. Markdown bodies are bounded before comment writes.\n\n## Local Checks\n\n```sh\nnpm run check\nnpm test\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasync%2Factions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasync%2Factions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasync%2Factions/lists"}