Executing third-party scripts

However, sometimes what you want goes beyond accessing the Github API. You might want to run a Python script as part of the workflow, calling other APIs. To do so, you can simply treat them as regular files in a filesystem (think back to how jobs run in virtual machine runners) and call these scripts.

The caveat is that you have to setup the job's virtual machine runner to support the third-party script's language. So, if you're using Python, you need to ensure that Python and all of the scripts' dependencies are installed. If you're using Javascript, ensure that Node.js and all of the project dependencies are installed.

Since we've covered how to use Node.js in Github Actions in Basics of Github Actions already, we will focus on setting up the job virtual machine runner to work with Python scripts this time.

on: [push]

jobs:
  autograding:
    permissions: write-all
    runs-on: ubuntu-22.04
    steps:
      - name: Fetch repository
        uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"
      - name: Installing Python dependencies
        run: |
          pip install -r requirements.txt
      - name: Run Python
        run: |
          python3 script.py
        env:
          base_repository: ${{ inputs.repository }}
          is_local: ${{ inputs.is_local }}
          repository_name: ${{ env.REPO_NAME }}

Essentially, what you need to do is to:

  1. Fetch the current repository

  2. Setup Python using the actions/setup-python@v5 action

  3. Install all of the Python dependencies from a requirements.txt in the current repository (or individual dependencies)

  4. Execute the Python script

It's that simple! Now, the script.py Python script will start to execute and now it will have full filesystem access to the job's virtual machine runner. You can additionally set environment variables for the script to access via env.

If you are attempting to run a third-party script every time a pull_request event occurs and want to read any repository secrets or access the GITHUB_TOKEN token, make sure you use the pull_request_target event instead. The pull_request event is susceptible to having untrusted scripts accessing this secure information, so for security reasons, Github has disabled its access to these values. However, pull_request_target does not suffer from such limitations! Read more about it here: https://stackoverflow.com/questions/74957218/what-is-the-difference-between-pull-request-and-pull-request-target-event-in-git

You may combine this use case with the previous two to create scheduled scripts that run and interact with the Github API!

PreviousGithub scriptNextReusable workflows

Last updated