# Actions

shithub Actions runs CI workflows from `.shithub/workflows/*.yml`.
The workflow format intentionally follows the parts of GitHub Actions that are
useful for ordinary repository CI, while keeping the runner surface small enough
to secure.

## Minimal workflow

```yaml
name: smoke
on: [push, workflow_dispatch]
jobs:
  hello:
    runs-on: ubuntu-latest
    env:
      RUN_ID: ${{ shithub.run_id }}
    steps:
      - run: echo "hello from shithub actions"
      - run: test -n "$RUN_ID"
```

Commit that file as `.shithub/workflows/smoke.yml` and push to the repository.
The run appears under the repository's Actions tab and its job also appears as
a check run on matching pull requests.

## Copy-paste smoke workflow

Use this workflow to confirm a normal repository can use the shared Linux pool.
It runs on every push to `trunk` while Actions are enabled for the repository
and a runner advertising `ubuntu-latest` is online.

```yaml
name: Smoke
on:
  push:
    branches: [trunk]
jobs:
  green:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify checkout
        run: test -f README.md || test -f readme.md || pwd
      - name: Smoke
        run: printf 'shithub actions smoke passed\n'
```

The same file should work in any repository that is allowed by the site, org, and repo Actions policies. It should not need a repo-specific runner label.

## What works today

- `push`, `pull_request`, `schedule`, and `workflow_dispatch` triggers
- `actions/checkout@v4` for repository checkout
- `run:` steps executed in the operator-configured runner image
- `runs-on:` label matching against registered runners
- workflow, job, and step `env:`
- `${{ secrets.NAME }}`, `${{ vars.NAME }}`, `${{ env.NAME }}`, and
  `${{ shithub.* }}` expressions
- `needs:`, `if:`, `timeout-minutes:`, and concurrency groups
- live step logs, cancel, re-run, check-run sync, and the Actions Atom feed

`runs-on: ubuntu-latest` is a runner label, not a promise that shithub downloads
a hosted Ubuntu image for you. The site operator decides which image a matching
runner uses. On shithub.sh, the shared Linux pool advertises
`self-hosted`, `linux`, `ubuntu-latest`, and `x64`.

If a run stays queued, the run page shows the requested label set, for example
`Waiting for runner with labels: windows-latest`. That means no currently
registered runner can claim the job.

## Current limit

The runner executes `actions/checkout@v4` and `run:` steps. Checkout accepts
the default shallow fetch and `with.fetch-depth`; use `fetch-depth: 0` when a
workflow needs full history:

```yaml
steps:
  - uses: actions/checkout@v4
    with:
      fetch-depth: "0"
  - run: git describe --tags --always
```

The parser also accepts these artifact aliases:

- `shithub/upload-artifact@v1`
- `shithub/download-artifact@v1`

The runner does not execute artifact aliases yet. A workflow containing those
artifact `uses:` steps will fail until artifact execution lands. Checkout
inputs such as `path`, submodules, LFS, and persisted credentials are not
implemented yet.

## Expressions

Use the shithub namespace:

```yaml
env:
  REF: ${{ shithub.ref }}
  SHA: ${{ shithub.sha }}
  RUN_ID: ${{ shithub.run_id }}
```

The `github.*` namespace is accepted as a compatibility alias for the fields
shithub exposes, but new workflows should use `shithub.*`.

Event payload values such as `${{ shithub.event.pull_request.title }}` are
treated as untrusted. The runner passes them through temporary environment
bindings instead of splicing them directly into shell command text.
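
The difference between splicing and binding, as an added example that is not shithub's runner code: the same `run:` line is rendered both ways against a constructed pull request title that carries shell syntax. The function names and the `SHITHUB_EXPR_n` variable name are hypothetical.

```python
import os
import re
import subprocess

# Matches ${{ shithub.event.<path> }} (or the github.* alias) in a run: script.
EVENT_EXPR = re.compile(r"\$\{\{\s*((?:shithub|github)\.event\.[\w.]+)\s*\}\}")


def lookup(event, dotted):
    """Resolve 'shithub.event.pull_request.title' against the event payload."""
    value = event
    for key in dotted.split(".")[2:]:
        value = value[key]
    return str(value)


def render_spliced(script, event):
    """Unsafe rendering: payload text becomes part of the shell source."""
    return EVENT_EXPR.sub(lambda m: lookup(event, m.group(1)), script)


def render_bound(script, event):
    """Safe rendering: each expression becomes a reference to a temporary
    environment variable, and the payload travels only in the environment."""
    env = {}

    def bind(match):
        name = f"SHITHUB_EXPR_{len(env)}"  # hypothetical variable name
        env[name] = lookup(event, match.group(1))
        return "${" + name + "}"

    return EVENT_EXPR.sub(bind, script), env


def run_step(script, extra_env=None):
    """Run a script the way a run: step would and return its stdout."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), **(extra_env or {})}
    done = subprocess.run(["sh", "-c", script], env=env,
                          capture_output=True, text=True, check=False)
    return done.stdout


# Constructed payload: a pull request title that closes the quote early.
EVENT = {"pull_request": {"title": 'fix typo"; echo INJECTED; echo "'}}
STEP = 'echo "title: ${{ shithub.event.pull_request.title }}"'
```
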

## Secrets and variables

Repository and organization settings expose Actions secrets and variables. Secrets are encrypted at rest and are redacted from logs. Variables are plaintext configuration and are suitable for non-secret values such as tool versions or feature flags.
Repo-scoped values shadow organization-scoped values with the same name.

## Migrating from GitHub Actions

Most simple CI files need three edits:

1. Move the workflow file from `.github/workflows/` to `.shithub/workflows/`.
2. Keep `actions/checkout@v4`, but replace marketplace and artifact `uses:`
   actions with equivalent `run:` commands for now.
3. Confirm `runs-on:` matches a label registered by your shithub operator.
   The default shithub.sh shared label for ordinary Linux CI is
   `ubuntu-latest`.

Marketplace actions, Docker actions, composite actions, hosted runner images, matrix expansion, service containers, submodules, LFS, and artifact transfer are not part of the current v1 runner.
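
A pre-migration check for the three edits above, as an added example that is not part of shithub: it scans a workflow file line by line and reports what this page says the v1 runner will not run. `lint_workflow` is a hypothetical helper, the sample workflow is constructed, and it assumes a job is claimable only when every requested label is advertised.

```python
import re

SUPPORTED_USES = {"actions/checkout@v4"}
UNSUPPORTED_KEYS = {"matrix": "matrix expansion", "services": "service containers"}
# actions/checkout inputs the page lists as not implemented yet.
CHECKOUT_INPUTS = {"path", "submodules", "lfs", "persist-credentials"}
KEY = re.compile(r"^\s*(-\s+)?([\w-]+):\s*(.*?)\s*$")


def lint_workflow(path, text, runner_labels):
    """Return (line, message) findings. Line-based scan, not a YAML parser."""
    findings = []
    if not path.startswith(".shithub/workflows/"):
        findings.append((0, "move the file under .shithub/workflows/"))
    in_checkout = False
    for number, line in enumerate(text.splitlines(), start=1):
        if not (match := KEY.match(line)):
            continue
        new_item, key, value = match.groups()
        in_checkout = in_checkout and not new_item  # "- " starts a new step
        if key == "uses":
            in_checkout = value in SUPPORTED_USES
            if not in_checkout:
                findings.append((number, f"replace {value} with run: commands"))
        elif key in UNSUPPORTED_KEYS:
            findings.append((number, f"{UNSUPPORTED_KEYS[key]} is not in the v1 runner"))
        elif key == "runs-on":
            # Assumption: every requested label must be advertised by a runner.
            wanted = [w.strip() for w in value.strip("[]").split(",")]
            missing = [w for w in wanted if w not in runner_labels]
            if missing:
                findings.append((number, f"no runner label for {', '.join(missing)}"))
        elif in_checkout and key in CHECKOUT_INPUTS:
            findings.append((number, f"checkout input {key} is not implemented"))
    return findings


# Constructed sample: a GitHub Actions workflow before migration.
SAMPLE = """\
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - uses: actions/setup-go@v5
"""
POOL = {"self-hosted", "linux", "ubuntu-latest", "x64"}  # labels from this page
```
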