# Executing third-party scripts

However, sometimes what you want goes beyond accessing the GitHub API. You might want to run a Python script as part of the workflow, calling other APIs. To do so, you can simply treat the scripts as regular files in a filesystem (think back to how jobs run in virtual machine runners) and call them.

The caveat is that you have to set up the job's virtual machine runner to support the third-party script's language. So, if you're using Python, you need to ensure that Python and all of the script's dependencies are installed. If you're using JavaScript, ensure that Node.js and all of the project dependencies are installed.

Since we've already covered how to use Node.js in GitHub Actions in [basics-of-github-actions](https://wiki.nushackers.org/hackerschool/ci-cd-with-github-actions/basics-of-github-actions "mention"), we will focus on setting up the job's virtual machine runner to work with Python scripts this time.

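```
on: [push]

jobs:
  autograding:
    # write-all gives the job's GITHUB_TOKEN write access to every scope;
    # narrow this to the scopes script.py actually needs.
    permissions: write-all
    runs-on: ubuntu-22.04
    steps:
      - name: Fetch repository
        uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"
      - name: Installing Python dependencies
        run: |
          pip install -r requirements.txt
      - name: Run Python
        run: |
          python3 script.py
        # `inputs.*` is only populated for workflow_dispatch/workflow_call
        # triggers, and REPO_NAME must be defined in an `env:` block elsewhere.
        env:
          base_repository: ${{ inputs.repository }}
          is_local: ${{ inputs.is_local }}
          repository_name: ${{ env.REPO_NAME }}
```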

Essentially, what you need to do is to:

1. Fetch the current repository
2. Set up Python using the `actions/setup-python@v5` action
3. Install all of the Python dependencies from a `requirements.txt` in the current repository (or individual dependencies)
4. Execute the Python script

It's that simple! The `script.py` Python script now executes with full filesystem access to the job's virtual machine runner, and the same applies to any code pulled in by its dependencies. You can additionally set environment variables for the script to access via `env`.

{% hint style="warning" %}
If you are attempting to run a third-party script every time a `pull_request` event occurs and want to read any repository secrets or access the `GITHUB_TOKEN` token, make sure you use the `pull_request_target` event instead. The `pull_request` event is susceptible to untrusted scripts accessing this sensitive information, so for security reasons, GitHub has disabled its access to these values. `pull_request_target` does not have this limitation: it runs in the context of the base repository, so avoid checking out and running the pull request's own code in such a workflow.\
\
Read more about it here: <https://stackoverflow.com/questions/74957218/what-is-the-difference-between-pull-request-and-pull-request-target-event-in-git>
{% endhint %}
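
The warning above matters most when a `pull_request_target` workflow also checks out the contributor's commit and then installs or runs it. The following added example (not part of the original guide) is a heuristic Python check for that combination and for `permissions: write-all`; the `triggers` and `audit` helpers and the sample workflow text are constructed for illustration.

```python
import re

# Heuristic text scan, not a YAML parser; assumes two-space indentation.
HEAD_REF = re.compile(r"ref:.*github\.event\.pull_request\.head\.(sha|ref)")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)
RUNS_CODE = re.compile(r"\b(pip3? install|python3? \S+)")


def triggers(workflow):
    """Event names under `on:` (scalar, inline list, or block form)."""
    m = re.search(r"^on:[ \t]*(.*)$", workflow, re.M)
    if not m:
        return set()
    if m.group(1).strip():  # on: push / on: [push, pull_request]
        return set(re.findall(r"[a-z_]+", m.group(1)))
    # Block form: everything up to the next top-level key belongs to `on:`.
    block = re.split(r"^\S", workflow[m.end():], maxsplit=1, flags=re.M)[0]
    return set(re.findall(r"^ {2}(?:- )?([a-z_]+)", block, re.M))


def audit(workflow):
    """Return findings for the risky patterns discussed on this page."""
    findings = []
    if "pull_request_target" in triggers(workflow) and HEAD_REF.search(workflow):
        ran = " and runs it" if RUNS_CODE.search(workflow) else ""
        findings.append(f"pull_request_target checks out PR head code{ran} with secrets in scope")
    if WRITE_ALL.search(workflow):
        findings.append("permissions: write-all grants GITHUB_TOKEN every write scope")
    return findings


# Constructed sample: the page's steps under pull_request_target, plus a
# checkout of the contributor's commit (the combination to avoid).
RISKY = """on:
  pull_request_target:
jobs:
  autograding:
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -r requirements.txt && python3 script.py
"""
# Same workflow with the default checkout, so the base branch's script runs.
PR_REF = "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
SAFE = RISKY.replace(PR_REF, "")

print(audit(RISKY), audit(SAFE), sep="\n")
```

Because this is a text scan, treat a clean result as "nothing obvious found" and still review how the workflow obtains the code it runs.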

You may combine this use case with the previous two to create scheduled scripts that run and interact with the GitHub API!
